The RISKS Digest
Volume 33 Issue 4

Thursday, 27th January 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


First Felony Charges in Fatal Crash Involving Autopilot
When Mind Melds With Machine, Who's in Control?
Why the Belarus Railways Hack Marks a First for Ransomware
Patched Safari Flaws Exposed Webcams, Online Accounts, and More
Backdoor Found in Themes and Plugins from AccessPress Themes
A bug lurking for 12 years gives attackers root on every major Linux distro
Ars Technica
Automation Could Make 12 Million Jobs in Europe Redundant
AI's Potential Boon to Businesses
Manufacturers have less than five days' supply of some computer chips, Commerce Department says
High number of Omicron mutations render antibodies ineffective
Is the Media Doomed?
UK's Telecomm Provider(s) Switching to Digital Phone Lines
paul cornish
Google Assistant will now stop talking if you just say STOP!
Lauren Weinstein
Re: Spam, spam, spam, spam …
Amos Shapir
Re: Alexa tells 10-year-old girl to touch live plug with penny
John Levine
Re: Fake QR Codes on Parking Meters
Bernie Cosell
Re: maybe not such a big crisis, was U.S. airline officials warn of crisis in aviation with new 5G service
John Levine
The 5G Airline Controversy: What Is It About?
James Fallows
Is 5G More Important Than Aircraft Safety?
Jon Nash
Info on RISKS (comp.risks)

First Felony Charges in Fatal Crash Involving Autopilot (AP)

ACM TechNews <>
Mon, 24 Jan 2022 12:11:58 -0500 (EST)

Stefanie Dazio and Tom Krisher, Associated Press, 18 Jan 2022

The driver of a Tesla on Autopilot that ran a red light and killed two people in another car in 2019 faces two counts of vehicular manslaughter. Kevin George Aziz Riad, who has pleaded not guilty, appears to be the first person in the U.S. to be charged with a felony for a fatal crash involving the use of a partially automated driving system. Charges were filed by prosecutors in Los Angeles County, CA, in October, as the National Highway Traffic Safety Administration and the National Transportation Safety Board continues to investigate the widespread misuse of Autopilot. The University of South Carolina's Bryant Walker Smith said Tesla could be “criminally, civilly, or morally culpable” if courts determine it put a dangerous technology on the road.

When Mind Melds With Machine, Who's in Control? (WiReD)

“Gabe Goldberg” <>
Sun, 23 Jan 2022 17:32:35 -0500

These aren't hypothetical questions for a distant future. We're wrestling with them today. How do we assign responsibility when self-driving cars hit pedestrians, or when passenger planes crash on autopilot? In the Air France 447 and Boeing 737 Max crashes, the autonomous systems got confused by faulty sensor information and the pilots couldn;t recover from the malfunction. This belies the promise, touted by many corporations, that keeping humans in the loop will prevent things from spiraling out of control. It may, in fact, just be a legal sleight of hand to pin liability on an entity that courts are already equipped to hold responsible. A key difference, however, is that a brain interface is part of the body, which makes responsibility harder to demarcate.

There are also, of course, major privacy and security questions with brain interfaces. By virtue of the fact that many signals are globally available throughout the brain, a recording device could be picking up signals about your sensory experience, your perceptual processes, your conscious cognition, your emotional states. Ads could be targeted not to your clicks but to your thoughts and feelings. These signals could even potentially be used for surveillance. Ten years ago, members of Jack Gallant's lab at UC Berkeley were able to hazily reconstruct visual scenes from the brain activity of people watching video clips. The technique has gotten better with time. If, one day in the far future, someone tapped into your wireless neural receiver, imagine what they could see and hear. Certainly a lot more than if they hacked your webcam or smart speaker. Through our own eyes and ears, we might become the unwitting operatives of a distributed panopticon.

Direct brain-to-brain communication is just as ethically fraught. It's a beautiful, utopian impulse—the sense that if only we could fully see what's inside one another contentions would cease. Should it prove technically possible, however, the question of privacy becomes all the more salient. In the same way that social media companies must grapple with content moderation, brain devices would need to filter inter-brain communication for harmful, hateful, or violent thoughts. There might even be patterns of problematic neural activity that can be passed between people like computer viruses. Epileptic seizures, for example, can be learned by the brain in a process known as kindling. Like arsonists setting fire to a city, malicious actors might seek to inject such maladaptive brain activity in a bid to harm other users.

The history of technology, the history of humankind, is one of relentlessly extended agency—exerting control over materials, plants, animals, and perhaps, one day, minds. The invention of computers has transmuted that agency to a programmable realm, wherein a hand can control a mouse that is by turns a digital paintbrush, a text cursor, or a drone's gun sight. While I’m still hopeful about what brain-machine interfaces will be able to do for people with impaired motor function, we should acknowledge where good intentions might be obfuscating a potential ethical catastrophe. We've got to reckon with the implications of agency and privacy as they pertain to AI today, before they’re interfaced with our bodies and minds. We’re being promised new avenues of human control, when it is precisely control we’d be ceding in what could be the largest deprivatization of thought since the invention of language.

Why the Belarus Railways Hack Marks a First for Ransomware (WiReD)

“Gabe Goldberg” <>
Wed, 26 Jan 2022 20:08:25 -0500

The politically motivated attack represents a new frontier for hacktivists — and won't be the last of its kind.

Patched Safari Flaws Exposed Webcams, Online Accounts, and More | (WiReD)

“Gabe Goldberg” <>
Wed, 26 Jan 2022 20:14:07 -0500

Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser.

In October, Apple patched the vulnerability in Safari's WebKit engine and made revisions in iCloud. And in December it patched a related vulnerability in its Script Editor code automation and editing tool.

Another good reason to install updates.

Backdoor Found in Themes and Plugins from AccessPress Themes (Jetpack)

“Gabe Goldberg” <>
Tue, 25 Jan 2022 23:16:21 -0500

While investigating a compromised site we discovered some suspicious code in a theme by AccessPress Themes (aka Access Keys), a vendor with a large number of popular themes and plugins. On further investigation, we found that all the themes and most plugins from the vendor contained this suspicious code, but only if downloaded from their own website. The same extensions were fine if downloaded or installed directly from the directory.

Due to the way the extensions were compromised, we suspected an external attacker had breached the website of AccessPress Themes in an attempt to use their extensions to infect further sites.

We contacted the vendor immediately, but at first we did not receive a response. After escalating it to the plugin team, our suspicions were confirmed. AccessPress Themes websites were breached in the first half of September 2021, and the extensions available for download on their site were injected with a backdoor.

A bug lurking for 12 years gives attackers root on every major Linux distro (Ars Technica)

Peter Neumann <>
Wed, 26 Jan 2022 11:08:40 PST

This highlights a problem with running old versions of OSes that aren't getting software updates. (Ubuntu Advantage has patches in 14.04 and 16.04 for subscribers.

proof-of-concept code is available:

Automation Could Make 12 Million Jobs in Europe Redundant (ZDNet)

ACM TechNews <>
Mon, 24 Jan 2022 12:11:58 -0500 (EST)

Owen Hughes, ZDNet, 20 Jan 2022, via ACM TechNews, Monday, January 24, 2022

Automation could render up to 12 million jobs in Europe superfluous over the next 20 years as companies compete to boost productivity and fill skills gaps amid an aging workforce, reports research company Forrester. Retail, food services, and leisure and hospitality occupations could face the largest losses, with mid-labor jobs involving simple, routine tasks most vulnerable. A total of 49 million jobs in France, Germany, Italy, Spain, and Britain could potentially be automated by 2040, imperiling casual work and low-paid, part-time labor. Pandemic-reduced productivity is prompting organizations to consider automation to restore efficiency, while sectors that were already using automation have increased investment to grow service delivery and mitigate pandemic constraints. Academic forecasts of jobs potentially lost to automation vary, with Forrester noting machine learning experts “imagine future computer capabilities without understanding enterprise technology adoption constraints and the cultural barriers within an organization that resist change.”

AI's Potential Boon to Businesses (USC)

ACM TechNews <>
Mon, 24 Jan 2022 12:11:58 -0500 (EST)

Greg Hardesty, USC Viterbi School of Engineering, 19 Jan 2022

E-commerce companies can more efficiently organize products and help customers find what they want with artificial intelligence created by researchers at Yahoo and the University of Southern California's Viterbi School of Engineering (USC Viterbi). USC Viterbi's Mayank Kejriwal said the Taxonomy Induction over Concept Labels (TICL) algorithm enables Web-based companies to quickly and inexpensively build a customizable taxonomy (classifying data into tree-like structures) from thousands of product labels “in seconds,” and these trees ”are of similar quality to any that you might be able to build.” Said Kejriwal, “Systems like TICL do the drudgery of organizing our information for us so we can focus on creative and strategic tasks that are, frankly, more fun,” he said.

Manufacturers have less than five days' supply of some computer chips, Commerce Department says (WashPost)

“Gabe Goldberg” <>
Wed, 26 Jan 2022 20:10:27 -0500

Wafer-thin inventories leave factories vulnerable to shutdowns if their chip deliveries are interrupted by weather or covid-19

High number of Omicron mutations render antibodies ineffective (JPost)

geoff goodfellow <>
Sat, 22 Jan 2022 10:09:28 -1000

Is the Media Doomed?

geoff goodfellow <>
Sat, 22 Jan 2022 10:42:16 -1000

From a Big Tech crackdown to the rebirth of local news, 16 future-minded thinkers predict where journalism will be in 15 years…

It's almost conventional wisdom right now that the news media is in a fast-moving crisis, with mainstream news sources collapsing and Americans increasingly divided not only in what they read, but even what facts they choose to believe. How much worse will it get? Or is there a way out?

The changes in the media industry make it nearly impossible to guess. When POLITICO was born 15 years ago, a digital-first politics site was considered downright disruptive in Washington, D.C. Today, that sounds almost quaint compared to what was on the way: Facebook was a baby, and Instagram was just a twinkle in a code developer's eye. Pandemic meant the Spanish Flu of 1918—and Zoom was a kids' show from the '70s <>. Information now flows in ways nobody was even considering in 2007, and over the next decade and a half, media is poised to change even more dramatically.

How? We at POLITICO Magazine decided to take advantage of our milestone — our 15th birthday—to press some experts and media thinkers on what media will look like in the next 15 years. What will be the biggest transformations—and how will they affect our public life? Are you optimistic? If so, how do we get to the good part? If you're concerned, what can we do to avoid the worst outcomes?

Here's what they had to say. […]

UK's Telecomm Provider(s) Switching to Digital Phone Lines

“paul cornish” <>
Tue, 25 Jan 2022 11:27:26 -0000

Openreach the provider of the UK's telecomm's infrastructure is switching to ‘Digital Voice’ which appears to be replacing the copper wired analogue exchange to residence connection with one based on broadband technology. See The changeover will be done by 2025. It looks like they are migrating the entire country onto VOIP. Also, the way handsets connect to the service inside the house is changing to one using DECT.

The consequences include:

  1. Householders having to re-arrange their domestic phone systems—to establish a connection to their router. Or replace their handsets with a Digital Voice compatible one.
  2. However, BT Digital Voice appears to only work with the routers (Smart Hub 2) they provide!
  3. BT state that if consumers have a monitored alarm that's connected to their landline (like a health pendant or monitored burglar alarm) they'll need to speak to their alarm provider before moving to Digital Voice. Apparently these systems will stop working.
  4. Oh and if there's a power cut or your broadband fails, you'll be unable to make calls using Digital Voice, including calls to 999
  5. Some areas have no broadband services / or they fail often

Risks: very limited news / announcements about the programme, issues over requiring householders to change their equipment / undertake technical re-configuration with limited / little support. Elderly / vulnerable residents a risk.

Google Assistant will now stop talking if you just say STOP!

Lauren Weinstein <>
Wed, 26 Jan 2022 09:33:58 -0800

Google Assistant will now stop talking if you just say STOP!

Super! Google Assistant will now stop talking if you just say STOP. No need to do the “Hey Google” first. Yeah, just say STOP—just like on Star Trek!

Re: Spam, spam, spam, spam … (Rob Slade, RISKS-33.03)

Amos Shapir <>
Wed, 26 Jan 2022 12:09:00 +0200
> Anybody else getting lots of Media Message Service messages, ostensibly from twelve-digit phone numbers?

Maybe it's because of this:

It seems that when a message is sent from an Apple device to multiple recipients, it's sent to Android devices using SMS / MMS protocol. What's worse, this creates an ad hoc text message group which includes all recipients—but Android users have no way to leave the group, so they keep receiving these messages whenever anyone replies to the group.

Re: Alexa tells 10-year-old girl to touch live plug with penny (Sudia, RISKS-33.01)

“John Levine” <>
23 Jan 2022 13:35:26 -0500
> Aren't these so-called smart speakers really driven by humans in the back
> room, pretending to be AI?

No, they're computers, but in many cases they record the interactions and have humans later listen and annotate them so they can improve the voice recognition software, which I suppose in some sense is the worst of both worlds.

Amazon does have Mechanical Turk in which you can pay people small amounts of money to do online tasks, but that's different.

Re: Fake QR Codes on Parking Meters (Leichter, RISKS-33.03)

“Bernie Cosell” <>
Sat, 22 Jan 2022 20:25:39 -0500

How does the attack work? I have a Samsung tablet that doesn't do QR codes natively and so I installed one and I've tried it on a bunch of different QR codes and all it does is show me what the QR code resolves to and, basically, asks me what to do. Granted that it takes some smarts to recognize a bogus URL but the same risk happens with URLs in email messages..

Do some QR-capable devices really just go to the url they scan without giving you a chance to intervene? If so that strikes me as the bigger risk, rather than the bogus QR codes…

Re: maybe not such a big crisis, was U.S. airline officials warn of crisis in aviation with new 5G service (Cornish, RISKS-33.03)

“John Levine” <>
22 Jan 2022 23:03:41 -0500

This week's update: the FAA has what's known as an AMOC (Alternative Means Of Compliance) which means that certain altimeters have adequate filters to deal with 5G signals.

By Thursday, Jan 20, they'd issued AMOCs for 13 kinds of altimeter which include all of the mainline jets used in the US and most of the regional jets, for 78% of the fleet.

More details here, including the possibility that the FAA will rerun this fiasco in July:

The 5G Airline Controversy: What Is It About?

Dewayne Hendricks <>
January 27, 2022 18:47:32 JST

James Fallows, Jan 20 2022

It could be an issue. But it will probably be resolved soon. What to know the next time you hear it come up.

This post is a basic who-what-why primer on the controversy involving new 5G wireless networks, and airline operations at major U.S. airports. It's not meant to be conclusive but instead an introduction, with links to more detailed discussions.

Update January 21 10am ET: Please see additional links, new information, and answers to some reader queries at bottom of this post.

Short version: 5G versus the airlines is potentially a real issue, rather than a bogus threat. But it's likely that the parties involved will work out adjustments soon. Which is a good thing.

Now, the longer version, Q-and-A style:

Could cell phones really affect airline safety?

The new ones, yes.

(And to be clear, I'm referring not to individual phones but to the transmission systems and new broadcast towers that enable very high-speed 5G data speeds.)

We've all become numbed to routine, never-enforced warnings to turn off cell phones on takeoff and landing aboard airlines. They have seemed like security theater, and in practical terms the goal might have been mainly to pry people's attention away from their phones during important phases of a flight.

The new 5G networks, which were activated yesterday, are different. That is because the part of the broadcast spectrum they use is closer-than-comfortable to a part used by a specific aviation device, called a radio altimeter. (Also radar altimeter or radalt. They all refer to the same thing; I'll use radio.) The chart below, from a technical report that's been the basis of recent controversy, introduces the overall idea.

The central question is: could transmissions and emissions on the newly authorized 5G part of the spectrum overlap and interfere with the signals that an airliner's radio altimeter relies on, for safe guidance of a plane? Especially if the transmission towers are directly along the landing paths that aircraft follow?

The aviation world says: maybe they could, so let's be careful before taking the risk.

What is a radio altimeter?

If you've seen an airplane cockpit in photos or in real life, you have seen a regular (or barometric) altimeter. It's the device that looks like a clock dial, with a hand indicating the plane's altitude. In the shot below, of a pre-GPS-era cockpit, it's the dial at top center (showing an altitude of 700 feet).

A radio altimeter works on an entirely different principle. A barometric altimeter gauges the plane's altitude by comparing air pressure outside the plane (which goes down, as the plane goes up) with sea-level pressure. It's indispensable but is not a high-precision instrument.

A radio altimeter gives much more exact, moment-by-moment readings of the plane's distance from the ground. It does so by transmitting signals downward and measuring how long it takes them to bounce back. Let's say the Denver airport has an elevation of 5,500 feet. If a plane were 500 feet up, on final approach to land, the barometric altimeter would show 6,000 feet above sea level. The radio altimeter would say 500 feet above the ground, and it would keep ticking off the exact distance as the plane glided down.1

Why does a radio altimeter matter?

In clear weather, a flight crew could get a plane safely on the ground even if both kinds of altimeters had failed. You wouldn't want that, but pilots are trained to use countless visual cues to judge their height above the runway and the path down to a landing. Nearly every airport big enough to handle airline flights has runways with visual glideslope indicators—a combination of red and white lights to show continuous guidance on whether you're high, low, or on the right vertical path down.

It's different in bad weather. Everything complicated in aviation involves guiding planes from takeoff to touchdown if the pilots can't see where they are going.

A big step in modern, high-volume, all-weather airline travel is equipping airplanes to land safely even if fog or clouds block the pilots' view. That is where the radio altimeters crucially come in. With their very accurate second-by-second, foot-by-foot measurements of the plane's distance above the runway, they can in principle allow a plane to land itself.

The aviation term for this kind of procedure is a Cat III ILS landing. The YouTube video below, by a Boeing 777 pilot named Juan Browne, gives a professional pilot's view of the whole situation. The first two minutes distill what these landings are like, and the role a radio altimeter plays. In essence, the radalt is how the plane knows how far away the ground is, and how it can safely touch down.

As the Juan Browne video develops at length, the concern is that 5G transmitters near airports could block, scramble, or distort the radio altimeter signals. This could, in turn, interfere with operations where radio altimeters are crucial—namely, approaches in low visibility and bad weather.

And it could matter more broadly. John Herron, a former naval aviator who is now an airline pilot, sent me an email today on the larger importance of radio altimeter signals:

It's difficult for lay people to grasp the importance of radio altimeters to modern commercial aircraft. Many think, what's the big deal? After all, the pilots have a barometric altimeter too?

Well, the big deal is this gem of an instrument gives pilots the real precise distance from the ground at the precise moment in time, and has been incorporated into so many systems that have been developed and evolved to improve safety for everyone - the pilots, travelers and those who reside below. This is not just an issue of low visibility approaches.


What, exactly, is the airlines' concern about 5G?

It is that the new ground-station transmitters for 5G are so much more powerful than the radio-altimeter transmitters aboard airplanes, and have been located so close to major runways and on approach paths, that interference is possible. And that it's better to recognize this problem before a close call (or worse), rather than after.

In the meantime, better safe than sorry ( flight cancellations have ripple effects through an air-travel industry that has relentlessly boiled away excess capacity and slack. A disruption anywhere becomes congestion everywhere.

Below you see an illustration from a 2020 report by the technical group RTCA on possibilities for 5G interference with aviation. The red and yellow lines are an aircraft's approach path to Runway 27L at O'Hare airport. The blue markers are cell phone transmission stations. The point of the illustration is how closely they match up. […]

Is 5G More Important Than Aircraft Safety?

“Jon Nash” <>
Sun, 23 Jan 2022 09:31:15 -0500

The greed and stupidity of the big telecoms knows no bounds .

Good discussions by Juan Brown, who is an airline pilot.

In Europe the 5G frequencies are a bit farther away from the radar frequency and and not as powerful. Also they kept the 5G towers at least 2 miles from certain airports .

Someone pointed out that the heads of the FCC recently have been lawyers , not engineers who would have better understood this situation.

Please report problems with the web pages to the maintainer