The RISKS Digest
Volume 33 Issue 8

Saturday, 5th March 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Massive satellite disruption affecting almost 6000 wind turbines in Europe
Market Screener
Surprisingly many risky infusion pumps? Are you part of the IoT?
Small cyberphysical watermarks could prevent huge headaches caused by fake meds
Sophisticated new Chinese hacking tool found, spurring U.S. warning to allies
DHS calls out firmware and open source as the biggest software risks
Researchers Can Steal Data During Homomorphic Encryption
Flaws Discovered in Cisco's Network Operating System for Switches
The Hacker News
Robust Radar: AI Sensor Technology for Autonomous Driving
Christoph Pelzl
Computer Security Researchers Aim to Prevent Tech Abuse
Cornell Chronicle
Stolen certificates
The Register
Ban from China Made Bitcoin Less Friendly to Climate
Surgeon General Demands Data on COVID-19 Misinformation From Major Tech Firms
The Hill
Humans Will Live In Metaverse Soon, Claims Mark Zuckerberg. What About Reality?
The metaverse will steal your identity
Proctorio subpoenas digital rights group in legal spat with student
The Verge
Here Comes the Full Amazonification of Whole Foods
Cecilia Kang
Move Over Candy Bars, New York Vending Machine Now Sells NFT Art
Daniel Fasterberg
Relevant bumper crop in today's NYTimes
More on Ukraine-related risks
Cyberwarfare likely to hit U.S., allies, say experts
Carolyn Said
As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War
David E. Sanger et al.
The Impossible Suddenly Became Possible
Anne Applebaum
Ukraine's Vital Tech Industry Carries on Amid Russian Invasion
Sam Schechner
Google temporarily disables Google Maps live traffic data in Ukraine
Conti Ransomware Source Code Leaked by Ukrainian Researcher
Bleeping Computer
Russia's War in Ukraine Could Spur Another Global Chip Shortage
The Internet and Putin's War
Lauren Weinstein
Re: New Bill Would Bring Mobile Voting To WashDC
Jay Libowe
Re: Some Mazda cars stuck on a Seattle Station
Martin Ward
Info on RISKS (comp.risks)

Massive satellite disruption affecting almost 6000 wind turbines in Europe (Market Screener)

Lauren Weinstein <>
Mon, 28 Feb 2022 18:48:35 -0800

Surprisingly many risky infusion pumps? Are you part of the IoT?

Peter Neumann <>
Fri, 4 Mar 2022 11:53:40 PST

Three out of four infusion pumps used to deliver medications and fluids to patients have cybersecurity flaws, putting them at increased risk of being compromised by hackers, according to a new study by Palo Alto Networks' Unit 42 threat research service.

An analysis of more than 200,000 infusion pumps from seven medical device manufacturers, using crowd-sourced data supplied by healthcare organizations, found more than half of the devices were susceptible to “critical” and “high” severity cybersecurity vulnerabilities. “Security lapses in these devices have the potential to put lives at risk or expose sensitive patient data,” states the report, noting that infusion pumps can number in the thousands in a large hospital or clinic.

The Palo Alto Networks study mirrors results from a January research report <> by security firm Cynerio, which found that IV infusion pumps make up 38% of a hospital's typical Internet of Things (IoT) footprint, with 73% of those devices having a vulnerability “that would jeopardize patient safety, data confidentiality, or service availability if it were to be exploited by an adversary.”

Infusion pumps are the most common connected medical devices in hospitals and “possess the lion's share” of cybersecurity risk, concluded Cynerio's January report. The Palo Alto Networks study, released on 2 Mar 2022 identified more than 40 different vulnerabilities and over 70 different security alerts among infusion pumps, with one or more affecting 75% of the 200,000 devices analyzed on the networks of mostly U.S. healthcare organizations.

One of the most striking findings was that 52% of all infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019—one with ‘critical’ severity, the other with ‘high’ severity, respectively: <> <>

The study also points out that the average infusion pump has a life of eight to 10 years, resulting in the widespread use of legacy devices that have hampered efforts to improve cybersecurity.

Becton Dickinson's Alaris System vulnerabilities listed in the Palo Alto Networks report were disclosed by the company in 2017, 2019 and 2020. BD made software updates available to fix these vulnerabilities and encouraged customers to update to BD Alaris PCU version 12.1.2, which became available in July 2021, according to the report's researchers.

Still, despite the availability of a patch last year, the Common Vulnerabilities and Exposures (CVEs) in the BD pumps “still had a 50.39% and 39.54% representation in the hospitals,” according to Chris Gates, director of product security at medical device engineering firm Velentium.

“While BD has been a responsible manufacturer, the hospitals have not been updating their pumps,” which is “magnified by the long service life of these pumps in the hospital,” Gates said.

Other cybersecurity experts such as Harbor Labs' Director of Medical Security Mike Rushanan, who has worked with a wide variety of infusion systems, are not impressed with the security practices of much of the infusion pump industry.

“Some infusion pump manufacturers do cybersecurity right, and you don't see them on this list. Others, like BD, you'll see over and over,” Rushanan said. At the same time, Gates is critical of Baxter's response to known vulnerabilities in their infusion pumps. “The Baxter pumps have a raft of high scoring vulnerabilities,” Gates said. “These types of vulnerabilities display a complete disregard for cybersecurity by the manufacturer, this isn't some advanced attack by a nation-state or newly discovered vulnerability in a third-party component. No, this is just not meeting their responsibility as a medical device manufacturer.”

In an emailed statement, Baxter said that the company “self-identified, investigated and disclosed” vulnerabilities related to its devices that were noted in the study.

“Securing medical devices, including infusion pumps, is not a one-time event. It requires ongoing vigilance throughout the lifecycle and operation of the pump,” it said. “Baxter's product security team is continuously monitoring for potential vulnerabilities in our medical devices.”

A spokesperson at BD said the company planned to issue a statement about the matter today. It wasn't made available at the time of publication.

Baxter's recent infusion pump safety notification, which regards improper device use, adds to the cybersecurity concerns with the machines. BD has similarly had recent problems with its pumps, issuing multiple recalls over the last several years due to machine malfunctions. <>

“Recalls, whether due to mechanical failure or cybersecurity vulnerability, can be a source of anxiety for supply chain managers, clinical engineers and IT security teams,” Palo Alto Networks said in the study. “The at-risk devices must be identified, found and retired or repaired per the instruction of a given recall. An oversight or a miss in any of these areas ” whether the devices need repair, maintenance, software patches or updates “ can put patient lives or sensitive information at risk.”

The Palo Alto Networks study called on the healthcare industry to “redouble efforts to protect against known vulnerabilities” in infusion pumps. Still, Velentium's Gates is skeptical that both hospitals and medical device manufacturers are up to the task, despite the continuing risks to patient safety. “I would love to see these studies repeated in a year to see how many are still unpatched and still in use in the hospitals. Sadly, I would suspect they would find very similar numbers,” Gates said.

Small cyberphysical watermarks could prevent huge headaches caused by fake meds (

“Richard Stein” <>
Wed, 2 Mar 2022 12:26:23 +0800

“Counterfeit medications and pharmaceutical products are just a click away from being purchased from online pharmacies via smartphone.”

The Pharmaceutical Security Institute summarizes grim statistics about arrests, drug categories, and the global geographic distribution for counterfeit medicines for incidents greater than US$ 100K in product value. No aggregated revenue information about the crimes are disclosed. See retrieved on 02MAR2022.

The AARP, via (retrieved on 02MAR2022), estimates the phony drug market size @ ~US$ 200B in 2014.

To deter incentives to forge and sell into the marketplace, a silk-based watermark will be imprinted on each pill or tablet to establish the manufactured medicine's bona fides. Human digestive processes gracefully degrade silk and the marking ink.

A cellphone app can be used to examine the watermark and confirm or refute authenticity.

Risk: False negative/positive app outcome.

[Unclear how consumers can apply the app via pre-sale sample and buy. Law enforcement can benefit by not having to subject the suspected goods to rigorous chemical authenticity testing. Wonder if law enforcement use of the app might be subject to illegal search and seizure challenges.]

Sophisticated new Chinese hacking tool found, spurring U.S. warning to allies (SCMP)

geoff goodfellow <>
Mon, 28 Feb 2022 21:17:07 -1000

- Cybersecurity firm Symantec says the malware, which it calls Daxin, has been used to target high level, non-Western government agencies in Asia and Africa - Researchers say the discovery is noteworthy because of the scale of the intrusions and the advanced nature of the tool

Security researchers with US cybersecurity firm Symantec said they have discovered a highly sophisticated Chinese hacking tool that has been able to escape public attention for more than a decade.

The discovery was shared with the US government in recent months, who have shared the information with foreign partners, said a US official. Symantec, a division of chip maker Broadcom, published its research about the tool, which it calls Daxin, on Monday.

“It's something we haven't seen before,” said Clayton Romans, associate director with the US Cybersecurity Infrastructure Security Agency (CISA). “This is the exact type of information we’re hoping to receive.”

CISA highlighted Symantec's membership in a joint public-private cybersecurity information sharing partnership, known as the JCDC, alongside the new research paper. […]

DHS calls out firmware and open source as the biggest software risks (DHS)

Peter G Neumann <>
Sat, 5 Mar 2022 10:31:49 PST Supply Chain Report_0.pdf

Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry

23 February 2022

“In summary, open-source software and firmware are integral to the ICT industrial base, enabling the development and functionality of nearly all types of ICT software and hardware products. However, the nature of these products in addition to the software supply chain itself present several risks. First, the dynamic nature of software development exposes the supply chain to countless sources of both known and unknown vulnerabilities, from insecure open-source software to zero-day exploits. Second, the growing reliance on open-source software increases the risk and potential impact of software supply chain attacks through methods such as package typo squatting and malicious injects. Finally, firmware presents a large and ever-expanding attack surface as the number of electronic devices grows and the ICT supply chain increases in complexity. Product integrity assurance throughout the ICT industry is important to ensure secure and reliable products.”

Researchers Can Steal Data During Homomorphic Encryption (NCState)

ACM TechNews <>
Fri, 4 Mar 2022 12:00:30 -0500 (EST)

Matt Shipman, NC State University News, 2 Mar 2022, via ACM TechNews; 4 Mar 2022

Researchers at North Carolina State University (NC State) and Turkey's Dokuz Eylul University have cracked next-generation homomorphic encryption via side-channel attacks. Homomorphic encryption renders data unreadable to third parties, while still permitting third parties and third-party technologies to perform operations using the data. NC State's Aydin Aysu said the process consumes much computing power, and the researchers were able to read data during encryption by monitoring power consumption in the data encoder using Microsoft's SEAL Homomorphic Encryption Library. “We were able to do this with a single power measurement,” Aysu noted, and the team confirmed the flaw in the library up through least version 3.6.


Flaws Discovered in Cisco's Network Operating System for Switches (The Hacker News)

ACM TechNews <>
Mon, 28 Feb 2022 12:04:13 -0500 (EST)

Ravie Lakshmanan, The Hacker News 24 Feb 2022, via ACM TechNews, 28 Feb 2022

Technology conglomerate Cisco has issued software patches to correct four security flaws that hackers could exploit to commandeer affected systems. The most critical patch fixes a command injection flaw in the NX-API feature of Cisco NX-OS software, stemming from insufficient input validation of user-supplied data. Cisco warned, “A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.” Other bugs the patches target include two high-severity denial-of-service (DoS) vulnerabilities in NX-OS in the Cisco Fabric Services Over IP and Bidirectional Forwarding Detection traffic functions. The fourth patch corrects a DoS flaw in the Cisco Discovery Protocol service of Cisco FXOS Software and Cisco NX-OS Software, which could “allow an unauthenticated, adjacent attacker to cause the service to restart, resulting in a denial of service condition.”


Robust Radar: AI Sensor Technology for Autonomous Driving (Christoph Pelzl)

ACM TechNews <>
Fri, 4 Mar 2022 12:00:30 -0500 (EST)

Christoph Pelzl, Graz University of Technology (Austria), 23 Feb 2022, via ACM TechNews; 4 Mar 2022

An artificial intelligence (AI) system for automotive radar sensors developed by researchers at Austria's Graz University of Technology (TU Graz) filters out interfering signals from other radar sensors to improve object detection. The researchers built model architectures for automatic noise suppression based on convolutional neural networks (CNNs). To make them more efficient, the researchers trained the neural networks with noisy data and desired output values, then compressed the most efficient models further by reducing bit widths, resulting in an AI model with high filter performance and low energy consumption. Said TU Graz's Franz Pernkopf, “We want to make CNNs' behavior a bit more explainable. We are not only interested in the output result, but also in its range of variation. The smaller the variance, the more certain the network is.”


Computer Security Researchers Aim to Prevent Tech Abuse (Cornell Chronicle)

ACM TechNews <>
Mon, 28 Feb 2022 12:04:13 -0500 (EST)

Adam Conner-Simons, Cornell University Chronicle, 24 Feb 2022, via ACM TechNews, 28 Feb 2022

76A model developed by Cornell University researchers aims to help domestic abuse survivors prevent assailants from hacking into their devices and social media. With a focus on “continuity of care,” the model matches survivors of such abuse with a volunteer consultant who understands their needs and provides a seamless relationship over time, giving them multiple ways to communicate with their consultant safely, and securely storing their tech abuse history and concerns. Cornell's Emily Tseng said, “In an ideal world, the people on the ‘Geek Squad’ would be able to treat tech abuse with the sensitivity of a social worker.”


Stolen certificates (The Register)

“Arthur T.” <>
Sat, 05 Mar 2022 01:49:19 -0500

Extortionists started leaking data they stole from Nvidia. It includes a code-signing certificate. There is already malware in the wild signed by it.

There is an important question I have that this article doesn't mention: Other software companies have had data stolen. Has any of their stolen data included signing certificates? If they aren't leaked (as was Nvidia's) we might never know that criminals have those certificates in their possession, since those who pay ransoms generally don't publicize what kind of data was taken (if they even know).

Ban from China Made Bitcoin Less Friendly to Climate (NYTimes)

Peter G Neumann <>
Sat, 26 Feb 2022 13:37:16 PST

Hiroko Tabuchi, The New York Times Business, B8,26 Feb 2022

The exodus of bitcoin miners from China (after last year's government crackdown on cryptocurrencies) made cryptomining even worse for the climate. Miners lost their access to cheap hydro-electric power in China, and migrated (e,g., to Kazakhstan and the U.S.), resulting in the overall use of more fossil fuels. Researchers estimated Bitcoin mining may be responsible for about 65 megatons of carbon dioxide annually. (PGN-ed)

Surgeon General Demands Data on COVID-19 Misinformation From Major Tech Firms (The Hill)

ACM TechNews <>
Fri, 4 Mar 2022 12:00:30 -0500 (EST)

Brad Dress, The Hill, 3 Mar 2022, via ACM TechNews; 4 Mar 2022

U.S. Surgeon General Vivek Murthy reportedly has asked major technology companies to disclose data on COVID-19 misinformation. He asked for information about the prevalence and scale of the problem on the firms' Websites, and on social networks, search engines, crowdsourced and e-commerce platforms, and instant messaging systems. Murthy specified that the data should detail demographics impacted by misinformation, misinformation sources, and “exactly how many users saw or may have been exposed to instances of COVID misinformation.” Said Murthy, “Technology companies now have the opportunity to be open and transparent with the American people about the misinformation on their platforms. This is about protecting the nation's health.”


Humans Will Live In Metaverse Soon, Claims Mark Zuckerberg. What About Reality? (Washable)

geoff goodfellow <>
Fri, 4 Mar 2022 08:03:48 -1000

Meta intends to spend the next five to ten years creating an immersive virtual environment that includes fragrance, touch, and sound to allow users to lose themselves in virtual reality… […]

The metaverse will steal your identity (Unherd)

geoff goodfellow <>
Fri, 4 Mar 2022 08:33:15 -1000

Individuality will dissolve into mindless conformity

In 1950, sociologist David Riesman declared that we were The Lonely Crowd.

In 2000, political scientist Robert D. Putnam told us we were Bowling Alone. If the metaverse promises us one thing, it's that we will not be lonely.

Meta (formerly Facebook) and Microsoft (having recently purchased online gaming giant Activision) are enthusiastically talking up the metaverse—a world of virtual reality-enhanced social interactions that will be more real than reality. It will capture the nuances of offline interaction in massively fulfilling virtual experiences and then monetise them. With JPMorgan and Goldman Sachs declaring it a trillion-dollar market, the metaverse, if it succeeds, will be a constant presence in our lives.

If this is, as some say <>, a chilling vision of the future, it's not for the Huxleyesque reasons usually given. If the worry is that people will be drawn away from real life into an online world provided by high-tech devices, that horse has already bolted. Meta's talk of an immersive metaverse belies the fact that we are already well and deeply immersed in online life. […]

Proctorio subpoenas digital rights group in legal spat with student (The Verge)

“Gabe Goldberg” <>
Wed, 2 Mar 2022 19:31:46 -0500

It asks for all the organization's communications related to the proctoring software industry.

The controversial proctoring platform Proctorio has filed a broad subpoena against the prominent digital rights nonprofit Fight for the Future as part of its legal battle with Miami University student Erik Johnson, in what the group describes as an effort to silence critics through legal maneuvering.

The fight between Johnson and the company began in September of 2020 when the student published a lengthy Twitter thread criticizing Proctorio's practices, including excerpts of the platform's source code that he’d posted on PasteBin. Proctorio filed a copyright takedown notice. Three of the tweets were removed but later reinstated. The Electronic Frontier Foundation then sued Proctorio on Johnson's behalf, arguing that the takedown had “interfered with Johnson’s First Amendment right.”

Proctorio is one of the most prominent software platforms that schools use to watch for cheating on remote tests. It records students through their webcams as they work, monitoring their head positioning, and flags possible signs of cheating to professors.

Here Comes the Full Amazonification of Whole Foods (Cecilia Kang)

ACM TechNews <>
Fri, 4 Mar 2022 12:00:30 -0500 (EST)

Cecilia Kang, The New York Times, 28 Feb 2022 via ACM TechNews; 4 Mar 2022

Amazon has almost completely automated a Whole Foods store in Washington, DC's Glover Park neighborhood. The store incorporates Just Walk Out technology, a network of cameras, sensors, and deep learning software that analyzes shopping habits. Shoppers can activate virtual shopping by scanning their palms at kiosks or by scanning quick response codes in the Amazon phone app. Just Walk Out detects when shoppers lift sensor-affixed products, itemizes their picks, and charges their Amazon account when they exit the store, skipping checkout lines. Amazon, which has tested such automation for over four years, plans to open a second prototype automated Whole Foods store in Los Angeles this year.


Move Over Candy Bars, New York Vending Machine Now Sells NFT Art (Daniel Fasterberg)

ACM TechNews <>
Fri, 4 Mar 2022 12:00:30 -0500 (EST)

Daniel Fastenberg, Reuters 2 Mar 2022 via ACM TechNews; 4 Mar 2022

The first in-person non-fungible token (NFT) vending machine has been installed in New York City by digital art collecting platform Neon. The “NFT ATM,” located in a small storefront in Lower Manhattan's financial district, sells QR codes connected to pieces of online art ranging in price from $5.99 to $420.49. Customers do not know which piece of digital art they have purchased until they scan the QR code, which allows them to display the art on any smartphone, laptop, or tablet. Neon's Kyle Zappitell said the target customer is “the crypto curious, the people who tried to buy cryptocurrency or they were interested in buying an NFT, but they just hit too many barriers.”


Relevant bumper crop in today's NYTimes

“Peter G, Neumann” <>
Sat, 5 Mar 2022 13:23:43 PST

Main op-ed in the editorial slot:

Lead right-hand page Op-Ed:

Business Section front page:

The risks are enormous all around. PGN

More on Ukraine-related risks (PGN-collected)

Lauren Weinstein <>
Sat, 26 Feb 2022 09:12:15 -0800

Leaders announce selected Russian banks to be cut off from SWIFT

Cyberwarfare likely to hit U.S., allies, say experts (Carolyn Said)

Peter G Neumann <>
Sat, 26 Feb 2022 13:02:05 PST

Carolyn Said (San Francisco Chronicle, 26 Feb 2022

Underscoring how warfare has changed in the Internet era, the aggression includes a wave of cyberattacks against Ukraine seeking to destabilize critical infrastructure. Security experts warn that's just the beginning of the online havoc Russia will try to wreak, which is likely to target the U.S. and its allies as well.

As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War (David E. Sanger et al.)

ACM TechNews <>
Wed, 2 Mar 2022 12:18:05 -0500 (EST)

David E. Sanger, Julian E. Barnes and Kate Conger, The New York Times, 01 Mar 2022, via ACM TechNews; 2 Mar 2022

U.S. technology companies are helping to defend Ukraine against cyberattacks orchestrated alongside the Russian invasion. Shortly before the military incursion began, Microsoft's Threat Intelligence Center responded to previously unseen “wiper” malware targeting Ukraine's government ministries and financial institutions; the center dissected the malware, informed Ukraine's cyberdefense forces, and updated Microsoft's virus detection systems to block the code within hours. Meanwhile, Meta said it had locked down Facebook accounts of Ukrainian military officials and public figures when hackers attempted to spread disinformation through them. Corporate-government partnerships are being tested in the effort to analyze and counter Russia's cyberoffensive tactics, with tech companies a primary source of actionable intelligence.


The Impossible Suddenly Became Possible (Anne Applebaum)

Dewayne Hendricks <>
March 2, 2022 14:33:56 JST

When Russia invaded Ukraine, the West's assumptions about the world became unsustainable.

Anne Applebaum, The Atlantic, 1 Mar 2022

History has accelerated; the impossible has become possible. Shifts that no one imagined two weeks ago are unfolding with incredible speed.

As it turns out, nations are not pieces in a game of Risk. They do not, as some academics have long imagined, have eternal interests or permanent geopolitical orientations, fixed motivations or predictable goals. Nor do human beings always react the way they are supposed to react. Last week, nobody who was analyzing the coming war in Ukraine imagined that the personal bravery of the Ukrainian president and his emotive calls for sovereignty and democracy could alter the calculations of foreign ministers, bank directors, business executives, and thousands of ordinary people. Few imagined that the Russian president's sinister television appearances and brutal orders could alter, in just a few days, international perceptions of Russia.

And yet all of that has happened. Volodymyr Zelensky's courage has moved people, even the hard-bitten CEOs of oil companies, even dull diplomats accustomed to rote pronouncements. Vladimir Putin's paranoid ranting, meanwhile, has frightened even people who were lauding his savvy just a few days ago. He is not, in fact, someone you can do business with, as so many in Berlin, Paris, London, and Washington falsely believed; he is a cold-blooded dictator happy to murder hundreds of thousands of neighbors and impoverish his nation, if that's what it takes to remain in power. However the war ends—and many scenarios are still imaginable—we already live in a world with fewer illusions.

Look at Germany, a nation that has spent nearly 80 years defining its national self-interest in purely economic terms. If the government of some distant place where Germans buy and sell things was repressive, that was never the Germans' fault. If military aggression was reshaping the outer borders of Europe, that was peripheral to Germany, too. Former Chancellor Angela Merkel, although she talked a lot about liberal and democratic values, in practice worried far more about creating good conditions for German business, wherever it was operating. That economy-first attitude infected her nation. Not long after the Russian annexation of Crimea in 2014, I joined a panel discussion in Germany about “the greatest threats to Europe.” Because of the timing, I talked about Russia and assumed the others would too. I was wrong. One of the other panelists called me a warmonger. Another argued vociferously that the greatest threat was a proposed trade agreement that would have allowed Americans to sell chicken washed in chlorine to German supermarkets.

I remember that detail because I hadn't known about the great chlorinated-chicken discussion that was then engulfing Germany, and I had to go home and look it up. But I've had some version of that experience many times since. I was on a German television program two weeks ago, along with three German politicians who were, even then, arguing that—despite the thousands of troops and armored vehicles gathering on the borders of Ukraine — the only conceivable solution was dialog.

On Saturday, in a 30-minute speech, the current German chancellor, Olaf Scholz, threw all of that out the window. Germany, he said, needs “planes that fly, ships that sail, and soldiers who are optimally equipped for their missions.” Germany's military should reflect its size and importance. The German government has done an about-face and will even send weapons to Ukraine: 1,000 anti-tank weapons and 500 Stinger missiles. More incredibly, this 180-degree turn has the support of an astonishing 78 percent of the German public, who now say they support much higher military spending and will gladly pay for it. This is a fundamental change in Germany's definition of itself, in its understanding of its past: Finally, Germans have understood that the lesson of their history is not that Germany must remain forever pacifist. The lesson is that Germany must defend democracy and fight the modern version of fascism in Europe when it emerges.

But the Germans are not the only ones who have changed. Across Europe people are realizing that they live on a continent where war, in their own time, in their own countries, is no longer impossible. Platitudes about European unity and solidarity are beginning to have some meaning, along with common foreign policy, a phrase that, in the European Union, has until now been largely fiction. In theory the EU has a single spokesperson for foreign policy, but in practice European leaders have given that job to people who know little about Russia, and whose fallback position when Russia misbehaves is always the expression of deep concern. The previous European high representative for foreign policy, Federica Mogherini, was more interested in EU relations with Cuba than with Kyiv. The current holder of that office, Josep Borrell, stumbled through a meeting with his Russian counterpart last year, and seemed surprised to be treated with disdain.

But now everything is suddenly different. Deep concern has been exchanged for real action. Less than a week into the invasion, the EU has not only announced harsh sanctions on Russian banks, companies, and individuals — sanctions that will also affect Europeans—but has also offered $500 million of military aid to Ukraine. Individual European states, from France to Finland, are sending weapons as well, and applying their own sanctions. The French say they are drawing up a list of Russian oligarchs' assets, including luxury cars and yachts, in order to seize them.

Europeans have also dropped, abruptly, some of their doubts about Ukraine's membership in their institutions. On Monday, the European Parliament not only asked Zelensky to speak, by video, but gave him a standing ovation. Earlier today the parliamentarians, from all across the continent, voted to accept his application for EU membership for Ukraine. Accession to the EU is a long process, and it won't happen immediately, even if Ukraine emerges intact from this conflict. But the idea has been broached. It is now part of the continent's collective imagination. From being a distant place, badly understood, it is now part of what people mean when they say Europe.

Ukraine itself will never be the same again either. Events are happening so rapidly, with moods and emotions changing every hour of every day, that I can't guess what will happen next, or predict how people will feel about it. But I am certain that the events of this week have changed not only the world's perceptions of Ukraine, but Ukrainians' perceptions of themselves. In the long run-up to this war, the conversation in Washington and Berlin was always focused on Putin and Joe Biden, Sergei Lavrov and Antony Blinken, NATO and Russia. This was the kind of talk that academics and pundits liked: big topics, big countries. In this conversation Ukraine was, as the political scientist John Mearsheimer put it in 2014, nothing more than “a buffer state of enormous strategic importance to Russia.” But the Ukrainians have now put themselves at the heart of the story, and they know it.

As a result, thousands of people are making choices that they too could not have imagined two weeks ago. Ukrainian sociologists, baristas, rappers, and bakers are joining the territorial army. Villagers are standing in front of Russian tanks, shouting occupiers and murderers at Russian soldiers firing into the air. Construction workers on lucrative contracts in Poland are dropping their tools and taking the train back home to join the resistance. A decade's worth of experience fighting Russian propaganda is finally paying off, as Ukrainians create their own counternarrative on social media. They post videos telling Russian soldiers to go home to their mothers. They interview captured teenage Russian conscripts, and put the video clips online. Electronic highway signs leading into Kyiv have been reconfigured to tell the Russian army to f*ck off. Even if this ends badly, even if there is more bloodshed, every Ukrainian who lived through this moment will always remember what it felt like to resist—and that too will matter, for decades to come.

And what about Russia? Is Russia condemned always to be a revanchist state, a backward-looking former empire, forever scheming to regain its old role? Must this enormous, complicated, paradoxical nation always be ruled badly, with cruelty, by elites who want to steal its wealth or oppress its people? Will Russian rulers always dream of conquest instead of prosperity?

Right now many Russians don't even realize what is happening in Ukraine. State television has not yet admitted that the Russian military has attacked Kyiv with rockets, bombed a Holocaust memorial, or destroyed parts of central Kharkiv and Mariupol. Instead, the official propagandists are telling Russians that they are carrying out a police action in Ukraine's far-eastern provinces. The audience gets no information about casualties, or war damage, or costs. The extent of the sanctions has not been reported. Pictures seen around the world—the bombing of the Kyiv television tower today, for example—can't be seen on the Russian evening news.

Ukraine's Vital Tech Industry Carries on Amid Russian Invasion (Sam Schechner)

ACM TechNews <>
Fri, 4 Mar 2022 12:00:30 -0500 (EST)

Sam Schechner, The Wall Street Journal, 02 Mar 2022, via ACM TechNews; 4 Mar 2022

Many software developers in Ukraine continue to produce code for overseas clients amid the Russian invasion. Many also are volunteering for the ad hoc hacking army launching cyberattacks against Russia. Some Ukrainian technology companies are relocating employees to the west, donating money to the war effort, or offering office space as refugee housing, among other things. Said Tufts University's Bhaskar Chakravorti, “There is a serious talent crunch in IT, especially at the higher end where Ukraine was increasingly going. It's hard to imagine there will be too many other places for clients to go.” Stepan Veselovskyi of the Lviv IT Cluster trade group said most tech companies in the city are working. Veselovskyi explained, “It's important for businesses with international clients to be alive and pay taxes and pay salaries to people in a time of war.”


Google temporarily disables Google Maps live traffic data in Ukraine (Reuters)

“Jan Wolitzky” <>
Tue, 1 Mar 2022 10:39:08 -0500

Feb 27 (Reuters) - Alphabet Inc's (GOOGL.O) Google confirmed on Sunday it has temporarily disabled for Ukraine some Google Maps tools which provide live information about traffic conditions and how busy different places are.

The company said it had taken the action of globally disabling the Google Maps traffic layer and live information on how busy places like stores and restaurants are in Ukraine for the safety of local communities in the country, after consulting with sources including regional authorities.

Ukraine is facing attacks from Russian forces who invaded the country on Thursday. As missiles fell on Ukrainian cities, nearly 400,000 civilians, mainly women and children, have fled into neighbouring countries.

Russia calls its actions in Ukraine a “special operation”.

Big tech companies including Google have said they are taking new measures to protect users' security in the region.

Online services and social media sites have also been tapped by researchers piecing together activity around the war.

A professor at California's Middlebury Institute of International Studies said Google Maps helped him track a “traffic jam” that was actually Russian movement towards the border hours before Russian President Vladimir Putin announced the attack. <>

Google said live traffic information remained available to drivers using its turn-by-turn navigation features in the area.

Conti Ransomware Source Code Leaked by Ukrainian Researcher (Bleeping Computer)

ACM TechNews <>
Fri, 4 Mar 2022 12:00:30 -0500 (EST)

Lawrence Abrams, BleepingComputer (1 March 2022), via ACM TechNews; 4 Mar 2022

A Ukrainian researcher has exposed a wealth of content on the Conti cybercrime gang, including their ransomware's source code, after they sided with Russia on the Ukraine incursion. Known on Twitter as @ContiLeaks, the researcher leaked 393 JavaScript Object Notation files containing roughly 60,000 internal messages from the Conti and Ryuk ransomware group's private Extensible Messaging and Presence Protocol chat server. ContiLeaks then released more damaging material: the most exciting disclosure was a password-protected archive featuring the source code for the Conti ransomware encryptor, decryptor, and builder. Another researcher cracked the password, making the ransomware source code accessible to everyone.


Russia's War in Ukraine Could Spur Another Global Chip Shortage (WiReD)

Gabe Goldberg <>
Thu, 3 Mar 2022 20:00:30 -0500

Ukraine is home to half of the world's neon gas, which is critical for manufacturing semiconductor chips.

The Internet and Putin's War

Lauren Weinstein <>
Fri, 4 Mar 2022 09:16:03 -0800

It's impossible to overstate the importance of the Internet in Russia's war on Ukraine. Yes, it can be a source for lies and disinformation, but it also allows the world to monitor the conflict and organize against Putin in ways that never would be possible before. Putin can't hide.

Mainstream media seems to suddenly realize that Big Tech is incredibly important to let the world know what is REALLY going on during events like Putin's war, and that the “All Big Tech is Evil” mantra is a bunch of hooey.

Re: New Bill Would Bring Mobile Voting To WashDC (RISKS-33.07)

Jay Libove <>
Sat, 26 Feb 2022 21:13:22 +0000

I wonder why I've never seen the following discussed:

So, we should do it, and/but we should NOT ONLY do it (that is, it shouldn't be forced on people, just made available).

[What am I missing?]

Re: Some Mazda cars stuck on a Seattle Station (RISKS-33.06-07)

Martin Ward <>
Tue, 1 Mar 2022 15:25:23 +0000

The real problem is that programmers write printf("foo") to print the string “foo”, and it works. So then they go on to write printf(str) to write the string str, which mostly works but fails when the string pointed at by str contains percent characters.

The first argument to printf is supposed to be the format string. To print an arbitrary string the programmer is supposed to write printf("%s", str).

Please report problems with the web pages to the maintainer