RISKS Forum mailing list archives
Risks Digest 30.18
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 15 Mar 2017 11:58:26 PDT
RISKS-LIST: Risks-Forum Digest Wednesday 15 March 2017 Volume 30 : Issue 18 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/30.18> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Hacking Our Nuclear Weapons (Bruce G. Blair) Caveat Emptor Redux: vibrations are remotely tracked! (PGN) Malware found preinstalled on 38 Android phones used by 2 companies (Gabe Goldberg) Why is it so hard to trace an anonymous bomb threat? (The Verge) Secrecy surrounds White House cybersecurity staff shakeup (ZDNet) Scamville visit (WiReD via Gabe Goldberg) The night Zombie Smartphones Took Down 911 (Ryan Knutson) Police typo in IP address led to an innocent father's arrest for pedophilia (Matthew Champion) There's always a [mis]use case for data (Jeremy Epstein) FBI Director James Comey: "Americans have no right to expect absolute privacy" (CNN) Aging voting machines: an old risk (jared gottlieb) The World Wide Web's inventor warns it's in peril on 28th anniversary (Jon Swartz) 92% of Federal Sites Fail to Meet Security, Performance Standards (ITIF via Gabe Goldberg) Dangerous industrial robots (Nancy Leveson) AI's PR Problem (MIT Tech Review) These Adorable Robots are Roaming DC Streets with Food Inside (Patch via Gabe Goldberg) Consumer Reports Launches Digital Standard to Measure Privacy, Security (via Gabe Goldberg) Avast Cybercapture of personal files (Benoit Goas) Prominent English-language newspaper removed from Wikipedia (Mark Thorson) Re: Hinckley and Pres. Reagan, was: How the Secret Service Protects the President ... (danny burstein) Re: Science (Sue Willis, Gerrit Muller) Re: Google's anti-trolling AI can be defeated by typos (Dave Horsfall) Re: CRISPR assassinations (Robert R. Fenichel) Re: Hard Drive LED Allows Data Theft From Air-Gapped PCs (Kelly Bert Manning) Re: California Law Enforcement Union Sues To Block Police Accountability (Al (Sam Steingold) Re: Software Engineer detained by U.S. Customs (Kelly Bert Manning) Wheeler, David A" <dwheeler () ida org> Non-detachable "What-is-this" metadata should be included in information (David A Wheeler) Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking (Arthur Flatau) Risks of automated fast-food service (Paul Robinson) Re: The AI Threat Isn't Skynet (Chris Drewe) Re: Wired (John Alexander Stewart) GOP senators to let ISPs sell, without opt-out opportunity: your PII; geo travels; Web browsing data (Ars Tech) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 14 Mar 2017 10:12:13 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Hacking Our Nuclear Weapons (Bruce G. Blair) Bruce G. Blair, *The New York Times*, 14 Mar 2017) It is tempting for the United States to exploit its superiority in cyberwarfare to hobble the nuclear forces of North Korea or other opponents. As a new form of missile defense, cyberwarfare seems to offer the possibility of preventing nuclear strikes without the firing of a single nuclear warhead. But as with many things involving nuclear weaponry, escalation of this strategy has a downside: U.S. forces are also vulnerable to such attacks. The subtitle of this article is this: ``Loose security invites a cyberattack with possibly horrific consequences.'' The chickens are coming home to roost -- or is it the Russians and the Chinese who have been eating our lunch? RISKS readers know that nothing is secure enough, and that almost everything is vulnerable. Also, misinformation abounds to mask or otherwise obfuscate the truth. ------------------------------ Date: Tue, 14 Mar 2017 16:18:36 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Caveat Emptor Redux: vibrations are remotely tracked! http://www.npr.org/sections/thetwo-way/2017/03/14/520123490/vibrator-maker-to-pay-millions-over-claims-it-secretly-tracked-use http://ottawacitizen.com/business/local-business/lawsuit-over-internet-connected-sex-toys-settled-for-3-75-million-us [Several of you noted this egregious and flagrant privacy violation. Here's just one more example of trusting something that is inherently untrustworthy! PGN] ------------------------------ Date: Mon, 13 Mar 2017 19:15:46 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Malware found preinstalled on 38 Android phones used by 2 companies Interesting because these phones *come* with malware, aren't infected during use... https://arstechnica.com/security/2017/03/preinstalled-malware-targets-android-users-of-two-companies/ ------------------------------ Date: Wed, 15 Mar 2017 10:08:28 -0400 From: Monty Solomon <monty () roscom com> Subject: Why is it so hard to trace an anonymous bomb threat? (The Verge) http://www.theverge.com/2017/3/14/14913118/jcc-bomb-threats-anonymous-phone-calls-pdx-hacking ------------------------------ Date: Wed, 15 Mar 2017 12:31:23 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Secrecy surrounds White House cybersecurity staff shakeup The Chief Information Security Officer for the White House's Executive Office of the President has been removed from his position, sources have confirmed. Cory Louie was appointed to the position by former President Obama in 2015, charged with keeping safe the staff closest to the president -- including the president himself -- from cyber-threats posed by hackers and nation-state attackers. But circumstances surrounding his departure, weeks after President Donald Trump took office, remain unclear. It's thought he was either fired or asked to resign last Thursday evening, and he was escorted out from his office in the Eisenhower Executive Office Building across the street from the West Wing. http://www.zdnet.com/article/white-house-chief-information-security-officer-departs/ Brilliant, politicize cybersecurity. Meanwhile, Trump was given a new smartphone, a similar lock-down device that his predecessor had, but reportedly also uses his old, outdated Samsung Galaxy phone to tweet -- stirring frustration and mockery alike from security experts. ------------------------------ Date: Mon, 13 Mar 2017 18:35:27 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Scamville visit Listen to Tech Support Scam Calls That Bilk Victims Out of Millions https://www.wired.com/2017/03/listen-tech-support-scam-calls-bilk-millions-victims/ ------------------------------ Date: Sat, 4 Mar 2017 18:56:01 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: The night Zombie Smartphones Took Down 911 (Ryan Knutson) Ryan Knutson, *The Wall Street Journal*, 3 Mar 2017 https://www.wsj.com/articles/how-a-cyberattack-overwhelmed-the-911-system-1488554972 ------------------------------ Date: Mon, 13 Mar 2017 11:50:48 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Police typo in IP address led to an innocent father's arrest for pedophilia (Matthew Champion) This Is What It's Like To Be Wrongly Accused Of Being A Pedophile Because Of A Typo By Police Matthew Champion, *BuzzFeed*, Mar. 10, 2017, at 1:06 a.m. https://www.buzzfeed.com/matthewchampion/this-mans-life-was-destroyed-by-a-police-typo "[Nigel Lang] was told that when police requested details about an IP address connected to the sharing of indecent images of children, one extra keystroke was made by mistake, sending police to entirely the wrong physical location." ------------------------------ Date: Thu, 9 Mar 2017 08:28:02 -0500 From: Jeremy Epstein <jeremy.j.epstein () gmail com> Subject: There's always a [mis]use case for data In my work over the past few decades, I'm often asked when I suggest that a vulnerability might cause an unacceptable risk, "but *why* would someone want to do that". (I'm sure this happens to all of us in the security business.) And sometimes it's hard to identify a believable use case, and as a result the risk gets dismissed. It's frustrating, because I don't always have a crystal ball, but readers of this list know that almost anything good will also be used for evil at some point. And here's an example: the risk is that tracking data for wild animals frequently isn't encrypted. The initial response might be "so what", they don't have the same privacy concepts as people do. But it turns out that photographers are using the information to find & photograph the animals (which makes them less afraid of people), and poachers are using the information to find & kill the animals. The technical risks aren't surprising at all; the use case is what I found interesting. https://www.helpnetsecurity.com/2017/03/06/hack-animal-tracking-systems/ ------------------------------ Date: Thu, 9 Mar 2017 10:49:10 -1000 From: geoff goodfellow <geoff () iconia com> Subject: FBI Director James Comey: "Americans have no right to expect absolute privacy" FBI Director James Comey -- who has previously attacked Apple for refusing to create a weak version of iOS to allow government access to iPhones -- has said that Americans have no right to expect absolute privacy. *CNN* has a video clip of Comey making the statement yesterday at a Boston College conference on cybersecurity. ------------------------------ Date: Sun, 12 Mar 2017 13:53:22 -0600 From: jared gottlieb <jared () netspace net au> Subject: Aging voting machines: an old risk In recent years computer risk discussion about voting machines has focused on high-tech issues. A recent AP newswire item reminds us of an old risk -- obsolete media. States scramble for funding to upgrade aging voting machines http://bigstory.ap.org/article/0bd8b3ceec964c43865c726072eb6ac8/states-scramble-funding-upgrade-aging-voting-machines At least once a year, staffers in one of Texas' largest election offices scour the web for a relic from a bygone technology era: Zip disks. ... ------------------------------ Date: Sat, 11 Mar 2017 17:46:45 -1000 From: geoff goodfellow <geoff () iconia com> Subject: The World Wide Web's inventor warns it's in peril on 28th anniversary (Jon Swartz) Jon Swartz, USA Today, 11 Mar 2017 Tim Berners-Lee, who invented the World Wide Web, now wants to save it. The computer scientist who wrote the blueprint for what would become the World Wide Web 28 years ago today is alarmed at what has happened to it in the past year. "Over the past 12 months, I've become increasingly worried about three new trends, which I believe we must tackle in order for the web to fulfill its true potential as a tool which serves all of humanity," he said in a statement issued from London. He cited compromised personal data and fake news, which he says has "spread like wildfire." "Even in countries where we believe governments have citizens' best interests at heart, watching everyone, all the time is simply going too far," he said, in an allusion to WikiLeaks' disclosure of what documents claim is a vast CIA surveillance operation. "It creates a chilling effect on free speech and stops the web from being used as a space to explore important topics, like sensitive health issues, sexuality or religion." <http://www.usatoday.com/story/news/2017/03/07/11-tools-tricks-and-hacks-cia-leak-target-users/98867416/> <https://motherboard.vice.com/en_us/article/chilling-effect-of-mass-surveillance-is-silencing-dissent-online-study-says> When Berners-Lee submitted his original proposal for the Web, he imagined it as an open platform that would allow everyone, everywhere to share information, access opportunities and collaborate across geographic and cultural boundaries. But his faith, and those of privacy advocates and cybersecurity experts, has been badly shaken by a series of high-profile hacks and the dissemination of fake news through the use of data science and armies of bots. <http://www.usatoday.com/story/tech/talkingtech/2017/03/11/carl-bernstein-fake-news-cnn-sxsw/99058792/> Front and center: The WikiLeaks bombshell. The treasure trove of more than 8,000 pages reads like a John Le Carre spy novel overrun with Edward Snowden-like protagonists. The CIA, with sophisticated hacking tools, has been angling to turn popular consumer devices such as iPhones, Samsung TVs and Android smartphones into surveillance devices, the documents indicate. <http://www.usatoday.com/story/tech/talkingtech/2017/03/11/how-keep-safe-digitally-wikileaks-age/99020126/>, Imagine that Big Brother scenario extended to the millions of smart devices such as digital thermostats and fire alarms feeding the Internet of Things ecosystem, and you have a problem that could eviscerate the privacy of billions of people, say security experts. Berners-Lee is just the latest high-profile technologist to share concerns over what former Cisco Systems executive Monique Morrow calls a fundamental assault on privacy and cybersecurity, with critical infrastructure -- banking systems, the grid -- hanging in the balance. "How do we use technology responsibly?" she asked at a SXSW talk in Austin Saturday... http://www.usatoday.com/story/tech/news/2017/03/11/world-wide-webs-inventor-warns-s-peril/99005906/ ------------------------------ Date: Thu, 9 Mar 2017 16:58:50 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: 92% of Federal Sites Fail to Meet Security, Performance Standards Washington, DC -- A staggering 92% of federal government website fail to meet basic standards for security, speed, mobile friendliness or accessibility, according to a new study by the DC-based *Information Technology and Innovation Foundation (ITIF)*, an independent research and educational institute. To reach that figure, co-authors *Alan McQuinn *and*Daniel Castro* analyzed 297 of the most popular federal sites -- including all U.S. government websites in the top 1 million globally -- assessing their security, speed, mobile friendliness and accessibility. In addition to scoring them in each of these areas, the authors ranked them using a composite score to give an overall view of how well the most popular sites adhere to federal requirements and industry best practices. The five highest-performing websites included healthdata.gov, healthfinder.gov, consumerfinance.gov, whitehouse.gov (*Trump* administration) and usembassy.gov, while the five worst were usphs.gov, fmc.gov, osti.gov, trade.gov and ipcc-wg2.gov. "Despite years of progress in digital government, a striking number of federal websites do not even meet many of the U.S. government's own requirements, let alone private-sector best practices," said McQuinn. "Considering that many constituents rely on federal websites to interact with government, it is incumbent upon the new administration, supported by *Congress*, to make websites more convenient, accessible and secure." https://itif.org/publications/2017/03/08/92-percent-most-popular-federal-government-websites-fail-meet-basic <http://m1e.net/c?47971208-AcY751vibl2Jo%40389518396-VXriqdFjt3Qsg> ------------------------------ Date: Tue, 14 Mar 2017 10:03:17 -0400 From: Nancy Leveson Subject: Dangerous industrial robots A rogue robot is blamed for a human colleague's gruesome death. https://qz.com/931304/a-robot-is-blamed-in-death-of-a-maintenance-technician-at-ventra-ionia-main-in-michigan/?utm_source=qzfb Usually when people worry about machines and work, they are concerned that automation will take away their livelihoods, not their lives. But a new lawsuit claiming a rogue robot is responsible for killing a human colleague reveals additional nightmarish possibilities. In July 2015, Wanda Holbrook, a maintenance technician performing routine duties on an assembly line at Ventra Ionia Main, an auto-parts maker in Ionia, Michigan, was ``trapped by robotic machinery'' and crushed to death. On March 7, her husband, William Holbrook, filed a wrongful death complaint in Michigan federal court, naming five North American robotics companies involved in engineering and integrating the machines and parts used at the plant: Prodomax, Flex-N-Gate, FANUC, Nachi, and Lincoln Electric. Holbrook's job involved keeping robots in working order. She routinely inspected and adjusted processes on the assembly line at Ventra, which makes bumpers and trailer hitches. One day, Holbrook was performing her regular duties when a machine acted very irregularly, according to the lawsuit reported in Courthouse News. Holbrook was in the plant's six-cell 100 section when a robot unexpectedly activated, taking her by surprise. The cells are separated by safety doors and the robot should not have been able to move. But it somehow reached Holbrook, and was intent on loading a trailer-hitch assembly part right where she stood over a similar part in another cell. The machine loaded the hardware onto Holbrook's head. She was unable to escape, and her skull was crushed. Co-workers who eventually noticed that something seemed amiss found Holbrook dead. ``The robot from section 130 should have never entered section 140, and should have never attempted to load a hitch assembly within a fixture that was already loaded with a hitch assembly. A failure of one or more of defendants' safety systems or devices had taken place, causing Wanda's death,'' the lawsuit alleges. William Holbrook seeks an unspecified amount of damages, arguing that before her gruesome death, his wife ``suffered tremendous fright, shock and conscious pain and suffering.'' He also names three of the defendants -- FANUC, Nachi, and Lincoln Electric -- in two additional claims of product liability and breach of implied warranty. He argues that the robots, tools, controllers, and associated parts were not properly designed, manufactured or tested, and not fit for use. ``At all relevant times, technically feasible alternative design and engineering practices were available that could have prevented the harm without significantly impairing the usefulness or desirability of the automation system to users and without creating equal or greater risk of harm to others,'' Holbrook's family argues. According to the US Department of Labor's Occupation Safety and Health Administration, robots are ``generally used to perform unsafe, hazardous, highly repetitive, and unpleasant tasks.'' But despite any potential safety advantages, OSHA writes, ``studies indicate that many robot accidents occur during non-routine operating conditions, such as programming, maintenance, testing, setup, or adjustment. During many of these operations the worker may temporarily be within the robot's working envelope where unintended operations could result in injuries.'' ------------------------------ Date: Sun, 12 Mar 2017 14:21:56 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: AI's PR Problem (MIT Tech Review) via NNSquad https://www.technologyreview.com/s/603761/ais-pr-problem/ Artificial intelligence, it seems, has a PR problem. While it's true that today's machines can credibly perform many tasks (playing chess, driving cars) that were once reserved for humans, that doesn't mean that the machines are growing more intelligent and ambitious. It just means they're doing what we built them to do. The robots may be coming, but they are not coming for us--because there is no "they." Machines are not people, and there's no persuasive evidence that they are on a path toward sentience. ------------------------------ Date: Thu, 9 Mar 2017 18:01:32 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: These Adorable Robots are Roaming DC Streets with Food Inside WASHINGTON, DC â Food delivery app Postmates officially rolled out a fleet of delivery robots in D.C. created by Starship Technologies on Wednesday, and they're something to behold. The group of 20 robots will make trips off less than a mile in the Georgetown and 14th Street corridor areas, according to a Washingtonian report, which notes that the service is likely to expand to more neighborhoods later. If a Postmates user orders some items from a nearby store, the vendor gets a notification and a robot is sent to a nearby designated hub. The vendor puts the goods in the bag, which is temperature-controlled and sealed, and then the bot wheels its way to the customer. The customer is given a code that is necessary to open the container. http://patch.com/district-columbia/washingtondc/these-adorable-robots-are-roaming-dc-streets-food-inside-video That's 20 ... 19 ... 18 ... etc. robots making deliveries while the others appear on milk cartons' "Have you seen this robot?" appeals. ------------------------------ Date: Mon, 6 Mar 2017 17:47:52 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Consumer Reports Launches Digital Standard to Measure Privacy, Security Washington, DC -- *Consumer Reports* said Monday is will begin evaluating products, apps and services based on their privacy and data security. Developed in partnership with several privacy, security and consumer rights organizations, including DC-based nonprofit *Ranking Digital Rights*, the publication said it will use the new standard to evaluate connected products such as baby monitors, security cameras, routers and even cars. The standard asks companies to require consumers to create unique usernames and passwords for Internet-connected devices. It also calls on them to delete consumer data from their servers upon request, encrypt personal data and be transparent about how personal information is shared with other companies. "Our research shows that users lack adequate information about how companies' policies and practices affect their privacy, security and other rights like freedom of expression," said *Rebecca MacKinnon*, the director of Ranking Digital Rights. "We believe that this effort can help people make more informed decisions about how they use technology. We also believe that the digital standard will help companies do a better job of protecting and respecting users' rights." The initial version of the standard, is available at the top link below. https://thedigitalstandard.org <http://m1e.net/c?47971208-Hj1MQUH6fvTAQ%40389487218-Jc9u5tYJ5ih/Y> http://www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-products-services-for-privacy-and-data-security/ <http://m1e.net/c?47971208-wLfA8BzTasINw%40389487223-YAlUG.JFB5pQc> ------------------------------ Date: Tue, 7 Mar 2017 18:44:58 +0100 From: Benoit Goas <goasben () hawk iit edu> Subject: Avast Cybercapture of personal files I just downloaded a set of (obviously personal) medical images from an imaging lab, which allows downloads only as executable zip file (their website runs only with silverlight, but that's not the main issue). As indicated on https://blog.avast.com/cybercapture-protection-against-zero-second-attacks, since around mid 2016 Avast antivirus has a new function to protect our computers against "zero second attacks". So it saw my download of an executable file, and sent it to their cloud as it was a "very rare program file" that they "needed to study". Indeed, my personal medical images are quite unique! But I didn't expect them to be sent anywhere, especially without asking me. So I now disabled that option, but some problems were: - letting my computer auto update without knowing what it's adding (lots of auto updates are running...) - automatically sending personal files outside of private computers without asking first - hence "forcing" me to disable that feature that could protect me another day - making us download executable files to begin with, to just send us a compressed folder - not giving any option to contact the software provider, as it appears that part of the company no longer exists (and I'm sure the imaging place wouldn't care, as it's a nice service they provide, and can't change the tools) - Forgetting to put a correct title to this email and either being flagged as spam or being delivered twice (in that case, sorry!) And probably more... Best regards, B. GOAS ------------------------------ Date: Sat, 4 Mar 2017 14:02:54 -0800 From: Mark Thorson <eee () sonic net> Subject: Prominent English-language newspaper removed from Wikipedia No longer considered a reliable source for citations. On the one hand, I consider the Daily Mail to be poorly sourced, poorly written, and poorly edited, but not much more so than many other more-respected newspapers. This treatment, if true, seems harsh. http://www.dailymail.co.uk/news/article-4280502 ------------------------------ Date: Sat, 4 Mar 2017 15:24:11 -0500 (EST) From: danny burstein <dannyb () panix com> Subject: Re: Hinckley and Pres. Reagan, was: How the Secret Service Protects the President ... (Goldberg, RISKS-30.17)
When it comes to protection, there is danger from lone lunatics like John Hinckley Jr., who tried to shoot President Ronald Reagan but was foiled as brave Secret Service agents used their bodies to block bullets.
Not quite. Those of us of a certain age recall that Hinckley did, in fact, shoot and seriously wound the President, did critical damage to James Brady, and also injured Secret Service agent Timothy McCarthy and Police Officer Thomas Delahanty. ------------------------------ Date: Sat, 4 Mar 2017 20:34:15 +0000 (UTC) From: Sue Willis <uusuzanne () yahoo com> Subject: Re: Science (RISKS-30.16)
My beef with the modern Science world is that so much scientific stuff is written in the third person. ...
I agree. When I was a graduate student, and our group was publishing my dissertation research, we wrote our abstract in the first person (plural, since there were a bunch of us). It was rewritten by the journal editors in the third person. The article itself was left in the first person, thank goodness. This was Physics Review Letters in the late 1970s. ------------------------------ Date: Sun, 5 Mar 2017 09:55:51 +0100 From: Gerrit Muller <gerrit.muller () gmail com> Subject: Re: Science (Wols Lists, RISKS-30.17) Problem is that current scientific mores forbids the use of the first person (single and plural), and promotes passive voice. The reason that people give for these rules is that this makes the paper more objective. Others tell me that journal guidelines from a.o. IEEE prescribe this style. As Wols Lists explains, the opposite is happening: the source of the statement or the person(s) taking the action are obfuscated. When instructing and supervising students, I explain the use of active and passive voice to them. I provide them with a few links: See http://writingcenter.unc.edu/handouts/passive-voice/, https://owl.english.purdue.edu/owl/owlprint/539/ , and http://www.whitesmoke.com/passive-voice-in-english. These links explicitly explain that writers in general should avoid passive voice. However, there are circumstances in which the use of passive voice is OK. The Purdue guidelines state, ``Passive voice makes sense when the agent performing the action is obvious, unimportant, or unknown or when a writer wishes to postpone mentioning the agent until the last part of the sentence or to avoid mentioning the agent at all. The passive voice is effective in such circumstances because it highlights the action and what is acted upon rather than the agent performing the action.'' In addition, they state ``Don't trust the grammar-checking programs in word-processing software. Many grammar checkers flag all passive constructions, but you may want to keep some that are flagged. Trust your judgment, or ask another human being for their opinion about which sentence sounds best.'' What is really worrisome is that academics do not question these rules and apparently prefer a false sense of objectivity. ------------------------------ Date: Sun, 5 Mar 2017 08:12:53 +1100 (EST) From: Dave Horsfall <dave () horsfall org> Subject: Re: Google's anti-trolling AI can be defeated by typos Lauren Weinstein writes that anti-troll measures can be defeated by unusual punctuation and deliberate misspellings etc. Spammers have been using this technique for years in order to defeat body filters, so it was only a matter of time before another class of abusers caught up. ------------------------------ Date: Sat, 04 Mar 2017 13:49:39 -0800 From: "Robert R. Fenichel" <bob () fenichel net> Subject: Re: CRISPR assassinations (RISKS 30.17) DNA-selective biowarfare vectors are not a new idea. They were the central gimmick of Vector, a novel (ISBN 0-312-94446-2) by Rob Swigart published in 1986. ------------------------------ Date: Sat, 4 Mar 2017 17:13:15 -0500 (EST) From: Kelly Bert Manning <Kelly.Manning () ncf ca> Subject: Re: Hard Drive LED Allows Data Theft From Air-Gapped PCs This reminds me of claims that data could be captured by monitoring the blinking of the data light on a stand alone modem. Good luck with that at 56 kbps. I had a hard time getting useful information about data rates and file sizes from the linked video. The text portion of the article gave a rate of 4800 bps with a range of 10 meters. 1. First you have to infect the target ted computer. OK, that is a challenge, but it is done millions of times each year, so assume that is doable. https://www.statista.com/statistics/266169/highest-malware-infection-rate-countries/ 2. Next you have to get something that can detect the transmission within 10 meters, without being noticed. You also rely on the indicator being oriented toward a window that is not covered with a blind, curtain, or aluminized sun / heat reflective coating. Good Luck with that, but assume you did it somehow, perhaps by compromising a phone with a camera, or you rely on another data link, or the drone version of tapes in a station wagon or optical disks in a bike courier satchel to retrieve it. 3. Once you do that, assuming that no other disk activity or indicator flashing is happening, you are running at 1988 V.27ter dial up speeds. How nostalgic, but given the time and other constraints not a lot of use of anything beyond log in IDs, passwords or small text files. If there is other activity your data rate goes down and you need trellis parity or other fault detection and recovery methods that eat up your useful data rate. What is the maximum blink rate of a typical modem or disk LED? http://www.instructables.com/community/anyone-know-the-maximum-flash-rate-of-an-LED/ http://electronics.stackexchange.com/questions/118141/high-frequency-blinking-leds-and-sensor-for-that Can the exposure be overcome by using a phosphor to smooth out the sharp transitions? Phosphors are commonly used in "white" LEDs, to down convert blue or UV wavelengths. The human eye can only detect blinks of 30 Hz, and with a disk activity LED you would probably want the activity rate to be exaggerated by prolonging the pulse length, to make activity easier to notice. I have good ears, despite my 6 decades, and rely on sound to tell me when Microsoft, McAfee, ... has decided to start hitting my disks with high disk head movement rates. ------------------------------ Date: Tue, 07 Mar 2017 14:10:49 -0500 From: Sam Steingold <sds () gnu org> Subject: Re: California Law Enforcement Union Sues To Block Police Accountability (Al Mac, RISKS-30.17)
300 deputies who have a history of past misconduct -- such as domestic violence, theft, bribery and brutality The 300 persons are about 3% of the total 9,100 force.
I wonder what percentage of the general population has such "past misconduct". ------------------------------ Date: Sat, 4 Mar 2017 17:26:10 -0500 (EST) From: Kelly Bert Manning <Kelly.Manning () ncf ca> Subject: Re: Software Engineer detained by U.S. Customs At least he was only delayed and subjected to inane questions. Worse things have happened. The ordeal of Telecommunications Engineer and college Prof Maher Arar is a cautionary tale. https://en.wikipedia.org/wiki/Maher_Arar http://www.theglobeandmail.com/news/national/how-canada-failed-citizen-maher-arar/article1103562/?page=all This type of inane question harassment is not confined to engineers. USA tax dollars at work providing Security Theatre. http://www.theglobeandmail.com/news/world/boxing-legend-muhammad-alis-son-detained-at-florida-airport-asked-are-you-muslim/article34137579/ https://en.wikipedia.org/wiki/Security_theater https://www.ted.com/talks/bruce_schneier ------------------------------ Date: Mon, 6 Mar 2017 11:48:41 -0500 From: "Wheeler, David A" <dwheeler () ida org> Subject: Non-detachable "What-is-this" metadata should be included in information Was: Oscars screwup Dan Skwire:
And are they the ones who stuff the envelopes? Probably not. So who is
legally "liable" for the damages to the Academy Awards show? Were there any "damages" at all? Was there economic loss of any sort or is there a net gain because more people will watch next year, hoping for a similar car crash? When if matters, I think answers (e.g., to queries) should include "what-is-this" metadata, and ideally that metadata should be non-detachable from the answer. In this case, since envelopes can be mis-stuffed, the internal letter should have said something like "2017 Oscars - Best Picture" at the top, followed by the answer. In HTML, JSON, or XML, you can easily insert the original or "what this is" as part of the response. Including this metadata would reduce the risk of misinterpreting received data. Just receiving an answer isn't enough - was that the answer to the question I expected? Many science fiction stories hinge in part on the misinterpretation of received data and/or disconnecting the question from the answer (including WarGames, Ender's Game, The Matrix, and The Hitchhiker's Guide to the Galaxy' s "42"). I haven't seen that as a generally-recommended good practice... but maybe it should be. [Just a little stronger typing of the award category might have helped sort this one out. PGN] ------------------------------ Date: Mon, 6 Mar 2017 15:14:49 -0600 From: Arthur Flatau <flataua () acm org> Subject: Re: A warning from Bill Gates, Elon Musk, and Stephen Hawking (Larson, RISKS-30.17) I do believe that many lower skilled jobs will disappear because of automation. However I believe that it will be quite a bit more difficult to get rid of some of these jobs quickly. Witness the self-checkout lanes at many grocery and other stores. These have been ubiquitous for at least 10 years, but at most stores, most checkout lines are human staffed. While I hesitate to speak for everyone, I only use them when the lines at the human staffed checkout lanes are long. There is no doubt that the self-checkout procedure is significantly longer than the human staffed ones. The only reason to use them is it is often the case that the lines to get checkout are shorter for self-checkout so that the total time to get out the door is (hopefully) shorter. The self-checkout procedure is longer, largely because the store management seems to trust their employees more than their customers. Self-checkout requires you to place your items on the carousal to be weighed to verify that the are (likely) the items you scanned. ------------------------------ Date: Sun, 5 Mar 2017 07:05:02 +0000 (UTC) From: Paul Robinson <paul () paul-robinson us> Subject: Risks of automated fast-food service In 1985, Harry Harrison wrote "A Stainless Steel Rat is Born." The title character -- Jim DiGriz -- wants to become a master criminal because life on his home planet is boring. So he arranges to break the planet's greatest criminal out of jail. They escape to hide out in the storage area of a completely automated fast-food restaurant where the only person ever there is the once-a-week refill truck operator, from whom they have a system to hide while he is restocking. The customers order food in the main order area (or presumably at the drive through), the items are combined automatically, flash cooked, set on the tray, and once payment is received is delivered to the customer all automatically. There are no employees on site, ever. An automated robot cleans the place at various times. When I was reading this I realized that the reason it wasn't done in our world was that it was too expensive to automate or it was not possible to automate the tasks involved in the preparation of food. Twenty-one years later that's not so true and the problem is existing restaurants probably can't be converted economically to fully automated operations. But that doesn't mean someone can't eventually run the numbers and figure out when it would be cheaper to build a fully-automated restaurant, I'm guessing that the long-term cost of automation vs. employees currently makes using people cheaper. But if a science fiction writer could see it just over 20 years ago, how long before some new entrepreneur sees it and discovers long term that constructing a new restaurant for full unattended operation makes financial sense over the hassles and expense of having employees? Meanwhile, in the story, Jim orders some food through the maintenance console, then, even though it's in front of him and he could have just taken it without paying, deposits funds in the cashier slot like any other customer. His mentor is shocked, wondering if Jim - a master thief - has had an attack of conscience. Jim explains he isn't honest, just pragmatic. "The accounting for food here measures everything used and delivered. The totals must be exactly right, balanced to the last gram of food and fraction of a Galactic Credit, or someone will come check to see why. When we're ready to leave, then it's safe for me to not pay for our food, and to rob the cash box and safe on the way out." Clearly, Jim DiGriz understood the risks of drawing attention when you don't want it. ------------------------------ Date: Mon, 06 Mar 2017 21:50:53 +0000 From: Chris Drewe <e767pmk () yahoo co uk> Subject: Re: The AI Threat Isn't Skynet (RISKS-30.17) This seems to assume that there's a fixed amount of work which can either be done by humans or automation. As an alternative, just think back to the 1980s; if governments had decided that desk-top computers and the Internet were a threat to the employment of secretaries, typists, filing clerks, mailmen, etc. and thus had banned them or taxed them highly, then there would now be more of these jobs around, *but* many of today's jobs and business opportunities wouldn't exist without the World-Wide Web and the dotcom revolution.
I'm genuinely worried it will end with a lot of people starving.
As I've posted here before with some hyperbole, in the UK a lifetime on welfare is a not-unknown career choice, but the Government needs the tax revenues from business activity to fund the welfare bill. (As it happens, at the moment unemployment is low in the UK, the concern is poor productivity.) My worry is that if politicians try to control technological developments such as AI, we'll end up with a planned economy like Cuba. ------------------------------ Date: Tue, 7 Mar 2017 17:56:09 -0500 From: John Alexander Stewart <ivatt260 () gmail com> Subject: Re: Wired (Spencer, RISKS-30.17)
"The web becomes unusable if to read, say, 45K of text, your browser attempts to fetch 2M or more of assorted javascript, video, cycling image sequences and more."
It is even worse than that - I worked in a site where, one task (which I failed at) was to write a white paper on how to reduce signaling for conservation of RF-transmitted data. I took the approach that the major bandwidth waster was all the "tracking and cruft", with about 80% of the bandwidth lost, but the recipient was more interested in the wireless protocols, not HTML (etc) data. Oh well... I had fun researching HTML cruft... ------------------------------ Date: Wed, 8 Mar 2017 12:36:46 -0600 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: GOP senators to let ISPs sell, without opt-out opportunity: your PII; geo travels; Web browsing data (Ars Tech) GOP senators' new bill would let ISPs sell your Web browsing data Senate resolution would throw out FCC's entire privacy rulemaking. Mar 8, 2017 Republican senators introduced legislation that would overturn new privacy rules for Internet service providers. If the Federal Communications Commission rules are eliminated, ISPs would not have to get consumers' explicit consent before selling or sharing Web browsing data and other private information with advertisers and other third parties. [...] [As usual, the legislation does one thing, while the legislators paint a confusing different story.] The FCC privacy order had several major components. The requirement to get the opt-in consent of consumers before sharing information covered geo-location data, financial and health information, children's information, Social Security numbers, Web browsing history, app usage history, and the content of communications. This requirement is supposed to take effect on December 4, 2017. Flake's co-sponsors are US Sens. John Barrasso (R-Wyo.), Roy Blunt (R-Mo.), John Boozman (R-Ark.), Shelly Moore Capito (R-W.Va.), Thad Cochran (R-Miss.), John Cornyn (R-Texas), Tom Cotton (R-Ark.), Ted Cruz (R-Texas), Deb Fischer (R-Neb.), Orrin Hatch (R-Utah), Dean Heller (R-Nev.), James Inhofe (R-Okla.), Ron Johnson (R-Wisc.), Mike Lee (R-Utah), Rand Paul (R-Ky.), Pat Roberts (R-Kan.), Marco Rubio (R-Fla.), Richard Shelby (R-Ala.), Dan Sullivan (R-Ark.), John Thune (R-S.D.), Roger Wicker (R-Miss.), Ron Johnson (R-Wisc.), and Jerry Moran (R-Kan.). Democratic senators support consumer privacy protections US Sen. Brian Schatz (D-Hawaii) blasted Flake's proposal. "If this [resolution] is passed, neither the FCC nor the FTC will have clear authority when it comes to how Internet service providers protect consumers' data privacy and security," Schatz said in a statement issued yesterday. "Regardless of politics, allowing ISPs to operate in a rule-free zone without any government oversight is reckless." Sen. Edward Markey (D-Mass.) offered similar criticism. "Big broadband barons and their Republican allies want to turn the telecommunications marketplace into a Wild West where consumers are held captive with no defense against abusive invasions of their privacy by internet service providers," Markey said. "Consumers will have no ability to stop Internet service providers from invading their privacy and selling sensitive information about their health, finances, and children to advertisers, insurers, data brokers or others who can profit off of this personal information, all without their affirmative consent." https://arstechnica.com/tech-policy/2017/03/gop-senators-new-bill-would-let-isps-sell-your-web-browsing-data/ ------------------------------ Date: Tue, 10 Jan 2017 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) <http://the.wiretapped.net/security/info/textfiles/risks-digest/> *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 30.18 ************************
Current thread:
- Risks Digest 30.18 RISKS List Owner (Mar 15)