The RISKS Digest
Volume 32 Issue 69

Sunday, 30th May 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

U.S. nuclear weapon secrets revealed in cloud flash-card apps (Bellingcat)
U.S. nuclear weapon bunker security secrets spill from online (The Register via Tom Van Vleck)
Surviving an in-flight anomaly: what happened on Ingenuity's sixth flight (NASA)
"Rule of 48" redux concerning airborne spread of pathogens, a reminder with wide applicability to all research (WiReD)
A Never-Before-Seen Wiper Malware Is Hitting Israeli Targets (WiReD)
Secret Chats Show How Cybergang Became a Ransomware Powerhouse (NYTimes)
Why GitHub Refuses to Provide Key Evidence to a Man on Death Row (Gizmodo)
Several Organizations Protest Facebook, Sign Public Complaints Against Platform (Broadband Breakfast)
An FTC Lawsuit Says Frontier Lied About Internet Speeds (WiReD)
Scatalogical appliances (Medicalxpress.com)
A new replication crisis: Research that is less likely to be true is cited more (phys.org)
"Hobbit" house renamed due to lawsuit threat (Rob Slade)
Florida governor signs law to block *deplatforming* of Florida politicians (The Verge)
D.C. Attorney General Karl A. Racine brings antitrust lawsuit against Amazon (The Washington Post)
Microsoft Tips Generational Update for Windows 10 (PCMag)
NFTs and tokenization: How crypto could help regular people become real-estate tycoons (Fortune)
Security of the IMPs (Bernie Cosell)
SolarWinds hackers are back with a new mass campaign, Microsoft says (NYTimes)
Canada Post says 950,000 customers exposed in data breach (CBC)
A New Line of Attack that Evades Spectre Defenses (WiReD)
As Congress Dithers, States Step In to Set Rules for the Internet (NYTimes)
Colonial Pipeline accused of negligence in proposed class action (Bloomberg Law)
Truth, Lies, and Automation (Georgetown)
That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix (The Register)
For First Time, Microsoft Integrating GPT-3 Into Its Software (EnterpriseAI)
Caltech Prof Helps Solve Hindenburg Disaster (NOVA via Henry Baker)
Re: Just 12 People Are Behind Most Vaccine Hoaxes On Social Media (Toebs Douglass)
Sharing lock-picking information on RISKS (Jay Libove)
NoScript is immoral? (Martin Ward)
Re: freemium for all, was A mom panicked (John Levine)
June 2021 CACM Inside Risks column and video (David Roman)
Info on RISKS (comp.risks)

U.S. nuclear weapon secrets revealed in cloud flash-card apps (Bellingcat)

Rob Wilcox <robwilcoxjr@gmail.com>
Sat, 29 May 2021 15:04:54 -0700
Flash cards are a common memorization tool. They can be simply written on
pieces of paper and easily be carried for use in spare moments.

Military personnel in Europe used public flash-card apps to memorize exact
locations, previously secret, and the precise security details to keep
those nuclear weapons from unintended use.

The data uncovered by reporters spanned 2013 to the present. When NATO was
asked to comment, the data was taken down. Let's hope the archives too!

There is a good argument that human foibles make us unsuitable for tools
too powerful.

Full report via the Bellingcat investigative journalist group at
https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/


U.S. nuclear weapon bunker security secrets spill from online flashcards since 2013 (The Register)

Tom Van Vleck <thvv@multicians.org>
Sat, 29 May 2021 10:39:55 -0400
https://www.theregister.com/2021/05/28/flashcards_military_nuclear/

Seems like this problem is the result of people not understanding simple
consequences.  Either they didn't know some facts, or they didn't draw
logical conclusions.

Some things the missile workers should have been told:
- Phones and servers holding classified data must be approved for storing such data.
- Your cellphone is not secure. The flashcard servers are not secure.
- Even if it says 'secure' on the box, that doesn't make it secure.

The Three Questions apply.
- Have we made this error anywhere else?
- If we make a simple fix, what problem will we encounter next?
- How can we make this kind of problem impossible?

ACM SIGSOFT Software Engineering Notes, vol 14 no 5 July 1989, pp 62-63
(https://multicians.org/thvv/threeq.html, has cartoon also)


Surviving an in-flight anomaly: what happened on Ingenuity's sixth flight (NASA)

Monty Solomon <monty@roscom.com>
Sat, 29 May 2021 10:57:31 -0400
https://mars.nasa.gov/technology/helicopter/status/305/surviving-an-in-flight-anomaly-what-happened-on-ingenuitys-sixth-flight/


"Rule of 48" redux concerning airborne spread of pathogens, a reminder with wide applicability to all research

Bob Gezelter <gezelter@rlgsc.com>
Sat, 29 May 2021 07:54:01 -0400
The "Rule of 48" mentioned in Michael Crichton's "Andromeda Strain" is a
more general phenomenon affecting all fields of research. The "Rule of 48"
refers to a 1936 citation reporting the number of human chromosomes as
48. Decades later, the original microscope photographs were examined, and
the count was confirmed as 46.

Wired published "The 60-Year-Old Scientific Screwup That Helped Covid Kill",
describing recent research into the airborne spread of virus particles,
including SARS-CoV-2/COVID-19. The article documents how a questionable
number became embedded in the medical and public health communities.

An interesting read, applicable to many areas other than medicine and public
health.

https://www.wired.com/story/the-teeny-tiny-scientific-screwup-that-helped-covid-kill/


A Never-Before-Seen Wiper Malware Is Hitting Israeli Targets (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 28 May 2021 14:52:24 -0400
The malicious code, which masquerades as ransomware, appears to come from a
hacking group with ties to Iran.

https://www.wired.com/story/never-before-seen-wiper-malware-hitting-israeli-targets/


Secret Chats Show How Cybergang Became a Ransomware Powerhouse (NYTimes)

"Matthew Kruk" <mkrukg@gmail.com>
Sun, 30 May 2021 13:43:34 -0600
https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html

As the ransomware industry exploded, a Russian-speaking outfit called
DarkSide offered would-be computer crooks not just the tools, but also
customer support.  We got an inside look.


Why GitHub Refuses to Provide Key Evidence to a Man on Death Row (Gizmodo)

Gabe Goldberg <gabe@gabegold.com>
Fri, 28 May 2021 14:26:28 -0400
As a result of the law enforcement exception, Facebook alone honors hundreds
of thousands of government requests for user data annually—roughly
296,000 in 2020.  Meanwhile, social media companies have spent years fending
off defendants' court-approved subpoenas, even when they're aware that the
consequence could be a death sentence. In 2019, a Superior Court judge who
approved one such subpoena in a murder trial excoriated the companies.
"Facebook and Twitter appear to be misusing their immense resources to
manipulate the judicial system in a manner that deprives two indigent young
men facing life sentences of their constitutional right to defend themselves
at trial," Judge Charles Crompton wrote.  "Facebook and Twitter have made it
clear that they are unwilling to alter their behavior, regardless of the
harm to others—or the rulings of this court."  Crompton found them in
contempt of court for disobeying a lawful order, and the companies simply
ate the maximum $1,000 fines, a penalty that was likely cheaper than paying
their lawyers to do another hour of work.

If the Supreme Court decides to hear the case and rules in Colone's favor,
it could stand to not only potentially save Colone's life but spare
countless underprivileged people years of unjust incarceration.

https://gizmodo.com/a-death-row-inmate-has-waited-years-for-github-to-provi-1846976389


Several Organizations Protest Facebook, Sign Public Complaints Against Platform (Broadband Breakfast)

Gabe Goldberg <gabe@gabegold.com>
Thu, 27 May 2021 15:17:17 -0400
Organizations signed a formal list of 70 public complaints against the
social media giant.

May 26, 2021—“Representatives from a coalition of organizations gathered
outside Facebook's lobbying headquarters in Washington, D.C. Tuesday to
protest the company's alleged abuse of the American people and announce a
formal list of 70 public complaints against the social media platform.

Robert Weissman, president of the consumer rights advocacy group and think
tank Public Citizen, accused Facebook of political indifference and
subverting democracy, saying "the American people and people of the world
will no longer tolerate Facebook's abuses. This is a company out of
control. It is literally out of the control of our democracy."

The organizations present hold Facebook responsible for the alleged
spreading of misinformation that influences elections, limiting users'
access to competing ideas, and wielding unjust amounts of political power.

With the support of the agreeing organizations present, Weissman expressed a
lack of confidence in Facebook's ability to manage itself, claiming its
leaders had given up control to algorithms the company leaders didn't
understand. They called on the government to regulate the industry, break up
the company, and hold its executives legally accountable for the damages
done against the world.

https://broadbandbreakfast.com/2021/05/several-organizations-protest-facebook-sign-public-complaints-against-platform/


An FTC Lawsuit Says Frontier Lied About Internet Speeds (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 23 May 2021 14:56:55 -0400
https://www.wired.com/story/ftc-lawsuit-says-frontier-lied-about-internet-speeds/

I'm shocked that an ISP would lie about such an important matter.


Scatalogical appliances (Medicalxpress.com)

Richard Stein <rmstein@ieee.org>
Mon, 24 May 2021 10:24:03 +0800
https://medicalxpress.com/news/2021-05-smart-toilet-stool-health-problems.html

"An artificial intelligence tool under development at Duke University can be
added to the standard toilet to help analyze patients' stool and give
gastroenterologists the information they need to provide appropriate
treatment, according to research that was selected for presentation at
Digestive Disease Week (DDW) 2021. The new technology could assist in
managing chronic gastrointestinal issues such as inflammatory bowel disease
(IBD) and irritable bowel syndrome (IBS)."

This gizmo uses images to decide. Would an olfactory cross-reference elevate
diagnostic efficacy?

Risk: False negative/positive detection

  [Don't be bow(e)led over by this item.  It's just another questionable
  application for the Internet-of-Stinks.  Risks?  just more potential
  disruptive features of improperly protected online access.  PGN]


A new replication crisis: Research that is less likely to be true is cited more (phys.org)

Richard Stein <rmstein@ieee.org>
Mon, 24 May 2021 10:32:58 +0800
https://phys.org/news/2021-05-replication-crisis-true-cited.html

Non-reproducible publications that are not retracted can be weaponized via
social media, and are used to promote falsehoods that jeopardize public
health and promote incivility.

"The influence of an inaccurate paper published in a prestigious journal can
have repercussions for decades. For example, the study Andrew Wakefield
published in The Lancet in 1998 turned tens of thousands of parents around
the world against the measles, mumps and rubella vaccine because of an
implied link between vaccinations and autism. The incorrect findings were
retracted by The Lancet 12 years later, but the claims that autism is linked
to vaccines continue."


"Hobbit" house renamed due to lawsuit threat (Rob Slade)

Rob Slade <rslade@gmail.com>
Mon, 24 May 2021 12:13:11 -0700
Well, I thought Disney was the "Gold Standard" in terms of threatening
lawsuits over any possible trademark infringement, but Warner Brothers seems
to be trying to make their mark in the field.

Warner Brothers, distributor of the Hobbit movie franchise, has threatened
a lawsuit over the "Hobbit Mountain Hole" house.  The owner, not interested
in lawsuits, has renamed it the "Second Breakfast Hideaway."
https://vancouversun.com/news/local-news/b-c-hobbit-house-renamed-after-threat-of-lawsuit-from-warner-bros

A couple of points: I wonder if Warner is going to go after the "second
breakfast" reference.

Also, wouldn't it be the Tolkien estate that would have the real rights to
"Hobbit" references?  (Actually, you could probably defend the use of the
term "hobbit" on the basis of prior art: the word was in use before Tolkien
wrote about it ...)


Florida governor signs law to block *deplatforming* of Florida politicians (The Verge)

Gabe Goldberg <gabe@gabegold.com>
Mon, 24 May 2021 19:20:13 -0400
Skeptics say the law is *clearly unconstitutional*

https://www.theverge.com/2021/5/24/22451425/florida-social-media-moderation-facebook-twitter-deplatforming

Good luck with that. Maybe deplatform Florida entirely. Or provide a list
setting I've long wished for: "Set bozo mode" for a subscriber, so the bozo
sees their own posts and thinks they're broadcasting, but nobody else does.


D.C. Attorney General Karl A. Racine brings antitrust lawsuit against Amazon (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Wed, 26 May 2021 01:11:13 -0400
D.C. Attorney General Karl A. Racine on Tuesday brought an antitrust
complaint against Amazon, alleging that the e-commerce giant wields monopoly
power that has resulted in higher prices for consumers.

https://www.washingtonpost.com/technology/2021/05/25/dc-ag-antitrust/

Shocking.


Microsoft Tips Generational Update for Windows 10 (PCMag)

Gabe Goldberg <gabe@gabegold.com>
Wed, 26 May 2021 19:33:39 -0400
At Build, Microsoft CEO Satya Nadella calls the update the 'next generation
of Windows,' and promises to share more details soon.

During his keynote at Tuesday's Build developer conference, CEO Satya
Nadella teased that major changes are in store for the operating system.
"Soon we will share one of the most significant updates to Windows of the
past decade to unlock greater economic opportunity for developers and
creators.  I've been self-hosting it over the past several months, and I'm
incredibly excited about the next generation of Windows."  [...]

Nadella didn't reveal much else, except to tease that the updated OS will
benefit software developers everywhere. "Our promise to you is this: we
will create more opportunity for every Windows developer today and welcome
every creator who is looking for the most innovative, new, open platform to
build and distribute and monetize applications. We look forward to sharing
more very soon," Nadella said.

The comment might be connected to how Redmond is reportedly developing a new
version of the Microsoft App Store for Windows 10. According to Windows
Central, the company is refreshing the store with a new interface while also
relaxing the rules on how developers can publish apps on the platform. This
includes giving developers the option to use any third-party payment
solution to charge customers.

https://www.pcmag.com/news/microsoft-tips-generational-update-for-windows-10

This is supposed to be good news? As it's aimed to benefit developers?  And
inflicted on everyone?


NFTs and tokenization: How crypto could help regular people become real-estate tycoons (Fortune)

Gabe Goldberg <gabe@gabegold.com>
Thu, 27 May 2021 15:48:00 -0400
By using technologies online from the cryptocurrency world, like tokens and
blockchains, regular people could participate in real estate transactions
that are too unwieldy in the analog world.

For example, a hot new idea is using NFTs, or non-fungible tokens—digital
certificates that convey exclusive rights to something.  Although NFTs are
just starting to be applied to real estate, supporters say they will become
standard in the industry.

https://fortune.com/2021/05/20/real-estate-crypto-nfts-what-is-an-nft-tokenization-non-fungible-token-houses/


Security of the IMPs

"Bernie Cosell" <cosell@alum.mit.edu>
Fri, 21 May 2021 22:02:15 -0400
A colleague recently asked me how the teletype stuff worked in the old
ARPAnet IMP.

  [Tech short answer: it used a two-layer co-routine.  Tricky and a bit
  obscure but small and fast].  How it works was that there were two fake
  [i.e., internal] hosts in the IMP: one for the tty and one for a simple
  DDT-like debugger.  When the first two IMPs were installed [UCLA & SRI],
  while the host systems were working on their hardware and software, the
  IMP-guys there had the communication lines up and working right away and
  knew it was OK because they connected their TTYs to each other and could
  what-we'd-call-today "DM" each other, so we knew the message machinery,
  line machinery, routing machinery worked, and we were just waiting for
  the hosts to send an external-host-to-external-host message [the TTY and
  DDT used the *exact* same host machinery/software so we were pretty sure
  the IMP stuff was OK].

And I was horrified what a huge risk that machinery was.  I realized [for
the first time in 50+ years] how poorly designed that functionality was.  In
particular, since the DDT used the normal host machinery, ANY host on the
network could send commands and probes to ANY IMP [indeed we did that from
the NCC on IMP 5 to manage the IMPs].  BUT: ANY host.  No protections.  At
the time, for example, I believe that the MIT ITS system allowed just anyone
to [anonymously] access the ARPAnet.  All it would've taken is ONE hacker
knowing what I knew [damn.. and had implemented] to cause utter chaos
[untraceably!!!] on the ARPAnet.  E.g., one could every now and then tweak
the routing table, or tell an IMP to restart or disable some functionality.

In musing about this I was thinking that many of our current woes are due to
the fact that ARPAnet was built with not a single thought to security [I can
attest our primary/only concern was, really, that it *work*].  That then
oozed into the host protocols and so we, to this day, have to deal with
things like SNMP which should have been hardened, if not scrapped, before
the network was let loose out from ARPA's thumb.  I wonder how the
ARPAnet/Internet might have been different if we'd thought about security
and making the protocols robust right from the start.
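The design flaw Bernie describes is a control-plane function (the DDT fake host) reachable over exactly the same path as ordinary host-to-host traffic, with no notion of who is allowed to send it commands. The toy model below is an added example written for this digest, not ARPAnet IMP code: it puts the unprotected dispatch next to a hardened variant that gates debugger traffic on a management-host allowlist and an HMAC tag over the message, and logs every rejection so misuse is traceable. The host numbers, message layout, commands and the shared key are all assumptions made for illustration.

```python
"""Toy model of the IMP 'fake host' dispatch Bernie Cosell describes.

Added example, not ARPAnet IMP code. The message layout, host numbers,
the management-host allowlist and the HMAC tag are all assumptions made
for illustration; the historical IMP had none of the checks shown in
the hardened variant.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

DDT_HOST = 255   # assumed fake-host number for the internal debugger
TTY_HOST = 254   # assumed fake-host number for the internal teletype


@dataclass
class Message:
    src_host: int
    dst_host: int
    payload: bytes
    tag: bytes = b""   # authentication tag; the original design had none


@dataclass
class Imp:
    number: int
    routing_table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def ddt_execute(self, cmd: bytes) -> str:
        """Two debugger commands stand in for 'tweak the routing table'
        and 'tell an IMP to restart'."""
        parts = cmd.decode().split()
        if parts and parts[0] == "SET" and len(parts) == 3:
            self.routing_table[int(parts[1])] = int(parts[2])
            return "routing updated"
        if parts and parts[0] == "RESTART":
            self.routing_table.clear()
            return "restarted"
        return "unknown command"


def deliver_unprotected(imp: Imp, msg: Message) -> str:
    """The design Cosell describes: the DDT fake host sits behind the same
    host-to-host path as everything else, so any source host is obeyed."""
    if msg.dst_host == DDT_HOST:
        return imp.ddt_execute(msg.payload)
    return "delivered to host %d" % msg.dst_host


@dataclass
class HardenedImp(Imp):
    mgmt_hosts: frozenset = frozenset()   # e.g. the NCC's host number
    mgmt_key: bytes = b""                 # shared secret for the tag


def tag_for(key: bytes, msg: Message) -> bytes:
    """HMAC over source, destination and payload, so a control message
    cannot be forged or re-addressed by whoever can inject host traffic."""
    data = b"%d|%d|" % (msg.src_host, msg.dst_host) + msg.payload
    return hmac.new(key, data, hashlib.sha256).digest()


def deliver_hardened(imp: HardenedImp, msg: Message) -> str:
    """Control-plane traffic is gated on a source allowlist plus a valid
    tag, and every decision is logged so misuse is traceable."""
    if msg.dst_host != DDT_HOST:
        return "delivered to host %d" % msg.dst_host
    if msg.src_host not in imp.mgmt_hosts:
        imp.log.append(("reject-source", msg.src_host))
        return "rejected: control traffic from non-management host"
    if not hmac.compare_digest(tag_for(imp.mgmt_key, msg), msg.tag):
        imp.log.append(("reject-tag", msg.src_host))
        return "rejected: authentication failed"
    imp.log.append(("ddt", msg.src_host, msg.payload))
    return imp.ddt_execute(msg.payload)


if __name__ == "__main__":
    # Constructed traffic: an arbitrary host 17 addresses the debugger.
    probe = Message(src_host=17, dst_host=DDT_HOST, payload=b"SET 9 3")
    imp = Imp(number=5)
    print(deliver_unprotected(imp, probe), imp.routing_table)
    ncc = HardenedImp(number=5, mgmt_hosts=frozenset({5}), mgmt_key=b"demo-key")
    print(deliver_hardened(ncc, probe), ncc.routing_table)
    ctl = Message(src_host=5, dst_host=DDT_HOST, payload=b"SET 9 3")
    ctl.tag = tag_for(ncc.mgmt_key, ctl)
    print(deliver_hardened(ncc, ctl), ncc.routing_table)
```

The allowlist alone would not have been enough on a network where source host numbers were whatever the sender put on the wire, which is why the tag binds the source and destination into the authenticated data; the log is what turns "untraceably" into an audit trail.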


SolarWinds hackers are back with a new mass campaign, Microsoft says (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 29 May 2021 01:44:05 -0400
Russia Appears to Carry Out Hack Through System Used by U.S. Aid Agency
https://www.nytimes.com/2021/05/28/us/politics/russia-hack-usaid.html

SolarWinds hackers are back with a new mass campaign, Microsoft says
https://arstechnica.com/gadgets/2021/05/microsoft-says-solarwinds-hackers-targeted-us-agencies-in-a-new-campaign/


Canada Post says 950,000 customers exposed in data breach (CBC)

"Matthew Kruk" <mkrukg@gmail.com>
Thu, 27 May 2021 20:06:45 -0600
https://www.cbc.ca/news/business/canada-post-breach-1.6042602

Canada's national mail carrier says a malware attack on one of its suppliers
has impacted 44 of its biggest corporate customers across the country, and
potentially up to nearly one million people.

Canada Post said in a statement Wednesday that one of its suppliers,
Commport Communications, had its systems compromised in a cyberattack.


A New Line of Attack that Evades Spectre Defenses (WiReD)

Bob Gezelter <gezelter@rlgsc.com>
Sat, 29 May 2021 07:51:04 -0400


As Congress Dithers, States Step In to Set Rules for the Internet (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 29 May 2021 01:44:08 -0400
As Congress Dithers, States Step In to Set Rules for the Internet

Virginia, Florida, Arkansas and Maryland are among dozens of states that have introduced bills to curtail the power of Amazon, Google, Facebook and Twitter.

https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html


Colonial Pipeline accused of negligence in proposed class action (Bloomberg Law)

Richard Stein <rmstein@ieee.org>
Sat, 22 May 2021 10:55:50 +0800
https://news.bloomberglaw.com/tech-and-telecom-law/colonial-pipeline-accused-of-negligence-in-proposed-class-action

Schadenfreude emerges when inspecting CP's "General Terms & Conditions":
https://colonialoilindustries.com/2018/wp-content/uploads/gtc.pdf

See the last phrase, beginning with "except to the extent proximately caused
by..."

  "12. Indemnification. To the extent permitted by applicable law, Buyer
  agrees to indemnify, defend, hold harmless and reimburse Colonial for,
  from and/or against all claims, suits, judgments, costs, expenses, damages
  and/or liabilities of any nature or kind, including reasonable attorney's
  fees and costs, brought against or suffered, incurred or sustained by
  Colonial and arising or resulting in any way from (a) Buyer's breach of
  this Agreement or (b) any acts, omissions, events, occurrences, spills,
  releases, noncompliance with laws, rules or regulations, strict liability,
  explosions, fires or accidents of, involving, concerning or relating in
  any way to the product (whether relating to handling, storage, transfer,
  shipping, release or use thereof or otherwise) and which occur, take place
  or relate to any time after the time title passes to Buyer hereunder,
  except to the extent proximately caused by Colonial's negligent or willful
  wrongful acts."

CP was advised a few years in advance about deficient internet defenses;
they apparently did not invest to correct these deficiencies. The business
operations platforms—sales and inventory, customer profiling, etc—were
consequently assaulted. The US East Coast commuting population experienced
significant inconvenience.

Every for-profit shop with an internet footprint invokes indemnification to
shield against lawsuits. Indemnification enables corporations to operate --
sell products, collect, and exploit sales data—with commercial impunity.

When the corporate brand is threatened by a strategic operational mistake—a
failure to proactively mitigate auspicious infosec weaknesses—there's almost
no legal cover.

Expect a monetary settlement, a "non-admission of corporate guilt
statement," and a deferred prosecution agreement that waives employee
imprisonment subject to CP's promise to prevent recurrence.

I'll wait for my free gasoline voucher.


Truth, Lies, and Automation (Georgetown)

geoff goodfellow <geoff@iconia.com>
Sat, 22 May 2021 08:36:00 -1000
*How Language Models Could Change Disinformation*

Growing popular and industry interest in high-performing natural language
generation models has led to concerns that such models could be used to
generate automated disinformation at scale. This report examines the
capabilities of GPT-3--a cutting-edge AI system that writes text--to analyze
its potential misuse for disinformation. A model like GPT-3 may be able to
help disinformation actors substantially reduce the work necessary to write
disinformation while expanding its reach and potentially also its
effectiveness.

For millennia, disinformation campaigns have been fundamentally human
endeavors.  Their perpetrators mix truth and lies in potent combinations
that aim to sow discord, create doubt, and provoke destructive action. The
most famous disinformation campaign of the twenty-first century—the
Russian effort to interfere in the U.S. presidential election—relied on
hundreds of people working together to widen preexisting fissures in
American society.

Since its inception, writing has also been a fundamentally human endeavor.
No more. In 2020, the company OpenAI unveiled GPT-3, a powerful artificial
intelligence system that generates text based on a prompt from human
operators. The system, which uses a vast neural network, a powerful machine
learning algorithm, and upwards of a trillion words of human writing for
guidance, is remarkable. Among other achievements, it has drafted an op-ed
that was commissioned by The Guardian, written news stories that a majority
of readers thought were written by humans, and devised new internet memes.

In light of this breakthrough, we consider a simple but important question:
can automation generate content for disinformation campaigns? If GPT-3 can
write seemingly credible news stories, perhaps it can write compelling fake
news stories; if it can draft op-eds, perhaps it can draft misleading
tweets.  [...]
https://cset.georgetown.edu/publication/truth-lies-and-automation/


That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix (The Register)

Lauren Weinstein <lauren@vortex.com>
Sat, 22 May 2021 07:56:04 -0700
Operational procedures should make this sort of error impossible for
one person to do. So it's never just one person's fault. -L

https://www.theregister.com/2021/05/19/salesforce_root_cause/


For First Time, Microsoft Integrating GPT-3 Into Its Software (EnterpriseAI)

Gabe Goldberg <gabe@gabegold.com>
Wed, 26 May 2021 01:01:22 -0400
MICROSOFT BUILD 2021—Eight months after licensing the GPT-3 natural
language AI model from OpenAI last September, Microsoft is integrating the
language generator into its Microsoft Power Apps software to make it easier
for enterprise workers to build no-code applications.  [...]

Once GPT-3 is integrated with Microsoft Power Apps, non-technical employees
will be able to build a no-code Power Apps application by entering
conversational language and then have it automatically transformed into the
needed code using GPT-3, according to Microsoft.

https://www.enterpriseai.news/2021/05/25/for-first-time-microsoft-integrating-gpt-3-into-its-software/

Taking the old joke about "Write your program in FORTRAN or write a story
about your program in COBOL" to new levels of storytelling. Funny, the
announcement doesn't describe how non-technical employees will debug or
enhance their stories.


Caltech Prof Helps Solve Hindenburg Disaster (NOVA)

Henry Baker <hbaker1@pipeline.com>
Sat, 29 May 2021 08:02:01 -0700
I just watched the PBS NOVA program in which a Caltech professor provides
experimental evidence of how the Hindenburg Zeppelin burned and crashed in
1937—an NTSB-like investigation 84 years in the making.

As a trained electrical engineer, I agree with the conclusions, but the PBS
story excessively convoluted the relatively simple argument.

Here's my version on one slide:

* Hydrogen had been leaking from the tail section for some time—enough so
  that it was almost impossible to 'trim' the zeppelin so that the tail
  wouldn't touch the ground first.

* The skin and the frame of the zeppelin were electrically insulated from
  one another, so that they formed a giant capacitor (called a 'condenser'
  in 1937); every capacitor has a 'break down' voltage at which it 'shorts
  out'—sometimes in a spectacular fashion.

* During the zeppelin flight, both 'plates' (skin, frame) of this capacitor
  acquired a large charge relative to the ground, but with no voltage drop
  between them.

* When the landing ropes were dropped, the charge from the frame leaked down
  the somewhat wet ropes to the ground over a 4-minute period determined by
  the 'RC time constant', where R=rope resistance and C=skin/frame
  capacitance.

* The charge on the skin 'plate' remained, however, and thus the voltage
  drop between the skin and the frame increased until the breakdown voltage
  limit was reached, at which point numerous sparks all over the skin led to
  hydrogen ignition near the tail.
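
The slide's argument in equations, added here as an illustration rather than taken from Henry Baker's post or the NOVA program. It uses the slide's own simplification that the frame discharges through the ropes while the skin's charge stays fixed; $V_0$ and $V_b$ are symbols introduced here, not values from the page.

Let $V_0$ be the common potential of skin and frame relative to ground before the ropes drop, $R$ the rope resistance and $C$ the skin/frame capacitance. Once the ropes reach the ground the frame discharges as

$$V_{\mathrm{frame}}(t) = V_0\, e^{-t/RC},$$

while the isolated skin stays at $V_0$, so the voltage across the skin/frame capacitor grows as

$$\Delta V(t) = V_0 - V_{\mathrm{frame}}(t) = V_0\left(1 - e^{-t/RC}\right).$$

With a breakdown voltage $V_b < V_0$, sparking starts when $\Delta V(t^\ast) = V_b$, i.e. at

$$t^\ast = -RC \ln\!\left(1 - \frac{V_b}{V_0}\right),$$

so the sparks arrive within the discharge period the slide attributes to the RC time constant, sooner the smaller $V_b$ is relative to $V_0$.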

History's Mysteries: Caltech Professor Helps Solve Hindenburg Disaster
Emily Velasco, 17 May 2021
https://www.caltech.edu/about/news/historys-mysteries-caltech-professor-helps-solve-hindenburg-disaster

  [Very long item omitted for RISKS.  However, it is worth reading in its
  entirety, PGN]


Re: Just 12 People Are Behind Most Vaccine Hoaxes On Social Media, Research Shows (RISKS-32.68)

Toebs Douglass <risks@winterflaw.net>
Sat, 22 May 2021 18:44:18 +0200
The NPR article begins with this statement:

"Researchers have found just 12 people are responsible for the bulk of the
misleading claims and outright lies about COVID-19 vaccines that proliferate
on Facebook, Instagram and Twitter."

The NPR article explains nothing; it has an early paragraph stating a claim,
and a link to a PDF which is the basis for that claim, and then the rest of
the article goes on about how harmful this all is.

Reading the PDF, I'm finding it rather difficult to pick out what was
actually done, and so what is actually claimed.  What I've come up with is
this:

The investigators examined 10 private and 20 public anti-vaccine groups on
Facebook, over a period of six weeks, and from this selected 483 pieces of
anti-vaccine content which they considered representative (no basis for
selection was given).  They found over Facebook as a whole, these 483 pieces
of anti-vaccine content had been posted or shared about 690,000 times, and
that of these posts, 73% were of content which came from a group of twelve
individuals.

I don't think it's stated how many of the 483 pieces of anti-vaccine content
actually came from these twelve individuals.  Obviously, if say 90% of them
came from those twelve individuals, then selection bias at that point will
strongly influence the later findings.

Also, it seems to me that the number 690,000 is a very low number of posts
for all of Facebook for six weeks on such a topical matter.  Given how few
posts there are, I would also like to know how many of those posts were in
fact part of those 30 anti-vaccine groups.

In any event, generalizing from this to the entirety of Facebook, Instagram
and Twitter is wholly improper.

(Indeed, in the PDF, Instagram is in fact not investigated at all.  It is
mentioned as being a platform these individuals use, but the content was not
examined - only Facebook and Twitter.)

I think the large majority of the PDF is emotive activism for censorship,
including an actual and fairly lengthy profile of each of the accused, with
a small and, I have to say, rather confusingly presented and rather
unexplained (too many "we choose as representative") part being the
investigation that was performed.

There may be something in this, but taken as it is, right now, this seems to
me to be a means to an end - indeed, not entirely unlike the very
disinformation it seeks to discredit in others.  The origin is the "Center
for Countering Digital Hate", so we can imagine they're coming at this from
a particular point of view.


Sharing lock-picking information on RISKS

Jay Libove <libove@felines.org>
Sat, 22 May 2021 05:01:55 +0000
  [was: Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob,
  Popsicles (RISKS-32.65)]

Interesting note by PGN, and interesting comment by Bernie. My eyes barely
twitched when I read the original post which described how to bypass the
Washington Post paywall. (I just open WaPo articles in an
InPrivate/Incognito browser and re-accept the cookie and "You have three
free articles left" notice).

Should we share information about how to pick locks? I'm pretty sure we do
that. Every day, in announcing vulnerabilities and the devilishly clever
technology steps taken to exploit them. And, even better, in a timeless
SciFi way, by theorizing from where a next class of such vulnerabilities
will come, and how they may be used (for good and ill).

Of course, there's a responsible way to do that (and in my decades reading
RISKS the posts here have always fallen on the responsible side; thank you,
moderators).

What constitutes responsible disclosure of "Site <X>'s paywall can be
bypassed?"

For that matter, what constitutes *ethics* in such a situation?

I'm a paying subscriber to at least four major news publications across
three countries on two continents, and on all of them I *still* have to
repeatedly deal with cookie (re-)notices, to re-log in too frequently
(despite the "remember me" box having been ticked), and to suffer a raft of
other repetitive, intrusive technology and user experience design failures.

Where is the ethos that says that, especially for the paying customer, site
<X> has to do a good enough job to avoid repeatedly interfering with my paid
use of their product, and stop wasting my time?

Two wrongs don't make a right (Despite that sometimes three lefts do ...),
but, NOT talking about the-secret-that-everyone-knows which isn't even so
much a symptom of "I don't want to pay for it"-it is but really "it's broken
and everyone knows it but why won't anyone actually fix it" .. is that even
unethical, in fact? Or is it a needed prod to fix these services?

With all that background, plus of course the broad availability of browser
plugins, etc, meant explicitly to bypass paywalls, cookie banners, etc, I
didn't see any reason why RISKS shouldn't allow such an item to be posted,
and I'm unsurprised that the moderators didn't get much feedback about it.

Bernie, I'm glad you raised it, because I think that a *risk* that maybe we
haven't discussed enough in recent years is the aggregated societal cost in
wasted time and increased stress from poor user experience caused by a
combination of incompetence, excessive intent to continue selling (even to
those who have already bought), and failures to understand/ excessive(?)
fear of regulatory action provoking excessive "security" and "compliance"
friction in daily Internet use.

  [This is a very useful response.  I do not endorse schemes to get around
  paywalls.  For many years, I have tried to invoke fair use and *not* to
  run pay-walled items without seriously abridging them or PGN-ed-ing
  them into my own words, and encouraging interested readers to dig out the
  originals as appropriate.  In running the original item, I was hoping to
  trigger some constructive discussion that is respectful of paywalls but
  also warning that we are increasingly living in a world where almost
  everything is becoming monetized.  I am delighted with the responses from
  both Bernie and Jay.  PGN]


NoScript is immoral? (Re: RISKS-32.69)

Martin Ward <martin@gkc.org.uk>
Sat, 22 May 2021 12:09:13 +0100
I have been running NoScript to block all Javascript by default on all but a
few websites for many years and have been reading the occasional article
from the Washington Post for many years. I would not have even *known* about
their javascript block if I hadn't run the experiment of turning off
NoScript on the web site. Note that the Post hands out and displays the
complete article, along with some javascript that waits a few moments, and
then covers up the article with a request for a subscription. If the
javascript is not executed, then the article is not covered up. For all I
know, there may be dozens of other web sites that do the same!

A real world analogy: The Washington Post says, "I have an article about
XYZ, would you like to read it?"  You reply "OK, I'll have a look at it".
*The Washington Post* hands you the article and you start reading. Then *The
Washington Post* hands you a piece of cardboard and says "Please cover the
article I just gave you with this cardboard".  You ask "Why?" and WP answers
"So that I can ask you to pay me money to take the cardboard away
again". You say "How about I just decide *not* to cover the article with the
cardboard and carry on reading?".  "THIEF!!!" Except in my case, I didn't
even *hear* the request to cover the article with the card. Am I still a
thief?

Is it really morally wrong to choose *not* to execute by default every piece
of code that is handed to you by any web site that you decide to visit?


Re: freemium for all, was A mom panicked

"John Levine" <johnl@iecc.com>
21 May 2021 21:50:31 -0400
It appears that Bernie Cosell <cosell@alum.mit.edu> said:

>How handy!  We needed a forum on how to "share" things that we ought to pay
>for.  Next fun activity on RISKS—how to get ATMs to spit out money.
>
>NB: I don't mean to start a fight but I don't think that kind of "help" is
>appropriate for RISKS.

For anyone familiar with the way that the web works, it should be obvious
that freemium sites that let you view a few articles and then ask you to pay
use a browser cookie to keep the article count. If you set your browser not
to accept cookies from a site, there is no counter and in most cases you can
see all the articles you want. A few sites are pickier and check to see if
you're doing that, but mostly they don't bother, on the reasonable
assumption that anyone trying that hard to bypass the paywall is unlikely
ever to pay, and the harder they try to block freeloaders, the more likely
they'll also accidentally block legit users.

Those of us from the previous millennium remember software on copy protected
floppy disks, same idea to allow some kinds of use typical of paying
customers but not other kinds typical of non-payors.  The software industry
eventually stopped doing that, because the copy protection annoyed the legit
users, and the people who might be deterred by copy protection were unlikely
to turn into paying customers.  There was even a plausible argument that a
certain amount of copying led to more sales as people with illicit copies
found they liked the software enough to pay for documentation (there were
these paper things called "manuals") and support (using a now-forgotten kind
of telephone that you couldn't lose because it was attached to the wall with
a wire.)

As I've noted before, newspaper reporters like to eat, and subscriptions are
a big part of how they do that.  So if you tweak your browser to bypass the
paywall, that has nothing to do with "freedom".  You're just being cheap.

PS: Next rant: why I don't waste a lot of time chasing down pirate PDFs of
my books. But when people write and say your book is expensive, send me a
PDF for free, sorry, no, that's what libraries are for.


June 2021 CACM Inside Risks column and video

David Roman <roman@hq.acm.org>
Mon, 24 May 2021 20:16:00 +0000
"The Risks of Election Believability (or Lack Thereof)," the Inside Risks
column in the June 2021 Communications of the ACM (CACM), and its related
video, by Rebecca T. Mercuri and Peter G. Neumann, have been published
online at
https://cacm.acm.org/magazines/2021/6/252836-the-risks-of-election-believability-or-lack-thereof/fulltext.
The video alone is at https://vimeo.com/552504677.

  [David's ACM URLs are likely to be behind the ACM paywall.  The article
  is also up on the Inside Risks website at
    http://www.csl.sri.com/neumann/insiderisks251.pdf
  PGN]
