The RISKS Digest
Volume 33 Issue 44

Tuesday, 13th September 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


The Search for Dirt on the Twitter Whistle-Blower
Ronan Farrow via PGN
Twitter's testimony today
Lauren Weinstein
GM's Cruise Recalls Self-Driving Software Involved in June Crash
Be afraid of the Internet of Everything
Gabe Goldberg
Samsung denies Social Security numbers involved in latest breach
The Record by Recorded Future
Careless Errors in Hundreds of Apps Could Expose Troves of Data
Timing of Artemis launch may depend on emergency detonation system
Artemis I launch scrubbed again, new attempt may not come till October
The Washington Post
Four vulnerabilities discovered in popular infusion pumps, WiF batteries
The Record via WashPo
Extreme California heat knocks key Twitter data center offline
How criminals are using jammers, deauthers to disrupt WiFi security cameras
Kiara Hay via Steve Stroh via Dewayne Hendricks via Dave Farber
Apple and eSIM
Rob Slade
Apple's recent iPhone security fix puts spotlight on transparency
USA Today
How Human Traffickers Force Victims Into Cyberscamming
Iranian authorities plan to use facial recognition to enforce new hijab law
The Guardian
Cloudflare drops KiwiFarms
The Washington Post
BBC report that UK Court IT system puts justice at risk
The 1,000 Chinese SpaceX engineers that existed only on LinkedIn
MIT Technology Review
Sky Cuts Queen Elizabeth II-Related Jokes From 'Last Week Tonight With John Oliver' in UK
Hollywood Reporter
Facebook has no idea where to find your data
Facebook and Google, they're SO public spirited...
Gabe Goldberg
Super-rich preppers' planning to save themselves from the apocalypse
The Guardian
Major telecoms sign deal to keep some phone services running during future outages
CBC Canada
Israel: Health Ministry website faces cyberattack, oversea access blocked
I14 News Breaks the Internet
Paul Robinson
This $30 mouse jiggler makes it look like you're working when you're not
Obsessively watching the news can make you mentally and physically sick
Study Finds
Re: High Seas Deception: How Shady Ships Use GPS to Evade International Law
John Stewart
Re: Hand-counting elections riskier than computer counts?
Craig Cottingham
Re: Honda Clocks Are Stuck 20 Years In The Past; There Isn't A Fix
Steve Bacher
Re: 3D gun printing operation busted in Calgary
Henry Baker
Info on RISKS (comp.risks)

The Search for Dirt on the Twitter Whistle-Blower (Ronan Farrow)

Peter G Neumann <>
Tue, 13 Sep 2022 10:14:37 -0700
 [Re: Mudge, the L0pht, and whistle-blowing, RKSKS-33.41 --
    Peiter "Mudge" Zatko's journey from hacker to Twitter whistleblower]

Ronan Farrow, *The New Yorker*, 13 Sep 2022

Many of Peiter (Mudge) Zatko's former colleagues have received offers of
payment for [dirty] information about him.

On 23 Aug, a Slack chat for former employees of the payments company Stripe
began filling with accounts of strange queries about an ex-colleague.
r-whistleblower/> “I'm getting inundated with paid interview requests,''
one of the former employees, Dan Foster, wrote. Another, Marty Wasserman,
later posted that he'd received a similar message via e-mail.  “Hi Marty,
Hope you're having a great week!'' the message read.  “I'm currently
working on a project regarding leadership in tech, and my client is hoping
to speak to an experienced professional about a particular individual you
may have worked with.''  The message requested a 45-60 minute compensated
phone consultation.  Wasserman was suspicious of the timing. “Preeeettyy
sure this is regarding Mudge,'' he wrote, pasting it in the Slack chat with
his former colleagues. “Hard pass.''

Hours earlier, CNN and *The Washington Post* had reported that Twitter's
former head of security, Peiter (Mudge) Zatko, had filed a whistle-blower
disclosure to federal agencies, accusing the social-media platform of
reckless security practices. Zatko's sweeping claims, if proven, could aid
Elon Musk in his attempt to terminate his forty-four-billion-dollar
agreement to acquire Twitter, a legal fight with implications of billions of
dollars for investors. The dozens of e-mails and LinkedIn messages received
by people in Zatko's professional orbit appeared to be mostly from
research-and-advisory companies, part of a burgeoning industry whose clients
include investment firms and individuals jockeying for financial advantage
through information. At least six research outfits—Gerson Lehrman Group
(G.L.G.), AlphaSights, Mosaic Research Management, Ridgetop Research,
Coleman Research Group, and Guidepoint—approached former colleagues of
Zatko's at Stripe, Google, and the Pentagon research agency DARPA.  All
offered to pay for information, sometimes noting that the compensation would
be high or apparently unrestricted. At least two investment firms, Farallon
Capital Management L.L.C. and Pentwater Capital Management L.P., also sought
information from individuals close to Zatko.

  [It's a long and ugly story, truncated for RISKS.  PGN]

"The restrictions highlight the apparent fragility of some of Twitter's most
fundamental systems, a problem Peiter "Mudge" Zatko, Twitter's former head
of security who turned whistleblower, had raised in a disclosure sent to
lawmakers and government agencies in July.  In his whistleblower disclosure,
first reported by CNN and The Washington Post, Zatko warned that Twitter had
"insufficient data center redundancy" that raised the risk of a brief
service outage or even the prospect of Twitter going offline for good.
"Even a temporary but overlapping outage of a small number of datacenters
would likely result in the service [Twitter] going offline for weeks,
months, or permanently," according to Zatko's whistleblower disclosure.
(Twitter has criticized Zatko and broadly defended itself against the
allegations, saying the disclosure paints a "false narrative" of the
company.)  News of the data center outage comes a day before Zatko is due to
testify before the Senate Judiciary Committee."

Twitter agreed in June to pay roughly $7 million to the whistleblower whose
allegations will be part of Elon Musk's case against the company, WSJ
reported Thursday, citing people familiar with the matter.

Twitter's testimony today

Lauren Weinstein <>
Tue, 13 Sep 2022 11:01:49 -0700
> Twitter whistleblower Peiter Zatko will testify before the Senate about
> his allegations of security failures at the social network, the Senate
> Judiciary Committee announced on Wednesday.

> “MMr. Zatko's allegations of widespread security failures and foreign
> state actor interference at Twitter raise serious concerns. If these
> claims are accurate, they may show dangerous data privacy and security
> risks for Twitter users around the world,'' said Sens. Richard J. Durbin
> (D-Ill.) and Charles E. Grassley (R-Iowa), the chair and top Republican on
> the Senate Judiciary Committee.

In my quick review so far of the "Mudge" testimony today, I've seen no
obvious red flags concerning the sort of user data collected. These seem
reasonable and in line with the @Twitter TOS.

Of more concern is the allegation of "unlimited" access to this @Twitter
data by engineers without case-based need to know, and if that access was
properly logged and monitored.

I am less concerned about allegations of large numbers of failed attempts to
login to @Twitter corp systems—that's pretty much standard hacking
attempts—the real issue is how many (if any) *succeeded* at gaining

GM's Cruise Recalls Self-Driving Software Involved in June Crash (WiReD)

Gabe Goldberg <>
Mon, 5 Sep 2022 01:50:13 -0400
After two people were injured in the incident, Cruise blocked its robot
vehicles from making left turns for several weeks before issuing a software

  ...seems following J. Edgar Hoover's orders:

Mr. Schott is a retired special agent. His expose of the bureau includes the
peccadillos of J. Edgar Hoover (who ordered that any vehicle he rode in make
no left turns, hence the title) and the fruitcakes that rose to the rank of
supervisor and/or above.

Be afraid of the Internet of Everything

Gabe Goldberg <>
Mon, 5 Sep 2022 00:23:37 -0400
Ovens with eyes, a chameleon of a fridge, and other electronic
eccentricities at IFA (Fierce Electronics)

Samsung, for example, announced at its press conference Thursday that 100%
of its major appliances would come with WiFi by 2023, while other firms
might as well have been competing to see which one could put the least
likely gadget part a touchscreen? a camera? into a given category of

Samsung denies Social Security numbers involved in latest breach (The Record by Recorded Future)

Gabe Goldberg <>
Fri, 9 Sep 2022 12:03:31 -0400
The company said it collects information like Social Security numbers "to
help deliver the best experience possible with our products and services."

  Wait, what?

Careless Errors in Hundreds of Apps Could Expose Troves of Data (WiReD)

Gabe Goldberg <>
Sun, 11 Sep 2022 21:59:32 -0400
Researchers found that mobile applications contain keys that could provide
access to both user information and private files from unconnected apps.

Researchers from Broadcom's Symantec Threat Hunter team published findings
on Thursday about the prevalence of hard-coded authentication credentials
lurking in the cloud services that underlie hundreds of mainstream
apps. These login credentials are often meant to give the app access to a
single file or service, like a mechanism for an app to display public images
from a company's website or run text through a translation service at a
user's request. But in practice, the researchers found, these same
credentials often grant access to all files stored in a cloud service, like
company data, database backups, and system control components. And when
multiple apps have been created by the same third-party development firm or
incorporate the same publicly available software development kits (SDKs),
these static authentication tokens may even grant access to the
infrastructure and user data of multiple, unconnected apps.

All of this means that if an attacker discovered these access tokens, they
could potentially unlock massive and disparate troves of sensitive data all
by finding one key under one doormat.

Timing of Artemis launch may depend on emergency detonation system (WashPost)

Gabe Goldberg <>
Thu, 8 Sep 2022 00:28:35 -0400
The system, which is designed to destroy the SLS rocket if it veers off
course and threatens population centers, needs to be recharged every few

The problem for NASA is that can only be done in the rocket's assembly
building, meaning they would need to perform the arduous work of rolling the
322-foot-tall rocket off the pad, where it is now, back to the building four
miles away â a journey that can take about eight hours each way.

The risk? No suitable extension cord.

Artemis I launch scrubbed again, new attempt may not come till October (The Washington Post)

Sun, 4 Sep 2022 19:08:08 -0400 From: Gabe Goldberg <>
CAPE CANAVERAL, Fla. It may be several weeks before NASA can attempt to
launch its massive Space Launch System moon rocket after it was unable to
control what agency's officials described as a large, unmanageable hydrogen
leak that forced them to cancel a second flight on Saturday.

The rocket is billions of dollars over budget and years behind schedule, and
by some estimates, each launch will cost between $2 billion and $4 billion.
In creating the rocket, Congress dictated that it recycle engines and
technology from the space shuttle program, which first flew in 1981 and was
developed in the 1970s.

Unlike the rockets used by SpaceX to launch astronauts to the International
Space Station, which return to Earth to be used again, the Space Launch
System is not reusable.

Four vulnerabilities discovered in popular infusion pumps, WiFi batteries (The Record via WashPo)

Richard Marlon Stein <>
Fri, 09 Sep 2022 13:21:47 +0000

"The four bugs revolve around the secure decommissioning of Wireless Battery
Modules (WBMs). Medical devices typically contain network credentials or
other private information that should be removed before a device is
transferred to a new user.

"Heiland told *The Record* that the vulnerabilities offer attackers
information about the network but none of them can be exploited over the
Internet or at great distances. Hackers would need to be within at least
WiFi range of the affected devices, and in some cases, the attacker would
need to have direct, physical access."
From the FDA's TPLC platform product code FRN—Infusion Pump reveals 64
recalls between 01JAN2017 and 31AUG2022. Nearly half (31 of 64) the recalls
occurred between 01JAN2020 and 31AUG2022. 23 of the 31 recalls in this range
are Class I, meaning high risk. The FDA's Class I recall definition: "A
situation where there is a reasonable chance that a product will cause
serious health problems or death." (See

Of the 31 infusion pump recalls in the 2020-2022 range, 7 are attributed to
Baxter devices: 3 Class I and 4 Class II recalls. More than 500K infusion
pumps in aggregate are recall subjects. The TPLC page identifies 19
manufacturers of infusion devices, common among hospitals and outpatient

Extreme California heat knocks key Twitter data center offline (CNN)

the keyboard of geoff goodfellow <>
Tue, 13 Sep 2022 14:25:37 -0700
Extreme heat in California has left Twitter without one of its key data
centers, and a company executive warned in an internal memo obtained by CNN
that another outage elsewhere could result in the service going dark for
some of its users.

Twitter, like all major social media platforms, relies on data centers,
which are essentially huge warehouses full of computers, including servers
and storage systems. Controlling the temperature in those centers is
critical to ensuring the computers don't overheat and malfunction.  To save
on cooling costs, some tech companies have increasingly looked to place
their data centers in colder climates; Google, for example, opened a data
center in Finland in 2011, and Meta has had one center in northern Sweden
since 2013.

“On September 5th, Twitter experienced the loss of its Sacramento (SMF)
datacenter region due to extreme weather. The unprecedented event resulted
in the total shutdown of physical equipment in SMF,'' Carrie Fernandez, the
company's vice president of engineering, said in an internal message to
Twitter engineers on Friday. [...]

How criminals are using jammers, deauthers to disrupt WiFi security cameras (Kiara Hay via Steve Stroh via Dewayne Hendricks via Dave Farber)

Dave Farber <>
Sat, 10 Sep 2022 04:54:29 +0900
Kiara Hay, WXYZ, 6 Sep 2022

(WXYZ) A new warning is being issued for anyone who uses wireless security
cameras like "Ring" to protect their home.

A Detroit woman said her Ring camera didn't capture the moment her car was
stolen from the front of her house, and one local expert said it's because
crooks are becoming more tech-savvy.

Earlier this month, the woman said her car was stolen from her driveway, and
when she went to review her Ring camera footage, she realized hours were

Chris Burns, the owner of Techie Gurus, said security cameras that use WiFi
to record are more about convenience than security. That's because WiFi can
easily be disrupted, preventing the camera from capturing who is around your
home, and criminals are catching on.

"If you're relying on wireless as a security thing, you're looking at it
wrong," Burns said. "Wireless signals are easy to jam or block."

Those crooks can use this like a WiFi jamming device, or a deauther, which
can be the size of an Apple Watch.

A deauther will overwhelm a WiFi system, forcing the WiFi camera to stop
recording if you stand close enough. The accessory only costs about
$10-$50. A jammer on the other hand will cost anywhere between $150 to

They're also highly illegal, so jammers are more difficult to find, but a
powerful jammer can prevent an entire street from recording on WiFI security
cameras with the switch of a button.

A spokesperson from Ring sent a statement saying, "Like any wifi-enabled
device, WiFi signal interference may affect Ring device performance. If
customers are experiencing issues with connectivity, we encourage them to
reach out to Ring Customer Support."

How can customers protect themselves?  [...]

  [My neighborhood has been experiencing sweeps at 3am through entire
  streets, trashing cars that are unlocked, with one theft of a car in
  the driveway with a covering Ring camera, which was just recovered by
  the police 20 miles away—with its catalytic converter removed.  PGN]

Apple and eSIM

Rob Slade <>
Sat, 10 Sep 2022 07:09:59 -0700
In its new line of iPhones, Apple will be doing away with physical SIM
cards, moving instead to a system it refers to as eSIM.  This will be a
software version of identification of the phone handset, and will be
modifiable in order to change to new providers.

For some, this will be convenient.  Therefore, I predict that a) this will
lead to some interesting new attacks on iPhones, and b) that criminals will
come up with ways to fake or spoof the eSIM and therefore 1) use other
people's accounts, 2) use random accounts and numbers for spam calls, and
3) create entirely new versions of "burner" phones.

Apparently the eSIM has been around for a few years, now, so presumably it
has been tested.  But rolling it out for all new phones will increase
market penetration, and therefore the attempts to break it ...

  [An E-SOP fable?  PGN]

Apple's recent iPhone security fix puts spotlight on transparency (USA Today)

Gabe Goldberg <>
Mon, 5 Sep 2022 00:20:26 -0400
When Apple shipped a set of security patches for iPhones, iPads and Macs on
August 17, it notified users with its customary, generic language: “This
update provides important security updates and is recommended for all

But users who clicked through Apple's update-advisory page to see
descriptions of individual fixes got a more alarming cybersecurity story.

"Processing maliciously crafted web content may lead to arbitrary code
execution," a description of iOS 15.6.1 and iPadOS 15.6.1 states. "Apple is
aware of a report that this issue may have been actively exploited."

Translation: Visiting the wrong web site can put malware on your device, and
it looks like attackers are already using this vulnerability.

How Human Traffickers Force Victims Into Cyberscamming (ProPublica)

Monty Solomon <>
Tue, 13 Sep 2022 17:56:14 -0400
Human Trafficking'sNewest Abuse: Forcing Victims Into Cyberscamming

Tens of thousands of people from across Asia have been coerced into
defrauding people in America and around the world out of millions of
dollars. Those who resist face beatings, food deprivation or worse.

Iranian authorities plan to use facial recognition to enforce new hijab law (The Guardian)

Gabe Goldberg <>
Fri, 9 Sep 2022 12:52:16 -0400
Government says it will use technology on public transport in crackdown on
womenâs dress

The Iranian government is planning to use facial recognition technology on
public transport to identify women who are not complying with a strict new
law on wearing the hijab, as the regime continues its increasingly punitive
crackdown on womenâs dress.

The secretary of Iran's Headquarters for Promoting Virtue and Preventing
Vice, Mohammad Saleh Hashemi Golpayegani, announced in a recent interview
that the government was planning to use surveillance technology against
women in public places following a new decree signed by the country's
hardline president, Ebrahim Raisi, on restricting women's clothing. [...]

  [This is a real LoJab.  PGN]

Cloudflare drops KiwiFarms (The Washington Post)

Gabe Goldberg <>
Sun, 4 Sep 2022 19:04:33 -0400
The Company' CEO says the firm had detected imminent threats and that law
enforcement could not keep up with them,

Cloudflare Chief Executive Matthew Prince, who this past week published a
lengthy blog post justifying the company's services defending websites such
as Kiwi Farms, told *The Washington Post* he changed his mind not because of
the pressure but a surge in credible violent threats stemming from the site.

âAs Kiwi Farms has felt more threatened, they have reacted by being more
threatening, “e think there is an imminent danger, and the pace at which
law enforcement is able to respond to those threats we don't think is fast
enough to keep up.''

BBC report that UK Court IT system puts justice at risk

Martyn Thomas <>
Mon, 5 Sep 2022 10:42:10 +0100
*An IT system is causing key information about court cases in England and
Wales to change or disappear and is putting justice at risk, the BBC has
been told.*

One legal adviser revealed how he entered a driving ban in the system,
called Common Platform, only to later discover the result had changed. ...

The 1,000 Chinese SpaceX engineers that existed only on LinkedIn (MIT Technology Review)

Gabe Goldberg <>
Mon, 12 Sep 2022 17:21:36 -0400
LinkedIn users are being scammed of millions of dollars by fake connections
posing as graduates of prestigious universities and employees at top tech

If you were just looking at his LinkedIn page, you'd certainly think Mai
Linzheng was a top-notch engineer. With a bachelor's degree from Tsinghua,
China's top university, and a masterâs degree in semiconductor manufacturing
from UCLA, Mai began his career at Intel and KBR, a space tech company,
before ending up at SpaceX in 2013. Having spent the past eight years and
nine months working in the human race to space, heâs now a senior

Except all is not as it seems.

Upon closer inspection, there are plenty of red flags: Despite having been
in the US for 18 years, Mai has written all his job titles, degrees, and
company locations in Chinese. His bachelor's degree is in business
management, even though his alma mater, Tsinghua, only offers that degree to
student athletes, and Mai was not one. Besides, the man in his profile photo
looks younger than Mai's stated age. The image, as it turns out, was stolen
from Korean influencer Yang In-mo's Instagram.  In fact, none of the
information on this page is true.

The profile of "Mai Linzheng" is actually one of the millions of fraudulent
pages set up on LinkedIn to lure users into scams, often involving
cryptocurrency investments and targeting people of Chinese descent all over
the world. Scammers like Mai claim affiliation with prestigious schools and
companies to boost their credibility before connecting with other users,
building a relationship, and laying a financial trap.

A cryptocurrency scam, I'm shocked and saddened. Oh, the humanity.

Sky Cuts Queen Elizabeth II-Related Jokes From 'Last Week Tonight With John Oliver' in UK (Hollywood Reporter)

Lauren Weinstein <>
Tue, 13 Sep 2022 10:59:05 -0700

Facebook has no idea where to find your data

DJC <>
Thu, 8 Sep 2022 17:04:14 +0200
An article "Facebook Engineers: We Have No Idea Where We Keep All Your
Personal Data" by Sam Biddle has just appeared in "The Intercept":

In a discovery hearing, two veteran Facebook engineers told the court that
the company doesn't keep track of all your personal data.

In March, two veteran Facebook engineers found themselves grilled about the
company's sprawling data collection operations in a hearing for the ongoing
lawsuit over the mishandling of private user information stemming from the
Cambridge Analytica scandal.

The hearing, a transcript of which was recently unsealed, was aimed at
resolving one crucial issue: What information, precisely, does Facebook
store about us, and where is it? The engineers' response will come as little
relief to those concerned with the company's stewardship of billions of
digitized lives: They don't know.

The admissions occurred during a hearing with special master Daniel Garrie,
a court-appointed subject-matter expert tasked with resolving a disclosure
impasse. Garrie was attempting to get the company to provide an exhaustive,
definitive accounting of where personal data might be stored in some 55
Facebook subsystems. Both veteran Facebook engineers, with according to
LinkedIn two decades of experience between them, struggled to even venture
what may be stored in Facebook's subsystems....

Facebook's stonewalling has been revealing on its own, providing variations
on the same theme: It has amassed so much data on so many billions of people
and organized it so confusingly that full transparency is impossible on a
technical level. In the March 2022 hearing, Zarashaw and Steven Elia, a
software engineering manager, described Facebook as a data-processing
apparatus so complex that it defies understanding from within. The hearing
amounted to two high-ranking engineers at one of the most powerful and
resource-flush engineering outfits in history describing their product as an
unknowable machine.

The special master at times seemed in disbelief, as when he questioned the
engineers over whether any documentation existed for a particular Facebook
subsystem. "Someone must have a diagram that says this is where this data is
stored," he said, according to the transcript. Zarashaw responded: "We have
a somewhat strange engineering culture compared to most where we don't
generate a lot of artifacts during the engineering process. Effectively the
code is its own design document often." He quickly added, "For what it's
worth, this is terrifying to me when I first joined as well."

The remarks in the hearing echo those found in an internal document leaked
to Motherboard earlier this year detailing how the internal engineering
dysfunction at Meta, which owns Facebook and Instagram, makes compliance
with data privacy laws an impossibility. "We do not have an adequate level
of control and explainability over how our systems use data, and thus we
can't confidently make controlled policy changes or external commitments
such as âwe will not use X data for Y purpose,'" the 2021 document read.

  If the article is to be believed—and based on my reading of the latest
  court documents, it's credible—then it appears to me that Facebook has
  no hope at all of complying with even the loosest of data privacy laws,
  and certainly not the European GDPR, because they don't know exactly what
  data they have on individuals, nor how it's used, nor where it's stored,
  nor under what technical protections it falls.

  But they sell it.  Pete

Facebook and Google, they're SO public spirited...

Gabe Goldberg <>
Fri, 9 Sep 2022 15:04:10 -0400
I can tell from their massive print/TV ad campaigns in DC area touting how
hard they're working to protect everyone's online security.  This raises the
question, of course, of who's protecting us from them?

I wonder who the ads target—citizens? Politicians? Can anyone believe
that they're anything but self-serving blather denying and distracting from
what these companies do that we need to be protected from?

And, of course—at least the Facebook ad—repeating the message so often
(as bad as local "Len the Plumber"!) is counterproductive, is irritating,
and makes one wonder why they're claiming good intentions so strongly. What
could they be hiding?

Super-rich preppers' planning to save themselves from the apocalypse (The Guardian)

Matthew Kruk <>
Wed, 7 Sep 2022 06:30:18 -0600

Tech billionaires are buying up luxurious bunkers and hiring military
security to survive a societal collapse they helped create, but like
everything they do, it has unintended consequences

Major telecoms sign deal to keep some phone services running during future outages (CBC Canada)

Matthew Kruk <>
Thu, 8 Sep 2022 07:33:35 -0600

Israel: Health Ministry website faces cyberattack, oversea access blocked (I14 News)

Mike Rechtman <>
Fri, 09 Sep 2022 07:21:13 +0300
Pro-Iranian hackers based in Iraq, calling themself Altahrea Team, claimed
responsibility for the cyberattack.  Israel's Health Ministry website faced
disrupted access to users abroad, reportedly due to a cyberattack, the
ministry said Sunday. Breaks the Internet

Paul Robinson <>
Sat, 10 Sep 2022 08:07:32 -0500
I saw an ad for a service that has a lot of features. Then I discover it's
free. It's , offering a bunch of tools that I think I can
use (lots of marketing-related tools), and it claims it's free, no credit
card required, so, based on what the ad showed, I decided to check it out.

One of the things going through my head - which you should always keep in
mind when examining/checking out a free offer - is, "how are they going to
monetize this?" Or more simply, how can they make money from something free?
Because if they can't make money from *somewhere*, they aren't going to be
around long. Very few things are subsidized in a way that someone else isn't
paying, usually involuntarily, such as through taxes. Well, I discover they
do have and are offering is a free tier, with a number of nice looking
features available, but, they have paid tiers as well. This, I don't have a
problem with. Since there are only two industries where the people who
consume their products "users" - software developers and drug dealers - it
is appropriate in both industries to offer a free sample of your wares to
get users hooked, then offer them the pricey stuff. It also mentions that
the prices on these are reduced, if you don't take them at sign up, they
will be more expensive later. This is also not unreasonable; getting people
to take an offering on the expectation that it's a limited-time offer is a
common marketing tactic. Nothing that they are offering in any of the paid
tiers is anything that I would need, the free tier appears to be more than
enough, so I can decline all of them and take the "free forever" tier. So,
it asks for first name, last name, email address, username, password, and
verify password. Nothing unusual here.

Well, anyway, I give the first four items, and am on the "password"
field. Accepting Firefox's suggestion to use a randomly-generated password
it creates for this occasion, I do, and I fill both fields with the same
long string of characters. I click on the submit button - labeled "Register"
I think - and it "bangs back" with an angry, red error message, saying all
fields must be filled in. I'm looking to see if there's any other
fields. Nope, only then I discover both password fields are blanked out. I
must have done something wrong, so I have Firefox insert the random password
in both places and try again. Same problem.

At this point, it kind of dawns on me that maybe the password is *too long!*
I try using a shorter password, and, as too many people do, a password I've
used elsewhere. This, it accepts. Bad practice. Shorter passwords are easier
to crack, and there are not really difficult ways to add tremendous levels
of security, (see for an example on how to increase
password strength exponentially) especially since any conscientious website
does not store passwords, only the hashes of passwords

If you think this is only what I'm complaining about, "just wait, there's

It turns out it's a good idea that I used a password I can remember, because
I'm going to need to use it again, because the screen changes to a blank
page with a black stripe across the top, and the message, "Our app is only
optimized for use in Chrome. Please download it from here" with the last
word being a link that I presume is to Google's download site.

First, it might have been a good idea to tell me this *before* I registered.
Second, if this is what people who will connect to it to see/use whatever I
have used with them - one of the offerings is a free blog system as an
alternative to Wordpress - will be told, that is going to cut off a large
part of the potential audience. Third, the World Wide Web - and the Internet
of which the web is just one of hundreds of services it can offer - are
built on open standards that are [i]not supposed to be proprietary.[/i]
(Yes, I know Chrome is open source, but if you mandate one specific browser,
you've made your site proprietary to whatever features it offers and others
don't.) It is this sort of expletives deleted] that damn near Balkanized
the early web, when people had to implement two versions of their site, one
for Internet Explorer browser users, and one for everyone else. For a lot of
people, this was too much, and if you weren't using IE, you'd be told to
download it. Just like now.

I can see no reason to restrict sites to one browser, and a lot of reasons
not to. First, is common practice. Huge, popular sites: Amazon, Google,
Wikipedia, YouTube, Facebook, Twitter and hundreds of millions of others -
all work satisfactorily on all browsers.

This is bad practice, and just pure laziness, an unwillingness to go along
with the common standards that provide good experiences for website
users. Regressing back to the days of web Balkanization where if you were on
the wrong browser, you got the equivalent treatment to someone from the
ghetto trying to better themselves, and being discriminated against.

This is wrong. Groove, fix your broken website, don't penalize people for
using "the wrong browser," and "play nice with others" by sticking with the
huge number of non-proprietary technical standards that work on all

This $30 mouse jiggler makes it look like you're working when you're not (CNBC)

geoff goodfellow <>
Thu, 8 Sep 2022 10:40:58 -0700
 - As employers surveil employees with productivity-monitoring software,
   workers are turning to mouse jigglers.
 - Mouse jigglers, or mouse movers, simulate cursor movement, preventing
   your computer from going into sleep mode.
 - CNBC's Sofia Pitt tested a mouse jiggler for a day.

Employers are monitoring productivity more than ever, in part thanks to the
boom in remote work.

Employees are turning to gadgets to outsmart monitoring software. One such
tool is a mouse mover, or mouse jiggler, that's supposed to keep your screen
on. I decided to give one a try to see if it works.

I learned about mouse jigglers on TikTok. A mouse mover is a device that
claims to be undetectable by your computer. As the name indicates, the
device simulates mouse movement, preventing your computer from going into
sleep mode.

So-called *tattleware*, or surveillance software is being installed on
company-issued devices track employee screen time, keyboard usage, and
clicks. The mouse jiggler may not help with keyboard usage or clicks, but it
should address screen time monitoring by keeping your computer's display on.
*Here's how a mouse jiggler works*.  [...]


Obsessively watching the news can make you mentally and physically sick (Study Finds)

geoff goodfellow <>
Sat, 10 Sep 2022 16:06:09 -0700
Keeping up with the latest news can be very bad for your health, according
to a new study. Researchers at Texas Tech University found that Americans
who obsessively follow the news are more likely to suffer from both physical
and mental health problems, including anxiety and stress.

Those who constantly check the latest headlines end up with *significantly
greater physical ill-being* than those who tune in less often, according to
the findings. The team adds that constantly keeping on top of the latest
developments can lead to a vicious cycle where people always check for more
updates, rather than tuning out after a quick read.

This can start interfering with people's personal lives, leaving them
feeling powerless and distressed about global events including the pandemic,
the war in Ukraine, and climate change.

“Witnessing these events unfold in the news can bring about a constant
state of high alert in some people, kicking their surveillance motives into
overdrive and making the world seem like a dark and dangerous place,'' says
Bryan McLaughlin, associate professor of advertising at the College of Media
and Communication at Texas Tech University, in a media release, 1 in 6 have
a *severely problematic* news addiction.  [...]

Re: High Seas Deception: How Shady Ships Use GPS to Evade International Law (NYTimes, RISKS-33.43)

John Stewart <>
Wed, 7 Sep 2022 09:49:58 -0400
The issue with spamming AIS is that, AIS transmitters if installed, (at
least for us non-professional boat owners), must have their own GPS decoder
and VHF antenna connection, by law from what I read.

And, the MMSI (ship international registration) number is "program once" in
the AIS box and not able to be changed by the user. (Satellite positioning
-- I'm not sure that qualifies as AIS, but I would not mind to be corrected)
to go dark by turning off the AIS box.

If I wanted to move myself, it would easier to just send a bunch of AIS
traffic from another box, but that is not an above-board commercial product
(as far as I know!) so one would have to some computer smarts to do this.

As an aside - the last time the Canadian SnowBirds aerobatic team were due
to fly over our area, I checked for ADS-B data from them so I could see if
they were getting close, and, well, I guess they don't send ADS-B...

Re: Hand-counting elections riskier than computer counts? (CNN, RISKS 33.43)

Craig Cottingham <>
Mon, 5 Sep 2022 14:50:17 -0500
I am reminded of the old aphorism: âA person with one watch knows what time
it is—but a person with two watches is never sure.

If the computer count and the hand count disagree, which one should be

Re: Honda Clocks Are Stuck 20 Years In The Past; There Isn't A Fix (RISKS-33.43)

Steve Bacher <>
Mon, 5 Sep 2022 07:50:44 -0700
Link to article:

Re: 3D gun printing operation busted in Calgary (Bacher, R-33.43)

Henry Baker <>
Sun, 04 Sep 2022 20:06:52 +0000
[Im]moral hazard?

Houston man sells dozens of 3D-printed guns at city's first gun buyback.
The man traded in 62 3D-printed guns, often referred to as 'ghost guns,' and
received $50 per gun. He claimed making the weapons cost only $3 each.

Which reminds me of other 'bounty' programs gone horribly/LOL wrong:

Please report problems with the web pages to the maintainer