The RISKS Digest
Volume 33 Issue 39

Tuesday, 16th August 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia
Meta finds new way of tracking users across websites
The Guardian
Amazon, Oracle shrug off lawmaker fears of abortion data sales
Zoom's Auto-Update Feature Came With Hidden Risks on Mac
A Single Flaw Broke Every Layer of Security in MacOS
Michigan plot to breach voting machines points to a national pattern
On TikTok, Election Misinformation Thrives Ahead of Midterms
How Frustration Over TikTok Has Mounted in Washington
A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave
Workplace Productivity: Are You Being Tracked?
How thieves are using cell phones to see what's inside your car
The Hacker News
Sloppy Software Patches Are a Disturbing Trend
Sloppy Use of Machine Learning Is Causing a Reproducibility Crisis in Science
You can lose health data de-centrally as well
Debora Weber-Wulff
Buying real estate in the metaverse is 'dumbest' idea ever
Mark Cuban
What do ordinary computer users NOT care about? Breaking up Big Tech
Lauren Weinstein
It's Potentially Illegal: As Crypto Crashed, Coinbase Stopped Some Notifications
Mother Jones
It Might Be Our Data, But It's Not Our Breach
Krebs on Security
How Russia Took Over Ukraine's Internet in Occupied Territories
Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways
The Danger of Posting Selfies
Quote of The Day
Edward Snowden
Bruce Schneier PGN excerpted
Re: "Dr. Birx ADMITS She 'Knew' COVID...
Steve Lamont
Re: Tesla faces new probes into motorbike deaths, false advertising
Steve Bacher
Re: What about Signal or Whatsapp, etc. vs. voice callsignal or Whatsapp, etc. vs. voice calls privacy/security?
John Levine
Re: Tech giants, including Meta, Google, and Amazon, want to put an end to leap-seconds
Arthur T.
Re: Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users
via geoff goodfellow
Re: Rainwater everywhere on Earth unsafe to drink due to *forever chemicals*, study finds
Craig S. Cottingham
Re; Doug Jones's review
Mark Brader
Info on RISKS (comp.risks)

'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia (Deadline)

geoff goodfellow <>
Fri, 12 Aug 2022 18:01:02 -0700
*Amazon's newest effort to normalize its surveillance network will feature
footage from Ring surveillance cameras and commentary from comedian Wanda

Amazon's propaganda campaign to normalize surveillance is about to hit a
higher gear: Wanda Sykes is going to host a new show featuring videos taken
from Ring surveillance cameras, Deadline reported
on Thursday. It will be called *Ring Nation*.

The show is being produced by MGM Television, which is owned by Amazon, and
Big Fish Entertainment, which ran another dystopian reality show: a piece of
copaganda called *Live PD* which centered on commentary of police footage.

According to Deadline, the show will feature lighthearted viral content
captured on Ring cameras, such as "neighbors saving neighbors, marriage
proposals, military reunions and silly animals." These types of videos
frequently go viral online, but hardly represent the reality of what Ring is
used for. Besides home surveillance, Ring is a source of surveillance video
for police departments in the U.S. and abroad.

Amazon has done a lot of work to turn the U.S. into a Ring nation
off-camera. Ring's surveillance cameras and surveillance network have been
aggressively rolled out by Amazon mainly by cultivating fear in suburbs
<> about crime, and by entering partnerships with police departments
<> to give them unfettered access
<> to surveillance footage
<>.  Last year, advocacy
groups pushed for Amazon's Ring to be banned entirely
<> by the Federal Trade Commission over concerns
its facial surveillance technology could fuel criminalization of Black and
brown people in public spaces.  [...]

Meta finds new way of tracking users across websites (The Guardian)

paul cornish <>
Sat, 13 Aug 2022 07:57:22 +0100
Following Apple's introduction of blocks that stopped Facebook from tracking
users activity across many websites it looks like Meta has developed a
Facebook Mobile Browser to do just that.

Clicking a hyperlink in Facebook does NOT open your preferred browser but a
browser from Facebook.  They also modify the websites pages by inserting
code (surely a copyright issue?!) that enables the tracking.

From that browsers Settings menu it appears Facebook are recording data used
to complete any forms and also payment details.

As a user our response is to turn off the saving of data and to remember to
click the bottom right on the Facebook browser window and select Open in

Amazon, Oracle shrug off lawmaker fears of abortion data sales (

Richard Marlon Stein <>
Sun, 14 Aug 2022 22:37:48 +0000

'While all the companies detailed ways they keep data anonymized, "similar
practices and policies at a number of brokers have already proven
insufficient, even before the overturning of Roe raised the stakes for tens
of millions of women," Trahan said Friday in a statement to Bloomberg.'

Does business calculate brand outrage risk arising from data breach? Yes,
but they repeatedly trivialize financial fallout as a cost of doing business
-- an operating expense passed along to the consumers via shrink-flation
product prices traced to rising cyber-incident insurance premiums.

If breach penalties imposed minimum mandatory jail time for the CxOs and
boards of directors, one would expect businesses to adopt risk mitigation
measures with greater sincerity and purpose.

While there's no guarantee that criminal penalties can motivate data breach
reduction, attempted compliance with CISA standards and measures can reduce
breach potential.

Alternatively, restricting indemnification from product terms of services --
excluding data breach from indemnification coverage—will remind business
governance that their own personal freedom is as much at risk as the
consumer data they readily exploit for profit.

Zoom's Auto-Update Feature Came With Hidden Risks on Mac (WiReD)

Gabe Goldberg <>
Sat, 13 Aug 2022 16:56:04 -0400
The popular video meeting app makes it easy to keep the software up to
dateâbut it also introduced vulnerabilities.

To exploit any of these flaws, an attacker would need to already have an
initial foothold in a target's device, so you're not in imminent danger of
having your Zoom remotely attacked. But Wardle's findings are an important
reminder to keep updatingâautomatically or not.

A Single Flaw Broke Every Layer of Security in MacOS (WiReD)

Gabe Goldberg <>
Sat, 13 Aug 2022 20:29:54 -0400
Mac exposure—esoteric and not exploited—yet

An injection flaw allowed a researcher to access all files on a Mac.  Apple
issued a fix, but some machines may still be vulnerable.

There is no evidence to date that the vulnerability has been exploited in
the real world. However, the flaw shows how, in some instances, it may be
possible for attackers to move through an entire operating system,
increasingly being able to access more data. In the description for his
talk, Alkemade says that as local security on macOS moves more toward an iOS
model, this highlights that multiple parts of the system need to be

Michigan plot to breach voting machines points to a national pattern (WashPost)

Monty Solomon <>
Mon, 15 Aug 2022 09:14:20 -0400
A state inquiry found evidence of a conspiracy that has echoes elsewhere in
the country.

On TikTok, Election Misinformation Thrives Ahead of Midterms (NYT)

Monty Solomon <>
Sun, 14 Aug 2022 11:28:58 -0400
On TikTok, Election Misinformation Thrives Ahead of Midterms

The fast-growing platformâs poor track record during recent voting abroad
does not bode well for elections in the U.S., researchers said.

How Frustration Over TikTok Has Mounted in Washington (NYTimes)

Monty Solomon <>
Sun, 14 Aug 2022 10:54:42 -0400
National security concerns over the Chinese-owned viral video app remain
unresolved. Lawmakers and regulators are increasingly pushing for action.

A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave (WiReD)

Gabe Goldberg <>
Tue, 16 Aug 2022 00:45:02 -0400
A hacker has formulated an exploit that provides root access to two popular
models of the companyâs farm equipment.

John Deere did not respond to WIRED's request for comment about the

Workplace Productivity: Are You Being Tracked? (NYTimes) The Rise of the Worker Productivity Score

Monty Solomon <>
Mon, 15 Aug 2022 22:58:23 -0400
Across industries and incomes, more employees are being tracked, recorded
and ranked. What is gained, companies say, is efficiency and
accountability. What is lost?

How thieves are using cell phones to see what's inside your car (The Hacker News)

geoff goodfellow <>
Sun, 14 Aug 2022 15:45:38 -0700
Another reason not to leave personal belongings inside your vehicle.
Memphis police say car thieves are using their cell phone cameras to look
through tinted windows.

During a crime forum in the Cooper-Young neighborhood
Crump station officers said it was a new tool being used by the bad guys
looking for items to steal.

They told the group it doesn't matter how dark the tint is on your windows;
when you put a cell phone in camera mode up to the windows, you can see
right through them.

We put a cell up to a back window; sure enough, you could see everything in
the backseat. [...]

Sloppy Software Patches Are a Disturbing Trend (WiReD)

Gabe Goldberg <>
Sun, 14 Aug 2022 21:13:07 -0400
The Zero Day Initiative has found a concerning uptick in security updates
that fail to fix vulnerabilities.

ZDI researchers say that bad patches happen for a variety of reasons.
Figuring out how to fix software flaws can be a nuanced and delicate
process, and sometimes companies lack the expertise or haven't made the
investment to generate elegant solutions to these important problems.
Organizations may be rushing to close bug reports and clear their slate and
may not take the time needed to conduct "root cause" or "variant" analysis
and assess underlying issues so deeper problems can be comprehensively

Sloppy Use of Machine Learning Is Causing a Reproducibility Crisis in Science (WiReD)

Gabe Goldberg <>
Mon, 15 Aug 2022 16:05:58 -0400
As Will Knight reports, when the Princeton researchers looked more closely,
they realized the original researchers failed to properly separate the pools
of data used to train and test their codeâs performance.  The mistake,
termed “data leakage, results in a system after being provided the
answers. When the Princeton researchers fixed those errors, they found that
modern AI offered virtually no advantage over more conventional statistical
methods. Further investigation showed that incorrect use of machine learning
in scientific research is a widespread problem.

You can lose health data de-centrally as well

Debora Weber-Wulff <>
Sat, 13 Aug 2022 23:04:33 +0200
A little story from Germany:

The German security research group "Zerforschung" (literally breaking
something with research, a made-up word) published an account in German on
August 11, 2022 of how they in just one night session managed to pull over a
million health files from the de-central health provider management system,
"InSuite" from DocCirrus (in German):

I will try and summarize the gory details in English here:

One of the group got irritated at their doctor who refused to send them
results of blood work by email. It had to be sent to them by way of this
portal. This person couldn't sleep and was chatting with another person from
the group who was up late. They thought the site looked a bit fishy, so they
fired up their browser development tools.

First thing they saw was Google Maps being loaded with every page.  And the
payloads that were being returned were JSON with minified JaveScript code.

And there it was, the SMTP access data for that person's doctor's office, in
the minified code. They hoped this would be for an extra, external mailbox
so that they could only send emails as the office, but not read them. They
were wrong. They were able to access the entire email correspondence of the
doctor's office.

Where there is smoke, there is fire.

The key point of this product is that the data is stored de-centrally in
each office in a "data safe". But: the patients log on to a central server
and see all the doctor's offices they are registered for. It turns out that
the list of document IDs and their links are end-to-end encrypted. But the
files themselves are not.

Just for giggles they tried out requesting information via API endpoint
without putting in the name of the receiver of the information. They
expected an error message. Instead they were given the information,

They started tinkering with URL paths. Instead of
they tried
And were given a list of all the documents the doctor's office had stored
about the first person, the one who kicked this off.  All sick notes,
prescriptions, diagnoses, consultations with other doctors, everything.

So they thought: Hmm. What else does a doctor's office have?
Right, patients! So they tried

And were rewarded with a long list of over a thousand records of patient
data from this doctor's office. With name, address, birth date, insurance,
telephone number, email-address, medicine. ...

There was more, of course. Ah, an Audit-Log was also there. Fine, then at
least someone could see what was happening - except the requests from the
evening had not been logged to the audit file.

They wondered if they could get data from other doctor's offices by guessing
the office number. Since this was only a 4-digit number, they ran a small
brute force program. Then they found a list on the central server with all
the valid numbers.

They didn't download all the data, just requested the number of patients for
all of the offices. Then they wrote up a report and early in the morning
followed the protocol: sent the report to the company, the Berlin data
privacy office, the national CERT and the federal information security

They were amazed that the company reacted quickly: They just turned off the
system. Nationwide. Which was, indeed, necessary. However, it appears that
the legal obligation to inform all of the patients that their data had been
potentially compromised was not fulfilled.  One friend saw on their doctor's
web page that there was a notice that the document server system was getting
an "security update" so that ePrescriptions can be written [that is a
disaster story for another day].

The company did put out a little press notice:
two weeks after they were informed of the security issues. The site was
offline for almost a month, now the company says that all the issues have
been dealt with.

The publication about the security issues was put online another 2 weeks
after the site was back online.

German media have reported on this:

(probably both only available in German)

They have formulated three demands:

1. All the patients need to be informed that their data was out in the clear.

2. The data privacy office should fine the company. According to the
   European GDPR, this could be up to 20 million Euros.

3. Software producers need to take data security and IT security
   seriously. If their product is storing personal data, it must be able to
   keep this data private.

I would perhaps add: they need to learn cryptography, too. Minification is
not encryption. And end-to-end encryption must be done right!

Buying real estate in the metaverse is 'dumbest' idea ever (Mark Cuban)

Gabe Goldberg <>
Wed, 10 Aug 2022 17:24:23 -0400
In some cases, virtual real estate went for as much as a physical house.
Republic Realm, an investment firm that owns and develops virtual real
estate, dropped a massive $4.3 million on a digital property located within
The Sandbox, one of the largest metaverse platforms, according to the Wall
Street Journal.

A virtual plot next to Snoop Dogg's digital mansion within The Sandbox was
purchased for $450,000 by an NFT collector who goes by the name "P-Ape" in

However, the virtual housing bubble may have popped.

"investment firm that owns and develops virtual real estate"—what can you
say to that? Oh: That word ("investment") does not mean what you think it

What do ordinary computer users NOT care about? Breaking up Big Tech

Lauren Weinstein <>
Tue, 16 Aug 2022 13:34:04 -0700
When I talk with ordinary computer users (not activists), they never
bring up an interest in "breaking up" Big Tech. They just say devices
are too confusing, there's too much malware and security concerns, and
so on. All things breaking up Big Tech would make worse. -L

  [Congresscritters are clearly not "ordinary computer users".  PGN]

It's Potentially Illegal: As Crypto Crashed, Coinbase Stopped Some Notifications (Mother Jones)

Gabe Goldberg <>
Wed, 10 Aug 2022 18:53:41 -0400
The exchange's emailed price alerts ended right when customers may have
needed them the most.

Coinbase's decision to stop email notifications in the middle of a dramatic
cryptocurrency crash has not been previously reported. But academics who
spoke to Mother Jones note that Coinbase’s decision likely contributed to
losses for retail crypto investors who may otherwise have sold their
holdings ahead of further devaluation. The change to price updates could run
afoul of federal or state consumer protection laws, they said, particularly
if it hurt the wallets of any of the relatively inexperienced traders who
flocked to crypto in droves during the pandemic

If Coinbase didn't promise updates, are they on the hook for stopping them?
A while ago I bought a pittance of Bitcoin/Eth and have occasionally checked
their value. I don't expect Coinbase to notify me of changes—that would
be annoying—any more than I expect a broker to do that. Are cryptoheads
such snowflakes as to need hand-holding?

It Might Be Our Data, But It's Not Our Breach (Krebs on Security)

Monty Solomon <>
Sat, 13 Aug 2022 00:08:52 -0400

How Russia Took Over Ukraine's Internet in Occupied Territories (The New York Times)

Gabe Goldberg <>
Tue, 16 Aug 2022 14:59:51 -0400
Internet traffic in Kherson is being diverted through Russia. Internet
routing data for a service provider in Kherson shows traffic beginning to
flow through Russian networks in May before fully transitioning by early

"Several weeks after taking over Ukraine’' southern port city of Kherson,
Russian soldiers arrived at the offices of local Internet service providers
and ordered them to give up control of their networks.  They came to them
and put guns to their head and just said, 'Do this,'" said Maxim Smelyanets,
who owns an Internet provider that operates in the area and is based in
Kyiv. "They did that step by step for each company."

Russian authorities then rerouted mobile and Internet data from Kherson
through Russian networks, government and industry officials said. They
blocked access to Facebook, Instagram and Twitter, as well as to Ukrainian
news websites and other sources of independent information.  Then they shut
off Ukrainian cellular networks, forcing Kherson's residents to use Russian
mobile service providers instead.

Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways (PCMag)

Gabe Goldberg <>
Sun, 14 Aug 2022 23:57:23 -0400
A Black Hat talk unpacks how blockchain-based projects can break so easily
and inflict such catastrophic damage.

LAS VEGAS: o-called Web3 ventures have suffered enough meltdowns to keep an
entire site ("Web3 is going just great") busy chronicling them in multiple
posts per day. But what has made this category of sites providing
cryptocurrency and other services based on blockchain technology seem so

A briefing at the Black Hat information-security conference here outlined
common aspects to recent high-profile Web3 hacks that have resulted in the
theft of hundreds of millions of dollars' worth of cryptocurrencies. The
single biggest factor: how quickly an attacker can turn a vulnerability into

"Simple mistakes can have immediate and devastating consequences," said
Nathan Hamiel, senior director of research at Kudelski Security(Opens in a
new window). "Gone In 60 Seconds isn't just a terrible Nicolas Cage movie,
it's also what happens to all your money."

...and the counting's just begun.

The Danger of Posting Selfies (NowIKnow)

Gabe Goldberg <>
Sun, 14 Aug 2022 20:28:24 -0400
In September of 2019, a 20-year-old Japanese pop singer (whose name I'm
omitting because almost all of the press reports similarly kept her
anonymous) was attacked outside her apartment. Her attacker was a stalker
named Hibiki Sato â a self-described fan whose obsession with the singer
took a very violent turn. Physically, she was okay after a short recovery
period; mentally and emotionally, it's difficult to tell how she managed to
move forward.

Unfortunately, many famous people have similar fears. Stalkers, particularly
in a world where you're expected to share the details of your lives
publicly, are a constant threat. Many celebrities take common-sense
precautions as a result, such as hiding their home address as much as
possible. That means not taking selfies in or near your home, and if you do,
never showing any notable landmarks that a would-be attacker can use to
sleuth out your location. By all accounts, the Sato's victim had taken all
of these precautions, though. He, however, had seen this not as a barrier,
but as a challenge. All he needed to do was stare into his victim's eyes.

According to Japan Today, "Sato said he'd been able to determine where his
target lived by looking at selfies she'd posted on social media,
specifically by looking at the reflection in her eyes of the surrounding
scenery in outdoor shot." While those images were tiny and often not quite
in focus, Sato was undeterred. He took whatever limited information he could
glean from her eyes and cross-referenced it with images from Google Street
View. At some point, the singer's eyes reflected an image of a railway stop
and Sato was able to find that location; from there, he was able to
increasingly narrow the radius around her apartment. Per CBS News, he "also
told police he studied seemingly innocuous details in videos the woman shot
in her apartment, such as curtain placement and the direction of natural
light entering the window, to figure out which building she lived in."
Ultimately, he had enough information to make a 30 km (18 miles) trip from
his home to where he correctly deduced she lived. Then, he just lay in wait
for her to return home, and finally, he attacked.

Quote of The Day (Edward Snowden)

geoff goodfellow <>
Mon, 15 Aug 2022 08:54:52 -0700
*"Look, I'm just going to say it:*

*At a certain point, our corrupt and moribund political culture has no hope
of solving humanity's problems. You either bet on science and technology, or
you bet on extinction."*

CRYPTO-GRAM (where crypto means cryptography, not that other stuff)

Bruce.Schneier <>
Mon, 15 Aug 2022 07:32:46 +0000
Table of Contents from Bruce's latest CRYPTO-GRAM, 15 Aug 2022

  [Your subscribing is recommended, because I cannot pick and choose just
  one or a few!  However, I recommend particularly Bruce's coverage of items
  that have not been covered adequately already in RISKS.  PGN]

  [For back issues of CRYPTO-GRAM, or to subscribe, visit Crypto-Gram's web
    page: <>]

  1. San Francisco Police Want Real-Time Access to Private Surveillance
  2. Facebook Is Now Encrypting Links to Prevent URL Stripping
  3. NSO Group's Pegasus Spyware Used against Thailand Pro-Democracy
     Activists and Leaders
  4. Russia Creates Malware False-Flag App
  5. Critical Vulnerabilities in GPS Trackers
  6. Apple's Lockdown Mode
  7. Securing Open-Source Software
  8. New UEFI Rootkit
  9. Microsoft Zero-Days Sold and Then Used
 10. Ring Gives Videos to Police without a Warrant or User Consent
 11. Surveillance of Your Car
 12. Drone Deliveries into Prisons
 13. SIKE Broken
 14. NIST's Post-Quantum Cryptography Standards
 15. Hacking Starlink
 16. A Taxonomy of Access Control
 17. Twitter Exposes Personal Information for 5.4 Million Accounts
 18. Upcoming Speaking Engagements

Re: "Dr. Birx ADMITS She 'Knew' COVID... (Lamont, RISKS-33.38)

Steve Lamont <>
Sat, 13 Aug 2022 06:25:55 -0700
>     [So who has the definitive data?  Apparently no one?  PGN]

For some reason my posting was truncated, leaving off important
reference material about VAERS and its use and *misuse*.

  About VAERS

  Established in 1990, the Vaccine Adverse Event Reporting System (VAERS) is
  a national early warning system to detect possible safety problems in
  U.S.-licensed vaccines. VAERS is co-managed by the Centers for Disease
  Control and Prevention (CDC) and the U.S. Food and Drug Administration
  (FDA). VAERS accepts and analyzes reports of adverse events (possible side
  effects) after a person has received a vaccination. Anyone can report an
  adverse event to VAERS. Healthcare professionals are required to report
  certain adverse events and vaccine manufacturers are required to report
  all adverse events that come to their attention.

  VAERS is a passive reporting system, meaning it relies on
  individuals to send in reports of their experiences to CDC and
  FDA. VAERS is not designed to determine if a vaccine caused a health
  problem, but is especially useful for detecting unusual or
  unexpected patterns of adverse event reporting that might indicate a
  possible safety problem with a vaccine. This way, VAERS can provide
  CDC and FDA with valuable information that additional work and
  evaluation is necessary to further assess a possible safety concern.

To wit, an inclusion of a report in VAERS does not necessarily
establish a causal relationship. Sometimes coincidences happen.  I can
speak for personal experience on that.

The RISK? Post-hoc, propter-hoc reasoning.

Re: Tesla faces new probes into motorbike deaths, false advertising (RISKS-33.38)

Steve Bacher <>
Sat, 13 Aug 2022 09:17:04 -0700
Someone forgot to include the link:

Re: What about Signal or Whatsapp, etc. vs. voice callsignal or Whatsapp, etc. vs. voice calls privacy/security? (LW, RISKS-33.38)

"John Levine" <>
13 Aug 2022 15:27:44 -0400
Modern phone systems were designed to be tapped, both recording the contents
of calls and, with considerably less protection, pen registers that record
who you called and who called you.  While I believe that judges will apply
the law correctly when asked to authorize a tap, it is already obvious that
in states where abortion is illegal, a whole lot of stuff is illegal and
would authorize a tap.  We have also seen way too many cases where people
skip the process and listen in without authorization.

Signal uses open source software written and maintained by a guy who has a
good reputation in the cryptography and security communities. I think it is
credible when they say your conversations are encrypted in ways they cannot
decode and they don't keep logs. Whatsapp uses the same encryption as Signal
so I think it's a reasonable second choice.

Re: Tech giants, including Meta, Google, and Amazon, want to put an end to leap-seconds (Ross, RISKS-33.38)

"Arthur T." <>
Sun, 14 Aug 2022 15:21:54 -0400
Not everyone writing software has the financial backing of a major
government. Nor do they necessarily have the level of quality control such
funding can yield. If you look in the RISKS archives, you'll find instances
(some fairly recent) of programs not even coding properly for leap *years*.

It is easier to not screw up something simple than something complex. Not
only are leap seconds more complex than not using them, they're
unpredictable and ad hoc.

I am not trying to directly address the complex question of whether leap
seconds should be continued. I am merely trying to explain some of the

Re: Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users (noted in RISKS-33.38 without details)

geoff goodfellow <>
Sat, 13 Aug 2022 21:17:47 -0700
A pair of reports from cybersecurity firms SEKOIA
 and Trend Micro
light on a new campaign undertaken by a Chinese threat actor named Lucky
Mouse that involves leveraging a trojanized version of a cross-platform
messaging app to backdoor systems.

Infection chains leverage a chat application called MiMi, with its
installer files compromised to download and install HyperBro samples for
the Windows operating system and rshell artifacts for Linux and macOS.

As many as 13 different entities located in Taiwan and the Philippines have
been at the receiving end of the attacks, eight of whom have been hit with
rshell. The first victim of rshell was reported in mid-July 2021.

Lucky Mouse, also called APT27
<>, Bronze
Union, Emissary Panda, and Iron Tiger, is known to be active since 2013 and
has a history of gaining access to targeted networks in pursuit of its
political and military intelligence-collection objectives aligned with

The advanced persistent threat actor (APT) is also adept at exfiltrating
high-value information using a wide range of custom implants such as
HyperBro <>,
and PlugX.

The latest development is significant, not least because it marks the
threat actor's introductory attempt at targeting macOS alongside Windows
and Linux. [...]

Re: Rainwater everywhere on Earth unsafe to drink due to *forever chemicals*, study finds (EuroNews, RISKS-33.38)

"Craig S. Cottingham" <>
Mon, 15 Aug 2022 13:26:19 -0500
I’m not disputing the conclusions of the researchers, but I'd really like to
see some numbers before I take back my grain of salt.

* What is the accepted safe level?
* What is the current level (different for different areas, I assume)?
* What is the adjusted level of mortality due to higher levels of these

I've seen too many doom-and-gloom reports of the form of “you're ten times
more likely to get cancer if you do''—where it turns out that the
probability over a lifetime goes from 0.001% to 0.01%.

  [There is no one accepted safe level.  People with severe allergies
  have to be considered.  PGN]

Re; Doug Jones's review (RISKS-33.37)

Mark Brader <msb@Vex.Net>
Sun, 14 Aug 2022 06:11:13 -0400 (EDT)
May I suggest adding a note to Doug Jones's review in the second-last issue,
either pointing to my correction in the following issue or just giving
noting the correct information?

  (By the way, I have bought the book.  Haven't started reading it yet,

BTW, Is your autoresponder no longer in use?  I was surprised not to receive
a response when sending the correction, and I just checked my spam bucket
and it isn't there either.

   [Beats me.  I have no idea how it is generated.  PGN]

Please report problems with the web pages to the maintainer