Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 32.78

RISKS-LIST: Risks-Forum Digest  Tuesday 27 July 2021  Volume 32 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

Contents:
Russia Disconnects from Internet in Tests as It Bolsters Security (Reuters)
‘Advanced’ Nuclear Reactors? Don’t Hold Your Breath (Scientific American)
Space Data Integrator (faa.gov)
What Ever Happened to IBM's Watson? (NYTimes)
A Severe Drought Is Threatening the Hoover Dam Reservoir -- and Water Throughout the West (Mother Jones)
The end of open source? (Shaun O'Meara)
Niemoeller's Boiled Frog: Weaponization of App Data (Joseph Cox via Henry Baker)
Hoe no! Facebook snafu spells trouble for gardening group (AP News)
Hackers Turning to 'Exotic' Programming Languages for Malware Development (The Hacker News)
Disinformation for Hire, a Shadow Industry, Is Quietly Booming (Max Fisher)
What Should Happen to Our Data When We Die? (NYTimes)
Breast Cancer Patient Attacked by Violent Anti-Mask Protest Outside Los Angeles Clinic (Vice)
'STFU' is anti-science (Tunku Varadarajan via Henry Baker)
The Problem With Stealing High-End Electronics and Beer (Now I Know)
Re: Traffic Analysis and Herd Immunity (anthony youngman)
Re: Rounding errors could make certain stop-watches pick wrong race winners (Jim Garrison)
Re: YouTube fined 100 000 Euros delaying court order to restore video (Dick Mills)
Re: A secret algorithm is transforming DNA evidence. This defendant could be the first to scrutinize it. (Michael Black)
Re: Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how. (David B. Horvath)
Re: RFI on scientific integrity (David B. Horvath)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 26 Jul 2021 11:56:56 -0400 (EDT)
From: ACM TechNews
Subject: Russia Disconnects from Internet in Tests as It Bolsters Security (Reuters)

Alexander Marrow and Dmitry Antonov, Reuters, 22 Jul 2021,
via ACM TechNews, 26 Jul 2021

Russia reportedly disconnected from the global Internet during tests in June and July, according to a report by the RBC daily that cited documents from the working group responsible for strengthening Russia's Internet security under the 2019 *sovereign Internet* law, which aims to prevent Russia from being cut off from foreign infrastructure. A working group source said the purpose of tests was ``to determine the ability of the 'Runet' to work in case of external distortions, blocks and other threats.'' The Internet Research Institute's Karen Kazaryan said, ``Given the general secrecy of the process and the lack of public documents on the subject, it is difficult to say what happened in these tests.''

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c0d1x22c833x072256&

------------------------------

Date: Sun, 25 Jul 2021 10:35:53 +0800
From: "Richard Stein"
Subject: ‘Advanced’ Nuclear Reactors? Don’t Hold Your Breath (Scientific American)

https://www.scientificamerican.com/article/lsquo-advanced-rsquo-nuclear-reactors-don-rsquo-t-hold-your-breath/

The essay discusses current commercial interests that promote sodium metal-cooled nuclear reactors in the ~300 Mwatt range, but argues against them based on historical evidence. "Nuclear Plant Accidents: Sodium Reactor Experiment" discusses this ~60 year old experimental failure based on an analogous design.

https://allthingsnuclear.org/dlochbaum/nuclear-plant-accidents-sodium-reactor-experiment/

While nuclear fission is carbon-free, there's no US-approved repository to safely and permanently dispose of radioactive reactor effluence.
Sweden's is operational, and Finland is finishing construction of theirs: See "Into Eternity," https://www.amazon.com/Into-Eternity-Entos-aioniotitas-Onkalo/dp/B07Q39FQV3/ref=sr_1_9 (retrieved on 25JUL2021).

Machinery failure (Three Mile Island) or human error (Chernobyl), or combinations of both, contribute to nuke plant accidents. If "fat fingers" in a control room are a cause for concern, what about AI to safely operate a fission reactor? See "AI finds a place in nuclear O&M," https://www.reutersevents.com/nuclear/ai-finds-place-nuclear-om

"While AI and machine learning offer a number of benefits for the nuclear power industry as it moves toward a new generation of reactors, its range, for the moment, is limited.

"A lack of real, operational data from operating nuclear power stations, a varying degree of opinion as to which systems would work best, and the sometimes-mysterious mechanizations within a so-called 'intelligent' system, or its 'black box' nature, pose potential problems for AI’s use in nuclear."

[A machine-based lesson learned can be hazardous to your health.]

------------------------------

Date: Tue, 13 Jul 2021 09:47:50 +0800
From: "Richard Stein"
Subject: Space Data Integrator (faa.gov)

https://www.faa.gov/news/fact_sheets/news_story.cfm?newsId=23476

Ever experience a commercial flight ground stop? Here's the tool that will minimize delay attributed to an exo-atmospheric vehicle launch or re-entry in the vicinity of your next flight.

"The SDI operational prototype is designed to accept launch and reentry vehicle state vector data gathered from operators such as vehicle position, altitude, and speed. SDI will then process the data, display it, and distribute it to Traffic Flow Management System (TFMS). SDI allows the FAA to track the actual versus planned trajectory of launch and reentry operations, the status of various mission events, and the display of Aircraft Hazard Areas (AHAs).
SDI sends vehicle position and AHAs to the TFMS for display on the TFMS Traffic Situation Display at the Command Center."

Risk: Protracted vehicle launch or reentry delay

------------------------------

Date: Fri, 16 Jul 2021 18:27:49 -0400
From: "Gabe Goldberg"
Subject: What Ever Happened to IBM's Watson? (NYTimes)

A decade ago, IBM’s public confidence was unmistakable. Its Watson supercomputer had just trounced Ken Jennings, the best human “Jeopardy!” player ever, showcasing the power of artificial intelligence. This was only the beginning of a technological revolution about to sweep through society, the company pledged. “Already,” IBM declared in an advertisement the day after the Watson victory, “we are exploring ways to apply Watson skills to the rich, varied language of health care, finance, law and academia.”

But inside the company, the star scientist behind Watson had a warning: Beware what you promise.

David Ferrucci, the scientist, explained that Watson was engineered to identify word patterns and predict correct answers for the trivia game. It was not an all-purpose answer box ready to take on the commercial world, he said. It might well fail a second-grade reading comprehension test.

His explanation got a polite hearing from business colleagues, but little more. “It wasn’t the marketing message,” recalled Mr. Ferrucci, who left IBM the following year.

It was, however, a prescient message.

https://www.nytimes.com/2021/07/16/technology/what-happened-ibm-watson.html?referringSource=articleShare

------------------------------

Date: Fri, 16 Jul 2021 18:23:36 -0400
From: "Gabe Goldberg"
Subject: A Severe Drought Is Threatening the Hoover Dam Reservoir -- and Water Throughout the West (Mother Jones)

Things will be fine: The governor of Utah has resorted to asking people to pray for rain.

Except: The west has gone through periods like this “megadrought”, with only occasional respite, for the past two decades.
But scientists have made clear the current conditions would be virtually impossible without human-caused climate change, pointing to a longer-term “aridification” of the region. All of the water conservation efforts that have kept shortages at bay until now risk being surpassed by the rising heat. [...]

Even with these adaptations, however, the decline of Lake Mead has caused the amount of hydropower generated by the dam to drop by around 25 percent. The drought is expected to cause the hydro facility at Lake Oroville, California, to completely shut down, prompting a warning from the United States Energy Association that a “megadrought-induced electricity shortage could be catastrophic, affecting everything from food production to industrial manufacturing”. The association added that such a scenario could even force people to move east, in what is called a “reverse Dust Bowl exodus”.
https://www.cnn.com/2021/06/17/us/california-drought-oroville-power/index.html

https://www.motherjones.com/environment/2021/07/a-severe-drought-is-threatening-the-hoover-dam-reservoir-and-water-throughout-the-west/

[Why is this RISKS-relevant? Because almost everything is interrelated. PGN]

------------------------------

Date: July 26, 2021 2:13:53 JST
From: Dewayne Hendricks
Subject: The end of open source? (Shaun O'Meara)

[Note: This item comes from friend David Rosenthal. DLH (via Dave Farber)]

Shaun O’Meara, TechCrunch, 18 Jul 2021

Several weeks ago, the Linux community was rocked by the disturbing news that University of Minnesota researchers had developed (but, as it turned out, not fully executed) a method for introducing what they called “hypocrite commits” to the Linux kernel — the idea being to distribute hard-to-detect behaviors, meaningless in themselves, that could later be aligned by attackers to manifest vulnerabilities.
This was quickly followed by the — in some senses, equally disturbing — announcement that the university had been banned, at least temporarily, from contributing to kernel development. A public apology from the researchers followed.

Though exploit development and disclosure is often messy, running technically complex “red team” programs against the world’s biggest and most important open-source project feels a little extra. It’s hard to imagine researchers and institutions so naive or derelict as not to understand the potentially huge blast radius of such behavior.

Equally certain, maintainers and project governance are duty bound to enforce policy and avoid having their time wasted. Common sense suggests (and users demand) they strive to produce kernel releases that don’t contain exploits.

But killing the messenger seems to miss at least some of the point — that this was research rather than pure malice, and that it casts light on a kind of software (and organizational) vulnerability that begs for technical and systemic mitigation.

I think the “hypocrite commits” contretemps is symptomatic, on every side, of related trends that threaten the entire extended open-source ecosystem and its users. That ecosystem has long wrestled with problems of scale, complexity and free and open-source software’s (FOSS) increasingly critical importance to every kind of human undertaking. Let’s look at that complex of problems:

• The biggest open-source projects now present big targets.

• Their complexity and pace have grown beyond the scale where traditional “commons” approaches or even more evolved governance models can cope.

• They are evolving to commodify each other. For example, it’s becoming increasingly hard to state, categorically, whether “Linux” or “Kubernetes” should be treated as the “operating system” for distributed applications. For-profit organizations have taken note of this and have begun reorganizing around “full-stack” portfolios and narratives.
• In so doing, some for-profit organizations have begun distorting traditional patterns of FOSS participation. Many experiments are underway. Meanwhile, funding, headcount commitments to FOSS and other metrics seem in decline.

• OSS projects and ecosystems are adapting in diverse ways, sometimes making it difficult for for-profit organizations to feel at home or see benefit from participation.

Meanwhile, the threat landscape keeps evolving:

• Attackers are bigger, smarter, faster and more patient, leading to long games, supply-chain subversion and so on.

• Attacks are more financially, economically and politically profitable than ever.

• Users are more vulnerable, exposed to more vectors than ever before.

• The increasing use of public clouds creates new layers of technical and organizational monocultures that may enable and justify attacks.

• Complex commercial off-the-shelf (COTS) solutions assembled partly or wholly from open-source software create elaborate attack surfaces whose components (and interactions) are accessible and well understood by bad actors.

• Software componentization enables new kinds of supply-chain attacks.

• Meanwhile, all this is happening as organizations seek to shed nonstrategic expertise, shift capital expenditures to operating expenses and evolve to depend on cloud vendors and other entities to do the hard work of security.

The net result is that projects of the scale and utter criticality of the Linux kernel aren't prepared to contend with game-changing, hyperscale threat models.

In the specific case we’re examining here, the researchers were able to target candidate incursion sites with relatively low effort (using static analysis tools to assess units of code already identified as requiring contributor attention), propose “fixes” informally via email, and leverage many factors, including their own established reputation as reliable and frequent contributors, to bring exploit code to the verge of being committed.
------------------------------

Date: Fri, 23 Jul 2021 10:02:27 -0700
From: "Henry Baker"
Subject: Niemoeller's Boiled Frog; Weaponization of App Data

The heat on Niemoeller's Frog is being turned up as we speak...

First they came for the gay priests [...] and [by then] there was no one left to speak for me.

https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app

The Inevitable Weaponization of App Data Is Here
Joseph Cox 21 Jul 2021

A Substack publication used location data from Grindr to out a priest without their consent.

It finally happened. After years of warning from researchers, journalists, and even governments, someone used highly sensitive location data from a smartphone app to track and publicly harass a specific person. In this case, Catholic Substack publication The Pillar said it used location data ultimately tied to Grindr to trace the movements of a priest, and then outed him publicly as potentially gay without his consent. *The Washington Post* reported on Tuesday that the outing led to his resignation.

The news starkly demonstrates not only the inherent power of location data, but how the chance to wield that power has trickled down from corporations and intelligence agencies to essentially any sort of disgruntled, unscrupulous, or dangerous individual. A growing market of data brokers that collect and sell data from countless apps has made it so that anyone with a bit of cash and effort can figure out which phone in a so-called anonymized dataset belongs to a target, and abuse that information.

"Experts have warned for years that data collected by advertising companies from Americans' phones could be used to track them and reveal the most personal details of their lives. Unfortunately, they were right," Senator Ron Wyden told Motherboard in a statement, responding to the incident. "Data brokers and advertising companies have lied to the public, assuring them that the information they collected was anonymous.
As this awful episode demonstrates, those claims were bogus--individuals can be tracked and identified."

In short, The Pillar says that Msgr. Jeffrey Burrill, who was the general secretary of the U.S. bishops' conference (USCCB) before his resignation, visited gay bars and other locations while using gay dating app Grindr.

"An analysis of app data signals correlated to Burrill's mobile device shows the priest also visited gay bars and private residences while using a location-based hookup app in numerous cities from 2018 to 2020, even while traveling on assignment for the U.S. bishops' conference," the outlet wrote.

The Pillar says the location data is "commercially available records of app signal data," and that it obtained the records from "a data vendor" and then authenticated them with a data consulting firm. The data itself didn't contain each mobile phone user's real name, but The Pillar and its partner were able to pinpoint which device belonged to Burrill by observing one that appeared at the USCCB staff residence and headquarters, locations of meetings that he was in, as well as his family lake house and an apartment that has him listed as a resident. In other words, they managed to, as experts have long said is easy to do, unmask this specific person and their movements across time from a supposedly anonymous dataset.

A Grindr spokesperson told Motherboard in an emailed statement that "Grindr's response is aligned with the editorial story published by the Washington Post which describes the original blog post from The Pillar as homophobic and full of unsubstantiated innuendo. The alleged activities listed in that unattributed blog post are infeasible from a technical standpoint and incredibly unlikely to occur. There is absolutely no evidence supporting the allegations of improper data collection or usage related to the Grindr app as purported."

It is not clear what Grindr sees as "infeasible from a technical standpoint."
In January the Norwegian Data Protection Authority fined Grindr $11.7 million for providing its users' data to third parties, including their precise location data. Almost prophetically, Norwegian authorities said at the time that Grindr users could be targeted with this sort of information in countries where homosexuality is illegal. Researchers have repeatedly shown that it is possible to figure out who a phone in an allegedly anonymized set of location data belongs to sometimes with a few points of reference, such as their home or place of work. The spokesperson did not respond to a request to elaborate on what Grindr believes is technically infeasible.

"The research from The Pillar aligns to the reality that Grindr has historically treated user data with almost no care or concern, and dozens of potential ad tech vendors could have ingested the data that led to the doxxing," Zach Edwards, a researcher who has closely followed the supply chain of various sources of data, told Motherboard in an online chat. "No one should be doxxed and outed for adult consenting relationships, but Grindr never treated their own users with the respect they deserve, and the Grindr app has shared user data to dozens of ad tech and analytics vendors for years."

Journalists have also used location data in similar ways before in their reporting. In February, The New York Times' opinion section married location and advertising data to reveal the movements and identities of specific people who attended the January 6 Capitol riots.

"While there were no names or phone numbers in the data, we were once again able to connect dozens of devices to their owners, tying anonymous locations back to names, home addresses, social networks and phone numbers of people in attendance. In one instance, three members of a single family were tracked in the data," the piece read.
Last week, Motherboard reported on the so-called "identity resolution" industry, in part by posing as a customer looking to buy sensitive data. These companies promise to match mobile advertising IDs--unique codes assigned to mobile phones by their operating systems, and which tech companies have repeatedly assured consumers are anonymous, or at least pseudonymous--to real-world identities. This makes unmasking people in datasets even easier; why bother trying to figure out which phone belongs to who when you can just buy that information instead.

"Anyone and everyone who has a phone and has installed an app that has ads, currently is at risk of being de-anonymized via unscrupulous companies," Edwards told Motherboard at the time when presented with our findings.

Senator Wyden called for the Federal Trade Commission to act on the data broker industry. "Last year, I led a bipartisan letter to the FTC calling for a broad probe of the industry. The FTC needs to step up and protect Americans from these outrageous privacy violations, and Congress needs to pass comprehensive federal privacy legislation," he added.

Motherboard has also shown how wide-spanning the customer base for this sort of location data is, with the U.S. military and various law enforcement agencies also purchasing it, skirting the need to obtain a warrant. And although the data was based on that generated by telecom networks and not apps, we also previously spoke to Ruth Johnson, a woman who was stalked and harassed by someone who gained access to her phone's location. Johnson said T-Mobile put her "life in danger." Motherboard also tied black market location data to the spot of a triple murder.

------------------------------

Date: Sat, 24 Jul 2021 23:51:05 -0400
From: "Gabe Goldberg"
Subject: Hoe no! Facebook snafu spells trouble for gardening group (AP News)

https://apnews.com/article/lifestyle-technology-oddities-business-gardening-9c9f431f91ba450537974758de4f14d2

[Noe now, brown cow? PGN]

------------------------------

Date: Tue, 27 Jul 2021 12:33:46 -1000
From: geoff goodfellow
Subject: Hackers Turning to 'Exotic' Programming Languages for Malware Development (The Hacker News)

Threat actors are increasingly shifting to "exotic" programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts.

"Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," said Eric Milam, Vice President of threat research at BlackBerry. "That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products."

On the one hand, languages like Rust are more secure as they offer guarantees like memory-safe programming, but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwarting attempts to activate a kill-switch and render them powerless.

Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. [...]

https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

------------------------------

Date: July 26, 2021 21:57:01 JST
From: Dewayne Hendricks
Subject: Disinformation for Hire, a Shadow Industry, Is Quietly Booming (Max Fisher)

Back-alley firms meddle in elections and promote falsehoods on behalf of clients who can claim deniability, escalating our era of unreality.
Max Fisher, The New York Times, 25 Jul 2021

In May, several French and German social media influencers received a strange proposal.

A London-based public relations agency wanted to pay them to promote messages on behalf of a client. A polished three-page document detailed what to say and on which platforms to say it.

But it asked the influencers to push not beauty products or vacation packages, as is typical, but falsehoods tarring Pfizer-BioNTech’s Covid-19 vaccine. Stranger still, the agency, Fazze, claimed a London address where there is no evidence any such company exists.

Some recipients posted screenshots of the offer. Exposed, Fazze scrubbed its social media accounts. That same week, Brazilian and Indian influencers posted videos echoing Fazze’s script to hundreds of thousands of viewers.

The scheme appears to be part of a secretive industry that security analysts and American officials say is exploding in scale: disinformation for hire.

Private firms, straddling traditional marketing and the shadow world of geopolitical influence operations, are selling services once conducted principally by intelligence agencies.

They sow discord, meddle in elections, seed false narratives and push viral conspiracies, mostly on social media. And they offer clients something precious: deniability.

“Disinfo-for-hire actors being employed by government or government-adjacent actors is growing and serious,” said Graham Brookie, director of the Atlantic Council's Digital Forensic Research Lab, calling it “a boom industry.”

Similar campaigns have been recently found promoting India's ruling party, Egyptian foreign policy aims and political figures in Bolivia and Venezuela.

Mr. Brookie's organization tracked one operating amid a mayoral race in Serra, a small city in Brazil. An ideologically promiscuous Ukrainian firm boosted several competing political parties.
In the Central African Republic, two separate operations flooded social media with dueling pro-French and pro-Russian disinformation. Both powers are vying for influence in the country.

A wave of anti-American posts in Iraq, seemingly organic, were tracked to a public relations company that was separately accused of faking anti-government sentiment in Israel.

Most trace to back-alley firms whose legitimate services resemble those of a bottom-rate marketer or email spammer.

Job postings and employee LinkedIn profiles associated with Fazze describe it as a subsidiary of a Moscow-based company called Adnow. Some Fazze web domains are registered as owned by Adnow, as first reported by the German outlets Netzpolitik and ARD Kontraste. Third-party reviews portray Adnow as a struggling ad service provider.

European officials say they are investigating who hired Adnow. Sections of Fazze's anti-Pfizer talking points resemble promotional materials for Russia’s Sputnik-V vaccine.

For-hire disinformation, though only sometimes effective, is growing more sophisticated as practitioners iterate and learn. Experts say it is becoming more common in every part of the world, outpacing operations conducted directly by governments.

The result is an accelerating rise in polarizing conspiracies, phony citizen groups and fabricated public sentiment, deteriorating our shared reality beyond even the depths of recent years.

The trend emerged after the Cambridge Analytica scandal in 2018, experts say. Cambridge, a political consulting firm linked to members of Donald J. Trump’s 2016 presidential campaign, was found to have harvested data on millions of Facebook users.

The controversy drew attention to methods common among social media marketers. Cambridge used its data to target hyper-specific audiences with tailored messages. It tested what resonated by tracking likes and shares.
The episode taught a generation of consultants and opportunists that there was big money in social media marketing for political causes, all disguised as organic activity.

Some newcomers eventually reached the same conclusion as Russian operatives had in 2016: Disinformation performs especially well on social platforms.

At the same time, backlash to Russia’s influence-peddling appeared to have left governments wary of being caught -- while also demonstrating the power of such operations.

“There is, unfortunately, a huge market demand for disinformation,” Mr. Brookie said, “and a lot of places across the ecosystem that are more than willing to fill that demand.”

Commercial firms conducted for-hire disinformation in at least 48 countries last year — nearly double from the year before, according to an Oxford University study. The researchers identified 65 companies offering such services.

Last summer, Facebook removed a network of Bolivian citizen groups and journalistic fact-checking organizations. It said the pages, which had promoted falsehoods supporting the country’s right-wing government, were fake.

Stanford University researchers traced the content to CLS Strategies, a Washington-based communications firm that had registered as a consultant with the Bolivian government. The firm had done similar work in Venezuela and Mexico.

A spokesman referred to the company’s statement last year saying its regional chief had been placed on leave but disputed Facebook’s accusation that the work qualified as foreign interference.

Eroding Reality

New technology enables nearly anyone to get involved. Programs batch generate fake accounts with hard-to-trace profile photos. Instant metrics help to hone effective messaging. So does access to users’ personal data, which is easily purchased in bulk.

The campaigns are rarely as sophisticated as those by government hackers or specialized firms like the Kremlin-backed Internet Research Agency. But they appear to be cheap.
In countries that mandate campaign finance transparency, firms report billing tens of thousands of dollars for campaigns that also include traditional consulting services.

The layer of deniability frees governments to sow disinformation more aggressively, at home and abroad, than might otherwise be worth the risk. Some contractors, when caught, have claimed they acted without their client's knowledge or only to win future business.

Platforms have stepped up efforts to root out coordinated disinformation. Analysts especially credit Facebook, which publishes detailed reports on campaigns it disrupts.

Still, some argue that social media companies also play a role in worsening the threat. Engagement-boosting algorithms and design elements, research finds, often privilege divisive and conspiratorial content.

Political norms have also shifted. A generation of populist leaders, like Rodrigo Duterte of the Philippines, has risen in part through social media manipulation. Once in office, many institutionalize those methods as tools of governance and foreign relations.

In India, dozens of government-run Twitter accounts have shared posts from India Vs Disinformation, a website and set of social media feeds that purport to fact-check news stories on India.

India Vs Disinformation is, in reality, the product of a Canadian communications firm called Press Monitor.

Nearly all the posts seek to discredit or muddy reports unfavorable to Prime Minister Narendra Modi's government, including on the country’s severe Covid-19 toll. An associated site promotes pro-Modi narratives under the guise of news articles.

------------------------------

Date: Sun, 25 Jul 2021 21:25:41 PDT
From: Peter G Neumann
Subject: What Should Happen to Our Data When We Die? (NYTimes)

... expect to be victimized by deep fakes, simulations, and questionable ethical practices ... What could possibly go wrong? PGN

https://www.nytimes.com/2021/07/24/style/what-should-happen-to-our-data-when-we-die.html

------------------------------

Date: Fri, 23 Jul 2021 08:42:16 -0700
From: "Lauren Weinstein"
Subject: Breast Cancer Patient Attacked by Violent Anti-Mask Protest Outside Los Angeles Clinic (Vice)

[Enough!!! LW]

https://www.vice.com/en/article/pkbxmg/breast-cancer-patient-attacked-anti-mask-protest

------------------------------

Date: Mon, 26 Jul 2021 12:52:06 -0700
From: "Henry Baker"
Subject: 'STFU' is anti-science

'Science' is an institution dedicated to improving human knowledge about natural phenomena, and this institution must progress through amplifying the tiniest bits of 'signal' drowned in vast amounts of 'noise'. For example, the LIGO experiment amplifies its signals at least 21 orders of magnitude to produce a legitimate reading.

More cynically, science progresses by a first scientist coming up with an hypothesis, and then amplifying this signal by 10 orders of magnitude until a majority of the O(10 billion) people on the planet are convinced.

Unfortunately, this amplification process has to deal not only with noise from Nature, but also active *jamming* from people with political agendas. Jamming is, of course, the active attempt to drown out a signal by brute force: overpowering the signal with counteracting signals which starve the new signal for attention (and funding).

Unfortunately, for some scientists, the Hippocratic Oath ('first do no harm') has been replaced by the Hypocritic Oath ('first shoot the messenger').

The famous evolutionary biologist Matt Ridley has been calling out this jamming (albeit without using this term) regarding the so-called COVID 'lab leak hypothesis' (LLH). It's not as if LLH hasn't happened before -- Google sheep in Dugway, Utah and ask the victims from a SARS leak in Beijing in 2004 (see www.cdc.gov).

Under the previous administration, the Chinese govt and the main-stream media excoriated everyone who seriously considered LLH.
However, MSNBC hosts nearly broke their necks with an Orwell-like whiplash when the Biden administration broke ranks and decided to investigate LLH further.

The following is a long article, behind a paywall, but Matt Ridley hasn't been shy about these issues, so there are plenty of other places to read his uncomfortable thoughts.

https://www.wsj.com/articles/covid-china-media-lab-leak-climate-ridley-biden-censorship-coronavirus-11627049477

Tunku Varadarajan, 23 Jul 2021
How Science Lost the Public's Trust
From climate to Covid, politics and hubris have disconnected scientific institutions from the philosophy and method that ought to guide them.

'Science' has become a political catchword. "I believe in science," Joe Biden tweeted six days before he was elected president. "Donald Trump doesn't. It's that simple, folks." But what does it mean to believe in science?

The British science writer Matt Ridley draws a pointed distinction between "science as a philosophy" and "science as an institution." The former grows out of the Enlightenment, which Mr. Ridley defines as "the primacy of rational and objective reasoning." The latter, like all human institutions, is erratic, prone to falling well short of its stated principles. Mr. Ridley says the Covid pandemic has "thrown into sharp relief the disconnect between science as a philosophy and science as an institution."

Mr. Ridley, 63, describes himself as a "science critic, which is a profession that doesn't really exist." He likens his vocation to that of an art critic and dismisses most other science writers as "cheerleaders." [...]

With the Canadian molecular biologist Alina Chan, [Ridley is] finishing a book called "Viral: The Search for the Origin of Covid-19," to be published in November. It will likely make its authors unwelcome in China. As Mr. Ridley worked on the book, he says, it became "horribly clear" that Chinese scientists are "not free to explain and reveal everything they've been doing with bat viruses."
That information has to be "dug out" by outsiders like him and Ms. Chan. The Chinese authorities, he says, ordered all scientists to send their results relevant to the virus for approval by the government before other scientists or international agencies could vet them: "That is shocking in the aftermath of a lethal pandemic that has killed millions and devastated the world."

Mr. Ridley notes that the question of Covid's origin has "mostly been tackled by people outside the mainstream scientific establishment." People inside not only have been "disappointingly incurious" but have tried to shut down the inquiry "to protect the reputation of science as an institution." The most obvious reason for this resistance: If Covid leaked from a lab, and especially if it developed there, "science finds itself in the dock."

Other factors have been at play as well. Scientists are as sensitive as other elites to charges of racism, which the Communist Party used to evade questions about specifically Chinese practices "such as the trade in wildlife for food or lab experiments on bat coronaviruses in the city of Wuhan." Scientists are a global guild, and the Western scientific community has "come to have a close relationship with, and even a reliance on, China." Scientific journals derive considerable "income and input" from China, and Western universities rely on Chinese students and researchers for tuition revenue and manpower. All that, Mr. Ridley says, "may have to change in the wake of the pandemic."

In the U.K., he has also noted "a tendency to admire authoritarian China among scientists that surprised some people." It didn't surprise Mr. Ridley. "I've noticed for years," he says, "that scientists take a somewhat top-down view of the political world, which is odd if you think about how beautifully bottom-up the evolutionary view of the natural world is."
He asks: "If you think biological complexity can come about through unplanned emergence and not need an intelligent designer, then why would you think human society needs an 'intelligent government'?" Science as an institution has "a naive belief that if only scientists were in charge, they would run the world well." Perhaps that's what politicians mean when they declare that they "believe in science." As we've seen during the pandemic, science can be a source of power.

But there's a "tension between scientists wanting to present a unified and authoritative voice," on the one hand, and science-as-philosophy, which is obligated to "remain open-minded and be prepared to change its mind." Mr. Ridley fears "that the pandemic has, for the first time, seriously politicized epidemiology." It's partly "the fault of outside commentators" who hustle scientists in political directions. "I think it's also the fault of epidemiologists themselves, deliberately publishing things that fit with their political prejudices or ignoring things that don't." [...]

The politicization of science leads to a loss of confidence in science as an institution. The distrust may be justified but leaves a vacuum, often filled by a "much more superstitious approach to knowledge." To such superstition Mr. Ridley attributes public resistance to technologies such as genetically modified food, nuclear power--and vaccines. [...]

Vaccines have been central to the question of "misinformation" and the White House's pressure campaign against social media to censor it. Mr. Ridley worries about the opposite problem: that social media "is complicit in enforcing conformity." It does this "through 'fact checking,' mob pile-ons, and direct censorship, now explicitly at the behest of the Biden administration." He points out that Facebook and Wikipedia long banned any mention of the possibility that the virus leaked from a Wuhan laboratory. "Conformity," Mr. Ridley says, "is the enemy of scientific progress, which depends on disagreement and challenge. Science is the belief in the ignorance of experts, as [the physicist Richard] Feynman put it."

Mr. Ridley reserves his bluntest criticism for "science as a profession," which he says has become "rather off-puttingly arrogant and political, permeated by motivated reasoning and confirmation bias." Increasing numbers of scientists "seem to fall prey to groupthink, and the process of peer-reviewing and publishing allows dogmatic gate-keeping to get in the way of new ideas and open-minded challenge." [...]

In Mr. Ridley's view, the scientific establishment has always had a tendency "to turn into a church, enforcing obedience to the latest dogma and expelling heretics and blasphemers."

------------------------------

Date: Sun, 25 Jul 2021 16:26:31 -0400
From: "Gabe Goldberg"
Subject: The Problem With Stealing High-End Electronics and Beer (Now I Know)

If you’re reading this on a smartphone, you have something valuable in your hands — and I’m not talking about the story you’re about to read. The device you’re holding weighs less than 200 grams (7 ounces) and retails for as much as $1,000. It’s not quite worth its weight in gold, but it’s worth more than its weight in silver, which is to say, it’s both valuable and easily portable. As a result, it’s a good target for thieves. In fact, most high-end electronics are. They’re expensive when sold through proper channels and there’s a lot of demand for them. So if you’re able to steal a lot of tech, you can probably find buyers simply by offering a discount. All you need is an easy target and you’ll find yourself a nice, albeit illegal, payday.

That’s likely what a couple of thieves were thinking when they learned about a tech startup in their area. Called “Roambee,” the company probably didn’t have a lot of money for things like office security or the like. In June of 2017, they rather easily broke into Roambee's offices.
As Roambee's co-founder, Vidya Subramanian, told the Verge, they simply “jimmied the lock” and gained intro into “the room where we charge our devices, and needless to say there’s computer equipment everywhere, so they thought it was a good place to steal stuff.” The robbers stole computers and boxes filled with what they probably thought were cellphone chargers. Then they grabbed a beer from Roambee's office refrigerator to celebrate. That was a mistake.

[This is a long-ish tale of thieves. Gabe did not include the last part, omitting the final punchline, so I will simply tell you what they stole -- GPS trackers -- and why they were so easily caught. PGN]

http://nowiknow.com/the-problem-with-stealing-high-end-electronics-and-beer/

------------------------------

Date: Fri, 23 Jul 2021 17:15:09 +0100
From: anthony
Subject: Re: Traffic Analysis and Herd Immunity (Slade, RISKS-32.77)

> Once we reach herd immunity, the number of cases will drop quite
> dramatically.

By that measure, we will NEVER reach herd immunity. The number of people being RE-infected is rising. Getting infected, or vaccinated, there's not much difference, only protects you from being (re-)infected by THAT SPECIFIC variant.

> It prevents the development of new and more dangerous variants.

NOT true! Be it a new or old variant, the biggest indicator of danger is whether you've met CoVid-19 before. The new variants are "more transmissible", i.e., easier to catch. They have to be, given the number of people who are partially or completely immune, if they want to stand a chance of spreading.

So yes, get vaccinated. Tell your friends and family to get vaccinated. It *will* protect you and them. What it *won't* do is protect you from catching CoVid (again (and again)). What it *will* do is protect you from ending up in hospital - or worse. [...]

Unfortunately, I don't think vaccination has any effect on whether you will suffer long haul CoVid. I suspect I may be one of the UK's earliest CoVid victims.
I didn't even realise it was likely to have been CoVid until long after, it was that minor. And the doctor now suspects I may be suffering from long CoVid.

We need to drop this focus on how many cases we have, and look at how many of those cases end up in hospital. We're not going to eradicate CoVid, we need to live with it. We need to stop thinking of it as a pandemic that will go away, and think of it as what it is -- a new *en*demic illness -- JUST LIKE THE COMMON COLD.

And we've been here before -- it's now thought that the 1890 pandemic was a previous occasion when a corona virus "jumped species". A few years later it had mostly disappeared, and is now thought to be the most common cause of the common cold.

------------------------------

Date: Sat, 24 Jul 2021 12:00:01 -0700
From: "Jim Garrison"
Subject: Re: Rounding errors could make certain stop-watches pick wrong race winners (RISKS-32.77)

> Where rounding errors occurred, they usually resulted in changes of one
> one-hundredth of a second. One raw time of 28.3194 was converted to a
> displayed time of 28.21.

Sorry, but rounding 28.3194 to 28.21 is not a "rounding error", it's just bad arithmetic due to some other programming error. Unless of course the article is misquoting or misinterpreting the actual numbers.

------------------------------

Date: Mon, 26 Jul 2021 11:08:37 -0400
From: "Dick Mills"
Subject: Re: YouTube fined 100 000 Euros delaying court order to restore video (RISKS-32.77)

It seems like hubris for the "Higher Regional Court at Dresden" to expect that everyone in the world will recognize that title and recognize the court's authority. A global outfit like Google may receive dozens of official sounding crackpot mail messages every day. It could even come from another Dresden rather than Dresden, Germany. It should take a reasonable time to investigate such a message for authenticity.
Dresden, Kansas
Dresden, Maine
Dresden, Missouri
Dresden, New York
Dresden, North Dakota
Dresden, Ohio
Dresden, Tennessee
Dresden, Ontario, Canada
Dresden, Staffordshire, England

------------------------------

Date: Fri, 23 Jul 2021 04:13:23 +0000 (UTC)
From: "Black Michael"
Subject: Re: A secret algorithm is transforming DNA evidence. This defendant could be the first to scrutinize it. (RISKS-32.77)

The article on the DNA testing reminds me of working on weighted non-linear least squares problems years ago where I learned how to distrust this process which is used in multiple disciplines to this day (like chemical analysis and I suspect DNA analysis too).

I started with doing gamma ray spectroscopy and fitting libraries of radioactive elements to find the best "fit" for a collected spectrum. This was the technique used by the Naval Research Laboratory for decades to do such fitting on nuclear collections done by them. Without going into the math it's like finding the best combination of coins to make a certain $ amount. So to get $1.01 you would get 4 quarters and 1 penny. And if all you know is quarters and pennies that's the only answer. But when you add dimes and nickels the number of possible solutions grows dramatically. Mind you in the real world fits aren't as exact as this example.

I was in a meeting with leading people from USAF, NRL, LANL, PNL, SRI, and DOE and a rather aggressive argument broke out between NRL's representative who was doing the least-squares approach and a mathematician from PNL who said he didn't care what the underlying data was but that weighted linear least squares was the wrong way to do it. NRL took offense as they (he) had been doing it for 30 years and was the national expert on the matter.

Our PNL dude ended up creating software to do "all possible combinations" which had been considered intractable but he had a special technique from a Russian mathematician to do it... I wish I still had that reference/software.
What the PNL software did was produce a binary matrix and used an F-Test for a cutoff. So imagine you have a library of 4 elements and you get this matrix where 1 represents the presence of a library element in the fit. Rank ordered by residual value.

1 0 1 1 -- what a least square solution will find
0 1 0 1
1 1 0 1
0 0 1 1 -- last item in f-test cutoff
0 0 1 0
0 1 1 0
1 1 1 0
1 0 1 0
1 1 1 1
0 1 1 1
0 0 0 1
0 0 1 1
0 1 0 0
1 0 0 1
1 0 0 0

What we found was if the column was ALWAYS present in all good fits then it was in the sample -- which in the sample above would be element #4. And it turned out to be true in every test we did. If an item drops in and out of the good solutions, its presence in the sample was questionable. One thing the PNL software did not do was try to estimate how much was in the sample as it could not be supported by statistics. Generally not enough good solutions to provide a valid standard deviation.

------------------------------

Date: Fri, 23 Jul 2021 20:18:49 -0400
From: "David B. Horvath, CCP"
Subject: Re: Some locals say a bitcoin mining operation is ruining one of the Finger Lakes. Here's how. (NBC News, RISKS-32.78)

On 10 Jul 2021 18:30:46 -0400, "John Levine" <johnl@iecc.com> mentions:

> A bill to ban fossil fuel powered cryptocoin mining has passed the NY Senate and is currently in front of the house.

Given that electric power (whether created through the use of fossil fuel or other means -- renewable or not) is a fungible commodity, how does the State of New York actually plan on banning it? While they could ban a power plant dedicated to creating power for mining, the fossil plant could sell power to the grid while the mining operation buys power from another state off the grid. Or the power could be sold to the grid and the mining occur in another state. Yet another meaningless law that seems to do good but is really just the wizard hidden behind the curtains.
Just to be clear: I'm not complaining about the purpose of the bill, just the implementation or ability to cause a good outcome.

------------------------------

Date: Fri, 23 Jul 2021 20:19:53 -0400
From: "David B. Horvath, CCP"
Subject: Re: RFI on scientific integrity (Baker, RISKS-32.77)

> Innovation in science is a messy, chaotic business ...

Thomas Kuhn's "The Structure of Scientific Revolutions" should be mandatory reading.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   *** NOTE: If a cited URL fails, we do not try to update them.
   Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.78
************************
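Added example, not from the digest or any contributor, of the "all possible combinations" procedure Michael Black describes above: every non-empty subset of a constructed four-element library is fitted to a constructed sample by linear least squares, ranked by residual, cut off with an extra-sum-of-squares F-test against the full-library fit, and the elements present in every surviving fit are reported, while the elements that drop in and out are left as questionable. The library spectra, the sample, and the critical value F_CRIT are assumptions; a real implementation would take the critical value from the F distribution.

```python
from itertools import product

# Constructed toy "library": four reference spectra over six channels (not real data).
LIBRARY = [[5, 3, 1, 0, 1, 1], [1, 4, 3, 1, 2, 2],
           [0, 1, 4, 5, 2, 2], [2, 2, 2, 2, 3, 3]]
# Constructed sample: 2*E1 + 0.5*E3 + 1*E4 plus a small noise term; E2 is absent.
SAMPLE = [12.0, 8.5, 6.0, 4.5, 6.01, 5.99]
F_CRIT = 5.0  # assumed cutoff; a real F-test takes it from the F distribution for (df1, df2)


def solve(a, b):
    """Solve the square system a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def residual_ss(mask, library, sample):
    """Least-squares fit of the library elements selected by mask; returns the residual sum of squares."""
    cols = [library[i] for i, on in enumerate(mask) if on]
    ata = [[sum(u[k] * v[k] for k in range(len(sample))) for v in cols] for u in cols]
    atb = [sum(u[k] * sample[k] for k in range(len(sample))) for u in cols]
    coef = solve(ata, atb)  # amounts are solved for but, as in the post, not reported
    fitted = [sum(c * u[k] for c, u in zip(coef, cols)) for k in range(len(sample))]
    return sum((s - f) ** 2 for s, f in zip(sample, fitted))


def all_combinations(library, sample):
    """Every non-empty subset of the library (the binary matrix), ranked by residual, best first."""
    masks = [m for m in product((0, 1), repeat=len(library)) if any(m)]
    return sorted(((m, residual_ss(m, library, sample)) for m in masks), key=lambda t: t[1])


def f_statistic(rss_sub, p_sub, rss_full, p_full, n):
    """Extra-sum-of-squares F statistic: does dropping elements make the fit significantly worse?"""
    if p_full == p_sub:
        return 0.0
    denom = rss_full / (n - p_full)
    num = max(rss_sub - rss_full, 0.0) / (p_full - p_sub)
    return float("inf") if denom == 0 else num / denom


def good_fits(library, sample, f_crit=F_CRIT):
    """Subsets inside the F-test cutoff: fits not significantly worse than the full-library fit."""
    fits = all_combinations(library, sample)
    rss_full = dict(fits)[tuple([1] * len(library))]
    n, p_full = len(sample), len(library)
    return [m for m, rss in fits if f_statistic(rss, sum(m), rss_full, p_full, n) <= f_crit]


def always_present(masks):
    """Elements set in every good fit: per the post, the ones really in the sample."""
    return [i for i in range(len(masks[0])) if all(m[i] for m in masks)]
```

With the constructed sample, only the subsets containing elements 1, 3 and 4 survive the cutoff, so those three are reported as present and element 2, which appears in one good fit but not the other, is left questionable.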