The RISKS Digest
Volume 32 Issue 94

Wednesday, 1st December 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



The End of Trust
The Atlantic
The makers of EyeDetect promise a new era of truth-detection, but many experts are skeptical
Apple sues NSO Group over Pegasus spyware
The Car Key of the Future—is still in your pocket
Locked Out of God Mode, Runners Are Hacking Their Treadmills
Sorry I'm late, my car had a 500 error.
Israel and Iran Broaden Cyberwar to Attack Civilian Targets
India to ban almost all private cryptocurrencies including Bitcoin in new clampdown
Dutch Tax Office algorithm targeted low-income households
Kees Huyser
Crowd-Sourced Suspicion Apps Are Out of Control
GoDaddy says data breach exposed over a million user accounts
He Leaked U.S. Missile Secrets. It Turned Into ‘a Dark Comedy of Errors.’
Amazon's Dark Secret: It Has Failed to Protect Your Data
The Zelle Fraud Scam: How it Works, How to Fight Back
Krebs on Security
Wikipedia Tests AI for Spotting Contradictory Claims in Articles
New Scientist
Apple, Facebook, privacy, voter turnout efforts, and differential privacy
Rob Slade
Google hacking
Devious Tardigrade Malware Hits Biomanufacturing Facilities
The unbearable fussiness of the smart home
YANCV: Yet Another New CoVID Variant
Rob Slade
Re: Unconsidered automatic filtering creates damaging side-effects
John Levine
Re: Scammers impersonate guest editors to get sham papers published
Martin Ward
CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector
GAO Critical Infrastructure Protection
Info on RISKS (comp.risks)

The End of Trust (The Atlantic)

“Richard Stein” <>
Sat, 27 Nov 2021 10:14:14 +0800

“Trust. Without it, Adam Smith’s invisible hand stays in its pocket; Keynes’s ‘animal spirits’ are muted. ‘Virtually every commercial transaction has within itself an element of trust,’ the Nobel Prize–winning economist Kenneth Arrow wrote in 1972.”

“But trust is less quantifiable than other forms of capital. Its decline is vaguely felt before it’s plainly seen. As companies have gone virtual during the coronavirus pandemic, supervisors wonder whether their remote workers are in fact working. New colleagues arrive and leave without ever having met. Direct reports ask if they could have that casual understanding put down in writing. No one knows whether the boss’s cryptic closing remark was ironic or hostile.”

Businesses deserve to fail, and governments convulse, when public trust continues to be abused for selective advantage without accountability for preventable technological maintenance and operational errors.

Proactive and effective Internet safeguards—regulatory enforcement of cybersecurity standards with strict oversight accountability for non-compliance—are essential to rebuild public trust, an essential social virtue sensitized to spontaneously erode via multiple tipping points.

Every data breach, ransomware incident, and critical infrastructure assault dilutes public trust in the Internet's utility. Without stern incentives to comply, diminished accountability for these abuses and outrages, attributed to both businesses and governments, feeds a sense of popular futility. Egregious and repeat oversight failures reveal their audacious impunity.

As long as professional and business ethics remain trivialized by profit, convenience, ignorance, and lassitude, organizational effectiveness and accountability—pillars of public trust resilience—will remain vulnerable to nefarious exploitation.

The makers of EyeDetect promise a new era of truth-detection, but many experts are skeptical (WashPost)

“Gabe Goldberg” <>
Sat, 27 Nov 2021 15:17:52 -0500

Is the ocular product EyeDetect a leap ahead of the polygraph? Or just the same dubiousness in a more high-tech box?

EyeDetect is the product of the Utah company Converus. “Imagine if you could exonerate the innocent and identify the liars . . . just by looking into their eyes,” the company’s YouTube channel promises. “Well, now you can!” Its chief executive, Todd Mickelsen, says they’ve built a better truth-detection mousetrap. He believes eye movements reflect their bearer far better than the much older and mostly discredited polygraph. Its popularity may be growing: The company says EyeDetect has gone from 500 customers in 2019 to 600 now.

Its critics, however, say the EyeDetect is just the polygraph in more algorithmic clothing. The machine is fundamentally unable to deliver on its claims, they argue, because human truth-telling is too subtle for any data set.

And they worry that relying on it can lead to tragic outcomes, like punishing the innocent or providing a cloak for the guilty.

EyeDetect raises a question that draws all the way back to the Garden of Eden: Are humans so wired to tell the truth we’ll give ourselves away when we don’t?

Apple sues NSO Group over Pegasus spyware (WashPost)

“Gabe Goldberg” <>
Tue, 23 Nov 2021 14:44:46 -0500

The lawsuit comes just weeks after the U.S. Commerce Department added NSO to its list of entities barred from doing business with American companies. …

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering, in a blog post announcing the lawsuit.

“Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous,” he wrote. “While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

The Car Key of the Future—is still in your pocket (NYTimes)

“Gabe Goldberg” <>
Sun, 28 Nov 2021 16:22:32 -0500

They’re in fobs or on phones, and digital or “smart,” and they can do far more than just open doors and start the engine.

Sometimes, however, one might wish for a real key; the alternatives are not bulletproof. Tesla drivers recently punched up the smartphone app they use to unlock and start their cars. The app was not responding, as a server had gone down. The Tesla key “card” would work — Tesla’s version of a fob — but drivers who depended on their phones were stuck. The problem was sorted out fairly quickly, and Elon Musk, the company’s chief, tweeted apologies.

Several vehicle operating functions have already been outsourced to smartphones. For example, an app for some BMWs can remotely start the auto; it will run for 15 minutes, heating or cooling the cabin, before automatically shutting off. But some type of hardware — a wireless fob, round or square, with tiny buttons to open and close doors, hatches, windows and sunroofs, and perhaps a “panic” function to set off the car’s alarm system — will most likely remain until mobile devices “eliminate the need for a physical piece of hardware altogether,” said Todd Parker, director of global design for General Motors.

Eliminate need for hardware? Mobile devices look to me like pieces of “hardware”, just more prone to failure or compromise than a key or fob.

Locked Out of God Mode, Runners Are Hacking Their Treadmills (WiReD)

Gabe Goldberg <>
Sun, 21 Nov 2021 15:36:57 -0500

NordicTrack customers were watching Netflix using a simple trick—until the company blocked their access.

What next? Fox (or MSNBC)-only TV sets? Cell phones only able to call people on the same network?

Sorry I'm late, my car had a 500 error.

geoff goodfellow <>
Tue, 23 Nov 2021 10:22:16 -1000

Tesla servers throwing 500 errors. People unable to unlock their cars.


Israel and Iran Broaden Cyberwar to Attack Civilian Targets (NYTimes)

Jan Wolitzky <>
Sun, 28 Nov 2021 05:50:48 -0500

Millions of ordinary people in Iran and Israel recently found themselves caught in the crossfire of a cyberwar between their countries. In Tehran, a dentist drove around for hours in search of gasoline, waiting in long lines at four gas stations only to come away empty.

In Tel Aviv, a well-known broadcaster panicked as the intimate details of his sex life, and those of hundreds of thousands of others stolen from an LGBTQ dating site, were uploaded on social media.

For years, Israel and Iran have engaged in a covert war, by land, sea, air and computer, but the targets have usually been military or government related. Now, the cyberwar has widened to target civilians on a large scale.

India to ban almost all private cryptocurrencies including Bitcoin in new clampdown (Euronews)

“Gabe Goldberg” <>
Tue, 23 Nov 2021 14:41:50 -0500

India is on track to ban all but a few private cryptocurrencies after the government announced on Tuesday it was introducing a new financial regulation bill.

The ‘Cryptocurrency and Regulation of Official Digital Currency’ bill will create a facilitative framework for an official digital currency to be issued by the Reserve Bank of India, and ban all private cryptocurrencies, such as Bitcoin and Ethereum.

Earlier this month, Prime Minister Narendra Modi said all democratic nations must work together to ensure cryptocurrency “does not end up in wrong hands, which can spoil our youth” - his first public comments on the subject. …

The new rules are also likely to discourage marketing and advertising of cryptocurrencies, to dull their allure for retail investors, said an industry source who was part of a separate parliamentary panel discussion held on Monday.

But … banning cigarette ads on TV didn't ban smoking. Cryptocurrency “spoiling youth”? Ah, this is for the children…

Dutch Tax Office algorithm targeted low-income households

“Kees Huyser” <>
Tue, 23 Nov 2021 13:19:03 +0100

The tax office specifically targeted people with low incomes when checking for potential fraud involving childcare benefits.

Between 2013 and July 2020, the tax office used a self-learning algorithm based on a risk classification system to decide who should face extra checks. The system was scrapped last year following a damning report.

Crowd-Sourced Suspicion Apps Are Out of Control (Electronic Frontier Foundation)

“Gabe Goldberg” <>
Wed, 24 Nov 2021 00:08:47 -0500

Technology rarely invents new societal problems. Instead, it digitizes them, supersizes them, and allows them to balloon and duplicate at the speed of light. That’s exactly the problem we’ve seen with location-based, crowd-sourced “public safety” apps like Citizen.

These apps come in a wide spectrum—some let users connect with those around them by posting pictures, items for sale, or local tips. Others, however, focus exclusively on things and people that users see as “suspicious” or potentially hazardous. These alerts run the gamut from active crimes, or the aftermath of crimes, to generally anything a person interprets as helping to keep their community safe and informed about the dangers around them.

That's sure NextDoor here—Fairfax County, VA—which is pretty safe and yet people exaggerate/amplify incidents to bogus catastrophic statistics and trends.

GoDaddy says data breach exposed over a million user accounts (TechCrunch)

Lauren Weinstein <>
Mon, 22 Nov 2021 10:19:17 -0800

GoDaddy says data breach exposed over a million user accounts

He Leaked U.S. Missile Secrets. It Turned Into ‘a Dark Comedy of Errors.’ (DailyBeast)

geoff goodfellow <>
Thu, 25 Nov 2021 10:16:06 -1000

A former Raytheon missile defense engineer <> who recently pleaded guilty to leaking U.S. military secrets claims he did so only because his desperate attempts to correct a potentially deadly software error he accidentally made went completely unheeded by authorities.

“My approach and code were not adequately reviewed,” James Robert Schweitzer told The Daily Beast in his first public comments since his arrest. “I was told to ignore the anomaly that I introduced.”

The federal government, however, saw things quite differently. At the time, Schweitzer was at loggerheads with the Pentagon over his use of medical marijuana, which caused him to be stripped of his top secret security clearance. Unable to continue working in his chosen field, Schweitzer, who had hoped to stay at Raytheon until he retired, decided instead to exact revenge on the company by exposing classified information he believed he shouldn’t have had access to in the first place, according to prosecutors <>. The government’s court filings assert that Schweitzer’s motive was simply to get back at Raytheon for shunting him aside. To that end, Schweitzer told investigators he wanted to bring his supervisors down with him for “illegally” demanding he work on a classified project.

A Missile Engineer’s ‘Dark Fantasy’ and Alleged Revenge Plot <>

Today, Schweitzer, who says he sees himself not as a traitor but a whistleblower, is still reeling from being hauled in by the feds last year, describing the nightmarish experience as “a comedy of errors, as far as I’m concerned—a dark comedy of errors.”

As The Daily Beast exclusively reported at the time <>, Schweitzer, 58, was arrested and charged in December 2020 with malicious mischief and destruction of government property for sharing “national defense information” regarding U.S. missile sensors. Prosecutors said Schweitzer knew some of what he exposed <> “could result in American casualties abroad or in the United States,” which Schweitzer freely admits, insisting that’s why he was so eager to sound the alarm.

Schweitzer, a California resident, claims he reported the alleged software bug to the DoD hotline, the Army, the FBI, and every single member of Congress to no avail. According to him, authorities said they would take care of it, but never did in order to save face after deploying a supposedly broken system that was being used to, among other things, protect the airspace in the Washington, D.C., area, and could have cost thousands of lives. Court filings by investigators and prosecutors, who would not comment on the case, do not mention anything about this supposed anomaly. […]

Amazon's Dark Secret: It Has Failed to Protect Your Data (WiReD)

“Gabe Goldberg” <>
Wed, 24 Nov 2021 00:11:18 -0500

Voyeurs. Sabotaged accounts. Backdoor schemes. For years, the retail giant has handled your information less carefully than it handles your packages.

At that very moment inside Amazon, the division charged with keeping customer data safe for the company's retail operation was in a state of turmoil: understaffed, demoralized, worn down from frequent changes in leadership, and—by its own leaders' accounts—severely handicapped in its ability to do its job. That year and the one before it, the team had been warning Amazon's executives that the retailer's information was at risk. And the company's own practices were fanning the danger.

According to internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED, Amazon's vast empire of customer data—its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who's at your front door—had become so sprawling, fragmented, and promiscuously shared within the company that the security division couldn't even map all of it, much less adequately defend its borders.

The Zelle Fraud Scam: How it Works, How to Fight Back (Krebs on Security)

Tom Van Vleck <>
Sat, 20 Nov 2021 07:24:34 -0800

Another damn thing to worry about. Faked text messages and phone calls “from your bank.”

Wikipedia Tests AI for Spotting Contradictory Claims in Articles (New Scientist)

ACM TechNews <>
Wed, 24 Nov 2021 12:05:30 -0500 (EST)

Matthew Sparkes, New Scientist, 19 Nov 2021 via ACM TechNews, Wednesday, November 24, 2021

Researchers at Taiwan's National Cheng Kung University, in conjunction with the Wikimedia Foundation, have developed artificial intelligence technology which they say can identify contradictory claims in Wikipedia articles and flag them for human review. The researchers found 2,321 contradiction warnings in all English Wikipedia articles posted by March 2020. They used 80% of 1,105 examples of contradictions and solutions by human editors to train the neural network to detect contradictions on its own. The remaining 20% of the data then was used to test the neural network, which was found to have an accuracy rate of up to 65%.

Apple, Facebook, privacy, voter turnout efforts, and differential privacy

Rob Slade <>
Mon, 22 Nov 2021 11:42:59 -0800

Apple is trying to position itself as “the privacy company.” One of the ways it is doing that is, purportedly, by using differential privacy in a big way.

However, what Apple is mostly doing is making trouble for other companies (like Facebook) trying to get user data. Recently, Apple's iOS devices started not sending click-through and other data to Facebook.

Facebook seems to have responded by not presenting click-thorough type ads to iOS devices. Which has created a problem for various advertisers, including both political parties and social activists.

The thing is, if Apple truly were using differential privacy, it would be easy to resolve this fight by using “privacy by randomized response,” a protocol long used by social scientists. Local differential privacy would add noise to the data, but it could be mathematically removed by companies to provide user privacy, while still allowing a lot of useful overall consumer data to be collected.

The bottom line is, Apple, while pushing its use of differential privacy, doesn't seem to understand it or use it effectively. (And Facebook still doesn't care about your privacy at all …)
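The “privacy by randomized response” protocol Rob mentions, as an added example (not Apple's or Facebook's code): each device answers truthfully with probability p_truth and otherwise reports a coin flip, and the collector removes the noise only in the aggregate. The Warner-style mechanism and the parameter names are assumptions for the illustration.

```python
import math
import random
from typing import List, Tuple


def randomized_response(true_answer: bool, p_truth: float, rng: random.Random) -> bool:
    """Local differential privacy on one device: tell the truth with probability
    p_truth, otherwise answer with a fair coin so any single report is deniable."""
    if rng.random() < p_truth:
        return true_answer
    return rng.random() < 0.5


def estimate_proportion(reports: List[bool], p_truth: float) -> float:
    """Collector side: the noise is removed mathematically, but only for the
    population. E[report] = p_truth*pi + (1-p_truth)*0.5, solved for pi."""
    observed = sum(reports) / len(reports)
    return (observed - (1 - p_truth) * 0.5) / p_truth


def epsilon(p_truth: float) -> float:
    """Privacy loss of the mechanism: ln((1+p)/(1-p)). Lower p_truth, stronger privacy."""
    return math.log((1 + p_truth) / (1 - p_truth))


def simulate(n: int, true_rate: float, p_truth: float, seed: int = 7) -> Tuple[float, float]:
    """Constructed population: returns (sampled true rate, debiased estimate)
    so the two can be compared; the reports themselves carry the noise."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n)]
    reports = [randomized_response(t, p_truth, rng) for t in truths]
    return sum(truths) / n, estimate_proportion(reports, p_truth)


if __name__ == "__main__":
    truth, est = simulate(100_000, 0.30, 0.5)
    print(f"true rate {truth:.3f}, estimate from noisy reports {est:.3f}, eps={epsilon(0.5):.2f}")
```

The aggregate converges to the true rate as n grows, while an individual report is still wrong with probability (1-p_truth)/2; that is the trade-off the post says Apple is not using.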

Google hacking (Wikipedia)

Gabe Goldberg <>
Mon, 22 Nov 2021 15:01:50 -0500

Google hacking, also named Google dorking,[1][2] is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using.[3] Google dorking could also be used for OSINT.

“Google hacking” involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications. A search query with intitle:admbook intitle:Fversion filetype:php would locate all web pages that have that particular text contained within them. It is normal for default installations of applications to include their running version in every page they serve, for example, “Powered by XOOPS 2.2.3 Final”.

Devices connected to the Internet can be found. A search string such as inurl:"ViewerFrame?Mode=" will find public web cameras.

Another useful search is intitle:index.of followed by a search keyword. This can give a list of files on the servers. For example, intitle:index.of mp3 will give all the MP3 files available on various types of servers.
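The two leaks the excerpt describes, version banners printed on every page and server-generated directory listings, are easy to audit on your own site before a search engine indexes them. The check below is an added example, not part of the Wikipedia text; the regexes and the constructed sample responses are assumptions.

```python
import re
from typing import Dict, List

# Leak class 1: "Powered by <product> <version>" footers and <meta name="generator"> tags.
VERSION_BANNER = re.compile(
    r"Powered by\s+(?P<product>[A-Za-z][\w.\-]*)\s+v?(?P<version>\d+(?:\.\d+)+)",
    re.IGNORECASE)
GENERATOR_META = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\'](?P<content>[^"\']+)["\']',
    re.IGNORECASE)
# Leak class 2: autoindex pages, the "index.of" pattern the excerpt mentions.
DIR_LISTING_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def find_version_banners(html: str) -> List[str]:
    """Return every product/version string a page reveals about its software."""
    found = [f"{m['product']} {m['version']}" for m in VERSION_BANNER.finditer(html)]
    found += [m["content"] for m in GENERATOR_META.finditer(html)]
    return found


def is_directory_listing(html: str) -> bool:
    """Apache/nginx style listings have an 'Index of /' title and a parent link."""
    return bool(DIR_LISTING_TITLE.search(html)) and "Parent Directory" in html


def audit_responses(pages: Dict[str, str]) -> List[Dict[str, str]]:
    """Run both checks over {url: body} and return findings with a remediation hint."""
    findings = []
    for url, body in pages.items():
        for banner in find_version_banners(body):
            findings.append({"url": url, "issue": "version banner", "detail": banner,
                             "fix": "remove the footer/generator tag; keep versions out of HTML"})
        if is_directory_listing(body):
            findings.append({"url": url, "issue": "directory listing", "detail": "autoindex enabled",
                             "fix": "disable autoindex or add an index page"})
    return findings


# Constructed sample responses (no real site); the XOOPS banner is the one quoted above.
SAMPLE_PAGES = {
    "https://example.test/":
        "<html><head><title>Home</title></head><body><p>Welcome</p>"
        "<p>Powered by XOOPS 2.2.3 Final</p></body></html>",
    "https://example.test/music/":
        "<html><head><title>Index of /music</title></head><body><h1>Index of /music</h1>"
        '<a href="../">Parent Directory</a><a href="track.mp3">track.mp3</a></body></html>',
    "https://example.test/about":
        '<html><head><meta name="generator" content="SiteBuilder 4.1"><title>About</title>'
        "</head><body>fine</body></html>",
}

if __name__ == "__main__":
    for f in audit_responses(SAMPLE_PAGES):
        print(f"{f['url']}: {f['issue']} ({f['detail']}) -> {f['fix']}")
```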

Devious Tardigrade Malware Hits Biomanufacturing Facilities (WiReD)

Gabe Goldberg <>
Mon, 22 Nov 2021 19:42:47 -0500

The surprisingly sophisticated attack is “actively spreading” throughout the industry.

When ransomware hit a biomanufacturing facility this spring, something didn't sit right with the response team. The attackers left only a halfhearted ransom note, and didn't seem all that interested in actually collecting a payment. Then there was the malware they had used: a shockingly sophisticated strain dubbed Tardigrade.

As the researchers at biomedical and cybersecurity firm BioBright dug further, they discovered that Tardigrade did more than simply lock down computers throughout the facility. They found that the malware could adapt to its environment, conceal itself, and even operate autonomously when cut off from its command and control server. This was something new.

The unbearable fussiness of the smart home (staceyoniot)

geoff goodfellow <>
Tue, 23 Nov 2021 10:40:17 -1000

As we head into another gifting season and more and more connected devices make their way onto gift guides, I want to offer a cautionary note. The smart home is like a cat — mostly self-sufficient and nice to have, but also possessing a mind of its own that can lead to frustration and confusion for its owner. Indeed, when you gift or get a connected device, ownership turns into active participation with the device and various other ecosystems.

What do I mean? Three weeks ago, three of my devices stopped working — all for different reasons — and required different steps to fix them. This week, one device suddenly started working again, another connected after some initial struggles, and a third became so intrusive I had to move it to another room.

This isn’t a device or brand problem. It’s an industry problem. Smart home products look like hardware but are really software, subject to updates and changes that will break integrations, contain bugs, and add new, unwanted features. For most consumers, there’s a gap between what they expect from hardware and what they get with smart home devices that leads to dissatisfaction, returns, and poor user experiences.

For the manufacturers, there’s a lack of tools and/or research to ensure that software updates don’t cause problems or that new features don’t frustrate users. I’ll offer up a few examples of fussy devices to illustrate these issues. Let me be your cautionary tale before purchasing a smart bulb or speaker. […]

YANCV: Yet Another New CoVID Variant

Rob Slade <>
Fri, 26 Nov 2021 11:24:56 -0800

A new CoVID variant (B.1.1.529) (and named omicron, possibly to avoid “nu” jokes) has arisen. It may be more transmissible. It may be that the existing vaccines are somewhat less effective at protecting against it.

World stock markets are tumbling, and the end of the world is upon us. Just like last time.

Look, we know how to deal with this.

I tend to use the ransomware example: it doesn't matter who is trying to hit you with what new version of ransomware: if you've got a backup, you're good.

The existing vaccines may be slightly less effective. But they will be somewhat effective, and you should get them. Although I would add defence in depth or layered defence. Vaccines aren't perfect, so wash your hands. Handwashing isn't perfect so wear a mask. Masks aren't perfect so avoid crowds. It isn't one of the Five Heroic Acts, it's all of them.

And remember the “Hitchhiker's Guide to the Galaxy”: DON'T PANIC!

Re: Unconsidered automatic filtering creates damaging side-effects (RISKS-32.93)

“John Levine” <>
23 Nov 2021 15:41:27 -0500

>have the sequence “ass” removed, yielding “pion”, “ociation”, and “ume”,
>among others.

This is generally known as the Scunthorpe problem, after a town in England which is chronically blocked by badly written obscenity filters. It has two Wikipedia pages, one for the town, one for the filtering errors which date from 1996:
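The filtering error under discussion, as an added example (not code from either message): the naive substring removal quoted above, beside a whole-word match that leaves “passion” and “association” intact, plus a small audit that lists which dictionary words a substring filter would mangle. The blocklist holds only the thread's own example sequence.

```python
import re
from typing import Iterable, List

BLOCKLIST = ["ass"]  # the sequence the thread discusses; extend with your own terms


def naive_filter(text: str) -> str:
    """The broken approach: delete the sequence wherever it occurs, inside words too."""
    for term in BLOCKLIST:
        text = text.replace(term, "")
    return text


def word_boundary_filter(text: str) -> str:
    """Match blocklisted terms only as whole words (case-insensitive) and mask them,
    so words that merely contain the sequence are left alone."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, BLOCKLIST)) + r")\b",
                         re.IGNORECASE)
    return pattern.sub(lambda m: "*" * len(m.group(0)), text)


def collateral_damage(words: Iterable[str]) -> List[str]:
    """Audit helper: which legitimate words would the naive filter alter?
    Run it over a dictionary or a place-name list before deploying a filter."""
    return [w for w in words if naive_filter(w) != w]


if __name__ == "__main__":
    sample = "passion association assume"  # constructed input
    print(naive_filter(sample))          # "pion ociation ume"
    print(word_boundary_filter(sample))  # unchanged
    print(collateral_damage(["passion", "tree", "assume"]))
```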

Re: Scammers impersonate guest editors to get sham papers published (RISKS-32.93)

“Martin Ward” <>
Thu, 25 Nov 2021 14:38:42 +0000

A related article (“Predatory publishers’ latest scam: bootlegged and rebranded papers”) suggests: “Instead of repeatedly severing heads for new ones to regrow, policy that combats predatory publishing should focus on starving the Hydra of resources.”

An article published in “Nature” cannot, of course, suggest the simplest and most effective solution to the problem: completely starve the Hydra by taking money out of the article publishing enterprise altogether. Authors and reviewers already provide their work for free: this is then “monetized” by predatory journals, such as Nature, who charge exorbitant amounts for copies of papers and make substantial profits out of other people's work without adding any value. (For example, one of the referenced papers listed in this paper is available as a downloadable PDF for a mere £29.95 including VAT).

Make all journals free to access and free to publish in, and take the pressure off academics to continually publish (“publish or perish”). The costs of providing access can be met via small charitable foundations supported by donations from University libraries. The libraries can easily afford these donations since they will no longer have to pay exorbitant subscription fees to journals. The rest of the money that they save can go to fund more research, instead of publishers' profits.

With money taken out of the equation, the main incentive to produce sham papers and sham publications disappears.

Until then, we will have the “legitimate” publishers wringing their hands and complaining about all these “predatory” publishers. They sound to me like so many “legitimate” protection racketeers complaining about all the “predatory” protection racketeers that keep cropping up on their turf!

CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector (GAO Critical Infrastructure Protection)

“Diego.Latella” <>
Mon, 29 Nov 2021 09:19:48 +0100
