The RISKS Digest
Volume 32 Issue 92

Saturday, 6th November 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

SpaceX Under Fire After Autonomous Rocket Hits Pedestrian
The Onion
9-year-old unlocks unconscious father's iPhone with his face to call 911
Apple Insider via Monty Solomon
AI Is Not A-OK
NY Times
Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz
NYTimes
Trojan Source Bug Threatens the Security of All Code
KrebsonSecurity
Hackers are stealing data today so quantum computers can crack it in a decade
MIT Tech Review
Using Google search to deliver customers or worse
Mike
Credit-card PINs can be guessed even when covering the ATM pad
BleepingComputer
CoVID dream, risk, and the Newfoundland "cyberattack"
Rob Slade
Will there be vehicle safety tricks or treats this Halloween?
Gabe Goldberg
Re: I *really* hate Hopin ...
John Stewart
Re: Lettering on clothes mistaken for license plate
Andy Walker
Info on RISKS (comp.risks)

SpaceX Under Fire After Autonomous Rocket Hits Pedestrian (The Onion)

Gabe Goldberg <gabe@gabegold.com>
Sun, 31 Oct 2021 16:13:59 -0400
AUSTIN, TX”Calling it a terrible tragedy that could and should have easily
been avoided, investigators slammed SpaceX Thursday after an autonomous
rocket veered off course and struck a pedestrian. “At approximately 11
a.m. CST, a SpaceX Falcon9 rocket launched itself into traffic at 17,000
mph, hitting and subsequently killing a man who was crossing the street,”
read a statement from the National Transportation Safety Board, adding that
despite being programmed with the latest self-guiding software, the rocket
entered traffic, ignored several red lights, and failed to disengage several
high-speed booster rockets at the time of impact. “After striking and
killing the pedestrian, the spaceship continued to accelerate, until it
ultimately flew off of a cliff and collided with a tree, creating an
enormous mushroom cloud visible from the entire city. Sadly, until we can
enter the several hundred foot crater and find the rocket’s data logs, we
may never know what truly happened.” At press time, SpaceX responded that
while they were sorry for the loss of life, they were proud that no cars
were harmed in the accident.

https://www.theonion.com/spacex-under-fire-after-autonomous-rocket-hits-pedestri-1847946787


9-year-old unlocks unconscious father's iPhone with his face to call 911 (Apple Insider)

Monty Solomon <monty@roscom.com>
Thu, 4 Nov 2021 00:50:26 -0400
https://appleinsider.com/articles/21/11/03/9-year-old-unlocks-fathers-iphone-with-his-face-calls-911-as-carbon-monoxide-fills-home


AI Is Not A-OK (NY Times)

"George Sherwood" <sherwood@transedge.com>
Sun, 31 Oct 2021 14:15:48 -0400
Maureen Dowd interviews Eric Schmidt about the future of artificial
intelligence.

  The first time I interviewed Eric Schmidt
  <https://www.nytimes.com/2009/04/15/opinion/15dowd.html?timespastHighlight=e
  ric,schmidt,maureen,dowd> , a dozen years ago when he was the C.E.O. of
  Google, I had a simple question about the technology that has grown
  capable of spying on and monetizing all our movements, opinions,
  relationships and tastes.

  "Friend or foe?" I asked.

  "We claim we're friends," Schmidt replied coolly.

  Now that the former Google executive has a book out Tuesday on "The Age of
  AI
  <https://www.littlebrown.com/titles/henry-a-kissinger/the-age-of-ai/97803162
  73800/> ," written with Henry Kissinger and Daniel Huttenlocher, I wanted
  to ask him the same question about A.I.: "Friend or foe?"

  https://www.nytimes.com/2021/10/30/opinion/eric-schmidt-ai.html


Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 6 Nov 2021 13:49:18 -0400
Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz

The downfall of Austria’s onetime political Wunderkind put a spotlight on
the cozy, sometimes corrupt, relationship between right-wing populists and
parts of the news media.

https://www.nytimes.com/2021/10/17/world/europe/austria-sebastian-kurz-scandal-chancellor.html


Trojan Source Bug Threatens the Security of All Code (KrebsonSecurity)

Tom Van Vleck <thvv@multicians.org>
Mon, 1 Nov 2021 10:19:16 -0700
https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

Normally a scare headline like this would lead me to ignore it.  But this
has Ross Anderson's name on it.

https://www.trojansource.codes/


Hackers are stealing data today so quantum computers can crack it in a decade (MIT Tech Review)

Monty Solomon <monty@roscom.com>
Thu, 4 Nov 2021 00:47:58 -0400
https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/


Using Google search to deliver customers or worse

"mike smith" <mike1234z@hotmail.com>
Tue, 2 Nov 2021 03:13:11 +0000
I've run across an interesting way some websites have found to deliver
traffic to themselves.  I was searching for a recipe and one of the Google
search results appeared to have what I needed.  However when I clicked on
the link to ckbk.com<https://app.ckbk.com/> I found that while it was indeed
the recipe I wanted, the actual contents were behind a paywall and I had to
subscribe to see the actual recipe.  It appears the website has found a way
to recognize the Google spider and allow it to index their site but then
lock out those using the search link from Google.

Risks here start with persuading people to give credit card info for
information that was seemingly provided openly on the web.  Who knows what
happens once they have that info.  And if this website can give the spider
one view of their website and the public something else, putting the
promised content behind a paywall is going to be child's play compared to
the other exploits possible.

  [Mike Smith alias Mike Thompson?]


Credit-card PINs can be guessed even when covering the ATM pad (BleepingComputer)

"Gabe Goldberg" <gabe@gabegold.com>
Thu, 4 Nov 2021 15:35:57 -0400
https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/

  [I did not dig this one up, but it is obvious to me that hand motions of
  one-finger keyers can be a big giveaway, requiring only one try in certain
  cases of geometric PINs on the standard keypad.  PGN]


CoVID dream, risk, and the Newfoundland "cyberattack"

Rob Slade <rmslade@shaw.ca>
Thu, 4 Nov 2021 11:36:58 -0800
I've had another of my (infrequent) CoVID dreams.  (I don't remember a lot
of details, but the gist is there.)  Somebody (possibly me) is supplying
cleansers, unguents, and potions to the Royal Family.  They are full of
random ingredients, none of them particularly effective.  So, somebody
(possibly me) suddenly, and without warning, insists upon changing the
formulations of the cleansers, unguents, and potion so that they *are*, at
least minimally, effective.  (High- handed, I know, but probably useful.)

In recent days the IT systems underlying the Newfoundland and Labrador
health ministry, and hospitals, and diagnostic services, have ceased to
work.  This, particularly in the middle of a pandemic, could be a problem,
since nothing of a health nature, aside from direct emergency services, is
happening.  Nobody is saying much about it.  The relevant minister, and law
enforcement leaders, have, after more than a day of pretty much useless
pronouncements, finally admitted that the situation is a result of a
"cyberattack."  This is a singularly unhelpful piece of information, given
that it could describe almost anything.  "Sources" are wildly speculating
that it might be "ransomware," with no indication that any of those
"sources" actually knows what "ransomware" *is*, beyond "something that's
recently made problems for a lot of enterprises."  (Similar "sources" are
now saying that the "cyberattack" is the worst in Canadian history, despite
not knowing what it is or how bad.)  The lack of information *may* result
from embarrassment (if, in *this* day and age, *I* had to admit that I'd
suffered a ransomware attack and didn't know how to recover within a day or
so, *I'd* certainly be embarrassed), or, probably more likely, a complete
lack of understanding of what happened.

My mother died recently.  (No, I'm not changing the topic.)  (Yes, thank
you; it was not unexpected; she'd been going downhill; it was a relief;
she'd had a "good innings.")  Lots of people were very grateful to my
mother, for a number of things.  And she gave me one very great gift.  Many
years ago, I read an article from someone who said that *everyone*, these
days, insisted that they worked in "high tech."  And, not everyone could.
So, he provided a guideline for determining whether you actually worked in
high tech.  If your mother understood what you did, you *didn't* work in
high tech.  My mother, very definitively, never, *EVER*, understood what I
did.  In fact, most of my *bosses* never understood what I did.

I think I have this in common with most of you in information security.
Most of us work for managers, supervisors, directors, and ministers who have
only the vaguest notion of what we actually do, and the principles that
drive us.

Since information, and information processing, now basically drives almost
all of the world, this creates a dangerous situation.  There are many
threats to that information, and that processing, and if you don't
understand the threats, you can't take precautions.

Take my original field of research.  The fact that malware has exploded into
myriad different forms makes it *more* important to know and define the
various forms, not less.  Different precautions and controls are effective
against different types of malware.  Some are best handled by security
awareness training of staff (and, sometimes, customers).  Some are addressed
by very specific types of application level proxy firewalls.  Some are
addressed by having a backup.  (Remember backups?)  You need to know,
specifically, what the threats are in order to protect against them.

We, in information security, have always been faced with the problem of
"training up."  We are managed, and our budgets and resources are
controlled, by those above us, in the org chart, who do not understand what
we do.  We need to take every opportunity (often when the metaphorical
building next door metaphorically catches fire) to explain the risks facing
the enterprise, and the precautions that need to be taken against those many
risks.  (And why "cloud" or "blockchain" is not the answer to every security
question.)

(I have a great problem understanding why senior management does not
understand risk management.  After all, if you are a manager, at any level,
of whatever type, you manage two things: people and risk.  But, then again,
the pandemic has demonstrated, over and over again, with a huge number of
illustrations, that we, as a species, are really and utterly terrible at
assessing and managing risk.  It's a wonder we've survived as long as we
have.)

We, in information security, need to step up our efforts to train managers,
media, and the general public about the real risks that we, as a society,
face every day.

Now go make a backup.  (Maybe more than one.)  (Maybe more than one type.)
It'll keep you safe from "ransomware" "cyberattacks."

(Although not from breachstortion.  But that's another story.  Or attack.)


Will there be vehicle safety tricks or treats this Halloween?

"Gabe Goldberg" <gabe@gabegold.com>
Sun, 31 Oct 2021 16:32:50 -0400
Happy Halloween! Remember to drive carefully in your neighborhood
tonight. With all the kids out in their costumes, hurrying for that next
piece of candy, it is amongst the deadliest days of the year for younger
pedestrians. And that’s true even if no one is testing self-driving car
technology in your community.

We recently sat down with National Public Radio’s Marketplace to discuss
what the status of self-driving car regulations are, and how the current
testing set-up works. As we noted, manufacturers are “just putting
vehicles out on public roads, public highways, neighborhood streets,
across the country, and collecting data and seeing how it goes. That is
obviously something that most people aren’t aware of, and no one really
signed up for.” Happy Halloween! Remember to drive carefully in your
neighborhood tonight. With all the kids out in their costumes, hurrying
for that next piece of candy, it is amongst the deadliest days of the
year for younger pedestrians. And that’s true even if no one is testing
self-driving car technology in your community.

We recently sat down with National Public Radio’s Marketplace
<https://www.autosafety.org/the-road-ahead-what-about-regulation-for-self-driving-cars/>
to discuss what the status of self-driving car regulations are, and how the
current testing set-up works. As we noted, manufacturers are *“just putting
vehicles out on public roads, public highways, neighborhood streets, across
the country, and collecting data and seeing how it goes.  That is obviously
something that most people aren’t aware of, and no one really signed up
for.”*

https://mailchi.mp/autosafety.org/october-safety-update?e=91e5c03d94

Check out the full interview here: The road ahead: What about regulation
for self-driving cars?
<https://www.autosafety.org/the-road-ahead-what-about-regulation-for-self-driving-cars/>

  [Also noted by Mark Brader, George Sigut, and Andy Walker.  I am delighted
  that you follow up on such stories.  However, I have a quibble.  I
  sometimes run items that have nothing but a catchy URL.  Sometimes when I
  am curious, I try to PGN-ed it.  But this one was convoluted enough that I
  did not have enough time to verify my own interpretation.  I would greatly
  appreciate submissions with your own version of what is in the URL story,
  to share with RISKS readers.  PGN]


Re: I *really* hate Hopin ...

John Stewart <thompsonstevenssoftware@gmail.com>
Mon, 1 Nov 2021 11:45:50 -0400
It's always interesting what goes on. Like Rob Slade, the organization I
worked for for quite a while (Communications Research Centre, Ottawa) "did"
Internet stuff.

Way back in the mid '90s, us Canadians could participate in EU FP projects.
Could not claim funds, but could participate. One fun one was the UCL-led
MICE and MECCANO projects, "doing" Multicast Audio/Video conferencing,
amongst other things.

Two things came to light:

1) There was no way for two or three researchers to go off into a corner to
quickly discuss some point, without disrupting the audio channel. A shared
text-based white board was the saviour here. It worked really well.

2) Video was ok, but (other than sharing a slide deck) one did not need to
see the face of the current speaker; it did not change that much, and none
of us participants were anywhere near movie-star quality.

I can remember Roy Bennett, the UCL-based facilitator asking on Audio "I
see lots of conversations on the white board, but does anyone want to *say*
anything?"

I did have fun, as a side project, creating a VRML-based 3D front end to
the audio tool, proximity based, so one could group with like minded people
(Avatars) and talk, could see and hear other groups walk by, audio if they
were close, just like real life. I led a little group doing fun things like
that - I think we all enjoyed creating 3D interfaces for all sorts of
things.

Now, in 2021, it appears that:

With Video; the main feature is to have a background (preferably animated,
and of zero relevance) going in the background, which is imperfect at
stitching the user onto the background;

Audio - people are getting better, but the mute button gets ignored too
much, so focus often changes to the coffee-slurpers (like me!) from the
main presenter.

Saying that, the video quality is definitely better than we had back in the
mid 90s but the whole experience has not really progressed much.


Re: Lettering on clothes mistaken for license plate (BBC)

Andy Walker <anw@cuboid.me.uk>
Sun, 31 Oct 2021 23:45:07 +0000
Point of order!  Paula and Dave Knight, who received the fine, had nothing
at all to do with sweater lady, and in particular Mr Knight is not her
husband.  Readers may also have noted the rather feeble attempt at a
personalised number plate, approximating to KNigT.., which is pretty much as
good as it gets for most UK car owners, given the rules by which our plates
are assigned.

  [Similar comments from Mark Brader and George Sigut.  I would be delighted
  if those of you who submit items with only the URL that spells out a
  catchy phrase would provide your own summaries.  PGN]

Please report problems with the web pages to the maintainer

x
Top