
   BBS_CARNIVAL      Your BBS software rules and others suck      5,461 messages   


   Message 3,579 of 5,461   
   Sean Dennis to All   
   RISKS Digest 31.20   
   24 Apr 19 15:30:49   
   
   MSGID: 1:18/200@fidonet 5cc0b98c   
   CHRS: CP437 2   
   TZUTC: -0400   
   TID: MBSE-FIDO 1.0.7.12 (GNU/Linux-x86_64)   
   RISKS-LIST: Risks-Forum Digest  Tuesday 23 April 2019  Volume 31 : Issue 20   
      
   ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)   
   Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy   
      
   ***** See last item for further information, disclaimers, caveats, etc. *****   
   This issue is archived at  as   
        
   The current issue can also be found at   
        
      
     Contents:   
   "A Marriage Made in Hell": The growing partnership between Russia's   
     government and cybercriminals (CBS)   
   The Mueller Report includes lots of information on Russian election   
     interference (PGN)   
   Sometimes Bitcoin makes you easier to trace ... (CNN)   
   How the Boeing 737 Max Disaster Looks to a Software Developer   
     (IEEE Spectrum)   
   A video showed a parked Tesla Model S exploding in Shanghai (qz.com)   
   Roman Mars Mazda virus (Jeremy Epstein)   
   Nokia 9 buggy update lets anyone bypass fingerprint scanner with a   
     pack of gum (Catalin Cimpanu)   
   How sovereign citizens helped swindle $1 billion from the government   
     they disavow (NYTimes)   
   How *not* to kill a news cycle ... (Rob Slade)   
   "Can Facebook be trusted with a virtual assistant?" (Computerworld)   
   The trouble with tech unicorns: Tech's new stars have it all --   
     except a path to high profits (The Economist)   
   Silicon Valley Came to Kansas Schools. That Started a Rebellion (NYTimes)   
   Domain transfer at gunpoint ... (CNN via Rob Slade)   
   Battle for .amazon Domain Pits Retailer Against South American Nations   
     (E-Week)   
   Should AI be used to catch shoplifters? (cnn.com)   
   Facebook Uses Mueller Report to Distract from Security Breach (The Register)   
   Facial Recognition in NYC (NYTimes)   
   An Interesting Juxtaposition in RISKS 31.18 (Gene Wirchenko)   
   Abridged info on RISKS (comp.risks)   
      
   ----------------------------------------------------------------------   
      
   Date: Tue, 23 Apr 2019 07:27:27 -1000   
   From: the keyboard of geoff goodfellow    
   Subject: "A Marriage Made in Hell": The growing partnership between Russia's   
     government and cybercriminals (CBS)   
      
   https://www.cbsnews.com/news/evgeniy-mikhailovich-bogachev-the-growing-partnership-between-russia-government-and-cybercriminals-60-minutes/   
      
   Assessing the threats in the new "code war":   
      
   A new war is taking place online -- and the former head of national security   
   at the Justice Department says Russia is the biggest threat   
      
   https://www.cbsnews.com/news/assessing-the-threats-in-the-new-code-war-60-minutes-2019-04-21/   
   https://www.cbs.com/shows/60_minutes/   
      
   ------------------------------   
      
   Date: Mon, 22 Apr 2019 9:31:14 PDT   
   From: "Peter G. Neumann"    
   Subject: The Mueller Report includes lots of information on Russian election   
     interference (various sources)   
      
   Here are just three recent items:   
      
   National: Mueller report highlights scope of election security challenge   
     (The Washington Post)   
   https://www.ccn.com/mueller-report-russian-bitcoin-use-2016-election-manipulation   
      
   Mueller Report: Russia Funded US Election Snooping, Manipulation with   
     Bitcoin (CCN)   
   https://www.ccn.com/mueller-report-russian-bitcoin-use-2016-election-manipulation   
      
   Mueller report says Russian hacking once went through Arizona server   
     (Cronkite News)   
   https://cronkitenews.azpbs.org/2019/04/19/mueller-report-says-russian-hacking-once-went-through-arizona-server/   
      
   ------------------------------   
      
   Date: Sat, 20 Apr 2019 12:10:16 -0700   
   From: Rob Slade    
   Subject: Sometimes Bitcoin makes you easier to trace ... (CNN)   
      
   Bitcoin, and cryptocurrencies in general, are seen as being anonymous, like   
   cash transactions.   
      
   Not quite.   
      
   Bitcoin, and the blockchain, may be encrypted, but, once you've identified   
   an account of note, you can get all kinds of information about transactions.   
      
   https://lite.cnn.io/en/article/h_4257e917945d6897b59d5e2b5d6fbb3c   
      
   ------------------------------   
      
   Date: Tue, 23 Apr 2019 01:06:56 -0400   
   From: Monty Solomon    
   Subject: How the Boeing 737 Max Disaster Looks to a Software Developer   
     (IEEE Spectrum)   
      
   https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer   
      
   ------------------------------   
      
   Date: Mon, 22 Apr 2019 14:06:19 +0800   
   From: Richard Stein    
   Subject: A video showed a parked Tesla Model S exploding in Shanghai (qz.com)   
      
   https://qz.com/1601177/a-video-showed-a-parked-tesla-model-s-exploding-in-shanghai/   
      
   From the video, the vehicle appears to be in a quiescent state.   
      
   Henry Baker noted the vehicle fire risk at home while charging in   
   http://catless.ncl.ac.uk/Risks/30/76#subj14.1   
      
   The energy density of a lithium-air storage battery, per   
   https://en.wikipedia.org/wiki/Lithium_air_battery   
      
   In the same table, TNT (https://en.wikipedia.org/wiki/Trinitrotoluene) is   
   4.1 MJ/kg.   
      
   Risk: Fire via electric-vehicle battery thermal runaway.   
      
   ------------------------------   
      
   Date: Fri, 19 Apr 2019 09:53:23 -0400   
   From: Jeremy Epstein    
   Subject: Roman Mars Mazda virus   
      
   A flaw in the MP3 player in some Mazda cars causes the MP3 player to lock up   
   when playing a particular podcast.  The problem appears to be the use of the   
   string "%I" in the name of the podcast, which (based on discussions with the   
   author of the software) seems to be causing problems with the URI   
   interpretation software.  Unfortunately, the podcast doesn't explore a step   
   further, looking at whether the flaw can be exploited to take control of   
   vehicle systems, for example.   
      
   The podcast is interesting listening even for geeks (although the answer was   
   fairly obvious from the beginning), simply to understand how a non-technical   
   person tries to solve a technical problem.  I'd imagine it's the same as a   
   doctor watching a parent trying to figure out why a baby is crying, without   
   having much data on how to distinguish the trivial (wet diaper, hungry) from   
   a serious illness.   
      
   https://99percentinvisible.org/episode/the-roman-mars-mazda-virus/   
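Taking the post's guess at face value, here is an added example (not the post's code, and nothing from Mazda or the podcast) of a percent-decoder that treats a malformed escape such as "%I" as literal text instead of rejecting the whole title; the strict decoder beside it is constructed only to show the contrast.

```python
from __future__ import annotations

# Added example, not code from the RISKS post or from any Mazda software.
# It assumes (the post only speculates this) that a URI-decoding step on the
# head unit rejected the literal "%I" in a podcast title. A decoder that
# passes a malformed escape through as text keeps playing instead of locking up.

HEX_DIGITS = set("0123456789abcdefABCDEF")


def _is_escape(s: str, i: int) -> bool:
    """True if s[i:i+3] is a well-formed %XX escape."""
    return (
        s[i] == "%"
        and i + 2 < len(s)
        and s[i + 1] in HEX_DIGITS
        and s[i + 2] in HEX_DIGITS
    )


def strict_unquote(s: str) -> str:
    """Constructed 'before' behaviour: any '%' not followed by two hex
    digits is an error, so a title such as "Episode %I" is rejected."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%":
            if not _is_escape(s, i):
                raise ValueError(f"malformed percent-escape at offset {i}: {s[i:i + 3]!r}")
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def tolerant_unquote(s: str) -> str:
    """Hardened decoder: well-formed %XX escapes are decoded; anything else
    (including "%I" and a trailing '%') is passed through as literal text."""
    out = bytearray()
    i = 0
    while i < len(s):
        if _is_escape(s, i):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def decodes_strictly(s: str) -> bool:
    """Report whether the strict decoder accepts s (shows the contrast)."""
    try:
        strict_unquote(s)
        return True
    except ValueError:
        return False


def display_title(raw_title: str) -> str:
    """What a player should show for a track whose tag came from an untrusted
    feed: decode tolerantly, then format with explicit arguments so the
    title itself is never used as a format string."""
    return "Now playing: {}".format(tolerant_unquote(raw_title))


if __name__ == "__main__":
    # Constructed sample titles; the second mimics the one the post describes.
    for title in ("99%25 Invisible", "The Roman Mars Mazda Virus %I", "50% off%"):
        print(f"{title!r}: strict ok={decodes_strictly(title)} -> {display_title(title)}")
```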
      
   ------------------------------   
      
   Date: Tue, 23 Apr 2019 10:43:41 -0700   
   From: Gene Wirchenko    
   Subject: Nokia 9 buggy update lets anyone bypass fingerprint scanner with a   
     pack of gum (Catalin Cimpanu)   
      
   Catalin Cimpanu for Zero Day | 22 Apr 2019   
   Only Nokia 9 PureView handsets appear to be impacted.   
   https://www.zdnet.com/article/nokia-9-buggy-update-lets-anyone-bypass-fingerprint-scanner-with-a-pack-of-gum/   
      
   selected text:   
      
   A buggy update for Nokia 9 PureView handsets has apparently impacted the   
   smartphone model's in-screen fingerprint scanner, which can now be bypassed   
   using unregistered fingerprints or even with something as banal as a pack of   
   gum.   
      
   The update was meant to improve the phone's in-screen fingerprint scanner   
   module -- so that users won't have to press their fingers too hard on the   
   screen before the phone unlocks -- yet it had the exact opposite effect the   
   company hoped for.   
      
   While initially, the reported issues appeared to be new, a video recorded by   
   another user showed the same problem (unlocking phones with unregistered   
   fingerprints) even before the v4.22 update, meaning that the update just   
   made the unlocking bug worse than it already was.   
      
   This means that rolling back the faulty v4.22 firmware update, or waiting on   
   v4.21, won't fix the fingerprint scanner problems, as even before this   
   patch, the scanner appeared to have a pretty high false negatives rate,   
   allowing strangers to bypass the phone's screenlock.   
      
   In the meantime, users are advised to switch to another mode of   
   authentication, such as using facial recognition, a PIN code, or a password.   
      
   ------------------------------   
      
   Date: Fri, 19 Apr 2019 15:15:44 -0400   
   From: Gabe Goldberg    
   Subject: How sovereign citizens helped swindle $1 billion from the   
     government they disavow (NYTimes)   
      
   Sovereigns, who sometimes call themselves `freemen' or `state citizens',   
   have no foundational document, but broadly they subscribe to an alternate   
   version of American history. The tale can vary from sovereign to sovereign,   
   but it goes roughly like this: At some point, a corporation secretly usurped   
   the United States government, then went bankrupt and sought aid from   
   international bankers. As collateral, the corporation offered the financiers   
   ... us. As sovereigns tell it, your birth certificate and Social Security   
   card are not benign documents, but contracts that enslave you.   
      
   There is, they believe, a pathway to freedom: Renounce these contracts or   
   otherwise assert your sovereignty. (Mr. Morton said he once told the Social   
   Security Administration, ``I don't want this number.'') Then no one -- not   
   the taxman, not the police -- can tell you what to do. Not all sovereigns   
   are con men, but their belief system lends itself to deceit.  You might   
   declare yourself a `diplomat' from a nonexistent country.  (Mr. Morton   
   represented the Republic of New Lemuria and the Dominion of Melchizedek.) Or   
   start a fake Native American tribe. Or blow off a court case because the   
   American flag in the courtroom has gold fringe. Some sovereigns have even   
   lashed out violently at law enforcement officers, which is why they're   
   considered a domestic terrorism threat.   
      
   https://www.nytimes.com/2019/03/29/business/sovereign-citizens-financial-crime.html   
      
   The risk? Crooks, fools, and an IRS starved for funds.   
      
   ------------------------------   
      
   Date: Tue, 23 Apr 2019 12:15:09 -0700   
   From: Rob Slade    
   Subject: How *not* to kill a news cycle ...   
      
   OK, now, I don't want to get accused of "controversial political statements"   
   so I'm not naming any names, all right?   
      
   But let's, hypothetically and purely for the sake of argument, say that some   
   document or piece of news is going to come out, and you want to minimize the   
   attention paid to it.  (Let's call it the Miller Time Report, just for   
   illustrative purposes.)   
      
   Now, the *right* way to ensure that bad news is buried is to release but   
   distract.  For example, if you are a company called "Fact"book, and you have   
   yet another egregious failure of security and privacy to report, you do it   
   an hour after the release of the Miller Time Report, which you know lots of   
   people are interested in.  In fact, if you have two pieces of bad news,   
   release them both at the same time, just after the Miller Time Report, and   
   that way lots of people don't actually realize that you made two mistakes,   
   since they are all mostly interested in the Miller Time Report and won't   
   read yours in any detail.   
      
   Now, if you are responsible for releasing the Miller Time Report, and it's a   
   huge report (say, something along the lines of 400 pages), you might think   
   it clever to release it in a difficult format, like an unsearchable PDF.   
   This means that people can't go searching for details they think might be in   
   it.  People, even reporters, are basically lazy, and you might think that   
   this will discourage them from actually having to read the whole report.   
      
   That's actually a bad idea, on two counts.  First, it's not that hard for   
   technically adept people to run the document through OCR (optical character   
   recognition) and create a searchable document, and release that themselves.   
      
   The second issue is that, while most people *are* basically lazy, when a   
   whole bunch of people are interested in something, then, even if you make it   
   difficult, they will put in the work.  And, if you make it hard for them to   
   find the highlights, then, by forcing them to read the whole thing, you risk   
   the fact that they will, over time, find all kinds of interesting bits and   
   pieces.  And, because it's taking them time to read the whole thing, the   
   bits and pieces get released as they are found, and that extends the "news   
   cycle" for the Miller Time Report.  A kind of corollary of the   
   Streisand Effect takes over, and what you tried to minimize gets extended,   
   instead.   
      
   ------------------------------   
      
   Date: Sun, 21 Apr 2019 18:56:51 -0700   
   From: Gene Wirchenko    
   Subject: "Can Facebook be trusted with a virtual assistant?" (Computerworld)   
      
   https://www.computerworld.com/article/3390540/can-facebook-be-trusted-with-a-virtual-assistant.html   
      
   Mike Elgan, Computerworld,   
   A look at recent news has a lot to tell us about Facebook's trustworthiness.   
      
         [Given the list of offenses, the author's answer is no.]   
      
   ------------------------------   
      
   Date: Sun, 21 Apr 2019 07:26:36 -1000   
   From: geoff goodfellow    
   Subject: The trouble with tech unicorns: Tech's new stars have it all --   
     except a path to high profits (The Economist)   
      
   Millions of users, cool brands and charismatic bosses are not enough   
      
   EXCERPT:   
      
   Investors often describe the world of business in terms of animals, such as   
   bears, bulls, hawks, doves and dogs. Right now, mere ponies are being   
   presented as unicorns: privately held tech firms worth over $1bn that are   
   supposedly strong and world-beating -- miraculous almost. Next month Uber will   
   raise some $10bn in what may turn out to be this year's biggest initial   
   public offering (IPO). It will be America's third-biggest-ever tech IPO,   
   after Alibaba and Facebook. Airbnb and WeWork could follow Lyft, which has   
   already floated, and Pinterest, which was set to do so as The Economist   
   went to press. In China, an IPO wave that began last year rumbles on.   
   Thanks to fashionable products and armies of users, these firms have a   
   total valuation in the hundreds of billions of dollars. They and their   
   venture-capital (VC) backers are rushing to sell shares at high prices to   
   mutual funds and pension schemes run for ordinary people. There is,   
   however, a problem with the unicorns: their business models.   
      
   As we report this week, a dozen unicorns that have listed, or are likely to,   
   posted combined losses of $14bn last year. Their cumulative losses are $47bn   
   (see Briefing). Their services, from ride-hailing to office rental, are   
   often deeply discounted in order to supercharge revenue growth.  The   
   justification for this is the Silicon Valley doctrine of `blitz-scaling' in   
   order to conquer `winner-takes-all' markets -- or in plain English,   
   conducting a high-speed land grab in the hope of finding gold.   
      
   Yet some unicorns lack the economies of scale and barriers to entry that   
   their promoters proclaim. At the same time, tighter regulation will   
   constrain their freedom to move fast and break things. Investors should   
   demand lower prices in the IPOs, or stay away. Tech entrepreneurs and their   
   backers need to rethink what has become an unsustainable approach to   
   building firms and commercialising ideas.   
      
   Today's unicorn-breeding industry would not have been possible 25 years   
   ago. In 1994 only $6bn flowed into VC funds, which doled out cheques in the   
   single-digit millions. Before Amazon staged its IPO in 1997 it had raised a   
   total of only $10m. Three things changed. Growing fast became easier thanks   
   to cloud computing, smartphones and social media, which let startups spread   
   rapidly around the world. Low interest rates left investors chasing   
   returns. And a tiny elite of superstar firms, including Google, Facebook and   
   China's Alibaba and Tencent, proved that huge markets, high profits and   
   natural monopolies, along with limited physical assets and light regulation,   
   were the secret to untold riches. Suddenly tech became all about applying   
   this magic formula to as many industries as possible, using piles of money   
   to speed up the process.   
      
   Make no mistake, the unicorns are more substantial than the turkeys of the   
   2000 tech bubble, such as Pets.com, which went bust ten months after its   
   IPO. Ride apps are more convenient than taxis, food delivery is lightning   
   quick, and streaming music is better than downloading files. Like Google   
   and Alibaba, the unicorns have large user bases. Their core businesses can   
   avoid owning physical assets by outsourcing their IT to cloud providers. As   
   IPO documents point out, their sales are growing fast...   
      
   [...]   
   https://www.economist.com/leaders/2019/04/17/techs-new-stars-have-it-all-except-a-path-to-high-profits   
      
   ------------------------------   
      
   Date: Mon, 22 Apr 2019 13:39:58 -0400   
   From: Gabe Goldberg    
   Subject: Silicon Valley Came to Kansas Schools. That Started a Rebellion   
     (NYTimes)   
      
   "We're allowing the computers to teach and the kids all looked like   
   zombies," said Tyson Koenig, a factory supervisor in McPherson, who visited   
   his son's fourth-grade class. In October, he pulled the 10-year-old out of   
   the school.   
      
   https://www.nytimes.com/2019/04/21/technology/silicon-valley-kansas-schools.html   
      
   ------------------------------   
      
   Date: Mon, 22 Apr 2019 12:17:12 -0700   
   From: Rob Slade    
   Subject: Domain transfer at gunpoint ... (CNN)   
      
   No, this is not the way to do a domain transfer ...   
   https://lite.cnn.io/en/article/h_f12d9a252633c427e47b1109a0af7d85   
      
   ------------------------------   
      
   Date: Fri, 19 Apr 2019 02:18:13 -0400   
   From: Monty Solomon    
   Subject: Battle for .amazon Domain Pits Retailer Against South American   
     Nations (E-Week)   
      
   https://www.eweek.com/security/oracle-patches-3-year-old-java-deserialization-flaw-in-april-update   
      
   ------------------------------   
      
   Date: Fri, 19 Apr 2019 11:51:36 +0800   
   From: Richard Stein    
   Subject: Should AI be used to catch shoplifters? (cnn.com)   
      
   https://edition.cnn.com/2019/04/18/business/ai-vaak-shoplifting/index.html   
      
   New artificial intelligence software is being used in Japan to monitor the   
   body language of shoppers and look for signs that they are planning to   
   shoplift.  "The software, which is made by a Tokyo startup called Vaak,   
   differs from similar products that work by matching faces to criminal   
   records.  Instead, VaakEye uses behavior to predict criminal action."   
      
     Perhaps a more effective use of AI would be to deter its own deployment?   
     Wait...that means AI needs common sense and contextual awareness to   
     ethically perceive and judge its own actions. No sense holding back the   
     kitchen sink from being thrown -- throw that too!   
      
      Risk: AI interpolation of human intent to shoplift.   
      
      Do these bits automatically summon authorities for a Slurpee takedown?   
      
   ------------------------------   
      
   Date: Sat, 20 Apr 2019 11:28:54 -0400   
   From: Charles Dunlop    
   Subject: Facebook Uses Mueller Report to Distract from Security Breach   
     (The Register)   
      
   It's common practice for organizations to release bad news at the end of a   
   week, hoping that it will be buried.  But Facebook hit a bonanza, when at   
   the end of this week the news focus was on the Mueller report.  See   
      
   https://www.theregister.co.uk/2019/04/18/facebook_instagram_passwords/   
      
   ------------------------------   
      
   Date: Fri, 19 Apr 2019 01:04:40 -0400   
   From: Gabe Goldberg    
   Subject: Facial Recognition in NYC (NYTimes)   
      
   Most people pass through some type of public space in their daily routine --   
   sidewalks, roads, train stations. Thousands walk through Bryant Park every   
   day.  But we generally think that a detailed log of our location, and a list   
   of the people we're with, is private. Facial recognition, applied to the web   
   of cameras that already exists in most cities, is a threat to that privacy.   
      
   https://www.nytimes.com/interactive/2019/04/16/opinion/facial-recognition-new-york-city.html   
      
   Privacy? How quaint.   
      
   ------------------------------   
      
   Date: Thu, 18 Apr 2019 21:40:21 -0700   
   From: Gene Wirchenko    
   Subject: An Interesting Juxtaposition in RISKS-31.18   
      
   RISKS-31.18 has an interesting juxtaposition of articles: "Not a burglar after   
   all" and "Computers Turn an Ear on New York City (Scientific American)".  In   
   the second article, what is going to be the authority for what sounds   
   represent?  The first article has a case of police officers not being able   
   to identify what sights and sounds represented.  They were concerned, and it   
   could have been a serious situation.   
      
   Misidentification could have severe consequences.  This could be similar to   
   GPSs.  Some are meant for general use and some for specific areas.  (An   
   example of this is truckers going through villages with roads ill-suited for   
   this because of the trucker using a run-of-the-garden GPS.  Or is that   
   run-through-the-garden?)   
      
   ------------------------------   
      
   Date: Mon, 14 Jan 2019 11:11:11 -0800   
   From: RISKS-request@csl.sri.com   
   Subject: Abridged info on RISKS (comp.risks)   
      
    The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is   
    comp.risks, the feed for which is donated by panix.com as of June 2011.   
   => SUBSCRIPTIONS: The mailman Web interface can be used directly to   
    subscribe and unsubscribe:   
      http://mls.csl.sri.com/mailman/listinfo/risks   
      
   => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that   
      includes the string `notsp'.  Otherwise your message may not be read.   
    *** This attention-string has never changed, but might if spammers use it.   
   => SPAM challenge-responses will not be honored.  Instead, use an alternative   
    address from which you never send mail where the address becomes public!   
   => The complete INFO file (submissions, default disclaimers, archive sites,   
    copyright policy, etc.) is online.   
         
    *** Contributors are assumed to have read the full info file for guidelines!   
      
   => OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's   
       searchable html archive at newcastle:   
     http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.   
     Also,  ftp://ftp.sri.com/risks for the current volume   
        or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume   
     If none of those work for you, the most recent issue is always at   
        http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00   
     Lindsay has also added to the Newcastle catless site a palmtop version   
     of the most recent RISKS issue and a WAP version that works for many but   
     not all telephones: http://catless.ncl.ac.uk/w/r   
     ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)   
    *** NOTE: If a cited URL fails, we do not try to update them.  Try   
     browsing on the keywords in the subject line or cited article leads.   
     Apologies for what Office365 and SafeLinks may have done to URLs.   
   ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:   
          
      
   ------------------------------   
      
   End of RISKS-FORUM Digest 31.20   
   ************************   
      
   --- GoldED+/LNX 1.1.5-b20180707   
    * Origin: Outpost BBS * Limestone, TN, USA (1:18/200)   
   SEEN-BY: 1/123 15/2 18/200 123/1970 226/17 229/107 200 354 426 452   
   SEEN-BY: 229/1014 240/5832 249/206 317 400 280/464 317/3 322/757 342/200   
   SEEN-BY: 393/68 633/280   
   PATH: 18/200 229/426   
      