The RISKS Digest
Volume 33 Issue 16

Tuesday, 19th April 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


NASA Will Roll Back Its SLS Rocket for Repairs
CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru
Insteon is down and may not be coming back
Stacey on IoT
Creating an Information Security Program from Scratch
Walter Williams
Hundreds of Brockton drivers failed exam after getting licenses with no test
The Boston Globe
Why I deleted the ACM election email
Cliff Kilby
Crypto Is Poised to Reshape Taxes—and Cities
Beanstalk DAO falls to a corporate raid, funded by flash loan junk bonds: Attack of the 50-foot Blockchain
David Gerard
Re: recent NYT slips on tech coverage
Prashanth Mundkur
Re: The Uncanny Future of Romance With Robots Is Already Here
Rob Slade. Craig Cottingham
Re: What Can Hackers Do With Stolen Source Code?
Bernie Cosell
Re: Hackers Steal About $600 Million in One of the Biggest Crypto
Kevin Kostolo
Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green
Jan Wolitzky
Info on RISKS (comp.risks)

NASA Will Roll Back Its SLS Rocket for Repairs (WiReD)

Gabe Goldberg <>
Tue, 19 Apr 2022 18:51:29 -0400

After three attempts to run through a test of the Space Launch System, engineers spotted a leak and a faulty valve. The fixes may delay the first Artemis moon mission.

NASA engineers hope to have their massive moon-bound Space Launch System ready for liftoff in a couple of months, but so far they've encountered some bumps in the road. On March 17, NASA rolled the world's most powerful rocket out onto the launchpad at Kennedy Space Center in Florida to ready it for the Artemis program's inaugural lunar mission later this year. Since then, technicians have completed a raft of checks on the huge rocket's systems, but after three tries they haven't been able to make it through the final test, a practice countdown called the “wet dress rehearsal test.”

The key problems have been a faulty helium check valve and a liquid hydrogen leak, which led to several pushbacks of the test countdown. Finally, NASA officials decided over the weekend to disconnect the rocket and, starting next Tuesday, carefully roll the SLS and Orion crew capsule back to the Vehicle Assembly Building, a facility with the equipment needed for them to perform rocket surgery. They hope to have a quick turnaround, returning to the pad soon afterward to complete the countdown test, but the first Artemis mission around the moon—originally planned for early June—might be delayed.

“The mega moon rocket is still doing very well. The one check valve is literally the only real issue we've seen so far. We're very proud of the rocket,” said Tom Whitmeyer, a deputy associate administrator at NASA headquarters in Washington, at a press conference this afternoon. “But we have a little bit more work in front of us.”

Aside from that one thing, Mrs. Lincoln…

CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru (CitizenLab)

=?iso-8859-1?Q?Jos=E9_Mar=EDa?= Mateos <>
Mon, 18 Apr 2022 11:11:55 -0400

Summary of the findings:

Insteon is down and may not be coming back (Stacey on IoT)

Gabe Goldberg <>
Sun, 17 Apr 2022 23:52:16 -0400

Internet of Things news and analysis

Author writes: Is your Insteon smart home system down? I'm getting reports from dozens of Insteon users that as of Friday their smart home hubs have stopped working. So far, none of them have heard from the company, and Insteon's Twitter account hasn't been updated since June 2021. I reached out to Rob Lilleness, the president and chairman of Smartlabs, the company that owns Insteon and have not yet heard back.

A friend commented:

I have probably four or five Insteon devices plus a hub. Their technology has been pretty decent and their support was excellent. They suddenly disappeared last Friday without a trace. No explanation, no apology. The woman who wrote the article above did some digging and it sure looks like they're gone.

What I'd like to do (aside from replacing my now-useless Insteon devices) is follow the careers of the perps named in the article and write scathing reviews of any company that hires any of them, pointing to this article, to let customers know that the same thing could happen to them with such disrespectful people in management.

One of the comments made the excellent point that incidents like this are going to erode consumer trust in IoT, especially products that require Internet access to a server somewhere in order to function at all.

Creating an Information Security Program from Scratch (Walter Williams)

“Rob Slade, greatgrandpa and widower” <>
Mon, 18 Apr 2022 08:58:03 -0700

There are plenty of tools we could talk about for those who already have a security program in place. What have we got if you don't?

(There are, of course, those long in the field, who seriously wish that they could start over from scratch. This book might act as a reminder that might get them out of the weeds long enough to see an approach or tool they might have overlooked.)

Walter Williams has taken on that task. What happens when you, as possibly the crack firewall expert on the tech team, are suddenly noticed by the boss, who, out of the blue, decides that the company needs a CISO, and you're it. You've got the whole corporate infosec world in= your hands, and you'd better not drop it.

Chapter one correctly states that you can start with either risk assessment or compliance, and lists, in detail, that tools available to you for both. Williams includes the top level security frameworks that can act as your guides into the labyrinth that is information security, and notes the strengths, and areas of emphasis, of each. This provides you with not only a starting point, but resources that will aid your throughout your security career.

>From there, Williams moves into policy, and the supporting documentation
around it.  Without policy you can have no security, because you don' know
what it is you are protecting, and why.  Included in this chapter is an
initial foray into the importance of planning, which will come back in
myriad forms as you move deeper into security processes.

Asset management jumps from the high level viewpoint down into the weeds and details. However, that is a jump that you frequently have to make in security. You have no security without an overall vision, but you have no protection without having the correct controls in place and working. Assets, and the controls meant to protect them, have vulnerabilities, and so managing those is vital as well.

Overall planning is important, but very soon you are going to be putting out fires, known in the trade as incidents. Note that Williams does not, at this point, give you a full guide to business continuity or disaster recovery planning, which would require an entire book of its own. He does, however, point you to yet more frameworks in the fields, which will get you started in that direction.

Then it's back to assets, in this case the =E2=80=9Cendpoint,=E2=80= =9D or what the user tends to interact with. The author provides an overview of both the various problems which you will likely encounter in this realm, and a variety of protections you may wish to choose, depending upon your specific security posture. From there Williams moves to email security, an issue common to pretty much any end user these days.

From the user, it is back to the technical team, and the issues with your networking and telecommunications. Note that I say issues: the full range of every possible detail that you need to know would need a very fat book indeed, and several of those are available when you want to go there. Somewhat more detail, or at least the structures and processes that you will need, are addressed in the chapter on software development.

After the introduction to incidents, earlier in the work, Williams now turns to disasters, and disaster recovery. This is addressed from the disaster recovery, rather than the business continuity, angle, which is probably wise, as a company in the first round of a security program probably has neither the maturity, nor the resources, to prepare a full business continuity plan.

In the chapter on access control, Williams spends a good deal of time outlining some of the formal theories and models behind the controls. This is far from a waste of time. Tuning an access control system in terms of details can waste a good deal of effort and resources if those controls do not protect in the way you think or assume that they will. Looking at the formal models should get you used to understanding what a system will, and won't, do for you.

Spend a lot of time with chapter twelve, Human Issues. As the author notes up front, too many security specialists take it for granted that people are the problem. People are your greatest weakness, in security, but they are, paradoxically and at the same time, your greatest security asset. Make your people aware, and get them onside.

Williams finishes with the concept of organizational maturity. This is an important concept, but readers may be distracted by the accompanying material on metrics and data presentation.

This is a solid, and comprehensive, guide for those who have to start securing an enterprise from square one. It may appear to jump around from topic to topic, and from the overall view to the details. Get used to it. That's what security is like.

Hundreds of Brockton drivers failed exam after getting licenses with no test (The Boston Globe)

Monty Solomon <>
Tue, 19 Apr 2022 17:06:00 -0400

Why I deleted the ACM election email

Cliff Kilby <>
Mon, 18 Apr 2022 11:04:38 -0400

And why you should have too.

They used my name, isn't that enough? Nope. Purchasing email-to-name services (legal and/or questionable) is cheap and readily available.

They said ACM. I am proud of my membership in the ACM, this is just a public fact.

They pointed a URL to the ACM website. Even marginally good phishers refer to their target website. Sometimes even loading their CSS or images directly.

They bounced between several domains that aren't associated with ACM in the email. This alone is sufficient to reject an email at a glance.

They referred to a URL shortener. URL shorteners are notorious for being used to plaster over a suspicious reference to another domain, and cannot be easily tested. Another reason to delete on sight. authenticated the email.

That's nice. I don't know who they are, and if they really had permission to pretend to be ACM, why isn't this email on ACM's domain (DKIM auth grant)?

There is something that looks like a password in this email.

They call it a PIN so it may be a username, but an email with an unsolicited authenticator in it goes straight to garbage.

In other news, it's time for ACM general elections.

Crypto Is Poised to Reshape Taxes—and Cities (WiReD)

Gabe Goldberg <>
Mon, 18 Apr 2022 19:32:35 -0400

Taxes, CityCoins founder Patrick Stanley says, can stop being a mind-numbing civic ritual and become an exercise in freedom—if we tokenize and calibrate them the right way. Stanley's crypto-based invention is what he calls an opt-in tax of opportunity, as opposed to obligation, wherein boosters tithe a particular city with crypto because they have faith in the municipality and its mission. […]

Within the CityCoins matrix, miners receive a city-specific coin, like MiamiCoin or NYCCoin, by trading in STX, the token for Stacks, a protocol that operates on top of the Bitcoin network. […]

Beyond CityCoins' undetermined future, it remains to be seen whether crypto writ large will usher in a technocratic nirvana, wither the way of Dutch tulips, collapse like an audited Ponzi scheme, or lead to unforeseen outcomes. Regardless, the capitalist urge to turn a civic tradition into a financial instrument will survive whether CityCoins fizzles out or not. TurboTax has already done this for its shareholders; CityCoins or some future avatar will lead the charge in democratizing those gains for others. But the civic tradition of birthing political movements by confronting unjust financial tools remains alive and well, too. Whatever comes next, we can all agree the IRS leaves ample room for improvement.

Tokenize? Calibrate? Tithe? Tulips/Ponzi, yes.

Beanstalk DAO falls to a corporate raid, funded by flash loan junk bonds: Attack of the 50-foot Blockchain (David Gerard)

Gabe Goldberg <>
Mon, 18 Apr 2022 20:41:55 -0400

Beanstalk DAO is a DeFi lender running on the Ethereum blockchain. It was raided just before 12:30 UTC on Sunday 17 April for 24,830 ETH.

Smart contracts are famously prone to hacks. But this wasn't a hack at all — this was a corporate raid. Even the project concedes that everything worked according to the rules of the project.

The story of the Beanstalk raid is the end of a long chain of slapdash and incompetent financial engineering, by people who just found out why regulations evolved. […]

The aftermath

Beanstalk is probably screwed, and BEAN's dollar peg has been broken utterly.

The Beanstalk project has gone to exchanges asking them to block the ether from the transaction—and even to the FBI. The project's anonymous founder, Publius, did not clarify to CoinTelegraph under just what law the FBI would have recourse to help them. [CoinTelegraph]

This was an outrageous shenanigan. But it's not clear that it was any more illegal than the securities law violations that Beanstalk was already committing. The raider completely obeyed the project's rules.

Publius [Beanstalk founders] said on the project Discord: “It's unfortunate that the same governance procedure that put beanstalk in a position to succeed was ultimately its undoing.”

Re: recent NYT slips on tech coverage

Prashanth Mundkur <>
Tue, 19 Apr 2022 14:05:50 -0400

Some correctives to recent NYT tech coverage:

  1. The (Edited) Latecomer's Guide to Crypto by Molly White et al., March 25, 2022.

    On March 20, 2022, the New York Times published a 14,000-word puff piece on cryptocurrencies, both online and as an entire section of the Sunday print edition. Though its author, Kevin Roose, wrote that it aimed to be a “sober, dispassionate explanation of what crypto actually is”, it was a thinly-veiled advertisement for cryptocurrency that appeared to have received little in the way of fact-checking or critical editorial scrutiny. It uncritically repeated many questionable or entirely fallacious arguments from cryptocurrency advocates, and it appears that no experts on the topic were consulted, or even anyone with a less-than-rosy view on crypto. This is grossly irresponsible.

    Here, a group of around fifteen cryptocurrency researchers and critics have done what The New York Times apparently won't.

  2. On NYT Magazine on AI: Resist the Urge to be Impressed by Emily M. Bender, April 17, 2022

    On April 15, 2022, Steven Johnson published a piece in the New York Times Magazine entitled AI Is Mastering Language. Should We Trust What It Says? I knew this piece was coming, because I had been interviewed for it, over email, a couple of weeks ago. I read it with some trepidation, because I had the sense that Johnson's question and goals going into the article did not maintain sufficient skepticism of the claims of AI boosters. At the same time, I was also fairly confident my words weren't going to be taken out of context because I'd been contacted by a fact checker who was verifying the quotes they intended to use. On reading the article, my expectations were met on both counts. Ordinarily, when I encounter AI hype in media coverage of research/products that claim to be AI, I get inspired to write tweet threads aiming to educate folks on how to spot and thus resist such hype. (Here's a recent example.) Johnson's article is ~10k words long, though, and so I've decided to try to do the same in blog form, rather than as a tweet thread.

Re: The Uncanny Future of Romance With Robots Is Already Here (RISKS-33.15)

Rob Slade <>
Mon, 18 Apr 2022 19:13:25 -0700
> Some people wanted to build a replica of themselves, …

As a grieving widower, I am more than a little freaked out by the implications of this. Being able to build a “perfect” friend is one level of self delusion. But the bereaved are already in danger from inappropriate relationships. The bereaved suffer extreme and desperate loneliness, not just from the loss of a loved one, but from social isolation, because most of their friends and family do not understand the depth of real grief. Couple that with the existing tendency to “converse” with the dead loved one (which can be healthy at some point in the grieving process, but can become an obsession), and the temptation to recreate a “Markov chain” replica (Replika?) can create a really (psychologically) dangerous situation.

(I've got a whole bunch of Gloria's email messages, going back possibly thirty years. Should I try it out? Would the “uncanny valley” freak me out? Would I become obsessed if it was too good?)

Re: The Uncanny Future of Romance With Robots Is Already Here (RISKS-33.15)

Craig Cottingham <>
Tue, 19 Apr 2022 09:57:24 -0500

This is more-or-less the plot of the Black Mirror episode Be Right Back

Art may imitate life, but life also imitates art.

Re: What Can Hackers Do With Stolen Source Code? (RISKS-33.15)

“Bernie Cosell” <>
Mon, 18 Apr 2022 19:25:18 -0400

Considering that MS patches scores of bugs, many of them serious, it isn't so difficult to suspect that some group getting the source code could, perhaps, find next month's bugs and the month after that's bugs and … before MS does.

Re: Subject: Hackers Steal About $600 Million in One of the Biggest Crypto (RISKS-33.15)

Kevin Kostolo <>
Tue, 19 Apr 2022 10:35:01 -0500
> [Incidentally, I received a copy of the full text from Gabe Goldberg, but
> for some reason it came in as rampant gibberish, so I decided not to try
> to unscramble the rest of it after what I hav added here.  PGN]

I read elsewhere there was an msn version of the link floated about with the same gibberish.

Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green (JW)

Jan Wolitzky <>

A racing car driver, Eugene,
Had the swiftest machine on the scene.
  Nearly faster than light,
  With no cops in sight,
He'd blue-shift the red lights to green.

Please report problems with the web pages to the maintainer