The RISKS Digest
Volume 33 Issue 20

Friday, 13th May 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Oops! Looks like your Mirror isn't connected to a network
geoff goodfellow
Companies envision taxis flying above jammed traffic
Global cost of cybercrime topped $6 trillion in 2021
As Cryptocurrencies Melt Down, $300 Billion Evaporaites in Days
Crypto's Audacious Algorithmic Stablecoin Experiment Crumbles
Decade-Old Bugs Discovered in Avast, AVG Antivirus Software
Charlie Osborne
Costa Rica Declares Emergency in Ongoing Cyberattack
Why Twitter May Be Doomed
Lauren Weinstein
Facebook is trying to capitalize on my grief
Rob Slade
EU plans to require backdoor to encrypted messages for child protection
Cellphones have no real off switch
Peter Gutmann
ICE 'now operates as a domestic surveillance agency,' think tank says
ACM, Ethics, and Corporate Behavior
Moshe Vardi CACM March 2022
Did bad interface design lead to the sinking of the Moskva?
Paul Robinson
Re: Bitcoin Is Unlikely to Go Green
John Levine
Re: Squirrels
Elinor Mills
Re: FBI Told Israel It Wanted Pegasus Hacking Tool for Investigations
Jan Wolitzky
Info on RISKS (comp.risks)

Oops! Looks like your Mirror isn't connected to a network

geoff goodfellow <>
Thu, 12 May 2022 18:04:21 -1000

  [That won't work in Red Rock Canyon Park (RISKS-30.72) and many other
  places with no wireless.  PGN]

Companies envision taxis flying above jammed traffic (

Richard Stein <>
Tue, 10 May 2022 16:33:53 +0800

Without or without pilots? Droned if you or droned if you don't!

Global cost of cybercrime topped $6 trillion in 2021 (

Richard Stein <>
Wed, 11 May 2022 09:57:38 +0800

The world's economy, per GDP estimates, is estimated @ US$ ~104T per (retrieved on 11MAY2022).

The essay cites a deficit of ~200K cyber-security professionals, in Europe
specifically, as a possible remedy to reduce grift and cut the skim.
Investing in people, training, and infrastructure is proactive and usually,
with supportive leadership, effective.

The outrage expressed by corporate lobbyists' to recently proposed SEC
regulations (see
indicates that disclosing corporate CxO cyber-skillsets for the investing
public to assess might accelerate essential investments to tame the
cybertheft wildfire.

See "Industry Report" in
(retrieved on 11MAY2022) for a discussion.

As Cryptocurrencies Melt Down, $300 Billion Evaporaites in Days

Peter Neumann <>
Fri, 13 May 2022 15:02:13 PDT
David Yaffe-Bellany, Erin Griffith, and Ephrat Livni
*The New York Times*, 13 May 2022, National Edition front page + A20

Bitcoin fell as low as $26,000, down 60% from its November 2021 peak, and
down 20% in just the past five days.  Just a few months ago, blockchain
proponents were predicting the price would rise as high as $100,000 this

"Stablecoin" TerraUSD imploded to a low of $0.23 (not backed by cash,
and depending on Luna, which lost almost its entire value).

Treasury's leader suggested a *regulatory framework* is needed.

  [See also:
  Cryptocurrencies Melt Down in a 'Perfect Storm' of Fear and Panic

Crypto's Audacious Algorithmic Stablecoin Experiment Crumbles (Bloomberg)

ACM TechNews <>
Wed, 11 May 2022 12:03:17 -0400 (EDT)
Stacy-Marie Ishmael, Bloomberg, 10 May 2022, via ACM TechNews, 11 May 2022

The algorithmic stablecoin cryptocurrency does not provide greater stability
than other cryptocurrencies. Conventional stablecoin issuers say their
tokens are underpinned by "real" assets like cash or highly rated bonds, and
can theoretically maintain stability because they can be readily swapped for
cash or highly liquid cash equivalents. Algorithmic stablecoins try holding
their value through a mix of instructions encoded in algorithms and active
treasury management. The failure of such cryptoassets' price stability
mechanisms could carry systemic ramifications for other coins and protocols,
as CoinMarketCap counts roughly 18.5 billion TerraUSD stablecoins in
circulation. Said Kyle Samani at the Multicoin Capital investment firm, "The
biggest losers from all of this will be retail [investors] that didn't
understand the risks they were taking."

Decade-Old Bugs Discovered in Avast, AVG Antivirus Software (Charlie Osborne)

ACM TechNews <>
Mon, 9 May 2022 12:08:31 -0400 (EDT)
Charlie Osborne, ZDNet, 5 May 2022, via ACM TechNews, 9 May 2022

Researchers at cybersecurity software company SentinelOne reported two
high-severity bugs in Avast and AVG antivirus products that have gone
undetected for a decade. The researchers said the flaws have existed since
2012, and could have affected "dozens of millions of users worldwide." They
found the bugs in the Avast Anti Rootkit driver, and the first vulnerability
resided in a socket connection handler used by the kernel driver
aswArPot.sys; hackers could hijack a variable during routine operations to
escalate privileges, potentially disable security solutions, or meddle with
target operating systems. The researchers described the second bug as "very
similar" to the first, and rooted in the aswArPot+0xc4a3 function. Sentinel
Labs on Dec. 20 informed Avast of the vulnerabilities, and the company had
patched them by Feb. 11, with no active exploitation in the wild indicated.

Costa Rica Declares Emergency in Ongoing Cyberattack (ABC)

ACM TechNews <>
Fri, 13 May 2022 12:20:02 -0400 (EDT)
Javier Cordoba, ABC News, 12 May 2022 via ACM TechNews; 13 May 2022

Costa Rica has declared a state of emergency after enduring a month of
ransomware attacks that have hobbled critical systems. The siege began last
month when Costa Rica's Finance Ministry reported that its tax collection,
customs, and other systems were affected; the hackers also targeted the
nation's social security agency human resources system and its Labor
Ministry. The Russian-speaking Conti gang took credit for the attack. Costa
Rica's emergency declaration describes the perpetrators as "cybercriminals"
and "cyberterrorists." The U.S. State Department said the gang has
orchestrated hundreds of ransomware attacks over the past two years,
collectively targeting more than 1,000 victims and extorting them for more
than $150 million as of January 2022.  '

Why Twitter May Be Doomed

Lauren Weinstein <>
Mon, 9 May 2022 14:56:01 -0700
If a Musk "new regime" ruling @Twitter permits all speech that "is legal" --
Twitter is doomed. Because the parade of legal (in the U.S.)  hate speech
that will flood the platform will drive away most advertisers, brands, and
support services that Twitter needs to operate.

Facebook is trying to capitalize on my grief

"Rob Slade, greatgrandpa and widower" <>
Fri, 13 May 2022 05:49:22 -0700
So, I posted what I thought was a bit of a joke (albeit maybe a dark one)
about being pathetically lonely following bereavement.

And posted it various places, including Facebook.

Facebook has decided that either I am trying to raise money, or that I need
to raise money.  (Facebook, being obsessed with money?  I think I'll have a
heart attack and die from **NOT** being surprised.)  Facebook has somehow
flagged my post with a suggestion that I ask my "community" for "support,"
that is, money.  They even include a link to a page that will help you
create "a fundraiser on Facebook in a few quick steps."  (The page opens
with a grid of 15 options for different categories of fundraisers, including

I mean, I understand that you have zero privacy on Facebook.  I understand
that Facebook considers everything you post there to be Facebook's property.
I understand that they have programs that automatically read, categorize,
and harvest everything you post.  But, somehow, this seems more than vaguely
creepy.  I assume that Facebook is, somehow, going to monetize (for
themselves) any funding that anyone does raise using Facebook.  (I don't
know those business models, but I assume that, at the very least, any money
they raise for **anyone** helps them sell themselves as a fundraising
vehicle to major charities.)  But flagging (I assume) the word "bereaved"
and then tying it to a pitch to raise money just seems a bit beyond the
pale.  Facebook is trying to capitalize on my (and others') grief.

EU plans to require backdoor to encrypted messages for child protection (Apple)

Lauren Weinstein <>
Wed, 11 May 2022 07:53:40 -0700

Cellphones have no real off switch

Peter Gutmann <>
Fri, 13 May 2022 10:24:39 +0000
  [This is an old topic in RISKS—devices that are never off.  PGN]

WiSec has an upcoming paper on this for the specific case of iPhones:

The full paper is available via the parallel-publication mechanism on arXiv:

ICE 'now operates as a domestic surveillance agency,' think tank says (Engadget)

Dewayne Hendricks <>
May 11, 2022 at 18:53:10 GMT+9
  [Note:  This item comes from friend David Rosenthal.  DLH]

ICE 'now operates as a domestic surveillance agency,' think tank says A
study by the Center on Privacy and Technology found that ICE uses data
brokers to avoid restrictions.

By K. Holt, Engadget, 10 Nay 2022

Although it's supposed to be restricted by surveillance rules at local,
state and federal levels, Immigration and Customs Enforcement (ICE) has
built up a mass surveillance system that includes details on almost all US
residents, according to a report from a major think tank. Researchers from
Georgetown Law's Center on Privacy and Technology said ICE "now operates as
a domestic surveillance agency" and that it was able to bypass regulations
in part by purchasing databases from private companies.

"Since its founding in 2003, ICE has not only been building its own capacity
to use surveillance to carry out deportations but has also played a key role
in the federal government's larger push to amass as much information
as possible about all of our lives," the report's authors state. "By
reaching into the digital records of state and local governments and buying
databases with billions of data points from private companies, ICE has
created a surveillance infrastructure that enables it to pull detailed
dossiers on nearly anyone, seemingly at any time."

The researchers spent two years looking into ICE to put together the
extensive report, which is called "American Dragnet: Data-Driven Deportation
in the 21st Century." They obtained information by filing hundreds of
freedom of information requests and scouring more than 100,000 contracts and
procurement records.

The agency is said to be using data from the Department of Motor Vehicles
and utility companies, along with the likes of call records, child welfare
records, phone location data, healthcare records and social media posts. ICE
is now said to hold driver's license data for 74 percent of adults and can
track the movement of cars in cities that are home to 70 percent of the
adult population in the US.

The study shows that ICE, which falls under the Department of Homeland
Security, has already used facial recognition technology to search through
driver's license photos of a third of adults in the US. In 2020, the agency
signed a deal with Clearview AI to use that company's controversial
technology. In addition, the report states that when 74 percent of adults
hook up gas, electricity, phone or Internet utilities in a new residence,
ICE was able to automatically find out their updated address.

The authors wrote that ICE is able to carry out these actions in secret and
without warrants. Along with the data it acquired from other government
departments, utilities, private companies and third-party data brokers, "the
power of algorithmic tools for sorting, matching, searching and analysis has
dramatically expanded the scope and regularity of ICE surveillance," the
report states.

Spending transactions reviewed by the researchers showed that, between 2008
and last year, ICE spent around $2.8 billion on "new surveillance, data
collection and data-sharing initiatives." It spent approximately $569
million on data analysis, including $186.6 million in contracts with
Palantir Technologies to help it make sense of its vast troves of
data. Records showed that ICE also spent more than $1.3 billion on
geolocation tech during that timeframe and $389 million on telecom
interception, which includes tech that helps the agency track someone's
phone calls, emails, social media activity and real-time Internet use.

In addition, the findings suggest the agency started engaging in certain
surveillance activities much earlier than previously believed. The
researchers found a contract from 2008 that granted ICE access to the Rhode
Island motor vehicle department's facial recognition database. Prior to
that, it was understood that ICE started conducting facial recognition
search es on state and local data sets in 2013.

ACM, Ethics, and Corporate Behavior (Moshe Vardi, CACM March 2022)

"Diego.Latella" <>
Tue, 10 May 2022 09:26:40 +0200
A *great* note by Moshe Vardi.  Sorry for late dissemination:

ACM, Ethics, and Corporate Behavior

Did bad interface design lead to the sinking of the Moskva?

"Paul Robinson" <>
Sun, 8 May 2022 11:45:17 +0000 (UTC)
 "Bad design can kill: Missile defense and user fatigue"

Russian Cruiser Moskva was sank by the Ukrainian Army. This was a
significant win for Ukraine, because the Moskva was the Flagship of the
Russian Navy, and its sinking is an irreplaceable loss, since Russia can't
build ships due to various problems in its shipyards, as well as sanctions.

Now, of course, most of us reading this are glad this happened, but what
does it have to do with Risks? I'm glad you asked. Here's why.

There is a significant weakness in Russian defense systems, and it may be
the reason or a significant reason why the Moskva failed to defend itself
against incoming missiles: he user interface of the operator consoles, and
operator fatigue. There are some who say the reason the Moskva was sunk was
due to holes in radar coverage (like thinking ship's radar only provides 180
degrees of coverage), and thus the ship was blind to the  approaching
missiles. This opinion is a misunderstanding how ship's radar works.
Instead, it is argued the problem was because the radar operators missed
seeing the missiles, and might actually not have been paying attention.
Russian military doctrine generally makes soldiers follow the exact plan and
not to deviate. This does not promote innovative or "out of the box"
thinking. But, however, life has a nasty habit of making plans ineffective
or useless.

Russian ships tend to be heavily dependent on manual operation. Data from
tracking systems is subject to human interpretation, and data in one system
has to be transferred by hand. Russian navigation radar tends to be of the
classic concentric circles, with refresh caused by a rotating line circling
around the radius of the display, technology that was state of the art --
back in the 1980s. Now, it is not that old stuff doesn't work, it is capable
of very good performance. The problem is, it's labor-intensive. To be
effective in this environment, crews must be of high quality and
performance, in order for these manual systems to work.

which then moves to the elephant in the room: operator fatigue. Now, in
exercises and otherpractice drills, people are often very alert because
the exercises are timed and the crew know something is going to happen. On
real-world missions, the assumption is that there won't be any events. So
imagine a sailor in the combat information center in a Russian warship is
watching a green, circular "rotating cursor" radar display, for hours on
end. Modern radar displays provide much more information, in ways that
aren't effectively hypnotic. The average person—or even the average sailor
-- probably could not stare at that display for 30 solid minutes and
maintain focus.

Now, consider that sailor is staring at that screen, eight hours a day for
seven weeks, and nothing happened. I think it is very likely that it would
be difficult to maintain focus. So operator fatigue sets in. Consider that,
with incoming missiles, the operator has about two minutes from first
appearance of a dot on the radar until the missile hits. This demands
immediate action to engage the missile, not enough time to call battle
stations or their commanding officer for orders.

So, after weeks of intense boredom, the operator might be distracted, half
asleep, or smoking. The operator might not have seen the missile for maybe a
minute, or never saw it at all, and even if the alarm was sounded, there is
now not enough time to stop the missile from striking the ship. In short,
only a well-trained crew and defined procedures to handle the attack could
have saved them.

So, this is one example of the potential risk of badly designed operator

Re: Bitcoin Is Unlikely to Go Green (RISKS-33.18)

"John Levine" <>
8 May 2022 18:42:57 -0400
> The most illuminating aspect of Proof of Stake is that it shows that many
> blockchain technologists/boosters are entirely innocent of any knowledge
> of business, or, at least, the history of business failures and frauds.

Considering that they equally don't know economic history, such as why every
country abandoned the gold standard, why deflation makes countries
miserable, and why hyperinflation was always a political decision, it's not

Re: Squirrels

Peter G Neumann <neumann@CSL.SRI.COM>
Mon, 9 May 2022 06:52:03 -0700
  [Thanks to Elinor Mills.  PGN]

Free *Washington Post* article:
Kicking off Squirrel Week 2022 with some squirrels in the news

"Meanwhile, in early March, the power went out in 4,000 homes in three New
Orleans neighborhoods. A squirrel got the blame.

We look out here and we can see the squirrels, Jim Bulling told WWL-TV
squirrels commuting along the power lines."
Bulling lives across the street from a substation and every morning watches...

Re: FBI Told Israel It Wanted Pegasus Hacking Tool for Investigations (NYTimes)

Jan Wolitzky <>
Fri, 13 May 2022 05:20:08 -0400
  [See RISKS-33.02,03,05,06 for earlier items on this.  PGN]

WASHINGTON—The FBI informed the Israeli government in a 2018 letter that
it had purchased Pegasus, the notorious hacking tool, to collect data from
mobile phones to aid ongoing investigations, the clearest documentary
evidence to date that the bureau weighed using the spyware as a tool of law

The FBI's description of its intended use of Pegasus came in a letter from a
top FBI official to Israel's Ministry of Defense that was reviewed by *The
New York Times(. Pegasus is produced by an Israeli firm, NSO Group, which
needs to gain approval from the Israeli government before it can sell the
hacking tool to a foreign government.

Please report problems with the web pages to the maintainer