Subject: Risks Digest 32.35

RISKS-LIST: Risks-Forum Digest  Monday 2 November 2020  Volume 32 : Issue 35

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

Contents:
Defective Panels in Solar Arrays (Ben Heubl via Peter Bernard Ladkin)
American Pilots To Reassure Passengers Before MAX Flights (avweb.com)
Axios Navigate (Axios)
U.S. hatches plan to build a quantum Internet that might be unhackable (WashPost)
NASA's new rocket would be the most powerful ever. But it's the software that has some officials worried. (WashPost)
Elon Musk's SpaceX says it will make its own laws on Mars (Independent)
Robot Trained in Simulation Performs Better in Real Life (Chris Stokel-Walker)
Using AI to control a camera at a sports event -- oops! (IFLScience)
Four years since the Mirai-Dyn attack, is the Internet safer?
  (Techxplore.com)
FBI warns of "imminent" ransomware attacks on hospital systems (CBS News)
In a first, researchers extract secret key used to encrypt Intel (Dan Goodin)
Marriott Hotels fined 18.4m pounds for data breach that hit millions (bbc.com)
Two Former eBay Employees Plead Guilty to Aggressive Cyberstalking Campaign Targeting Natick Couple (DoJ)
The Unsinkable Maddie Stone, Google's Bug-Hunting Badass (WiReD)
Beware a New Google Drive Scam Landing in Inboxes (WiReD)
Apple develops alternative to Google search (FT)
Senator Brian Schatz of Hawaii calls sec.'s testimony what it really was (Amos Shapir)
@Team_Trump45 and the Hazards of Online Sleuthing (WiReD)
Wisconsin GOP Lost $2.3 Million in an Email Scam (WiReD)
New 'Media Manipulation Casebook' from Harvard teaches how to detect misinformation campaigns (WashPost)
How a fake persona laid the groundwork for a Hunter Biden conspiracy deluge (NBC News)
NSA Pot calling Chinese Kettle Black (Joseph Menn via Henry Baker)
Re: How does Google's monopoly hurt you? (Julian Bradfield)
Re: Air Force updates code on plane mid-flight (David Alexander)
Re: UK national police computer down for 10 hours after engineer pulled the plug (Dick Mills)
Re: Censorship or Sensibility? (San Steingold)
Re: More on erroneous Alexa/third-party data provider evacuation notices in Boulder County, Colorado (Dan Jacobson)
Re: Why cars are more "fragile": more technology has reduced robustness (Martin Ward)
Re: F-35s and Teslas? (3daygoaty)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 28 Oct 2020 07:46:48 +0100
From: Peter Bernard Ladkin
Subject: Defective Panels in Solar Arrays

The October issue of IET's E&T magazine has a story by Ben Heubl on problems with PV panels.
It was originally published in July 2020 on-line:
https://eandt.theiet.org/content/articles/2020/07/solar-panel-technology-scandal-could-see-millions-of-solar-pv-panels-fail-or-degrade-prematurely

``In February 2020, the power output plummeted at one of South Africa's proudest solar photovoltaic electricity generation sites, the Mulilo Sonnedix Prieska solar farm. .... Usually, PV solar panels last between 20 and 30 years. So how could this happen after less than four? Insiders claim accelerated backsheet degradation is to blame. The backsheet is part of a solar module that seals it from dust and moisture and provides electrical insulation. It is also necessary to protect interior components from mechanical and environmental stresses.''

... and when a backsheet cracks, the consequences can include electrical short-circuits and fire. So there are safety issues.

Heubl found it difficult to get anyone to give him information about the extent of the problem, except that it appears to be significant. It is not clear that anyone knows where panels most susceptible to early degradation are installed.

There is surely not just a quality-control problem with newish panels. Panels have a limited functional lifetime in any case, and it seems to follow from the report that there are few effective systems in place to identify which ones are faulty, whether after 3 years or 30 years. What about the panels on the roof of your house? Or built-in roofing panels?

------------------------------

Date: Wed, 28 Oct 2020 13:06:58 +0800
From: Richard Stein
Subject: American Pilots To Reassure Passengers Before MAX Flights (avweb.com)

https://www.avweb.com/aviation-news/american-pilots-to-reassure-passengers-before-max-flights/

"It's not often that passengers hear from the captain days before their flight but American Airlines is employing those calm, soothing voices to ease the reintroduction of the Boeing 737 MAX. As we recently reported, American plans to resume MAX flights starting Dec.
29, assuming all the regulatory approvals are in place. Its plan to gain customer approval for the re-launch is to offer customer tours of the aircraft and to have pilots answer phone and video calls from jittery pax. 'They're the ones that ... really have the credibility to explain the Max,' Alison Taylor, American's chief customer officer, told an online 'town hall' meeting with employees in mid-October."

For a business to survive, the brands it sells must project and reliably demonstrate trust to sustain customer loyalty. Consumer expectations are, in part, achieved through unbiased and independent evaluations by regulatory agencies who evaluate these brands. They serve as the last line of defense for public health and safety. All bets are off when these agencies are neutered, or their investigatory and enforcement capabilities are compromised.

How do businesses recover and restore brand trustworthiness after a 'Black Swan' shatters that expectation? The Chicago Tylenol murders (https://en.wikipedia.org/wiki/Chicago_Tylenol_murders retrieved on 28OCT2020) details measures a business can responsibly apply to restore and rebuild brand reputation following a deadly trust erosion incident. A "time heals all wounds" approach appears ineffective in the Internet era, where history is easy to retrieve if curiosity strikes.

Will a pilot's pre-flight reassurance be sufficient to soothe public anxiety about the re-engineered MAX's safety? The passenger loyalty consequences from a 'fit to fly' customer-charm offensive defy prediction. Eventually, I suspect this engagement 'pitch' will vanish. For now, that's all the flying public can expect following the Congressional investigations, FAA investigations, Boeing restructuring, liability settlements, MCAS revisions, re-certification efforts, etc. Airlines that offer discount 737-MAX flights will lure passengers and possibly recover revenue.
Sustained airline profits from 737-MAX flights depend on over-achievement of historical aircraft safety records and trends. The flying public MIGHT be best served if, at ticket point-of-purchase, a government-mandated disclosure states, "This flight powered by a re-tooled 737-MAX. See this link for fleet history."

------------------------------

Date: Sun, 1 Nov 2020 17:31:46 -0500
From: Gabe Goldberg
Subject: Axios Navigate (Axios)

Tesla is beta-testing its latest self-driving technology with a small group of early adopters, a move that alarms experts and makes every road user -- including other motorists, pedestrians and cyclists -- unwitting subjects in its ongoing safety experiment.
https://www.axios.com/newsletters/axios-navigate-bd1ba2e9-6da7-4c76-91af-2d388ca96ba7.html

CAS Comment on AV TEST Data Collection
https://www.autosafety.org/cas-comment-on-av-test-data-collection/

Dear Deputy Administrator Owens,

The Center for Auto Safety (the Center) appreciates the opportunity to provide comments on the notice and request for comment regarding the Automated Vehicle Transparency and Engagement for Safe Testing (AV TEST) initiative. The Center, founded in 1970, is an independent, member-supported, non-profit consumer advocacy organization dedicated to improving vehicle safety, quality, and fuel economy. In 2020, we are celebrating 50 years of advocacy for consumer automotive safety and informed choice.

The AV TEST initiative proposes using government resources for the purpose of providing ``information to the public about Automated Driving System (ADS) testing operations in the U.S. and applicable State and local laws, regulations, and guidelines.'' Instead, the public would be better off visiting the promotional website of each AV manufacturer after conducting their own Google search. At least that way, there would not be any confusion about the biased nature of the promotion or the lack of government oversight.
Motor vehicle crashes remain one of the primary causes of premature death, and the leading cause of death for those under age 30. These crashes cost the U.S. approximately $1 trillion every year. Sadly, NHTSA has estimated the first six months of 2020 have resulted in the highest death rate per vehicle mile traveled in the U.S. in over a decade.

The Center firmly believes ADS technology can play a significant role in a safer transportation future and is committed to seeing its successful and safe integration into our transit ecosystem. Yet, NHTSA's refusal to even require the submission of test data relating to ADS development is an implicit encouragement of the deployment of unproven technology guided by artificial intelligence on public roads. These self-described self-driving vehicles are being unleashed on America in the hope that nothing too horrible will happen, in the absence of NHTSA analyzing validated engineering data demonstrating safe ADS performance.

------------------------------

Date: October 28, 2020 5:07:30 JST
From: Dewayne Hendricks
Subject: U.S. hatches plan to build a quantum Internet that might be unhackable (WashPost)

[via Dave Farber, who notes: Typical PR piece. There has been an international activity to conceptualize such a network for a while now -- Japan, USA, EU, etc. It is at the early research stage but advancing at a fast pace. Dave Farber]

U.S. hatches plan to build a quantum Internet that might be unhackable
The new network would sit alongside the existing Web, offering a more secure way to send and process information
Jeanne Whalen, *The Washington Post*, 23 Jul 2020
https://www.washingtonpost.com/technology/2020/07/23/us-plan-quantum-internet/

U.S. officials and scientists unveiled a plan Thursday to pursue what they called one of the most important technological frontiers of the 21st century: building a quantum Internet.
Speaking in Chicago, one of the main hubs of the work, they set goals for forging what they called a second Internet -- one that would function alongside the globe's existing networks, using the laws of quantum mechanics to share information more securely and to connect a new generation of computers and sensors.

Quantum technology seeks to harness the distinct properties of atoms, photons and electrons to build more powerful computers and other tools for processing information. A quantum Internet relies on photons exhibiting a quantum state known as entanglement, which allows them to share information over long distances without having a physical connection.

David Awschalom, a professor at the University of Chicago's Pritzker School of Molecular Engineering and senior scientist at Argonne National Laboratory, called the Internet project a pillar of the nation's quantum-research program.

``It's the birth of a new technology. It's becoming a global competition. Every major country on earth has launched a quantum program, because it is becoming clearer and clearer there will be big impacts,'' he said in an interview.

The United States' top technology rival, China, is investing heavily in quantum technology, a field that could transform information processing and confer big economic and national security advantages to countries that dominate it. Europe is also hotly pursuing the research.

The Energy Department and its 17 national labs will form the backbone of the project. How exactly the work will be funded wasn't clear. The Energy Department did not announce a funding figure for the project Thursday. Speaking to reporters, Paul Dabbar, the Energy Department's undersecretary for science, said the federal government invests about $500 to $700 million a year in quantum information technology, suggesting some of that money would fund the new Internet. In an interview, Dabbar said there would probably be further funding announcements for the project in the future.
Panagiotis Spentzouris, head of quantum science at the Chicago-area Fermi National Accelerator Laboratory, or Fermilab, said in an interview that more resources, and a clearer project structure, will be needed to carry out the blueprint published Thursday. The 38-page document lays out research priorities and milestones to aim for, but it doesn't assign detailed tasks to particular parties.

Initial users of a quantum Internet could include national security agencies, financial institutions and health-care companies seeking to send data more securely, researchers said. The networks promise to be more secure -- some even say unhackable -- because of the nature of photons and other quantum bits, known as qubits. Any attempt to observe or disrupt these particles would automatically alter their state and destroy the information being transmitted, scientists say.

A quantum Internet could also be used to connect various quantum computers with one another, helping boost their total computing power. Quantum computers are still at an early stage of development and not yet as powerful as classical computers, but connecting them via an Internet could help accelerate their use for solving complex problems like finding new pharmaceuticals or new high-tech materials, Awschalom said.

Eventually consumers might also tap into the quantum Internet, to buy products with less risk of their credit card details being hacked, or to send and receive sensitive personal information such as health records or social security numbers, Spentzouris said. It is possible consumers will surf seamlessly between the regular and quantum Internets as they make purchases and send information, without necessarily knowing they are switching platforms, he said.

In a sign of the potential economic rewards that quantum technology could bring, Illinois Gov. J.B.
Pritzker and Chicago Mayor Lori Lightfoot both spoke at the announcement Thursday, expressing hope that there would be spillover effects for the city's tech community. Universities and labs in the region have established the Chicago Quantum Exchange to try to accelerate innovation and economic development. [...]

------------------------------

Date: Sun, 1 Nov 2020 20:03:09 -0500
From: Monty Solomon
Subject: NASA's new rocket would be the most powerful ever. But it's the software that has some officials worried. (WashPost)

As NASA moves towards the SLS's first flight, putting the Orion spacecraft in orbit around the moon, there are concerns not with the rocket's engines but rather with the computer software embedded in all its systems.
https://www.washingtonpost.com/technology/2020/10/31/nasa-sls-moon-rocket/

------------------------------

Date: Fri, 30 Oct 2020 08:03:59 -1000
From: geoff goodfellow
Subject: Elon Musk's SpaceX says it will make its own laws on Mars (Independent)

*No Earth-based government has authority or sovereignty over Martian activities, SpaceX claims*

SpaceX will not recognise international law on Mars, according to the Terms of Service of its Starlink Internet project. Elon Musk's space company will instead reportedly adhere to a set of *self-governing principles* that will be defined at the time of Martian settlement. [...]
https://www.independent.co.uk/life-style/gadgets-and-tech/elon-musk-spacex-mars-laws-starlink-b1396023.html

------------------------------

Date: Wed, 28 Oct 2020 12:59:16 -0400 (EDT)
From: ACM TechNews
Subject: Robot Trained in Simulation Performs Better in Real Life (Chris Stokel-Walker)

Chris Stokel-Walker, *New Scientist*, 21 Oct 2020
via ACM TechNews, Wednesday, October 28, 2020

Researchers at the Swiss Federal Institute of Technology, Zurich (ETH Zurich) trained a neural network algorithm designed to control a four-legged robot in a simulated environment resembling a video game.
The ETH Zurich team told the algorithm which direction the simulated robot should be attempting to move in, and restricted how fast it could turn, in order to reflect the capabilities of the actual robot. The researchers started with a neural network preprogrammed with knowledge about the environment so the algorithm could absorb and recall inputs from virtual sensors, then transferred this knowledge to a large network controlling the real robot. As a result, the robot was able to move on uneven, mossy terrain more than twice as fast as it was able to with its default programming.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27b91x225f47x066975&

  [As noted in RISKS many times, flaws in simulations can lead to huge risks in the systems that are being modeled. Here is a case of the tail wagging the dog, happily. Please remember, relevant success stories are always welcome here, although they do not show up often enough. PGN]

------------------------------

Date: Fri, 30 Oct 2020 13:36:06 -0700
From: Barry Gold
Subject: Using AI to control a camera at a sports event -- oops! (IFLScience)

https://www.iflscience.com/technology/ai-camera-ruins-soccar-game-for-fans-after-mistaking-referees-bald-head-for-ball/

A bald linesman distracts a camera aimed by a computer.

On Beta, we'd have earrings for that. You could buy them in any jewelry store.
http://www.conchord.org/xeno/bdgsig.html

------------------------------

Date: Sat, 31 Oct 2020 10:19:34 +0800
From: Richard Stein
Subject: Four years since the Mirai-Dyn attack, is the Internet safer? (Techxplore.com)

https://techxplore.com/news/2020-10-years-mirai-dyn-internet-safer.html

"'It seems that the lessons learned from the 2016 Dyn attack have only been acted upon by a handful of websites that were directly impacted,' says Aqsa Kashaf, a Ph.D. student in Electrical and Computer Engineering (ECE) and lead author of the new study.
"The Mirai-Dyn attack in 2016 was successful because of what Kashaf and her team refer to as critical dependencies. The domains affected by the Mirai-Dyn attack were critically dependent on Dyn, a third-party DNS. In other words, they relied solely on Dyn, so when Dyn went down, so did they."

The Mirai-initiated DDoS disabled ~180K domains and inconvenienced 10s of millions of website users.

The research shows that BAU (business as usual) practices remain in place. Of the top 100K websites, 89% of them rely on a 3rd-party DNS provider. In turn, these DNS providers rely on cloud services to support their operations. These shared dependencies and inter-dependencies comprise an attack perimeter that can cripple e-commerce.

Service consumption favors provider availability/uptime over integrity characteristics that confer assault resilience. Core service providers (DNS, Content Delivery, Certification Authorities) should be required to disclose site hardening qualification results. That information can assist procurement decisions to improve industry readiness that helps deter the next meltdown.

------------------------------

Date: Thu, 29 Oct 2020 09:26:09 -1000
From: geoff goodfellow
Subject: FBI warns of "imminent" ransomware attacks on hospital systems (CBS News)

Federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. healthcare system designed to lock up hospital information systems, which could hurt patient care just as nationwide cases of COVID-19 are spiking.

In a joint alert Wednesday, the FBI and two federal agencies warned that they had "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." The alert said malicious groups are targeting the sector with attacks that produce "data theft and disruption of healthcare services."
The cyberattacks involve ransomware, which scrambles data into gibberish that can only be unlocked with software keys provided once targets pay up. Independent security experts say it has already hobbled at least five U.S. hospitals this week and could impact hundreds more. [...]
https://www.cbsnews.com/news/fbi-warns-ransomware-attack-us-healthcare-system-hospitals/

------------------------------

Date: Thu, 29 Oct 2020 12:00:45 -0400
From: Monty Solomon
Subject: In a first, researchers extract secret key used to encrypt Intel (Dan Goodin)

Hackers can now reverse-engineer updates or write their own custom firmware.
Dan Goodin, 28 Oct 2020
  [PGN-enhanced: added middle para]

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they're secured.

An independent researcher, working with two researchers from security firm Positive Technologies, extracted the secret key that encrypts updates to Intel central processing units (CPUs). Hackers who got their hands on the key would be able to decrypt updates Intel issues to plug security holes or update other aspects of chip operation. Independent researcher Maxim Goryachy said, "At the moment, it is quite difficult to assess the security impact" of being able to obtain such a key. Added Positive Technologies' Mark Ermolov, "For now, there's only one but very important consequence: independent analysis of a microcode patch that was impossible until now."

The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse-engineer it and learn precisely how to exploit the hole it's patching.
The key may also allow parties other than Intel -- say a malicious hacker or a hobbyist -- to update chips with their own microcode, although that customized version wouldn't survive a reboot. [...]
https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/

------------------------------

Date: Sat, 31 Oct 2020 10:35:56 +0800
From: Richard Stein
Subject: Marriott Hotels fined 18.4m pounds for data breach that hit millions (bbc.com)

https://www.bbc.com/news/technology-54748843

"In some ways you can feel sorry for Marriott.

"In all the boardroom discussions about the company's takeover of Starwood, I bet it never realised that a hacker was already lurking inside the valuable databases they were buying.

"The cyber-criminals had been in the systems for years, and were effectively thrown into the merger deal without Marriott having a clue."

https://catless.ncl.ac.uk/Risks/30/93#subj5.1 reports this incident.

Lesson learned: Do not neglect an IT infrastructure audit, and incident review/mitigation effort, before acquisition acceptance.

------------------------------

Date: Sat, 31 Oct 2020 19:34:37 -0400
From: Monty Solomon
Subject: Two Former eBay Employees Plead Guilty to Aggressive Cyberstalking Campaign Targeting Natick Couple (DoJ)

https://www.justice.gov/usao-ma/pr/two-former-ebay-employees-plead-guilty-aggressive-cyberstalking-campaign-targeting-nati-0

Department of Justice, U.S. Attorney's Office, District of Massachusetts
Thursday, October 29, 2020

Two Former eBay Employees Plead Guilty to Aggressive Cyberstalking Campaign Targeting Natick Couple

BOSTON – Two former employees of eBay, Inc. pleaded guilty today to their roles in a cyberstalking campaign targeting the editor and publisher of a newsletter that eBay executives viewed as critical of the company.
Brian Gilbert, 52, of San Jose, Calif., a former Senior Manager of Special Operations for eBay's Global Security Team, and Stephanie Stockwell, 26, of Redwood City, Calif., the former manager of eBay's Global Intelligence Center, pleaded guilty to conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. U.S. District Court Judge William G. Young scheduled sentencing for Stockwell on March 11, 2021, and for Gilbert on May 6, 2021. On Oct. 8, 2020, co-defendants Stephanie Popp, 32, and Veronica Zea, 26, pleaded guilty to the same charges and are scheduled to be sentenced on Feb. 25, 2021. On Oct. 27, 2020, co-conspirator Philip Cooke, 55, pleaded guilty and is scheduled to be sentenced on Feb. 24, 2021. Former eBay executives, James Baugh, 45, and David Harville, 48, were arrested and charged on June 15, 2020.

According to the charging documents, the victims of the cyberstalking campaign were a Natick couple who are the editor and publisher of an online newsletter that covers ecommerce companies, including eBay. Members of eBay's executive leadership team followed the newsletter's posts, often taking issue with its content and the anonymous comments underneath the editor's stories. It is alleged that in August 2019, the defendants executed a three-part harassment campaign against the Natick couple, which included the defendants sending anonymous and disturbing deliveries to the victims' home; sending private Twitter messages and public tweets criticizing the newsletter's content and threatening to visit the victims in Natick; and traveling to Natick to surveil the victims and install a GPS tracking device on their car.

In connection with his plea today, Gilbert admitted to drafting threatening Twitter messages for Popp to send and planning the surveillance trip with various co-defendants.
Gilbert also proposed bringing a dossier of documents to the Natick Police Department (NPD) -- whom the victims had involved -- that would make the victims *look crazy* and contacting the victims to offer help with the threatening messages that the defendants had sent. Lastly, Gilbert made false statements to the NPD about Zea and Harville's reason for being in Boston.

Stockwell admitted to, at Baugh's direction, purchasing a laptop for use in harassing the victims, and using an anonymous email account to order online live spiders and a prepaid debit card to purchase a late-night pizza delivery to the victims' home. Stockwell also prepared an eBay `Person of Interest' report for the Bay Area -- a fictitious list of potential suspects to provide to the NPD to deflect the police from suspecting that eBay employees were actually harassing the victims.

The charges of conspiracy to commit cyberstalking and conspiracy to tamper with witnesses each carry a sentence of up to five years in prison, three years of supervised release, a fine of up to $250,000 and restitution. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and other statutory factors.

United States Attorney Andrew E. Lelling; Joseph R. Bonavolonta, Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division; and Natick Chief of Police James G. Hicks made the announcement today. eBay provided valuable assistance and cooperation with the federal investigation. Assistant U.S. Attorney Seth B. Kosto, Deputy Chief of Lelling's Securities, Financial & Cyber Fraud Unit is prosecuting the case.

The details contained in charging documents are allegations. The remaining defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
------------------------------

Date: Mon, 2 Nov 2020 00:18:01 -0500
From: Gabe Goldberg
Subject: The Unsinkable Maddie Stone, Google's Bug-Hunting Badass (WiReD)

The Project Zero reverse engineer shuts down some of the world's most dangerous exploits -- along with antiquated hacker stereotypes.
https://www.wired.com/story/maddie-stone-project-zero-reverse-engineering/

------------------------------

Date: Sun, 1 Nov 2020 23:54:43 -0500
From: Gabe Goldberg
Subject: Beware a New Google Drive Scam Landing in Inboxes (WiReD)

Scammers are luring people into Google Docs in an attempt to get them to visit potentially malicious websites.
https://www.wired.com/story/beware-a-new-google-drive-scam-landing-in-inboxes/

------------------------------

Date: Wed, 28 Oct 2020 08:01:52 -1000
From: geoff goodfellow
Subject: Apple develops alternative to Google search (FT)

*iPhone maker pushes to build its own search tools as ties to Google come under antitrust scrutiny*

Apple is stepping up efforts to develop its own search technology as US antitrust authorities threaten multibillion-dollar payments that Google makes to secure prime placement of its engine on the iPhone.

In a little-noticed change to the latest version of the iPhone operating system, iOS 14, Apple has begun to show its own search results and link directly to websites when users type queries from its home screen.

That web search capability marks an important advance in Apple's in-house development and could form the foundation of a fuller attack on Google, according to several people in the industry.

The Silicon Valley company is notoriously secretive about its internal projects, but the move adds to growing evidence that it is working to build a rival to Google's search engine. [...]
https://www.ft.com/content/fd311801-e863-41fe-82cf-3d98c4c47e26

------------------------------

Date: Sat, 31 Oct 2020 17:29:17 +0200
From: Amos Shapir
Subject: Senator Brian Schatz of Hawaii calls sec.'s testimony what it really was (YouTube)

A very clear explanation of how Section 230 had become a Republican political tool:
https://www.youtube.com/watch?v=kc-hh_uhEOA

(It's a bit funny how he criticizes Republicans for turning a Congressional hearing into political campaigning, while actually doing the same...)

  [On the eve of a highly political event in the U.S., we generally eschew political items. This is one on truthiness vs truthfulness, which is a long-time consideration in RISKS, irrespective of politics. PGN]

------------------------------

Date: Mon, 2 Nov 2020 00:06:25 -0500
From: Gabe Goldberg
Subject: @Team_Trump45 and the Hazards of Online Sleuthing (WiReD)

A pro-Trump Twitter troll posted fundraising pleas for a child he said had cancer. Debunking-Twitter pounced. A tale of collateral damage in the disinformation age.
https://www.wired.com/story/team-trump45-twitter-hazards-online-sleuthing/

------------------------------

Date: Sun, 1 Nov 2020 23:46:57 -0500
From: Gabe Goldberg
Subject: Wisconsin GOP Lost $2.3 Million in an Email Scam (WiReD)

The Wisconsin Republican party this week revealed that they had been swindled out of $2.3 million, money that had been earmarked for Donald Trump's reelection campaign. Rather than a sophisticated hack of a bank account, the incident appears to be yet another case of business email compromise, a category of scam that has netted billions of dollars for attackers over the past few years alone. The attackers apparently sent invoices to GOP officials that looked like they were from official vendors, but with banking information that routed the money to the schemers instead. It's the kind of mistake that could happen to anyone -- but is especially inconvenient coming so close to the election.
Cryptocurrency Scammers Hack Donald Trump's Campaign Website

In other "Republicans compromised by avoidable scam" news, hackers managed to alter Donald Trump's campaign website, albeit for less than 30 minutes. The hackers made the dubious claim that they had accessed "internal and secret conversations" relating to Trump, along with links to send them Monero cryptocurrency. Defacing a website is a far cry from actually hacking a candidate, though, and it seems unlikely that this amounts to anything more than an act of digital vandalism.
https://www.wired.com/story/wisconsin-gop-email-scam-ransomware-security-news/

------------------------------

Date: Sun, 1 Nov 2020 19:54:06 -0500
From: Monty Solomon
Subject: New 'Media Manipulation Casebook' from Harvard teaches how to detect misinformation campaigns (WashPost)

And other lessons on spotting fake news from the News Literacy Project.
https://www.washingtonpost.com/education/2020/10/28/new-media-manipulation-casebook-harvard-teaches-how-detect-misinformation-campaigns/

------------------------------

Date: Fri, 30 Oct 2020 08:44:07 -0700
From: Lauren Weinstein
Subject: How a fake persona laid the groundwork for a Hunter Biden conspiracy deluge (NBC News)

https://www.nbcnews.com/tech/security/how-fake-persona-laid-groundwork-hunter-biden-conspiracy-deluge-n1245387?cid=sm_npd_nn_tw_ma

------------------------------

Date: Fri, 30 Oct 2020 15:39:30 -0700
From: Henry Baker
Subject: NSA Pot calling Chinese Kettle Black ()

No way the NSA would do that! Huawei? Black ops matter!

Do we really want unelected NSA spooks to be purposely sabotaging our cybersecurity? And with code that *will* be repurposed by other state actors and criminals into weapons and ransomware used against U.S. companies and citizens?

The NSA deliberately inserting vulnerabilities into U.S. products is completely equivalent to the so-called "gain-of-function" virus research (Google it) that the U.S.
accuses China of performing, because there is no way to control the "blowback" against both friends and enemies. "NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of *warning* if the back door gets discovered and manipulated by adversaries." Ha! Both the CIA and NSA have already had their "Oh Shit!" moments due to their cyberweapons being exposed and repurposed against the U.S. A mere "warning" won't be sufficient. https://www.reuters.com/article/uk-usa-security-congress-insight/spy-agency-ducks-questions-about-back-doors-in-tech-products-idINKBN27D1DP https://www.cnbc.com/2020/10/28/spy-agency-ducks-questions-about-back-doors-in-tech-products.html Joseph Menn, Reuters Spy agency ducks questions about 'back doors' in tech products SAN FRANCISCO (Reuters) - The U.S. National Security Agency is rebuffing efforts by a leading Congressional critic to determine whether it is continuing to place so-called back doors into commercial technology products, in a controversial practice that critics say damages both U.S. industry and national security. The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others. These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications. The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines. 
"Secret encryption back doors are a threat to national security and the safety of our families -- it's only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security," Wyden told Reuters. "The government shouldn't have any role in planting secret back doors in encryption technology used by Americans." The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws. "At NSA, it's common practice to constantly assess processes to identify and determine best practices," said Anne Neuberger, who heads NSA's year-old Cybersecurity Directorate. "We don't share specific processes and procedures." Three former senior intelligence agency figures told Reuters that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets discovered and manipulated by adversaries. The continuing quest for hidden access comes as governments in the United States, the United Kingdom and elsewhere seek laws that would require tech companies to let governments see unencrypted traffic. Defenders of strong encryption say the NSA's sometimes-botched efforts to install back doors in commercial products show the dangers of such requirements. Critics of the NSA's practices say they create targets for adversaries, undermine trust in U.S. technology and compromise efforts to persuade allies to reject Chinese technology that could be used for espionage, since U.S. gear can also be turned to such purposes. In at least one instance, a foreign adversary was able to take advantage of a back door invented by U.S. intelligence, according to Juniper Networks Inc, which said in 2015 its equipment had been compromised. 
In a previously unreported statement to members of Congress in July seen by Reuters, Juniper said an unnamed national government had converted the mechanism first created by the NSA. The NSA told Wyden staffers in 2018 that there was a "lessons learned" report about the Juniper incident and others, according to Wyden spokesman Keith Chu. "NSA now asserts that it cannot locate this document," Chu told Reuters. NSA and Juniper declined to comment on the matter. JUNIPER'S COMPROMISE The NSA has pursued many means for getting inside equipment, sometimes striking commercial deals to induce companies to insert back doors, and in other cases manipulating standards - namely by setting processes so that companies unknowingly adopt software that NSA experts can break, according to reports from Reuters and other media outlets. The tactics drew widespread attention starting in 2013, when Snowden leaked documents referencing these practices. Tech companies that were later exposed for having cut deals that allowed backdoor access, including security pioneer RSA, lost credibility and customers. Other U.S. firms lost business overseas as customers grew wary of the NSA's reach. All of that prompted a White House policy review. "There were all sorts of 'lessons learned' processes," said former White House cybersecurity coordinator Michael Daniel, who was advising then-president Barack Obama when the Snowden files erupted. A special commission appointed by Obama said the government should never "subvert" or "weaken" tech products or compromise standards. The White House did not publicly embrace that recommendation, instead beefing up review procedures for whether to use newly discovered software flaws for offensive cyber-operations or get them fixed to improve defense, Daniel and others said. The secret government contracts for special access remained outside of the formal review. 
"The NSA had contracts with companies across the board to help them out, but that's extremely protected," said an intelligence community lawyer. The starkest example of the risks inherent in the NSA's approach involved an encryption-system component known as Dual Elliptic Curve, or Dual EC. The intelligence agency worked with the Commerce Department to get the technology accepted as a global standard, but cryptographers later showed that the NSA could exploit Dual EC to access encrypted data. RSA accepted a $10 million contract to incorporate Dual EC into a widely used web security system, Reuters reported in 2013. RSA said publicly that it would not have knowingly installed a back door, but its reputation was tarnished and the company was sold. Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of Internet switches disclosed that it had detected malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool by altering Juniper's version of Dual EC. Juniper said little about the incident. But the company acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a "customer requirement," according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere. Juniper has never identified the customer, and declined to comment for this story. Likewise, the company never identified the hackers. But two people familiar with the case told Reuters that investigators concluded the Chinese government was behind it. They declined to detail the evidence they used. The Chinese government has long denied involvement in hacking of any kind. In a statement to Reuters, the Chinese foreign ministry said that cyberspace is "highly virtual and difficult to trace. 
It is extremely irresponsible to make accusations of hacker attacks without complete and conclusive evidence. At the same time, we also noticed that the report mentioned that it was the U.S. intelligence agency - the National Security Agency - that created this backdoor technology." NERVOUS COMPANIES Wyden remains determined to find out exactly what happened at Juniper and what has changed since as the encryption wars heat up. This July, in previously unreported responses to questions from Wyden and allies in Congress, Juniper said that an unidentified nation was believed to be behind the hack into its firewall code but that it had never investigated why it installed Dual EC in the first place. "We understand that there is a vigorous policy debate about whether and how to provide government access to encrypted content," it said in a July letter. "Juniper does not and will not insert back doors into its products and we oppose any legislation mandating back doors." A former senior NSA official told Reuters that many tech companies remain nervous about working covertly with the government. But the agencies' efforts continue, the person said, because special access is seen as too valuable to give up. Reporting by Joseph Menn; editing by Jonathan Weber and Edward Tobin ------------------------------ Date: Wed, 28 Oct 2020 08:42:14 +0000 From: Julian Bradfield Subject: Re: How does Google's monopoly hurt you? (RISKS-32.34)

> Back in 2008, Brent Simmons published That New Sound, about The Clash's London Calling. Here's a challenge: Can you find either of these with Google? Even if you read them first and can carefully conjure up exact-match strings, and then use the site: prefix? I can't. [...]

Google t bray lou reed animal and you are taken straight to the review. Google "Brent Simmons" "That New Sound" and you are taken straight to the review. There, that wasn't hard, was it? Whether Bray's complaint was ever true, it isn't now.
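The Reuters piece forwarded by Henry Baker above says that cryptographers showed the NSA could exploit Dual EC, and that the Juniper intruders turned the firewalls into their own spy tool by altering Juniper's version of Dual EC. The Python below is an added example, not code from this digest, Reuters, Juniper or NIST; it reconstructs the mechanism on NIST P-256. The generator has the SP 800-90A shape (s <- x(s*P), r <- x(s*Q), output r with its top bits dropped); the trapdoor is a secret scalar e with e*Q = P; and the holder of e recovers the internal state from two consecutive outputs and predicts every later one. The names DualEC, recover_state and demo, the secret EXAMPLE_E, the seed EXAMPLE_SEED, and a truncation of 8 bits instead of the spec's 16 (so the search finishes in seconds in pure Python) are assumptions made for the example.

```python
"""Dual EC DRBG trapdoor on NIST P-256 (added illustration, not page code).
Generator per SP 800-90A: s <- x(s*P), r <- x(s*Q); output is r minus its top
bits.  Anyone holding e with e*Q = P recovers the state from one output and
predicts every later one; anyone able to overwrite Q in a product gets the same.
Assumptions: TRUNC_BITS = 8 rather than the spec's 16 (keeps the pure-Python
search to seconds); EXAMPLE_E and EXAMPLE_SEED are constructed values."""

# NIST P-256 domain parameters (FIPS 186-4); the base point G plays the role of P.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

TRUNC_BITS = 8                      # assumption: the spec drops 16 bits
OUT_BITS = 256 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1
EXAMPLE_E = 0x3a0b3e9f1c5d7e2b8f4a6c1d9e0b2f3a4c5d6e7f8091a2b3c4d5e6f708192a3b  # constructed
EXAMPLE_SEED = 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  # constructed

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if none exists."""
    if x >= P256_P:
        return None
    rhs = (pow(x, 3, P256_P) + P256_A * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)     # valid because p = 3 mod 4
    return (x, y) if y * y % P256_P == rhs else None

def make_trapdoor_q(e):
    """Q = e^-1 * P, so that e*Q = P.  e is the backdoor holder's secret."""
    return ec_mul(pow(e, -1, P256_N), P256_G)

class DualEC:
    """Dual EC DRBG with P = P256_G and whatever Q the product shipped with."""
    def __init__(self, seed, q):
        self.s = seed % (P256_N - 1) + 1      # nonzero scalar state
        self.q = q
    def next_output(self):
        self.s = ec_mul(self.s, P256_G)[0]    # s <- x(s*P)
        r = ec_mul(self.s, self.q)[0]         # r <- x(s*Q)
        return r & OUT_MASK                   # publish r minus its top bits

def recover_state(out1, out2, e, q):
    """Recover the state following out1 from two consecutive outputs, given e.
    Guess the dropped bits of r1, lift r1 to R = s1*Q, then e*R = s1*P whose
    x-coordinate is s2.  The guess is confirmed when s2 reproduces out2."""
    for hi in range(1 << TRUNC_BITS):
        point = lift_x((hi << OUT_BITS) | out1)
        if point is None:
            continue
        s2 = ec_mul(e, point)[0]
        if ec_mul(s2, q)[0] & OUT_MASK == out2:
            return s2
    return None

def demo(seed=EXAMPLE_SEED, e=EXAMPLE_E):
    """Victim emits three outputs; the holder of e recovers the state from the
    first two and predicts the third.  Returns (actual_third, predicted_third)."""
    q = make_trapdoor_q(e)
    victim = DualEC(seed, q)
    out1, out2, out3 = [victim.next_output() for _ in range(3)]
    clone = DualEC(0, q)                      # attacker's copy of the generator
    clone.s = recover_state(out1, out2, e, q)
    assert clone.s is not None, "state not recovered"
    return out3, clone.next_output()
```

Calling demo() returns the victim's third output and the attacker's prediction of it; they match. The point to take from the code is that the generator never checks where Q came from: it uses whatever constant was compiled in. Swapping Q for a point whose discrete log relative to P you know, which is the form the Juniper alteration took, changes one constant and transfers the entire capability to whoever made the swap. That is Henry Baker's blowback argument in concrete form: a trapdoor built for one party is a trapdoor for anyone who can reach the constant.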
------------------------------ Date: Wed, 28 Oct 2020 15:00:34 +0000 (GMT) From: David Alexander Subject: Re: Air Force updates code on plane mid-flight (Baker, RISKS-32.34) Henry Baker wonders what code could be updated on an airframe dating back to the 1950s when computers wouldn't fit into an aircraft, especially one as small as a U2. It's quite simple, newsflash -- they updated it, and more than once. Aircraft receive modifications periodically, some for safety reasons (e.g., Boeing 737 Max) and some for performance improvement -- for flight, fighting, longevity, sensing or survival. When I signed the F700 for an RAF airframe before strapping it on back in the late 70s and 80s they regularly had an entry documenting an update/upgrade of some sort that the 'driver, airframe' needed to be aware of. When I got back and signed the airframe in I had to make note of anything I thought needed attention before anyone else took it skywards ("don't worry Chiefy, you can buff that out..."). Sensor packages get better, computers get smaller and lighter and technology moves on. Making those changes and integrating technology brings benefits but also might create all sorts of risks that have been discussed many times before on this list. I won't repeat the list or approaches for treating them when you can search the archive. It's not just built-in computing power either. There is a (long) interview with a U2 pilot on YouTube where he describes the use of an iPad for navigational purposes, using Foreflight and checking the weather. [I'm sure Peter Ladkin will have much more to say on the subject.] ------------------------------ Date: Wed, 28 Oct 2020 18:07:30 -0400 From: Dick Mills Subject: Re: UK national police computer down for 10 hours after engineer pulled the plug (RISKS-32.34) "it is at once hard and easy to believe that such a critical system could be vulnerable to total failure through the action of one person "switching it off"."
I can easily imagine an even bigger outcry if other certain systems were found to be impossible to switch off by the actions of a single person. ------------------------------ Date: Wed, 28 Oct 2020 18:59:08 -0400 From: Sam Steingold Subject: Re: Censorship or Sensibility? (Gold, RISKS-32.34)

> If a company that owns newspaper delivery trucks doesn't want to deliver newspapers with a story its owners don't like, that's their privilege. And the newspapers can decide not to use that company any more.

Alas, today all the newspaper delivery trucks are owned by Facebook, Twitter and Google. In this oligopoly environment, your argument does not apply.

> "Freedom of the press belongs to the man who owns the press." Same with the delivery company.

Precisely.

> "unique legal benefits": those same legal benefits protect Reddit and 4chan and Tumblr, and a BBS that I help moderate and several "furry" that I use, all of which include some sexually-oriented material. I think section 230 of the Communications Decency Act is the greatest boon to free speech ever passed by Congress. (And to think it appeared in a law that attempted to impose censorship on the Internet...)

I think the exact opposite. CDA230 created a 3rd option for communications providers: in addition to "wire providers" (think ATT: no control over content, no responsibility for it) and "information providers" (think CNN: full control over content, full responsibility), we now have FB/Twitter/Google who have full control and no responsibility. How about applying CDA230 only to _small_ players? If you have more than 10% of all US users, you cannot censor content. If you want to censor content, split up the company.
>> Facebook outright ``has monopoly power in the market for social networking,'' and that power is ``firmly entrenched and unlikely to be eroded by competitive pressure'' from anyone at all due to `high entry barriers' including strong network effects, high switching costs, and Facebook's significant data advantage -- that discourage direct competition by other firms to offer new products and services.
>
> Okay, so FB has a lot of economic power. Why? Because they have been highly successful in satisfying consumer demand for a place to talk to each other.
>
> I should note that there are a lot of very rich Republicans. I would guess that over 75% of billionaires lean Conservative in their views. Let them take some of their money and start right-slanted competitors to Facebook and Twitter. It's not cheap, but it's well within the reach of any ten billionaires, and if they do it right they might get even richer in the process.

Gab tried, and is being suppressed by the existing infrastructure. In a marketplace ruled by monopolies, the standard libertarian free market arguments do not apply.

> That's what the competition in the marketplace is supposed to be about. If the "barrier to entry" is simply that you need to invest some money, that is no barrier in an age when the US alone has over 500 billionaires, over 2,000 worldwide.

No, the barrier to entry is "preferential attachment" (as in random graph theory). In the computer communication space the marginal cost of an additional user is 0, and the benefit for a user of an existing user base is huge ("everyone is on twitter, so who will I talk to on gab?") This leads to monopolies: Google, FB, Twitter have no competitors in their respective core spaces. (The only competition is in the area of AI personal assistants and the political message of all the offerings is virtually identical).
------------------------------ Date: Thu, 29 Oct 2020 02:44:14 +0800 From: Dan Jacobson Subject: Re: More on erroneous Alexa/third-party data provider evacuation notices in Boulder County, Colorado (RISKS-32.34) My case is I am at home in Firstburg, with my cellphone connected to a tower in Secondburg, and I am getting warnings meant for Thirdsburg. Because that part of Thirdsburg is too far away from Thirdsburg Town Hall, all those addresses have been, by the government, by "temporary arrangement" changed to Secondburg. Yup, within that remote part of Thirdsburg all the house addresses say Secondburg in their names, not Thirdsburg. However actually changing the boundaries is too scary for the elected officials. So the informal arrangement persists, despite my protests to them that those boring boundaries stored in geographical information systems do affect real life. And there is no way to disable (Taiwan) "Presidential level" cellphone warnings, beyond "airplane mode". OK, let's say one day they fix the situation, and I start getting the Secondburg warnings that I deserve. But my house is in Firstburg in the first place. OK, then they should be sending me messages for where my house is registered, not what cell tower I am connected to. But wait, what if today I am at a friend's home in Secondburg, and a disaster is approaching? OK, (automatically) subscribe me to warnings for both where I am and where I live. And be sure to say the area name in the warning. ------------------------------ Date: Thu, 29 Oct 2020 18:29:09 +0000 From: Martin Ward Subject: Re: Why cars are more "fragile": more technology has reduced robustness (Drewe, RISKS-32.32) Wols Lists:

> aiui, UK law defines a "historic vehicle" as one over 25 years old ...
> these cars are exempt from tax, they're now exempt from the MOT

Actually it is over *40* years old, and there must have been no "substantial changes" made to the vehicle in the last 30 years, for example replacing the chassis, body, axles or engine to change the way the vehicle works: https://www.gov.uk/historic-vehicles ------------------------------ Date: Wed, 28 Oct 2020 13:26:21 +1100 From: 3daygoaty Subject: Re: F-35s and Teslas? (Re: RISKS-32.34) F-35 crashes and Tesla self-drive deployed? It's perhaps a risk that Teslas don't have an eject feature when the CPU is overloaded? ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume. If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: ------------------------------ End of RISKS-FORUM Digest 32.35 ************************