The RISKS Digest
Volume 32 Issue 63

Friday, 30th April 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


The Plane Paradox: More Automation Should Mean More Training
VPN hacks are a slow-motion disaster
AirDrop could make 1.5 billion Apple devices vulnerable to hackers
Hundreds lose Internet service in northern B.C. after beaver chews through cable
NYPD Robot Dog's Run Is Cut Short After Fierce Backlash
Researchers Say Changing Simple iPhone Setting Fixes Long-Standing Privacy Bug
Mike Snider
Why the FCC Keeps Shooting Down Requests From Companies That Want To Shoot Down Drones
IEEE Spectrum
How Close Is Ordinary Light to Doing Quantum Computing?
Niel Savage
SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
James Rundle
Outlook/Exchange accounts under attack?
Rob Slade
U.S. investigating possible mysterious directed energy attack near White House
An Ambitious Plan to Tackle Ransomware Faces Long Odds
Man arrested over fake QR codes
South Australia Police
Spending on Cloud Computing Hits US$42 Billion Worldwide
Fighting patent trolls
Rob Slade
Re: Eversource Energy data breach caused by unsecured cloud storage
Anthony Thorn
Re: Fiery Tesla crash with no one driving
Re: IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours
Amos Shapir
Re: Masking the CoVID-19 problem
Robert Weaver
Info on RISKS (comp.risks)

The Plane Paradox: More Automation Should Mean More Training (WiReD)

Gabe Goldberg <>
Sun, 25 Apr 2021 21:23:37 -0400
Today's highly automated planes create surprises pilots aren't familiar
with. The humans in the cockpit need to be better prepared for the machine's

Shortly after a Smartlynx Estonian Airbus 320 took off on February 28, 2018,
all four of the aircraft's flight control computers stopped working. Each
performed precisely as designed, taking themselves offline after
(incorrectly) sensing a fault. The problem, later discovered, was an
actuator that had been serviced with oil that was too viscous. A design
created to prevent a problem created a problem. Only the skill of the
instructor pilot on board prevented a fatal crash.

Now, as the Boeing 737 MAX returns to the skies worldwide following a
21-month grounding, flight training and design are in the crosshairs.
Ensuring a safe future of aviation ultimately requires an entirely new
approach to automation design using methods based on system theory, but
planes with that technology are 10 to 15 years off. For now we need to train
pilots how to better respond to automation's many inevitable quirks.

  [This leads us to the old paradox.  The more automated everything is, the
  fewer trained system administrators will know what to do when the
  resiliency fails to provide self-recovering automated systems.  PGN]

VPN hacks are a slow-motion disaster (WiReD)

Gabe Goldberg <>
Sun, 25 Apr 2021 21:27:54 -0400
Recent spying attacks against Pulse Secure VPN are just the latest example
of a long-simmering cybersecurity meltdown.

AirDrop could make 1.5 billion Apple devices vulnerable to hackers (Fortune)

Gabe Goldberg <>
Mon, 26 Apr 2021 01:09:23 -0400
Apple's AirDrop feature could allow hackers to gain personal information via
your Apple device, according to security researchers in Germany.

A report from Technische Universitat Darmstadt says it has found a
`significant privacy leak' in Apple's file-sharing service. When users begin
sharing files with each other using AirDrop, others with malicious intent
can also tap into the data and gain access to the phone number and email of

Researchers say 1.5 billion Apple devices are vulnerable, and Apple has not
issued a security update since the report was issued.

Researchers say they alerted Apple to the problem in May 2019 but said,
“Apple has neither acknowledged the problem nor indicated that they are
working on a solution.” The team added it had also offered a fix for the
flaw, but have not heard back from Apple about the proposal.

Linked article gives a bit more information:

...but it requires proximity AND a brute force attack. So claiming 1.5B
devices at risk is a bit overwrought. So if this gets wider coverage, don't

Hundreds lose Internet service in northern B.C. after beaver chews through cable (CBC.CA)

"Matthew Kruk" <>
Mon, 26 Apr 2021 13:19:38 -0600
Telus calls damage 'uniquely Canadian turn of events' affecting about 900

  [This event was noted in Tumbler Ridge, British Columbia.
  However, it is not the first such case reported in RISKS:
    Eager beaver blamed for killing Internet, cell service" (RISKS-27.36)
  Nevertheless, beavers have a long way to go in competing with squirrel
  stories.  PGN]

NYPD Robot Dog's Run Is Cut Short After Fierce Backlash (NYTimes)

Gabe Goldberg <>
Fri, 30 Apr 2021 12:12:31 -0400
The Police Department will return the device earlier than planned after
critics seized on it as a dystopian example of overly aggressive policing.

When the Police Department acquired a robotic dog last year, officials
heralded the four-legged device as a futuristic tool that could go places
that were too dangerous to send officers.

“This dog is going to save lives,” Inspector Frank Digiacomo of the
department's technical Assistance Response Unit said in a television
interview in December. “It's going to protect people. It's going to protect

Instead, the machine, which the police named Digidog, became a source of
heated debate. After it was seen being deployed as part of the response to a
home invasion in the Bronx in February, critics likened it to a dystopian
surveillance drone.

And when officers used it at a public housing building in Manhattan this
month, a backlash erupted again, with some people describing the device as
emblematic of how overly aggressive the police can be when dealing with poor

Now, the robotic dog's days in New York have quietly been cut short.

Blindingly stupid citizens. Robodog is cute, capable, and unarmed yet people
feel threatened while worse issues ignored.

Researchers Say Changing Simple iPhone Setting Fixes Long-Standing Privacy Bug (Mike Snider)

ACM TechNews <>
Mon, 26 Apr 2021 12:22:14 -0400 (EDT)
Mike Snider, *USA Today*, 24 Apr 2021, via ACM TechNews, 26 Apr 2021

Scammers could exploit a bug in iPhones and MacBooks' AirDrop feature to
access owners' email and phone numbers, according to researchers at
Germany's Technical University of Darmstadt (TU Darmstadt). AirDrop allows
users with both Bluetooth and Wi-Fi activated to discover nearby Apple
devices, and share documents and other files; however, strangers in range of
such devices can extract emails and phone numbers when users open AirDrop,
because the function checks such data against the other user's address book
during the authentication process. The researchers said they alerted Apple
to the vulnerability nearly two years ago, but the company "has neither
acknowledged the problem nor indicated that they are working on a solution."
They recommend users disable AirDrop and not open the sharing menu, and to
only activate the function when file sharing is needed, then deactivate it
when done.

Why the FCC Keeps Shooting Down Requests From Companies That Want To Shoot Down Drones (IEEE Spectrum)

Gabe Goldberg <>
Thu, 29 Apr 2021 00:22:34 -0400
Regulators have denied testing permits to at least four electronic warfare
systems in the last six months

How Close Is Ordinary Light to Doing Quantum Computing? (Niel Savage)

ACM TechNews <>
Wed, 28 Apr 2021 12:19:27 -0400 (EDT)
Neil Savage, *IEEE Spectrum*, 27 Apr 2021
via ACM TechNews, Wednesday, April 28, 2021

Using mirrors to generate a light beam with multiple, classical
entanglements is possible, according to researchers at China's Tsinghua
University, the U.K.'s University of Southampton, and South Africa's
University of Witswaterand (WITS). WITS' Andrew Forbes said this technique
can entangle a potentially infinite number of photonic pathways, and his
team demonstrated eight degrees of freedom within a single beam by changing
the spacing between mirrors in the laser cavity. Said Forbes, "Not only
could we make light that took many different paths at once, but we could
encode information into those paths to make it look like we were holding a
high-dimensional multi-photon quantum state." Forbes added that since
quantum computing relies on particles existing in multiple states, some
algorithms could be run using classically entangled light, bridging quantum
and classical computers.

SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security (James Rundle)

ACM TechNews <>
Wed, 28 Apr 2021 12:19:27 -0400 (EDT)
James Rundle, *The Wall Street Journal*, 26 Apr 2021
via ACM TechNews, Wednesday, April 28, 2021

At an April 22 virtual event hosted by Cyber Education Institute LLC's
Billington Cybersecurity unit, U.S. Department of Defense's John Sherman
said the public and private sectors should adopt zero-trust models that
constantly verify whether a device, user, or program should be able to do
what it is asking to do. Ericom Software Ltd.'s Chase Cunningham said, "No
one who actually understands zero trust says abandon the perimeter. But the
reality of it is that you need to understand your perimeter's probably
already compromised, especially when you're in a remote space." Carnegie
Mellon University's Gregory Touhill stressed that zero trust is not a
technology but a strategy, and "we've got too many folks in industry that
are trying to peddle themselves as zero-trust vendors selling the same stuff
that wasn't good enough the first time."

Outlook/Exchange accounts under attack?

Rob Slade <>
Thu, 29 Apr 2021 10:06:53 -0700
Possibly it's due to all the Exchange servers still "pwned" from the
SolarWinds attack.  But I have been noticing a *huge* up-tick in spam (and
particularly phishing) messages in my Outlook account,
(The same account is also,,, and, but most of the spam seems to be addressed to

OK, maybe nine messages a day doesn't seem huge, but bear in mind that this
is an account that I hardly ever use.  I generally don't post from it, and
almost never to any mailing lists.  I don't exactly hide its existence, and
I sometimes note it as an alternate email when people have trouble with my
main Shaw account, or when I'm giving presentations.  And, up until a couple
of months ago, I hardly received any email in it at all.  (Which is why I
wonder about the SolarWinds thing.)

It's not as if Microsoft is really bad at spam filtering.  Looking at the
spam folder (which Microsoft insists on labeling "Junk") I note that there
are a number of messages Microsoft has dealt with automatically.  Although
an awful lot of the phishing messages that I *do* see (and report,
religiously, one of the reasons that I'm so aware of the growing spam
numbers) are dead copies of each other, even if they come from different
email accounts and sources.

I know that phishing doesn't have to have a high success rate.  Sending
phishing messages is pretty close to zero cost for phishers, so you can
have a success rate of 0.01% and still consider that a win.  But I am
starting to wonder how many people are getting"pwned" by this recent
onslaught ...

U.S. investigating possible mysterious directed energy attack near White House (CNNPolitics)

Gabe Goldberg <>
Thu, 29 Apr 2021 18:15:52 -0400
Washington (CNN)—Federal agencies are investigating at least two possible
incidents on US soil, including one near the White House in November of last
year, that appear similar to mysterious, invisible attacks that have led to
debilitating symptoms for dozens of US personnel abroad.

Multiple sources familiar with the matter tell CNN that while the Pentagon
and other agencies probing the matter have reached no clear conclusions on
what happened, the fact that such an attack might have taken place so close
to the White House is particularly alarming.

Defense officials briefed lawmakers on the Senate and House Armed Services
Committees on the matter earlier this month, including on the incident near
the White House. That incident, which occurred near the Ellipse, the large
oval lawn on the south side of the White House, sickened one National
Security Council official, according to multiple current and former US
officials and sources familiar with the matter.

An Ambitious Plan to Tackle Ransomware Faces Long Odds (WiReD)

Gabe Goldberg <>
Thu, 29 Apr 2021 18:24:59 -0400
A task force counting Amazon, Cisco, and the FBI among its members has
proposed a framework to solve one of cybersecurity's biggest problems.  Good

Man arrested over fake QR codes (South Australia Police)

Jim Reisert AD1C <>
Thu, 29 Apr 2021 20:11:30 -0600
28 Apr 2021

An Edwardstown man has been arrested after he allegedly placed fake QR codes
over business COVID check-in QR codes.

On 28 Apr 2021, members of SAPOL's COVID Compliance Section attended an
address in Edwardstown following allegations that false QR codes has been
placed over business QR Codes at South Plympton on Sunday 25 April.

"Anti-vaxxers are to blame for a QR code scam in Blackwood. Fake QR codes
were placed over genuine COVID safe check-ins and once scanned, it is
understood it led people to a website with information against
vaccinations. 7NEWS Adelaide at 6pm" #7NEWS

Spending on Cloud Computing Hits US$42 Billion Worldwide (Canalys)

ACM TechNews <>
Fri, 30 Apr 2021 12:25:23 -0400 (EDT)
Business Times (Singapore), 30 Apr 2021. via ACM TechNews, 30 Apr 2021

Market tracker Canalys said global cloud computing spending reached a
record-high US$41.8 billion in the first quarter of 2021 as businesses used
the Internet heavily to weather the pandemic. Worldwide spending on cloud
infrastructure services rose nearly US$11 billion year over year, according
to Canalys. The company's Blake Murray said, "Organizations depended on
digital services and being online to maintain operations and adapt to the
unfolding situation," although most businesses have not yet made the
"digital transformation." Canalys ranked Amazon Web Services as the world's
top cloud service provider, accounting for 32% of the market, followed by
Microsoft's Azure platform with 19% and Google Cloud with 7%. Going forward,
Murray expects continued migration to the cloud amid improving economic
confidence and the revitalization of postponed projects.

  [Too much trusting of potentially untrustworthy third-parties?

Fighting patent trolls

Rob Slade <>
Wed, 28 Apr 2021 10:12:46 -0700
Even though I'm an author, I'm not really big on "intellectual property."
Not that I'm against the idea of a creator benefitting from control over
what they've created: I just don't see it working out very well in the real
world.  As is usual, the Golden Rule is that “they that have the gold make
the rules,'' and intellectual property law tends not to protect creators as
much as it makes it possible for large corporations, with hordes of lawyers,
to pay a pittance to originators and then make fabulous profits off the

But what *really* gets my goat is patent trolls.  People or companies that
file for hugely overbroad patents, generally on things they never plan to
produce, and then sue people who actually produce usable products that stray
into the patent's clutches.  I have wasted *far* too much time over the past
decade and more, helping defend companies that have been hit by patent

Much of the time, the situation goes like this.  ABC Corp makes a product.
XYZ Corp, the patent troll, figures that it infringes on their patent.  XYZ
sues ABC for a hundred million dollars.  ABC goes to their lawyers.  Their
lawyers go to IP lawyers.  The IP lawyers get someone to do prior art
searches.  At this point they find me.  (This is mostly in the field of
antimalware stuff, and I reviewed basically everything that was available
between 1987 and 1996.)  So, the IP lawyers tell me about the XYZ patent,
and I list off all the programs that invalidate the XYZ patent because they
did what the XYZ patent talks about before it was filed.  So the IP lawyers
go back to the ABC lawyers, and ABC says to XYZ, "Well, we could invalidate
your patent, but it would be a long and expensive process: here's a hundred
thousand dollars.  Go away."  So, XYZ, who only wanted $100,000, is happy,
ABC is happy that they saved $100,000,000, the IP lawyers are happy they got
to charge lots of billable hours, and the only one *not* happy is me.

So I am delighted that Cloudflare has taken umbrage at being sued by a
patent troll, and encourage everyone to support their prior art search:

Re: Eversource Energy data breach caused by unsecured cloud storage (Wolitzky, RISKS-32.62)

Anthony Thorn <>
Mon, 26 Apr 2021 08:40:42 +0200
Did he become suspicious too late?

Jan Wolitzky describes a possible/probable phishing attempt:

> "I went to the website provided to sign up, but around the point where
> they asked for my Social Security number, I got suspicious."

How hard would it be to send a mass mailing on utility company letterhead,
warning people of a non-existent data breach, and sending them to some
website to sign up for credit monitoring, thereby quickly collecting all the
information you'd otherwise have to wait for a careless utility company to

I do hope that he did not follow a link in the email because his computer
might already be compromised...

Re: Fiery Tesla crash with no one driving (RISKS-32.61 & 62)

goldy <>
Sun, 25 Apr 2021 19:40:59 -0600
We have now had items in two RISKS issues repeating the "news" that a Tesla
crash took over four hours and 30,000 gallons of water to extinguish.
The RISK? Not checking facts before repeating rumors.

It seems that there is a difference between putting out a fire and keeping
a scene cool so that a fire does not reignite.

  [I do have dupes now and then, especially when an item is submitted well
  after an issue has already appeared.  (I often check for duplicates, but
  tend to miss a few now and then, because I do not have a lot of time to
  check everything.  However, I always try to run corrections when a
  submitted item is incorrect, and rely on readers to help keep the archival
  record straight, as you have done.  So yours is greatly appreciated.  PGN]

Re: IBM Clarifies Stance On Developers Working On Open-Source Projects In Off-Hours (RISKS-32.61)

Amos Shapir <>
Tue, 27 Apr 2021 17:51:26 +0300
I worked at IBM 10 years ago, but it seems they still keep their
spirit...   IBM views itself not as a company, but as a Kingdom (which used
to be an Empire).

The claim "You are an IBM employee 100% of the time" is not a whim of a bad
manager, but a direct quote from their Business Conduct Guide—a 200-page
document every candidate should read, before given access to any system.

In there, employees are taught that every person on Earth is either an IBM
Employee, an IBM Supplier, an IBM Customer, or else (implied consequently)
an IBM Enemy.  The 100% Employee is warned that anyone s/he may meet on a
bus, in a bar, or PTA meeting, may belong in one of these categories, and
should be approached accordingly.

Re: Masking the CoVID-19 problem (Weaver, RISKS-31.68)

Robert Weaver <>
Tue, 27 Apr 2021 10:50:42 -0400 (EDT)
If memory serves, Rob Slade had a bit of a screed on masks (see
RISKS-31.65), and was taken to task for it.  Then I commented on the 6-foot
thing, and there was some response around that issue, partly by Herr Doctor
Professor Peter Ladkin—who had been watching it, and referred to a study
and to a movie, "the Sneeze".

We now have better science to design controls, such as and while the guidance doesn't quite invert the previous recommendations, it deeply changes the advice.

The risks are subtle, and perhaps not precisely computer-related, but more
[generally] "science" related: the risks of jumping to a control with
limited scientific information, applying controls inexpertly, failure to
change the control regime in a timely fashion when the data changes, etc.

  [In retrospect, the Pandemic is still an evolving exercise a year later.

Please report problems with the web pages to the maintainer