NSW (New South Wales) is Australia's most populous state. There are 810 000 students in NSW public schools.
Public school teachers and principals could be without access to their online learning materials and email accounts until next week, after a cyber attack hit the NSW Education Department just hours after the state government directed schools to return to remote learning.
Educators have been locked out of the department’s online portal and unable to access their calendars, remote learning resources and communications since Wednesday evening, when the department deactivated its systems as a precaution while investigating the attack. [Image: the error message on the department's portal.]
On Thursday, department secretary Georgina Harrisson said she was confident online access would be restored by the start of term three, which begins on Tuesday, and assured families home learning would not be impacted.
In what could read like a complete issue of RISKS-L, UK regulator OFCOM has today released a report on the technologies which it has identified as likely to shape the Internet of the future.
This makes for very interesting reading.
The European Parliament on Tuesday approved a controversial law that would allow digital companies to detect and report child sexual abuse on their platforms for the next three years. […]
What comes next? […]
With most of the child trafficking and abuse done through encrypted communications on apps like WhatsApp and Telegram, the Commission wants to limit how secure those communications can be.
YouTube has been fined 100 000 Euros for being late in following a court injunction to restore a video.
The 25-minute video about Corona protests in Switzerland had been removed because of a five-second utterance of a demonstrator about Covid.
The Higher Regional Court at Dresden had issued an interim injunction to reinstate the video on 2021-04-20; it took until 2021-05-14 for the video to reappear.
To justify the delay, YouTube wrote
“The debtor [YouTube] therefore had to carefully weigh the respective consequences of the Higher Regional Court of Dresden's decision and its options before posting the video material back on YouTube for retrieval by third parties.”
The opposing attorney was not amused (or maybe he was) and wrote
“The debtor thus once again underlines her assessment that she considers herself above the unconditional observance of a court prohibition and subordinates this to her own discretion. The Chamber will have to evaluate this attitude.”
The court was not amused either and found that
“Against this background, the infringement is to be seen as a deliberate and - due to the duration - also serious infringement on the part of the defendant against the injunction, which - also taking into account the economic circumstances of the defendant against the injunction - justifies the imposition of a significantly higher fine than assumed by the Regional Court. Since, on the other hand, this is the first infringement on the part of the defendant, the Chamber has refrained from setting the fine at the maximum amount, but instead considers the imposition of a fine in the amount of €100,000.00 to be (still) sufficient as a result of the overall consideration.
If it is not possible to recover the fine, it will be replaced by imprisonment.”
A YouTube spokesperson was reported to have commented
“We have a responsibility to connect our users with trustworthy information and combat misinformation during Covid-19.” and “This is a single decision, which we will respect and review accordingly”.
Originals of the legal quotations are from
“Researchers at the University of Surrey found certain stop-watches commit rounding errors when converting raw times to final submitted times.”
Dave Philipps, The New York Times, 10 Jul 2021
This is somewhat depressing for the VA modernization process to replace the old VistA system: ten years and over $16 billion, including an apparently unexpected extra $2.5 billion for new laptops to accommodate the new software. The training efforts appear to have had mixed results. Not surprisingly, blame is widely diverse, aimed at past and present administrations.
“When it comes to public safety, traffic jams and environmental hazards, there is no framework for regulating private space travel.”
The framework's measurement and enforcement seeds are plugged into the US air traffic control system. See https://www.faa.gov/news/fact_sheets/news_story.cfm?newsId=23476 (retrieved on 20JUL2021) for the “Space Data Integration” platform.
In 2019, globally, there were 102 reported launches (and 5 of these launches failed) per http://www.spacelaunchreport.com/log2019.html (retrieved on 20JUL2021). ~40 launches in the US consisting of various Internet-access enhancing satellites and constellations that pollute ground-based astronomical observations, earth observation platforms, military/intelligence platforms, tardigrade experiments, quantum network experiments, and the odd “Scoop” asteroid sample return mission of the “Andromeda Strain”, etc.
The US launch number is projected to grow to ~70 or more in the next few years, especially for von Karman line “joy rides” (@ ~100 kilometers altitude per https://en.wikipedia.org/wiki/Kármán_line).
If you've ever experienced an airport ground stop while the U.S. president's flight stops air traffic for a runway haircut, or while that PIP (politically important person) traverses an air corridor's radius near you, you'll know the hassle it introduces to departure and landing schedules, idle jet engine fuel consumption, and air traffic routing congestion.
With SDI, the FAA can factor planned rocket departures and re-entry touchdowns into their scheduled air traffic planning and tracking platforms. Assuming there's no launch failure catastrophe or a re-entry flotsam shower, you'll be largely unaffected by the low launch quantity.
https://www.faa.gov/air_traffic/by_the_numbers/ (retrieved on 20JUL2021) estimates ~16.41M annual departures, ~45K per day. The arithmetic favors no ground stop delay for Wichita, KS to Patuxent River, MD air travel.
Ever since we got vaccines for CoVID, people have been talking about herd immunity. (No, this is not “I heard that vitamin D protects you against CoVID, so I’m not getting vaccinated.” That’s not heard immunity, it’s just cluelessness. And selfishness.) We keep hearing numbers like 70%, 80% and so forth. But herd immunity is not an absolute number. It can be a very complicated calculation, relying on a large number of factors, and it may be very difficult to predict in advance. It is, however, very real, and we, in technology, see it in operation all the time.
The math behind herd immunity has a number of similarities to traffic analysis. In the technical world we run into traffic analysis all the time, even if we don’t do the formal math on it. But we do encounter it and see the results.
First, let’s look at real traffic. Consider a stretch of road or highway at rush hour. To simplify things to the greatest extent, consider a bridge. As you inject more traffic (add cars, going to work or home), the throughput of the bridge increases. This continues (adding more traffic increases the throughput of the bridge), pretty linearly, until we get close to a certain maximum. At this point, the bridge has reached maximum capacity and throughput. If you add more traffic, cars get too close to each other, drivers get nervous, traffic slows down, and the throughput starts to fall. Very often the fall-off in throughput is precipitous and dramatic very soon after we exceed the maximum, and we get a traffic jam.
We see the same thing in various types of data networks. Consider Ethernet. We see the same pattern. As we inject traffic, the bandwidth increases. This continues until we reach a maximum. (In the case of Ethernet, that maximum is a rather surprisingly low 18% of the theoretical bandwidth.) At this point we get collisions, retransmission attempts, and the bandwidth starts to fall. (I recall one network where over 90% of the actual traffic on it was the noise of collisions and retransmissions.) Again, everything seems fine until we exceed the maximum, at which point the bandwidth, utility, and productivity of the net falls dramatically.
Herd immunity is very similar. I suppose, since everyone is talking about herd immunity but very few have actually studied it, that I have to explain that the concept of herd immunity was discovered by vets, and they were talking about an actual herd. (I should also point out that, in the initial paper on the subject, they weren’t talking about vaccinations as much as which animals were immune to a certain disease, and their initially recommended course was not vaccinating the non-immune, but culling them first. Taking that approach in the current situation might have a very beneficial effect on vaccine hesitancy.)
While the totality of herd immunity calculus is extremely complicated, one aspect can be illustrated very simply. Take a set of Go stones, or any large set of pieces or tiles that are divided into two colours. Consider white as unvaccinated, and black as vaccinated. Start with maybe 10% vaccinated. Dump the stones onto a flat surface such that the stones form a single layer. Wherever you have white stones touching each other, you have the potential for transmission. Where you have long strings of white together, you have the possibility of outbreaks. Continue dumping the stones, increasing the proportion of vaccinated stones each time. As the proportion of black stones increases, the number and length of white strings diminishes. Eventually, you get to the point where each white stone is completely surrounded by black. At that point you have illustrated herd immunity, because although not all of the population is vaccinated, the unvaccinated don’t ‘touch’ anyone to whom they can transmit.
We don’t, yet, have enough solid data about transmissibility, infection rates, vaccine efficacy, and other factors to predict, in advance, what level of vaccination we have to get to in order to reach herd immunity. We do know that, as I write this, we haven’t reached it anywhere in the world. We know that because we are still, despite various levels of precautions, seeing numbers of cases of CoVID every day. Once we reach herd immunity, the number of cases will drop quite dramatically.
Get vaccinated. Tell your family to get vaccinated. Tell your friends and work colleagues to get vaccinated. It protects you. It protects your family. It protects your neighbours and community. It allows you to go and visit your brand new great grandchildren. It allows you to start going to restaurants and movies. It allows for restarting economies. It prevents the development of new and more dangerous variants. (If I can’t convince you any other way, did I mention that one of the symptoms of long haul CoVID is sexual or erectile dysfunction?) Just do it.
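The stone-dumping thought experiment above, run as a small simulation. This is an added example and not part of the original post: it assumes stones on a square grid with four neighbours each, a fixed-seed pseudo-random generator written inline (no external crate), and it takes the size of the largest connected group of white stones, as a fraction of the whole layer, as the "long string of white" from which an outbreak could run. The seed, grid size and step count are arbitrary choices of the example.

```rust
/// Deterministic xorshift64* generator so every dump is reproducible
/// without external crates (an assumption of this example, not of the post).
struct Rng(u64);

impl Rng {
    fn new(seed: u64) -> Self {
        // xorshift needs a non-zero state
        Rng(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed })
    }
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12;
        x ^= x << 25;
        x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
    /// Uniform in [0, 1).
    fn next_f64(&mut self) -> f64 {
        (self.next_u64() >> 11) as f64 / (1u64 << 53) as f64
    }
}

/// Dump n*n stones in a single layer: true = black (vaccinated),
/// false = white (unvaccinated); each stone is black with probability p_vaccinated.
fn dump_stones(n: usize, p_vaccinated: f64, rng: &mut Rng) -> Vec<bool> {
    (0..n * n).map(|_| rng.next_f64() < p_vaccinated).collect()
}

/// Size of the largest group of white stones that touch (four neighbours),
/// found by an iterative flood fill over the layer.
fn largest_white_cluster(grid: &[bool], n: usize) -> usize {
    let mut seen = vec![false; n * n];
    let mut stack = Vec::new();
    let mut best = 0;
    for start in 0..n * n {
        if grid[start] || seen[start] {
            continue;
        }
        seen[start] = true;
        stack.push(start);
        let mut size = 0;
        while let Some(cell) = stack.pop() {
            size += 1;
            let (r, c) = (cell / n, cell % n);
            // (is this neighbour inside the layer?, its index)
            let candidates = [
                (r > 0, cell.wrapping_sub(n)),
                (r + 1 < n, cell + n),
                (c > 0, cell.wrapping_sub(1)),
                (c + 1 < n, cell + 1),
            ];
            for (inside, next) in candidates {
                if inside && !grid[next] && !seen[next] {
                    seen[next] = true;
                    stack.push(next);
                }
            }
        }
        best = best.max(size);
    }
    best
}

/// Fraction of the whole layer that sits in the largest white cluster.
fn outbreak_potential(n: usize, p_vaccinated: f64, seed: u64) -> f64 {
    let mut rng = Rng::new(seed);
    let grid = dump_stones(n, p_vaccinated, &mut rng);
    largest_white_cluster(&grid, n) as f64 / (n * n) as f64
}

/// Repeat the dump with a rising share of black stones, as the post describes.
fn sweep(n: usize, steps: usize, seed: u64) -> Vec<(f64, f64)> {
    (0..=steps)
        .map(|i| {
            let p = i as f64 / steps as f64;
            (p, outbreak_potential(n, p, seed))
        })
        .collect()
}

fn main() {
    for (p, frac) in sweep(200, 10, 42) {
        println!(
            "vaccinated {:3.0}%  largest unvaccinated cluster {:5.1}% of the layer",
            p * 100.0,
            frac * 100.0
        );
    }
}
```

On this square lattice the largest white cluster collapses from most of the layer to a handful of stones once roughly 40% of the stones are black (the site-percolation threshold of the square lattice is about 0.59 occupied sites), which is exactly the post's point that the number is not absolute: it depends on how many neighbours each stone touches and on how regularly, and a contact network with more, and more uneven, contacts per person moves the threshold well away from this toy value.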
‘Capability’/‘Tagged’ computer HW systems have traditionally lost out to ‘bare metal’-based HW systems due to higher complexity and higher cost.
From Burroughs to Multics to Lisp Machines to Intel iAPX 432 & i960, the road to safety has been littered with good intentions.
Initially, the additional memory cost for the tags was blamed; if we can't even afford memory parity bits, we certainly can't afford tag bits.
Thankfully, memory storage size is no longer an issue, and ECC memory is now nearly ubiquitous.
Next up in the blame game was CISC v. RISC. But modern instruction stream caches have completely obliterated this issue; indeed, CISC instructions are routinely ‘compiled on-the-fly’ into RISC instructions for storage into a RISC I-cache and executed at 100X memory speeds.
Yet ‘use-after-free’ and other memory mischief still consume trillions of dollars of effort each year by both the black hats and white hats.
Computer systems have to cater to programming patterns that provide both efficiency and security. No matter how safe a computer architecture is, it cannot be commercially successful unless it enables the highest speeds for compression/decompression, encryption/decryption, hashing, FFT's, AI/ML and the general efficiencies of the O(1) access time RAM ('random access memory') model.
By contrast, garbage-collected languages like Lisp can form the basis of an operating system, but only by hiding a huge amount of ‘firmware’ that implements the garbage-collector and lots of other heavyweight machinery under the hood, where ‘security by obscurity’ vainly attempts to rule.
The paper “Safe Systems Programming in Rust” in the April 2021 issue of CACM is an extremely lucid explanation of Rust's advantages.
“[Rust] tackles this challenge using a strong type system based on the ideas of ownership and borrowing, which statically prohibits the mutation of shared state. This approach enables many common systems programming pitfalls to be detected at compile time.”
“There are a number of data types whose implementations fundamentally depend on shared mutable state and thus cannot be type-checked according to Rust's strict ownership discipline. To support such data types, Rust embraces the judicious use of unsafe code encapsulated within safe APIs.”
“For example, consider data races: unsynchronized accesses to shared memory (at least one of which is a write). Even though data races effectively constitute undefined (or weakly defined) behavior for concurrent code, most ‘safe’ languages (such as Java and Go) permit them, and they are a reliable source of concurrency bugs. In contrast, Rust's type system rules out data races at compile time.”
“Rust's approach generalizes beyond memory management: other resources like file descriptors, sockets, lock handles, and so on are handled with the same mechanism, so that Rust programmers do not have to worry, for instance, about closing files or releasing locks.”
“The proof technique of semantic type soundness, together with advances in separation logic and machine-checked proof, has enabled us to begin building rigorous formal foundations for Rust as part of the RustBelt project.”
I applaud the use of strong type systems and machine-checkable proof systems to provide assurances of safety in OS-level kernel code. (AI may eventually prove (!) useful for developing a machine-checkable proof, but AI will never replace the need for the proof itself.)
Once we have a solid theoretical foundation in the form of a suitably expressive systems programming language like Rust, it will be time to revisit what changes & optimizations might be useful at the HW level — e.g., in the form of specialized instruction sets, cache designs and MMU designs — to further increase the efficiency and reduce the cost of CPU implementations.
Safe Systems Programming in Rust https://dl.acm.org/doi/pdf/10.1145/3418295?download=true
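The mechanisms the quoted passages describe, in one small Rust program: ownership ruling out use of a value after it has been given away, the type system refusing unsynchronised shared mutation across threads, RAII releasing a resource without an explicit close, and a piece of unsafe code kept sound by the checks of the safe API that wraps it. This is an added example, not code from the CACM paper or the RustBelt project; the Handle type, its shared log and the split_mut wrapper are constructed here for illustration and are not part of any library the post discusses.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

/// A resource handle that releases itself when it goes out of scope (RAII),
/// the mechanism the paper describes for files, sockets and lock handles.
/// The shared log exists only so the example can observe the release order.
struct Handle {
    id: u32,
    log: Arc<Mutex<Vec<String>>>,
}

impl Drop for Handle {
    fn drop(&mut self) {
        self.log.lock().unwrap().push(format!("released {}", self.id));
    }
}

/// Ownership: `consume` takes the handle by value, so the caller can never
/// touch it again. The commented-out line below would not compile
/// ("borrow of moved value"), which is how use-after-free is ruled out
/// statically rather than at run time:
///     let h = Handle { .. };
///     consume(h);
///     // println!("{}", h.id);
fn consume(h: Handle) -> u32 {
    h.id // `h` is dropped at the end of this scope and logs its release
}

/// Shared mutable state across threads must go through a synchronisation
/// type. Replacing Arc<Mutex<u64>> with Rc<RefCell<u64>> here is a compile
/// error (`Rc` is not `Send`), which is how data races are ruled out.
fn parallel_sum(values: Vec<u64>, workers: usize) -> u64 {
    let workers = workers.max(1);
    let total = Arc::new(Mutex::new(0u64));
    let chunk = ((values.len() + workers - 1) / workers).max(1);
    let mut threads = Vec::new();
    for part in values.chunks(chunk) {
        let part = part.to_vec();
        let total = Arc::clone(&total);
        threads.push(thread::spawn(move || {
            let partial: u64 = part.iter().sum();
            *total.lock().unwrap() += partial;
        }));
    }
    for t in threads {
        t.join().unwrap();
    }
    let result = *total.lock().unwrap();
    result
}

/// "Unsafe code encapsulated within a safe API": two disjoint mutable views
/// of one slice. The borrow checker cannot prove the halves are disjoint, so
/// the body uses raw pointers; the bounds check is what keeps the API sound
/// for every caller. (The standard library's `split_at_mut` does the same.)
fn split_mut<T>(xs: &mut [T], mid: usize) -> (&mut [T], &mut [T]) {
    let len = xs.len();
    assert!(mid <= len, "split point out of range");
    let ptr = xs.as_mut_ptr();
    // SAFETY: [0, mid) and [mid, len) do not overlap and both lie inside `xs`.
    unsafe {
        (
            std::slice::from_raw_parts_mut(ptr, mid),
            std::slice::from_raw_parts_mut(ptr.add(mid), len - mid),
        )
    }
}

/// Runs the three pieces and returns what each produced.
fn demo() -> (Vec<String>, u64, Vec<i32>) {
    let log = Arc::new(Mutex::new(Vec::new()));
    for id in 1..=3 {
        let h = Handle { id, log: Arc::clone(&log) };
        consume(h); // moved; released inside `consume`, never closed by hand
    }
    let released = log.lock().unwrap().clone();

    let total = parallel_sum((1..=100).collect(), 4);

    let mut buf = vec![1, 2, 3, 4, 5, 6];
    let (lo, hi) = split_mut(&mut buf, 2);
    lo[0] = 10; // both halves are writable at the same time,
    hi[0] = 30; // yet no two live references alias the same element
    (released, total, buf)
}

fn main() {
    let (released, total, buf) = demo();
    println!("{:?}\n{}\n{:?}", released, total, buf);
}
```

The part worth a reviewer's attention in any code base that uses unsafe is the one split_mut shows: the argument written in the SAFETY comment has to be guaranteed by the safe wrapper's own checks (here the bounds assertion), never by trusting callers, because the soundness of every safe call site rests on it.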
Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday.
The mystery is who made it happen.
The group, called REvil, short for “Ransomware evil,” has been identified by U.S. intelligence agencies as responsible for the attack on one of America's largest beef producers, JBS. Two weeks after Mr. Biden and Mr. Putin met in Geneva last month, REvil took credit for a hack that affected thousands of businesses around the world over the July 4 holiday.
U.S. “cyber-retaliation” against Russia for the actions of non-state actors located in Russia conducting cyberattacks isn't likely to stop the attacks, but is likely to do a lot of collateral damage to innocent parties. It's really, really, tough to know where exactly to aim.
The world’s largest crypto exchange has no headquarters, making it difficult for disgruntled traders to complain about the May crash
Justin Jouvenal, WashPost, 12 Jul 2021
A secret algorithm is transforming DNA evidence. This defendant could be the first to scrutinize it. Prosecutors have used software to help convict thousands but have never revealed its source code. A Virginia defendant has won the right to examine it for errors.
A listening device (blamed on Israeli Shin Bet) found in a sofa at an advanced Jewish religious school (Kollel) at Kiryat Arba, in Israel.
Video [Omitted here; please contact Gadi. PGN]
[via geoff goodfellow]
If we are to believe this meta study, the risk of getting a brain tumor increases from about 1 in 150 to about 1 in 100 due to excessive use of cell phones. There is no credible scientific evidence that I am aware of that low level non-ionizing radiation has any effect on the human body. There is a huge amount of evidence that the connectivity offered by cell phones has reduced poverty, enhanced education, increased social interaction (which increases longevity), and has the potential to improve health care. One might also ask whether the use of cell phones reduces the need for automobile travel. The probability that a person will die during a lifetime in an auto accident is roughly one percent. That’s a statistic, not a meta-study.
Thomas Koenig's message in RISKS 32.76 gives the impression that the German ministry for education and science proposes a Chinese-style social credit system for Germany.
In reality, the study is an attempt to forecast societal trends: “The role of Strategic Foresight is to anticipate technological, economic, legal and geopolitical developments.” The study also points out that “It is currently unclear which developments will take hold in the long term and which will not.”
The study describes six different scenarios, one of which predicts the emergence of a Chinese-style social credit system.
Lars-Henrik Eriksson, PhD, Senior Lecturer Computing Science, Dept. of Information Technology, Uppsala University, Sweden
> The German ministry for education and science (BMBF) has published a study in which it puts forward a Chinese-style social credit system for Germany.
I think Charlie Brooker already imagined what this would look like in a Western society: https://en.wikipedia.org/wiki/Nosedive_(Black_Mirror) . Not surprisingly, his vision differs from the BMBF version.
Th.Koenig in the article “Social-credit score system for Germany” writes “The German ministry for education and science (BMBF) has published a study in which it puts forward a Chinese-style social credit system for Germany.”
This is absolutely wrong and biased.
The study of the BMBF describes 6 possible scenarios of the future, the “social-credit score system” being just one of them. The BMBF writes “none of the six scenarios is particularly likely or unlikely. Rather, the study aims to capture which developments are possible for multifaceted futures, in order to use these in turn as a basis for discussion.”
That's easily solved. Just click here and read all about it. https://www.supremecourt.gov/opinions/20pdf/20-297_4g25.pdf
>Is this as f**ked up as it sounds?
Yes indeed. The dissent which starts on page 32 explains in detail.
Thanks, John. I have skimmed the decision, it pains me to agree with Clarence Thomas (being a long standing lefty in Canada).
Incidentally, I used to read many US Supreme Court decisions; and the more I read, the less respect I have for them. When I started reading, decades ago, the Justices would at least pretend to have some integrity and consistency, but over the decades, as the political atmosphere changed in the US, people like Scalia didn't even pretend anymore. I have now mostly stopped reading the decisions.
Anyway, thanks for the link,
I am impressed by this new paper from Jenny Blessing, Mike Specter and Danny Weitzner:
By collating data on bugs in crypto-code, they provide empirical support to the proposition that complexity is the enemy of security. Expect to add another vulnerability for every thousand lines of code. Worth reading in its entirety.
Even by the uneven standards of Tech Review, that is a truly dreadful article. It is full of FUD, and plain old errors.
All the app does is to display a 2-D barcode which is a JSON blob of the data with a digital signature so it can be verified offline. Any generic barcode scanner can scan it and show you the JSON. Since it's just showing a barcode, you can equally well print the barcode from the pass' web site, no app needed, indeed no phone needed. I don't know why it took four tries for the author to get his barcode, other than perhaps the usual difficulty of typing accurately on a tiny screen. I've had no trouble getting the barcodes for my wife and me.
I have also used the scanner app which does what it says: it scans the barcode from screen or paper, and if it's valid shows you the info, name, age, pass expiration date. If it's sucking up data and saving it, I don't know where it's doing so, since it's not saving it anywhere I can see it, and since I haven't told them who or where I am, it is not obvious what the point would be.
EFF just published a piece pointing out the problems with the Calif version, noting I think that it was worse than the NY version. Given the history of apps screwing up when it comes to data privacy, particularly when the government is involved, it's hard to see why anyone should trust these apps, even if we make the dubious assumption that they are free of relevant bugs.
A bill to ban fossil fuel powered cryptocoin mining has passed the NY Senate and is currently in front of the house.
I live about 1/2 hr from Seneca Lake and they can't pass it soon enough.
I'll forgive President Biden, the NSTC and the OSTP for committing the Santayana Sin of attempting to repeat the uglier events of history; they certainly aren't the first nor will they be the last.
If one compares the goals of Biden's “Scientific Integrity” task force and those of an earlier “Inquisition” task force, one finds that they are roughly equivalent: to prevent the suppression or distortion of dogma.
The heart of the problem is that scientific ‘truths’—unlike mathematical truths—are contingent and contextual, because they must contingently rely on a host of other contingent and contextual truths. Attempting to stamp out scientific ‘untruths’ (‘distruths’ ?) throws the baby out with the bath-water. There is NO scientific progress without heresy!
Examples are embarrassingly common and recent: ‘eugenics’ was ‘settled science’ in the early 20th C.; Supreme Court language such as “three generations of imbeciles are enough” led directly to the Nazi Holocaust. Aussie scientists Barry Marshall and Robin Warren couldn't get funding due to their heretical belief that stomach ulcers were caused by some sort of a bug.
Just recently, Katalin Kariko was finally proven correct about the incredible potential of mRNA-based vaccines with the Moderna and Pfizer COVID vaccines. “She migrated from lab to lab, relying on one senior scientist after another to take her in. She never made more than $60,000 a year.”
Innovation in science is a messy, chaotic business which doesn't respect race, language, age, tuition amount, gender or gender preference, religion, or political boundaries.
Mao was correct:
“Letting a hundred flowers blossom and a hundred schools of thought contend is the policy for promoting progress in the arts and the sciences…”
while cynically psychopathic:
“[Mao's] initiative [may have been] a deliberate attempt to flush out dissidents by encouraging them to show themselves as critical of the regime. Whether or not it was a deliberate trap isn't clear but it is the case that many of those who put forward views that were unwelcome to Mao were executed.”
We don't need any more inquisitional ‘task forces’ which will demoralize inventive scientific thought; on the contrary, we need to instead encourage more risk-taking through a wider distribution of research grants.