[For the entire history of the ACM Risks Forum, we have sought integrity and trustworthiness in scientific and engineering efforts, and what we might be able to do to ensure it. This may be the first government RFI to be included in RISKS, but it seems to be exactly in our wheelhouse. I believe our International audience might want to respond, as well as those in the U.S. PGN] The White House Office of Science and Technology Policy (OSTP) seeks information by 28 July 2021 to help improve the effectiveness of Federal scientific integrity policies to enhance public trust in science. The January 27, 2021 Presidential Memorandum on Restoring Trust in Government Through Scientific Integrity and Evidence-Based Policymaking (Memorandum) directs OSTP to convene an inter-agency task force under the National Science and Technology Council to review the effectiveness of policies developed since the issuance of the Presidential Memorandum on scientific integrity issued on March 9, 2009 in preventing improper political interference in the conduct of scientific research and the collection of data; preventing the suppression or distortion of findings, data, information, conclusions, or technical results; supporting scientists and researchers of all genders, races, ethnicities, and backgrounds; and advancing the equitable delivery of the Federal Government's programs. To support this assessment, OSTP seeks information about: (1) The effectiveness of Federal scientific integrity policies and needed areas of improvement; (2) good practices Federal agencies could adopt to improve scientific integrity, including in the communication of scientific information, addressing emerging technologies and evolving scientific practices, supporting professional development of Federal scientists, and promoting transparency in the implementation of agency scientific integrity policies; and (3) other topics or concerns that Federal scientific integrity policies should address.
Please note the purpose of this RFI is not to receive reports on alleged offenses that are in violation of Federal scientific integrity policies. If you have witnessed or experienced any harmful acts that may undermine scientific integrity and you would like to report these allegations, please contact the Scientific Integrity Officer or Office of the Inspector General at the relevant Federal agency. https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies
And here is the code grabber hidden in the Game Boy case. https://twitter.com/it4sec/status/1411902542993412096
The German ministry for education and science (BMBF) has published a study in which it puts forward a Chinese-style social credit system for Germany. A translated quote from the long version on an official BMBF page, https://www.vorausschau.de/vorausschau/de/home/home_node.html#zukuenfte (the web site's design is atrocious; trying to find the information is quite difficult): “Highly controversial at the beginning, the bonus point system is largely accepted in the 2030s. It establishes new norms in everyday life that were not possible before. The participatory development of the rules also ensures greater acceptance among the population. Approval of the bonus system is growing, particularly in view of the increasing dynamics of climate change. A point-based evaluation, for example of the ecological footprint, helps to make the polluter-pays principle transparent.” Participation in the point system would be voluntary in the sense that not participating would bring very real drawbacks. Another quote: “The bonus system is also helpful for the labor market, which continues to suffer from a shortage of skilled workers. It helps to identify qualification potential and efficiently organize the spatial mobility of the workforce.” So, not participating would lead to lower chances of getting a job. China is explicitly mentioned as a role model.
From https://www.theregister.com/2021/07/05/infinidash/ : “A tweeted musing that merely mentioning a new AWS product would be enough to see it appear in job ads has come true—even though the product mentioned is made up.” Amusingly, enough people picked up the joke and ran with it (my personal favourite was the announcement of an *O RLY* book) for it to indeed expose quite a few bandwagons, not in the least the aforementioned job specs which have long demonstrated a remarkable ability to remain disconnected from reality. Entertaining - and educational.
Matt Burgess, WiReD, 7 Jul 2021 Companies are racing to track your emotions, how you walk and your voiceprint. Should Europe ban biometric tracking entirely? Your body is a data goldmine. From the way you look to how you think and feel, firms working in the burgeoning biometrics industry are developing new and alarming ways to track everything we do. And, in many cases, you may not even know you're being tracked. But the biometrics business is on a collision course with Europe's leading data protection experts. Both the European Data Protection Supervisor, which acts as the EU's independent data body, and the European Data Protection Board, which helps countries implement GDPR consistently, have called for a total ban on using AI to automatically recognise people. [...] https://www.wired.co.uk/article/europe-ai-biometrics
[Why is this still legal?] https://www.nbcnews.com/science/environment/some-locals-say-bitcoin-mining-operation-ruining-one-finger-lakes-n1272938?cid=sm_npd_nn_tw_ma
https://medicalxpress.com/news/2021-07-burden-electronic-health-primary-clinicians.html Health record data entry by physicians interferes with patient quality of care. Data entry streamlines healthcare billing, but should it be prioritized over positive patient outcome? Apparently yes. What can be done to mitigate this conflict? "Virtual or AI-powered scribes could reduce the burden of note-taking across primary care specialties and can be evaluated in future studies, the authors state. Interventions that streamline messaging and placing orders are also research priorities." Naturally enough, these medical incidents are known to arise from old-fashioned, hands-on medicine. How common are these medical errors? The abstract from "Your Health Care May Kill You: Medical Errors," via https://pubmed.ncbi.nlm.nih.gov/28186008/ from Stud Health Technol Inform 2017;234:13-17. "Recent studies of medical errors have estimated errors may account for as many as 251,000 deaths annually in the United States (U.S.), making medical errors the third leading cause of death. Error rates are significantly higher in the U.S. than in other developed countries such as Canada, Australia, New Zealand, Germany and the United Kingdom (U.K.)." I wonder if AI-driven prescriptions will go haywire? Or the wrong diagnostic procedure will be ordered and performed? Fortunately, the pneumoencephalogram (https://en.wikipedia.org/wiki/Pneumoencephalography) has been retired. [I almost misread this as pneumann ... has been retired. PNeumann]
Just say no. -L https://www.technologyreview.com/2021/07/06/1027770/vaccine-passport-new-york-excelsior-pass/
Even as Microsoft *expanded patches* https://docs.microsoft.com/en-us/windows/release-health/windows-message-center for the so-called PrintNightmare vulnerability for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the patch for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems. On Tuesday, the Windows maker issued an *emergency out-of-band update* <https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html> to address *CVE-2021-34527* <https://thehackernews.com/2021/07/microsoft-warns-of-critical.html> (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug—tracked as CVE-2021-1675—that was patched by Microsoft on June 8. <https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html> "Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism," Yaniv Balmas, head of cyber-research at Check Point, told The Hacker News. "These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing." "These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability," Balmas added. [...] https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html
Humans are an organization's strongest defence against evolving cyber-threats, but security awareness training alone often isn't enough to transform user behaviour. Human Risk Management (HRM) is the FIX. Check out this new guide from @getusecure: [...] https://thehackernews.com/2021/07/security-awareness-training-is-broken.html via https://twitter.com/TheHackersNews/status/1413158374057730052
Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from *Kaseya*, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago. On July 3, the REvil ransomware affiliate program <https://krebsonsecurity.com/?s=revil> began using a zero-day security hole (CVE-2021-30116 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software—known as the *Kaseya Virtual System Administrator* (VSA). According to this entry for CVE-2021-30116 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild <https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>. Also on July 3, security incident response firm *Mandiant* notified Kaseya that their billing and customer support site—*portal.kaseya.net <http://portal.kaseya.net>*—was vulnerable to CVE-2015-2862 <https://nvd.nist.gov/vuln/detail/CVE-2015-2862>, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser. As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness. [...] https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/
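The "directory traversal" class that the Krebs item describes for CVE-2015-2862, shown as an added example that is not code from the post, from Krebs, or from Kaseya: a naive base-directory-plus-request join beside a resolver that normalizes the requested name and refuses anything that escapes the web root. The web root `/srv/portal/public` and the request strings are constructed for illustration; nothing here reproduces the actual Kaseya flaw.

```python
"""Containment check for file names taken from an HTTP request.

Added example (constructed). BASE_DIR is an assumed web root; the request
strings in the demo are made up. The point is the pattern: normalize first,
then verify the result is still inside the allowed directory.
"""
import os
import posixpath
from pathlib import Path
from typing import Optional

BASE_DIR = Path("/srv/portal/public")  # assumed web root (constructed)


def naive_resolve(user_path: str) -> Path:
    """The vulnerable pattern: concatenate and trust the result.

    '../' segments are carried straight through, so the caller ends up
    opening a file outside BASE_DIR.
    """
    return Path(f"{BASE_DIR}/{user_path}")


def normalized_naive_target(user_path: str) -> str:
    """Where the naive join actually points once the OS collapses '..'."""
    return os.path.normpath(str(naive_resolve(user_path)))


def safe_resolve(user_path: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Map a request path onto `base`; return None if it must be refused.

    Refuses: empty names, embedded NULs, absolute paths, anything that
    normalizes to a parent of `base`, and a bare request for the root.
    """
    if not user_path or "\x00" in user_path:
        return None
    # URL paths are POSIX-style; treat backslashes as separators too so a
    # Windows-flavoured '..\\..\\' cannot slip past the check below.
    norm = posixpath.normpath(user_path.replace("\\", "/"))
    if norm.startswith("/") or norm == "." or norm == ".." or norm.startswith("../"):
        return None
    candidate = base / norm
    # Second, independent check: after symlink resolution the candidate
    # must still sit under the resolved base. Catches anything the lexical
    # test above did not, at the cost of a filesystem lookup.
    try:
        candidate.resolve().relative_to(base.resolve())
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: one legitimate, several that attempt to escape.
    for req in ["css/site.css", "docs/../index.html", "../../etc/passwd",
                "..\\..\\etc\\passwd", "/etc/passwd", "a/../../b"]:
        print(f"{req!r:26} naive -> {normalized_naive_target(req)!s:34} "
              f"safe -> {safe_resolve(req)}")
```

The lexical test alone neutralizes `..` but would silently map `/../../etc/passwd` onto a file *inside* the root; rejecting instead of rewriting is deliberate, because a request that tries to leave the directory is worth logging, not serving. The `resolve()` step is what defends against a symlink planted under the web root, which no string check can see.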
New UC Berkeley research draws a strong link between cell phone radiation and tumors, particularly in the brain. Researchers took a comprehensive look at statistical findings from 46 different studies around the globe and found that the use of a cell phone for more than 1,000 hours, or about 17 minutes a day over a ten year period, increased the risk of tumors by 60 percent. Researchers also pointed to findings that showed cell phone use for 10 or more years doubled the risk of brain tumors. *Joel Moskowitz* <https://publichealth.berkeley.edu/people/joel-moskowitz/>, director of the Center for Family and Community Health with the *UC Berkeley School of Public Health* <https://publichealth.berkeley.edu/>, conducted the research in partnership with Korea’s National Cancer Center, and Seoul National University. Their analysis took a comprehensive look at statistical findings from case control studies from 16 countries including the U.S., Sweden, United Kingdom, Japan, Korea, and New Zealand. [...] https://www.ktvu.com/news/new-uc-berkeley-study-draws-strong-link-between-cell-phone-use-and-cancer
[Hi Steven—My concern was only hypothetical.] Suppose the TransUnion data were breached, and certain parties had chosen to weaponize or exploit it? Those unfortunate 8K folks might experience palpable consequences: reduced job eligibility, stigmatization, etc. until or unless they could exonerate themselves by attempting to restore reputation. Gives one pause about profiling activities in general, and the lists of values/attribute labels contained in profiles. History suggests the global data breach pandemic is unlikely to subside. Consequences and risks compound with each case.
In Risks 32.75, Steve Klein points out that we shouldn't get excited about the U.S. Supreme Court decision siding with the credit agency for SOME PEOPLE—because "... faulty records that were never shared ... could not have suffered any damages." I am not a lawyer and have not read the decision, but it sounds like: 1. Someone has a loaded gun pointed to my head. 2. The trigger will be pulled - as soon as some random user pays $10 (or whatever fee they charge). 3. The courts cannot do anything until the trigger is pulled. 4. So, after I am dead (or my life is ruined), the courts MAY fine the credit agency some nominal amount. Is this as f**ked up as it sounds?