RISKS Forum mailing list archives

Risks Digest 30.53


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 18 Jan 2018 11:54:05 PST

RISKS-LIST: Risks-Forum Digest  Thursday 18 January 2018  Volume 30 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.53>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Once again, heavily backlogged elsewise and RISKS-wise.]
Are Implanted Medical Devices Creating A 'Danger Within Us'? (NPR via
  Richard M Stein)
Russia admits $45m satellite launch failed because programmers put in
  co-ordinates for the WRONG launch site (Daily Mail)
Phoenix Pay System Disaster Continues (John C. Bauer)
Ernst & Young report on Vancouver Island iHealth project mismanagement
  (Kelly Bert Manning)
Erie, PA household electric bill for US$ 284B (WashPo)
Programming error results in too many winning lottery tickets (The State
  via Steve Golson)
500 rupees, 10 minutes, and you have access to billion Aadhaar details
  (The Tribune India via Prashanth Mundkur)
Massive security breach in India (Mark Thorson)
Who's liable in driverless train accident? (The Straits Times)
"LA-Tokyo flight turns back after passenger 'boards with wrong ticket'"
  (BBC)
Rise of the Robo-Judge (Dan Jacobson)
Hawaiian False Missile Alert Command Confirmation Bias Strikes Again
  (NYTimes et al.)
War Risk 2018 with North Korea (Rob Wilcox)
Drones keep entering no-fly zones over Washington, raising security concerns
  (WashPo)
What Happens If Russia Attacks Undersea Internet Cables (WiReD)
New Rules Announced for Border Inspection of Electronic Devices
  (Gabe Goldberg)
Is the Answer to Phone Addiction a Worse Phone? (NYTimes)
Apple said a software problem caused its heating system to break, which
  caused icicles to form on the roof of its Chicago store (Gabe Goldberg)
Meltdown/Spectre/GoogleZero (The Verge)
Microsoft's patches brick AMD PCs (Money via Barry Gold)
Antivirus: the perfect spying tool!! (Nicole Perlroth)
Infected USB sticks handed out at security conference (Taipei Times)
Cybersecurity in self-driving cars: University of Michigan releases threat
  identification tool (Mike Chinni)
BlackBerry Jarvis Checks Autonomous Car Software for Security Flaws
  (EWeek)
Firms buy insurance 'in mad panic' as cyber-attacks soar (BBC)
Health Care Is Hemorrhaging Data. AI Is Here to Help (WiReD)
Romanian Hackers Compromised DC Security Cameras Prior to
  Inauguration (TRK)
Indiana Hospital Hacked for Ransom: An Argument for Decentralized Data
  (Dan Jacobson)
Chanticleer to use blockchain for its rewards program (Gabe Goldberg)
How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com
  (Dan Jacobson)
Egypt's grand mufti says bitcoin 'forbidden' by Islam (The Times of Israel)
How The Banks Bought Bitcoin (Lightning Network)
Your Mother's Maiden Name Is Not a Secret (NYTimes)
Risks of not using a bookstore? (Newsweek)
Why you'll fire Siri and do the job yourself (ComputerWorld)
Always allow removing comments (Dan Jacobson)
Five copyright claims against youtube video of white noise (BBC via
  Mark Thorson)
The Geography of Risks (Spencer Cheng)
How Adding Accelerometers to Keys Will Thwart Car Thieves (IEEE Spectrum)
Re: The Unstoppable Momentum of Self-Driving Cars (Amos Shapir)
Re: Vehicle Satellite Navigation (Chris Drewe)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 18 Jan 2018 11:07:56 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Are Implanted Medical Devices Creating A 'Danger Within Us'? (NPR)

https://www.npr.org/2018/01/17/578562873/are-implanted-medical-devices-creating-a-danger-within-us

  LENZER: "So I went back to the FDA certain the company was going to get
  slammed. I mean, here it is. Here's a device on the market over a decade
  after it was approved, and yet, they'd never done a study looking at
  deaths, nor would they release the death data. And when I brought all this
  to the FDA, the FDA said, it's safe. And I said, how can you say it's safe
  when we don't have death data? And their answer -- and I have it in
  writing -- is we never asked the company to count the number of deaths. We
  only asked them to characterize death."

This NPR interview reveals many worrisome issues, including corporate
control fraud and an apparent failure to incorporate lessons learned for
public safety benefit. Worth a read for anyone who has an implantable
device, is contemplating implantation, or knows someone who has one. Given
the "free market" regulatory structure for implantables -- in the US at
least -- there is little cause for manufacturers to be concerned about
selling 'high risk' devices which induce fatalities.  Caveat emptor.

  "DAVIES: You know, most of us ordinary patients in the world aren't going
  to do research about medical devices, right? We're going to trust doctors
  to know what works and what is safe. Broadly speaking, should we?

  LENZER: "This is a terrific problem. I mean, I have a medical device
  implanted. I'm very happy with it, but I got to confess. I didn't research
  it because the truth is we are dependent on the research that comes out of
  these companies. And that's where I wanted to alert the public that we
  need to make some structural changes so that we can trust these devices.
  As you said, we can't individually research them because we don't have the
  capability to do it. Even if we read the studies that are released, we
  don't know that we can trust them.

  "And I'll give you two examples of just how difficult the situation is.
  One of the people I talk about in the book is a man who was harmed by a
  hip implant. Well, it turns out that man is also an orthopedic surgeon who
  specializes in hip replacements, and yet he landed up being poisoned by
  his hip implant from cobalt that leaked out of the hip and destroyed his
  muscles and tissues and even caused some degree of heart damage.

  "Another example is a Medtronic executive that I report on who had a
  Medtronic device implanted in her spine and suffered just terribly
  disabling and painful effects from that device. So even people who are
  insiders and who should know don't really know."

The FDA's MAUDE (Manufacturer and User Facility Device Experience) database
apparently documents only 1% of historical events attributed to implantable
device incidents.
<https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.CFM>

  LENZER: "Well, first of all, there's a study showing that only about 1
  percent of all serious adverse events make it into the FDA's adverse event
  database. And something that really surprised me was, it turns out that
  the more serious the event was, the less likely it was to be reported.
  Manufacturers are supposed to report these adverse events. And there is
  some leeway granted to them about determining whether the device event was
  related or not to the device.

  "So, you know, sometimes people cough and sneeze when they have a device.
  It doesn't mean the device caused it. The problem is is that there's no
  independent party assessing whether these problems are related to the
  device or not. So leaving that decision to the company presents a real
  conflict of interest."

The MAUDE page states, "Each year, the FDA receives several hundred
thousand medical device reports (MDRs) of suspected device-associated
deaths, serious injuries and malfunctions. The FDA uses MDRs to monitor
device performance, detect potential device-related safety issues, and
contribute to benefit-risk assessments of these products. The MAUDE
database houses MDRs submitted to the FDA by mandatory reporters
(manufacturers, importers and device user facilities) and voluntary
reporters such as health care professionals, patients and consumers."
MAUDE only retains reports for the previous 10 years.

    [There was also a recent article in The Townsend Letter this month,
    relating to severe metal toxicity in hip replacements.  PGN]

------------------------------

Date: Wed, 27 Dec 2017 11:57:04 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Russia admits $45m satellite launch failed because programmers put in
 co-ordinates for the WRONG launch site (Daily Mail)

http://www.dailymail.co.uk/sciencetech/article-5215871/Russia-says-satellite-launch-failure-programming-error.html

------------------------------

Date: Tue, 02 Jan 2018 17:12:17 -0500
From: "John C. Bauer" <johncbauer.xx () gmail com>
Subject: Phoenix Pay System Disaster Continues

The problems with the Canadian federal government's Phoenix pay system are
continuing apace.

The system is outlined and its problems were originally noted at:

http://catless.ncl.ac.uk/Risks/29/76#subj10.1

Things have gotten worse since the September 2016 post.  The system now
contains 589,000 unresolved pay problems with an average resolution time of
three months.  The number of problems is up from a previous number of
520,000.  Evidently half of all payments issued are incorrect.

The estimated cost of "fixing" the system is now at $600M, up from an
estimate of $25M in August of 2016, and still rising.

http://nationalpost.com/opinion/john-ivison-the-phoenix-fiasco-isnt-shocking-government-is-just-not-very-good-at-doing-things

Perhaps it is time to change "too big to fail" to "big enough to guarantee
failure".  On the other hand the wholesale condemnation of government in the
above article containing the facts quoted can be seen as being over the top.

  [The Phoenix was known to rise from its ashes.
  One wonders whether the name was chosen wisely or serendipitously.  PGN]

------------------------------

Date: Sat, 13 Jan 2018 13:25:57 -0500 (EST)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Ernst & Young report on Vancouver Island iHealth project
  mismanagement

A new Ernst & Young report has been prepared about the failed iHealth
Electronic Records project at Nanaimo General Hospital. Direction of the
project has been taken away from the Hospital and roll out to other
Hospitals on Vancouver Island has been suspended until existing problems are
fixed, if possible.

http://www.timescolonist.com/news/local/nanaimo-electronic-health-records-mismanaged-report-says-1.23143541
https://news.gov.bc.ca/releases/2018HLTH0003-000038
https://vancouverisland.ctvnews.ca/nanaimo-electronic-health-records-system-over-budget-mismanaged-report-1.3757733

"It confirmed that it wasn't only a small group of physicians, but the
majority of healthcare workers who were concerned about the technology. It
also showed those feelings haven't changed since a 2016 independent report
by Dr. Doug Cochrane, who identified potential for errors, decreased
productivity and other problems with the system."

"The report found less than half of staff and physicians surveyed agreed it
would be possible to work collaboratively to make IHealth a success."

One innovation to be implemented is that staff who report problems with
iHealth should no longer expect workplace reprisals. The earlier Cochrane
report identified a "blame the user" response to problem reports as a root
cause of the failure to address the issues.

http://ihealth.islandhealth.ca/the-cochrane-report/

A report from the Vector Group had identified Nanaimo General as having a
"toxic" top-down bullying culture. That may have played a role in the
iHealth project getting it so wrong and failing to correct problems reported
by users.

https://vancouverisland.ctvnews.ca/toxic-culture-of-fear-bullying-tearing-apart-nanaimo-hospital-report-1.3670885
https://www.cheknews.ca/culture-report-says-nanaimo-hospital-is-leading-to-self-destruction-385673/

One man had to have heart surgery after notes about an infection were not
visible to Physicians. He was sent home with an inappropriate prescription
and readmitted when his heart problem became more grave.

A similar electronic Health Record project in the Vancouver Coastal Health
Authority is also over budget, behind schedule and nowhere near as effective
as expected.

http://vancouversun.com/news/politics/more-delays-cost-overruns-hit-vancouver-electronic-health-project

A common assumption failure in these projects, and in the Federal
Government's failed Phoenix system, is that improved efficiency would
quickly be realised. That led to an assumption that all 3 projects could be
funded out of operational budgets, because of the assumed payback. It also
led to a rush to roll out flawed systems, to realise the anticipated
"savings". Instead the systems require more staff time than the previous
applications they were supposed to replace, have gone far over budget, and
show no hope of realising operational savings by making staff more
efficient.  They also have operational errors and user interface issues.

It reminds me of the repeating mistake of assuming that Data Base Systems
would be less expensive to operate than the sorted Master File Systems they
replaced. Systems Analysts had a hard time understanding the difference
between a sequential tape or disk file read and a non sequential Data Base
record retrieval. In some cases they justified DB projects by a proposal to
"eliminate the operational cost of sorting". My experience with CODASYL,
Hierarchical, and Relational DBs is that Sorting is often a method of
reducing the overhead of Direct Access I/O.

With both Phoenix and the Electronic Patient Records systems the current BC
and Canadian Federal governments are dealing with the legacy of projects
initiated under previous Right Wing Administrations.

There are echoes of the project management failures of the various attempts
to develop a Case Management System for the FBI in the USA.

https://www.computer.org/cms/Computer.org/ComputingNow/homepage/2012/0712/rW_CO_WhytheFBI.pdf

https://spectrum.ieee.org/riskfactor/computing/it/fbis-500-million-sentinel-case-management-system-still-has-major-operational-kinks-ig-reports

------------------------------

Date: Wed, 27 Dec 2017 16:51:35 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Erie, PA household electric bill for US$ 284B (WashPo)

https://www.washingtonpost.com/news/business/wp/2017/12/26/woman-gets-284-billion-electric-bill-wonders-whether-its-her-christmas-lights/

I'm shocked, shocked to learn this brand outrage incident occurred from
a production defect escape into our maze of technology traps. Must be a
feature. At least First Energy cops to the fault. This incident would
make a good April Fools risks contribution, if the event wasn't true.
It should qualify for "Ripley's Believe It or Not" as the most
erroneous bill amount ever submitted to a consumer. Good thing First
Energy uses 64-bit arithmetic to totalize their bills. [RMS]

  [Also noted by Bernhard Riedel:
  $284.46 electricity bill turns into $284,460,000,000.
  http://www.bbc.com/news/world-us-canada-42489666
  PGN]

------------------------------

Date: Thu, 28 Dec 2017 12:40:26 -0500
From: Steve Golson <sgolson () trilobyte com>
Subject: Programming error results in too many winning lottery tickets

http://www.thestate.com/news/local/article191818114.html

Excitement and joy turned to anger and frustration Wednesday as dozens of
people expecting to collect lottery winnings instead left the South Carolina
Education Lottery offices empty handed.

State lottery officials say a *programming error* with the lottery's
computer vendor, Intralot, affected the Holiday Cash Add-A-Play tickets on
Christmas Day.

From 5:51 p.m. to 7:53 p.m. Monday, the same play symbol was repeated in all
nine available play areas on tickets, which would result in a top prize of
$500, officials have said. No more than five identical play symbols should
appear for a single play.

There was no word Wednesday on how many winning tickets were generated, or
whether those with winning tickets would collect any prize money. The South
Carolina Education Lottery is telling players who purchased Add-A-Play
tickets on Christmas Day during the affected time period to hold on to their
tickets until a review is completed.

  I wonder how many programming errors have led to *fewer* than expected
  winning tickets? Who would notice?

  And it's rather ironic that this is the Education Lottery!
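
An added example, not part of Steve Golson's item or of Intralot's code: an
instant-ticket generator that enforces the rule quoted above (no more than
five identical play symbols among the nine play areas) as a post-generation
invariant, so a stuck symbol source is refused rather than printed, plus the
after-the-fact audit the lottery had to run. The symbol set, seed and the
"stuck" draw function are constructed for the example.

```python
import random
from collections import Counter
from typing import Callable, List, Optional

PLAY_AREAS = 9        # nine play areas per ticket (from the article)
MAX_IDENTICAL = 5     # no more than five identical play symbols (from the article)
# Constructed symbol set; the real game's symbols are not given in the item.
SYMBOLS = ["BELL", "STAR", "TREE", "GIFT", "SNOW", "CANE"]


def violates_symbol_limit(ticket: List[str]) -> bool:
    """True when the ticket has the wrong number of play areas or any symbol
    appears more than MAX_IDENTICAL times (the Christmas Day tickets had all
    nine areas identical, a top-prize pattern)."""
    if len(ticket) != PLAY_AREAS:
        return True
    return max(Counter(ticket).values()) > MAX_IDENTICAL


def generate_ticket(draw: Callable[[], str],
                    max_attempts: int = 100) -> Optional[List[str]]:
    """Draw PLAY_AREAS symbols from `draw` and release the ticket only if it
    satisfies the invariant.  A source that keeps producing invalid tickets
    (stuck, biased or mis-seeded) exhausts the attempts and gets None, i.e.
    the terminal refuses to print rather than emitting a winner."""
    for _ in range(max_attempts):
        ticket = [draw() for _ in range(PLAY_AREAS)]
        if not violates_symbol_limit(ticket):
            return ticket
    return None


def healthy_draw(rng: random.Random) -> Callable[[], str]:
    """A working symbol source: uniform choice from the symbol set."""
    return lambda: rng.choice(SYMBOLS)


def stuck_draw(symbol: str = "BELL") -> Callable[[], str]:
    """Simulates the reported defect: the same play symbol on every draw."""
    return lambda: symbol


def seeded_ticket(seed: int) -> Optional[List[str]]:
    """Convenience wrapper: one ticket from a seeded healthy source."""
    return generate_ticket(healthy_draw(random.Random(seed)))


def audit_batch(tickets: List[List[str]]) -> int:
    """Count already-issued tickets that break the rule; this is the review
    the lottery announced for tickets sold in the affected window."""
    return sum(1 for t in tickets if violates_symbol_limit(t))


if __name__ == "__main__":
    print("healthy source:", seeded_ticket(2018))
    print("stuck source:  ", generate_ticket(stuck_draw()))  # None: refused
    print("bad tickets in batch:",
          audit_batch([["BELL"] * 9, ["BELL"] * 4 + ["STAR"] * 5]))
```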

------------------------------

Date: Thu, 4 Jan 2018 09:52:45 +0530
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: 500 rupees, 10 minutes, and you have access to billion Aadhaar
  details (The Tribune, India)

Rs 500, 10 minutes, and you have access to billion Aadhaar details
Rachna Khaira, Tribune News Service, Jalandhar, January 3 2018

http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html

  It was only last November that the UIDAI asserted that Aadhaar data is
  fully safe and secure and there has been no data leak or breach at UIDAI.
  Today, The Tribune *purchased* a service being offered by anonymous
  sellers over WhatsApp that provided unrestricted access to details for any
  of the more than 1 billion Aadhaar numbers created in India thus far.

  It took just Rs 500, paid through Paytm, and 10 minutes in which an agent
  of the group running the racket created a gateway for this correspondent
  and gave a login ID and password. Lo and behold, you could enter any
  Aadhaar number in the portal, and instantly get all particulars that an
  individual may have submitted to the UIDAI (Unique Identification
  Authority of India), including name, address, postal code (PIN), photo,
  phone number and email.

  What is more, The Tribune team paid another Rs 300, for which the agent
  provided software that could facilitate the printing of the Aadhaar card
  after entering the Aadhaar number of any individual.

    [Rs 500 is less than $10.]

------------------------------

Date: Fri, 5 Jan 2018 11:41:29 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: Massive security breach in India

If you build it, they will come.

http://marginalrevolution.com/marginalrevolution/2018/01/security-breach-india.html

------------------------------

Date: Sat, 06 Jan 2018 09:15:21 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Who's liable in driverless train accident? (The Straits Times)

http://www.straitstimes.com/singapore/courts-crime/whos-liable-in-driverless-train-accident

Insurance premiums may deter the ubiquitous deployment of automated
transport systems, especially if/when an incident swarm identifies system
operators or component suppliers liable.  See RISKS-29.64 [item 11] for a
premium guestimate given the moral dilemma underlying deployment choice.

------------------------------

Date: Wed, 27 Dec 2017 16:12:50 +0100
From: Bernhard Riedel <bernhard () netmuc net>
Subject: "LA-Tokyo flight turns back after passenger 'boards with wrong
  ticket'" (BBC)

http://www.bbc.com/news/world-us-canada-42492467
"LA-Tokyo flight turns back after passenger 'boards with wrong ticket'"

What, then, is the purpose of these boarding scanners? Glorified passenger
counters?  I had always thought they were there to ensure that only the
expected passengers would be on the plane.

------------------------------

Date: Mon, 15 Jan 2018 07:12:12 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Rise of the Robo-Judge

https://www.linkedin.com/pulse/rise-robo-judge-artificial-intelligence-well-its-way-determining-fox/

Imagine for a second, that you enter the courtroom to see a computer in the
place of a judge. You watch the trial robot as it hears the details of a
case, and as the "judge-bot" absorbs the evidence, it seems to be drawing
conclusions, determining through steely artificial intelligence, if the
accused is guilty or not guilty. It seems a bit weird, unsettling, and may
not be as farfetched as it sounds.

------------------------------

Date: Sun, 14 Jan 2018 07:04:45 -0700
From: Bob Gezelter <gezelter () rlgsc com>
Subject: Hawaiian False Missile Alert Command Confirmation Bias Strikes Again
  (NYTimes)

*The New York Times*, 13 Jan 2018
https://www.nytimes.com/2018/01/13/us/hawaii-missile.html

  Vern T. Miyagi, the administrator of the agency, said that during the
  drill, an unidentified employee mistakenly pushed a button on a computer
  screen to send out the alert, rather than one marked to test it. He said
  the employee answered *yes* when asked by the system if he was sure he
  wanted to send the message.  [PGN-ed]

Computer users are all too familiar with the decades-old hazard of "Are you
sure you want to *****?" Much havoc has ensued when a user or system
manager types a command, only to reflexively confirm it. Systems have shut
down, files lost, and many other serious consequences. This feature is
present on a wide range of systems, including Tenex, OpenVMS, MS-DOS, and
Windows (My recollection is that *IX systems do not ask for confirmation,
they just "do it").

Perhaps, critical systems (e.g., Emergency Warning Systems) might be better
off adopting a different approach. Users responding to a confirmation prompt
all too often fall into the trap of confirming by reflex.

A better approach might be to require two operators at different consoles,
separated physically by a sufficient distance, to BOTH command critical
actions (e.g., sending out an all mobile phones alert). Had such a
"two-person" rule applied, it is likely that two independent individuals
would not have made the same error.

Bob Gezelter, http://www.rlgsc.com

  [Dave Horsfall added: Now that we know that the automatic bulk alert works
  just fine, why was there no automatic bulk retraction designed into it?
  Surely right next to the Big Red Button (no, not that one) should be a Big
  Red "OOPS!" Button?

  Lauren Weinstein added: You can excuse the good people of Hawai'i if they
  consider all future alerts on that system with an extreme degree of
  skepticism.  Any system that permits an error like this needs to be ripped
  out by the roots and tossed into a dumpster, along with whomever is in
  charge of it.

  Rob Wilcox noted this:
http://www.hawaiinewsnow.com/story/37271628/officials-release-image-of-hiema-screen-that-triggered-incorrect-missile-alert

  Gabe Goldberg had this to add:
http://www.thegatewaypundit.com/2018/01/hawaiian-emergency-management-officials-hold-interview-post-notes-passwords-computer-screens/
Maybe Amazon can recommend invisible ink when Post-It notes are purchased.

  PGN]
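
An added example, not from Bob Gezelter's item or from the Hawaii agency's
system: the "two-person" rule above as a gate in front of a critical action.
The reflexive "yes" is still required but never sufficient; the action fires
only when two distinct operators at two distinct consoles independently
request the *same* action (live alert versus test) within a short window.
Operator and console identifiers, action names and the window length are
constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed: the second, independent request must arrive within this window.
WINDOW_SECONDS = 60.0


@dataclass
class Request:
    operator: str     # who is asking (constructed ids such as "op-a")
    console: str      # which physically separate console (e.g. "console-1")
    action: str       # e.g. "ALERT_LIVE" or "ALERT_TEST" (constructed names)
    timestamp: float  # seconds; monotonic clock in a real system


@dataclass
class TwoPersonGate:
    pending: Dict[str, Request] = field(default_factory=dict)
    audit_log: List[Tuple[str, Request]] = field(default_factory=list)

    def submit(self, req: Request, confirmed: bool) -> Tuple[str, Optional[str]]:
        """Process one operator request.  Returns (status, fired_action) where
        status is 'rejected', 'pending', 'expired' or 'fired'.  Every decision
        is appended to audit_log so a false alert can be reconstructed."""
        # The confirmation prompt is still asked, but on its own it proves
        # nothing: a reflexive "yes" is exactly the failure mode described.
        if not confirmed:
            self.audit_log.append(("rejected-unconfirmed", req))
            return "rejected", None

        first = self.pending.get(req.action)
        if first is None:
            # First request for this action: hold it and wait for a second,
            # independent operator.  A lone operator who picks the live
            # alert instead of the test never gets past this point.
            self.pending[req.action] = req
            self.audit_log.append(("pending", req))
            return "pending", None

        if req.timestamp - first.timestamp > WINDOW_SECONDS:
            # The earlier request is stale; this one restarts the clock.
            self.pending[req.action] = req
            self.audit_log.append(("expired", first))
            return "expired", None

        if req.operator == first.operator or req.console == first.console:
            # Same person (even from another console) or same console
            # (even another person) is not independent.  Keep waiting.
            self.audit_log.append(("rejected-not-independent", req))
            return "rejected", None

        # Two distinct operators, two distinct consoles, same action, in
        # window: release the action and clear the pending slot.
        del self.pending[req.action]
        self.audit_log.append(("fired", req))
        return "fired", req.action


if __name__ == "__main__":
    gate = TwoPersonGate()
    print(gate.submit(Request("op-a", "console-1", "ALERT_LIVE", 0.0), True))
    print(gate.submit(Request("op-b", "console-2", "ALERT_TEST", 3.0), True))
    print(gate.submit(Request("op-b", "console-2", "ALERT_LIVE", 8.0), True))
```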

------------------------------

Date: Mon, 15 Jan 2018 08:04:55 -0800
From: Rob Wilcox <robwilcoxjr () gmail com>
Subject: War Risk 2018 with North Korea

Many RISKS readers have a deep understanding of computer and human factor
nuclear war risks discussed in the early 1980's.

(The New York Times)
https://www.nytimes.com/2018/01/14/world/asia/hawaii-false-alarm-north-korea-nuclear.html

------------------------------

Date: Sun, 14 Jan 2018 09:52:32 -0500
From: "Dave Farber" <farber () gmail com>
Subject: Drones keep entering no-fly zones over Washington, raising
  security concerns (WashPo)

The Washington Post, 13 Jan 2018
https://www.washingtonpost.com/local/trafficandcommuting/drones-keep-entering-no-fly-zones-over-washington-raising-security-concerns-and-illustrating-larger-problems/2018/01/13/1030159a-db7d-11e7-b1a8-62589434a581_story.html

------------------------------

Date: Sat, 6 Jan 2018 14:19:02 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: What Happens If Russia Attacks Undersea Internet Cables (WiReD)

https://www.wired.com/story/russia-undersea-internet-cables/?mbid=nl_010518_daily_list1_p1

------------------------------

Date: Fri, 12 Jan 2018 16:35:40 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: New Rules Announced for Border Inspection of Electronic Devices

The U.S. Customs and Border Patrol announced new restrictions on when agents
can copy data from digital devices at border crossing points.

Agents now need *reasonable suspicion* in advance of searches of phones,
computers, tablets, cameras or any other digital device belonging to people
entering or leaving the United States. Border agents will also be restricted
from accessing data stored remotely in the cloud.

The new guidance published on Friday update existing rules introduced in
2009 regarding advanced searches that can be conducted at random and without
warrant.
<https://www.cbp.gov/sites/default/files/assets/documents/2018-Jan/cbp-directive-3340-049a-border-search-electronic-media.pdf>

Under the new rules, border agents would still be able to conduct basic
searches with or without suspicion, which entails physical examination of
digital devices, such as sorting through photos and examining messages.
Advanced searches based on reasonable suspicion will still be permitted and
agents can still review, copy, and analyze a digital device's contents.

The directive states travelers may be asked to provide passcodes to unlock a
device. If the border agent is unable to inspect the device because it is
passcode or encryption-protected, the agent may detain the device for up to
five days.

https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/

------------------------------

Date: Mon, 15 Jan 2018 09:44:22 -0500
From: Monty Solomon <monty () roscom com>
Subject: Is the Answer to Phone Addiction a Worse Phone? (NYTimes)

Is the Answer to Phone Addiction a Worse Phone?
https://www.nytimes.com/2018/01/12/technology/grayscale-phone.html

A small group of people have turned their phone screens to shades of gray to
make them less stimulating. That's the opposite of what tech companies want.

------------------------------

Date: Sat, 6 Jan 2018 14:21:12 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Apple said a software problem caused its heating system to
  break, which caused icicles to form on the roof of its Chicago store

Apple spokesman Nick Leahy said the building's architects designed the
store to be snow-friendly.  ``The roof has a warming system that's built
into it,'' said Leahy. ``It needed some fine-tuning and it got reprogrammed
today. It's hopefully a temporary problem.''  The store has an ultra-thin
carbon roof. Crews closed off sections of the store's outdoor plaza after
the icicles formed.  The Chicago Apple store has faced criticism...

It SNOWS in Chicago? Who knew... The risk? Smart buildings that aren't.

------------------------------

Date: Thu, 11 Jan 2018 15:28:49 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Windows Meltdown and Spectre patches

Microsoft has added a new and very important detail on the support page,
describing incompatibilities between AV products and the recent Windows
Meltdown and Spectre patches. The update says that Windows users will not
receive the January 2018 Patch Tuesday security updates, or any subsequent
Patch Tuesday security updates, unless the AV program they are using becomes
compatible with the Windows Meltdown and Spectre patches. *AV programs will
need to add a special Registry key in the future*.  One researcher is
keeping track of which AV programs are updated on this spreadsheet.

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

------------------------------

Date: Sun, 7 Jan 2018 13:43:34 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Meltdown/Spectre/GoogleZero

https://www.theverge.com/2018/1/4/16851132/meltdown-spectre-google-cpu-patch-performance-slowdown

Google just gave chipmakers some much needed good news. In a post on the
company's Online Security Blog, two Google engineers described a novel
chip-level patch that has been deployed across the company's entire
infrastructure, resulting in only minor declines in performance in most
cases.  The company has also posted details of the new technique, called
Retpoline, in the hopes that other companies will be able to follow the same
technique.  If the claims hold, it would mean Intel and others have avoided
the catastrophic slowdowns that many had predicted.

------------------------------

Date: Wed, 10 Jan 2018 21:54:40 -0800
From: Barry Gold <barrydgold () ca rr com>
Subject: Microsoft's patches brick AMD PCs

Microsoft came up with a security patch for the Spectre and Meltdown
vulnerabilities, but if the patch is installed on a PC with an AMD chip,
it's likely to turn into a boat anchor.  M$ is blaming AMD for providing
inadequate info on how their chips work.

http://money.cnn.com/2018/01/09/technology/business/microsoft-amd-update/index.html

------------------------------

Date: Tue, 02 Jan 2018 16:39:01 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Antivirus: the perfect spying tool!! (Nicole Perlroth)

What does an antivirus program do?  It scans every file in your device
looking for *signatures*, and then uploads those files which match the
signatures for further analysis by the antivirus provider.

So hacking antivirus involves 2 steps: produce signatures for files you want
to steal, and then exfiltrate those files.  The hard work of scanning for
those files is already automated by the antivirus program!

Both steps are trivial *if/when you're the antivirus vendor*!  Duh!

But even when you're not the antivirus vendor, the antivirus technology is
the perfect "evil maid" which constantly runs in the background, indexing
files for later -- possibly more labor-intensive -- exfiltration.

Nicole Perlroth, 1 Jan 2018
How Antivirus Software Can Be Turned Into a Tool for Spying
https://www.nytimes.com/2018/01/01/technology/kaspersky-lab-antivirus.html

It has been a secret, long known to intelligence agencies but rarely to
consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with
privileged access to nearly every program, application, web browser, email
and file.  There's good reason for this: Security products are intended to
evaluate everything that touches your machine in search of anything
malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an
untrustworthy antivirus maker -- or hacker or spy with a foothold in its
systems -- could abuse that deep access to track customers' every digital
movement.

"In the battle against malicious code, antivirus products are a staple,"
said Patrick Wardle, chief research officer at Digita Security, a security
company.  "Ironically, though, these products share many characteristics
with the advanced cyberespionage collection implants they seek to detect."
Mr. Wardle would know.  A former hacker at the National Security Agency,
Mr. Wardle recently succeeded in subverting antivirus software sold by
Kaspersky Lab, turning it into a powerful search tool for classified
documents.  Mr. Wardle's curiosity was piqued by recent news that Russian
spies had used Kaspersky antivirus products to siphon classified documents
off the home computer of an NSA developer, and may have played a critical
role in broader Russian intelligence gathering.

"I wanted to know if this was a feasible attack mechanism," Mr. Wardle said.
"I didn't want to get into the complex accusations.  But from a technical
point of view, if an antivirus maker wanted to, was coerced to, or was
hacked or somehow subverted, could it create a signature to flag classified
documents?"

That question has taken on renewed importance over the last three months in
the wake of United States officials' accusations that Kaspersky's antivirus
software was used for Russian intelligence gathering, an accusation that
Kaspersky has rigorously denied.

Last month, Kaspersky Lab sued the Trump administration after a Department
of Homeland Security directive banning its software from federal computer
networks.  Kaspersky claimed in an open letter that "DHS has harmed
Kaspersky Lab's reputation and its commercial operations without any
evidence of wrongdoing by the company."

For years, intelligence agencies suspected that Kaspersky Lab's security
products provided a back door for Russian intelligence.  A draft of a
top-secret report leaked by Edward J. Snowden, the former National Security
Agency contractor, described a top-secret NSA effort in 2008 that concluded
that Kaspersky's software collected sensitive information off customers'
machines.

The documents showed Kaspersky was not the NSA's only target.  Future
targets included nearly two dozen other foreign antivirus makers, including
Checkpoint in Israel and Avast in the Czech Republic.  [...]

  [Excellent long item PGN-truncated for RISKS.  The print version (2 Jan
  2018) has a different headline: Spies Exploit The Software That Protects.]
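An added illustration of Wardle's question, written for this entry and not
taken from the NYT article, from Kaspersky or from Wardle's own work (the
signature table, rule names, file names and file contents are all
constructed): a toy on-demand scanner whose match loop cannot tell a malware
signature from a rule that hunts for classification markings, plus the record
that a "submit suspicious samples to the vendor" feature would ship off the
host for each hit.

```python
import os
import re
import tempfile

# Hypothetical signature table (constructed for this example). The first rule
# is the kind of thing an AV vendor ships; the second is the abuse case Wardle
# describes: a "signature" whose only purpose is to find classified documents.
# To the scan loop below the two are indistinguishable.
SIGNATURES = [
    ("Hypothetical.Dropper.A", re.compile(rb"MZ.*?DROPPER_STAGE2_v\d+", re.S)),
    ("Doc.Classified.Markings", re.compile(rb"TOP SECRET|SECRET//NOFORN|TS//SCI")),
]


def scan_bytes(data):
    """Return the names of all signatures matching data, in table order."""
    return [name for name, pattern in SIGNATURES if pattern.search(data)]


def scan_tree(root):
    """Walk root the way an on-demand scanner does: every readable file, every
    byte. Returns {relative path: [rule names]} for files with at least one
    hit; paths use '/' so results look the same on every OS."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                matched = scan_bytes(fh.read())
            if matched:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = matched
    return hits


def telemetry_records(root, hits, excerpt_len=48):
    """What a 'submit suspicious samples to the vendor' feature would ship
    off-host for each hit: path, rule, and the start of the file. For the
    document rule that excerpt is the classified text itself."""
    records = []
    for rel, rules in sorted(hits.items()):
        with open(os.path.join(root, *rel.split("/")), "rb") as fh:
            excerpt = fh.read(excerpt_len)
        for rule in rules:
            records.append({"path": rel, "rule": rule, "excerpt": excerpt})
    return records


# Constructed sample tree: a benign note, a file the malware rule matches, and
# an ordinary user document carrying a classification marking.
SAMPLE_FILES = {
    "notes/todo.txt": b"buy milk\n",
    "downloads/tool.exe": b"MZ" + b"\x90" * 8 + b"DROPPER_STAGE2_v3\x00",
    "home/report.docx": b"TOP SECRET//SI\nQuarterly summary ...\n",
}


def build_sample_tree(root):
    """Write SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Scan the constructed tree; returns (hits, telemetry records)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan_tree(root)
        return hits, telemetry_records(root, hits)


if __name__ == "__main__":
    found, uploads = demo()
    for rel, rules in sorted(found.items()):
        print(f"{rel}: {', '.join(rules)}")
    for rec in uploads:
        print(f"  would upload {rec['path']} ({rec['rule']}): {rec['excerpt']!r}")
```

The practical corollary for a defender is that the control point is not the
scanner but the signature-update channel and the sample-submission telemetry:
review what rules arrive, and restrict or disable automatic sample submission
on hosts that handle sensitive documents.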

------------------------------

Date: Sun, 7 Jan 2018 10:20:18 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: Infected USB sticks handed out at security conference

Apparently, infected inadvertently and not targeted at the conference.
Quickly discovered.

http://www.taipeitimes.com/News/taiwan/archives/2018/01/08/2003685393

------------------------------

Date: Mon, 8 Jan 2018 13:51:08 -0500
From: "Mike Chinni" <mchinni () optonline net>
Subject: Cybersecurity in self-driving cars: University of Michigan
  releases threat identification tool

"These three hypothetical scenarios, posited in a new white paper by
University of Michigan researchers working with Mcity, illustrate the breadth
of the cybersecurity challenges that must be overcome before autonomous and
connected vehicles can be widely adopted. While every new generation of auto
tech brings new security risks, the vulnerabilities that come along with
advanced mobility are both unprecedented and under-studied, the paper
states.

The white paper introduces a tool called the Mcity Threat Identification
Model, which could help academic and industry researchers analyze the
likelihood and severity of potential threats. The new model outlines a
framework for considering: the attacker's skill level and motivation; the
vulnerable vehicle system components; the ways in which an attack could be
achieved; and the repercussions, including for privacy, safety and financial
loss.

The tool is believed to be the first of its kind focused on automated
vehicles. Mcity, led by U-M, is the nation's largest public-private
partnership working to advance connected and automated mobility."

http://ns.umich.edu/new/releases/25354-cybersecurity-in-self-driving-cars-u-m-releases-threat-identification-tool

------------------------------

Date: Thu, 18 Jan 2018 00:35:01 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: BlackBerry Jarvis Checks Autonomous Car Software for Security Flaws

Enterprise software vendor BlackBerry is jumping into the autonomous vehicle
marketplace with a new cyber-security application called Jarvis that aims to
tighten security around the complex computing code that controls driver-less
vehicles.

BlackBerry Jarvis, which the company says is a "cloud-based, static binary
code scanning" application, can be used by automakers to quickly and deeply
scan and evaluate the voluminous and critical software code used in
autonomous vehicles, cutting such scanning from 30 days down to about seven
minutes, according to BlackBerry. [...]

"Jarvis is a game-changer for OEMs because for the first time they have a
complete, consistent, and near real-time view into the security posture of a
vehicle's entire code base along with the insights and deep learning needed
to predict and fix vulnerabilities, ensure compliance, and remain a step
ahead of bad actors."

Jarvis can be used to evaluate the hundreds of software applications that
are used in autonomous vehicles, according to BlackBerry. [...]

In the future, Jarvis could also be used to help secure critical
applications in other industries, including healthcare, industrial
automation, aerospace and defense, according to BlackBerry.

IT analysts said Jarvis is intriguing and could be a valuable tool for
autonomous vehicle makers.
http://www.eweek.com/security/blackberry-jarvis-scans-for-security-flaws-in-autonomous-car-software

It's magic, no question about that... and maybe it's recursive, can scan
itself for flaws.  GG

------------------------------

Date: Wed, 17 Jan 2018 14:56:41 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Firms buy insurance 'in mad panic' as cyber-attacks soar (BBC)

http://www.bbc.com/news/business-42687937

  "One of the biggest issues in cyber-insurance is how to price it
  effectively and cover indirect as well as direct costs a company suffers
  following a cyber-attack," says Nik Whitfield, chief executive of
  Panaseer, a cyber risk assessor.

  He anticipates companies like his offering cyber risk assessment services
  to insurers. Firms seeking insurance would be happy to be assessed in the
  hope of securing lower premiums, he argues.

  "Such a service would be the equivalent of a telematics box in your car
  which tells the insurance company how well you're driving," says Mr
  Whitfield.

How many business and institutional entities are ill-equipped and too poorly
funded to sponsor essential defensive operations to actively suppress brand
outrage incidents? What happens when the cyber-insurer-recommended changes
(a la outsourcing to a vendor) fail to suppress an incident? What happens to
the insurer when an incident swarm drains claim reserves? Filing cabinets and
paper might be due for a strong comeback in light of the Internet of
Mistakes.

------------------------------

Date: Tue, 2 Jan 2018 00:02:51 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Health Care Is Hemorrhaging Data. AI Is Here to Help (WiReD)

https://www.wired.com/story/health-care-is-hemorrhaging-data-ai-is-here-to-help/

Could be good news, could be bad news. Likely some of each. We'll see...

------------------------------

Date: Thu, 4 Jan 2018 11:36:54 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Romanian Hackers Compromised DC Security Cameras Prior to
  Inauguration (TRK)

Washington, DC -- Two Romanian nationals have been arrested and charged with
hacking into approximately 123 computers that control outdoor surveillance
cameras for the *DC Metropolitan Police Department* in connection with a
Ransomware scheme just before Donald Trump's inauguration last January.
According to documents recently unsealed, Mihai Alexandru Isvanca, 25, and
Eveline Cismaru, 28, of Romania, were arrested on Dec. 15, at the airport in
Bucharest, Romania. Both have been charged with conspiracy to commit wire
fraud and conspiracy to commit various forms of computer fraud. Isvanca
remains in custody in Romania and Cismaru is on house arrest there pending
further legal proceedings.  ``This case was of the highest priority due to
its impact on the Secret Service's protective mission and its potential
effect on the security plan for the 2017 Presidential Inauguration,'' the
*U.S. Attorney's Office* in DC said in a statement. All surveillance
cameras were restored prior to the inauguration.
https://www.justice.gov/usao-dc/pr/two-romanian-suspects-charged-hacking-metropolitan-police-department-surveillance-cameras

------------------------------

Date: Mon, 15 Jan 2018 14:37:56 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Indiana Hospital Hacked for Ransom: An Argument for Decentralized Data

https://decentralized.tv/indiana-hospital-hacked-ransom-argument-decentralized-data/

------------------------------

Date: Thu, 4 Jan 2018 10:35:32 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Chanticleer to use blockchain for its rewards program

Insane blockchain magic fairy dust...

The speculative mania on anything related to cryptocurrencies is happening
again in the new year.

Chanticleer Holdings, an owner of burger restaurants, said Tuesday it will
use blockchain-related technology for its customer rewards program. The
company also owns 9 Hooter's restaurants and is a minority investor in
Hooter's of America.

"We wanted to expand our existing loyalty program with something that really
changes the way our customers can leverage their rewards; Mobivity Merit is
real cryptocurrency, leveraging the same infrastructure and principles of
Bitcoin, Ethereum, Ripple, Litecoin, and more, and will enable our customers
to make use of their rewards in entirely new ways," Michael Pruitt,
chairman, president and CEO of Chanticleer Holdings, said in a release
<https://globenewswire.com/news-release/2018/01/02/1277006/0/en/Chanticleer-Holdings-to-Deploy-Mobivity-s-Blockchain-Technology-to-Power-Cryptocurrency-Rewards-Program.html>.

Chanticleer Holdings rose nearly 50 percent in Tuesday trading to almost $4
a share. The Nasdaq-traded stock had a market value of only $8 million
through Friday so it's clearly buyer beware.

https://www.cnbc.com/2018/01/02/chanticleer-to-use-blockchain-for-its-rewards-program.html

------------------------------

Date: Thu, 28 Dec 2017 05:12:13 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: How to lose $8k worth of bitcoin in 15 minutes with Verizon and Coinbase.com

https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac
It begins with a text message from Verizon
11:31 PM...

------------------------------

Date: Wed, 3 Jan 2018 17:11:03 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Egypt's grand mufti says bitcoin 'forbidden' by Islam
  (The Times of Israel)

https://www.timesofisrael.com/egypts-grand-mufti-says-bitcoin-forbidden-by-islam/

The risk? Using a forbidden currency.

------------------------------

Date: Fri, 05 Jan 2018 23:54:37 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: How The Banks Bought Bitcoin (Lightning Network)

Lightning Network by Decentralized Thought http://bitthink.info/
https://www.youtube.com/watch?v=UYHFrf5ci_g
"-This is the finished version of my original video "The truth about the
lightning network"

-Treat this video as a menu to start at. As I add videos I will link the
relevant ones. Upcoming videos on Bitcoin's censorship by r/theymos,
Blockstream's connections to the banks, how Blockstream took over Bitcoin's
development, as well as videos on Asicboost, Jihan Wu, Roger Ver and a
variety of other topics."

------------------------------

Date: Thu, 28 Dec 2017 12:44:22 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Your Mother's Maiden Name Is Not a Secret (NYTimes)

NYTimes
There has been no shortage of incidents proving that website security
questions are far from secure.

https://www.nytimes.com/2017/12/28/opinion/sunday/internet-security-questions.html

...and yet they're still widely used.

------------------------------

Date: Wed, 10 Jan 2018 07:03:18 -0500
From: Mark Brader <msb () vex net>
Subject: Risks of not using a bookstore? (Newsweek)

http://www.newsweek.com/fire-fury-books-michael-wolff-trump-world-war-774048

  [People accidentally bought the wrong book, with the same title but a
  completely different subtitle.  The name of the book is not a secret
  either.  (Snide comment on the previous item on your mother's maiden
  name.)  PGN]

------------------------------

Date: Tue, 09 Jan 2018 12:09:51 -0800
From: Gene Wirchenko <genew () telus net>
Subject: Why you'll fire Siri and do the job yourself

https://www.computerworld.com/article/3246088/artificial-intelligence/why-you-ll-fire-siri-and-do-the-job-yourself.html

Mike Elgan, Computerworld, 6 Jan 2018
Why you'll fire Siri and do the job yourself:
In the world of AI, the best virtual assistant might turn out to be your
virtual self.

selected text:

A company based in Pasadena, Calif., called ObEN built a 3D AI avatar
technology that produced what it calls a personal AI (PAI).

I spoke to ObEN co-founder and CEO Nikhil Jain this week. He told me ObEN's
technology generates a 3D computer-generated representation of the user's
face with a single selfie.

ObEN also learns to copy your voice. Once it's got your voice down, it can
do things with your voice that you cannot: speak Chinese, for example, or
sing.

That *personality* is based not only on how you speak, but on what you know
as well. It's even possible to add knowledge manually.

In the perfect ObEN universe, different simultaneous instances of your PAI
would be off scheduling meetings, answering questions, negotiating rates and
even telling bedtime stories to your children, according to Jain, while you
are freed up to focus on the stuff that requires human attention and
experience.

At the end of the day, the user can review everything the PAI did that day.

Consider Amy, the x.ai virtual assistant. Amy is AI that interacts via email
and schedules meetings. Amy has a personality and can make decisions in an
email conversation, such as the meeting participants and the Amy virtual
assistant negotiating available times for meetings. Amy is a virtual person,
and many people who encounter Amy assume they're interacting with a real
human.

  Possible issues:

  1) Review it?  If you are so busy that you think you need one of these AI
     avatars, would you really review everything?

  2) Imagine the court case if someone believes something that a
     professional's AI avatar said -- thinking it was the professional --
     and acts on it and suffers loss.  [GW]

------------------------------

Date: Wed, 10 Jan 2018 02:30:52 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Always allow removing comments

https://github.com/fetlife/android/issues/407
Simple copy and paste errors might result in users posting Personally
Identifiable Information, bank account passwords, family records, love
letters, even entire resumes.

With no way to quickly delete [what he now sees that he just accidentally
posted], in some cultures that could be pure suicide. What was seen as a
liberating website suddenly becomes the worst Outing Machine.

Just as one would not want the member database hacked leaking private
information, this leak should be plugged too.

------------------------------

Date: Sun, 7 Jan 2018 11:12:36 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: Five copyright claims against youtube video of white noise

http://www.bbc.com/news/technology-42580523

  [If I discover a new largest prime number, could I copyright that?  MT

  Probably not under the old rules when I grew up, where you had to show an
  implementation!  Today it is a different story.  Almost any patent
  application may be issued, leaving it to the lawsuits and the lawyers.
  PGN]

------------------------------

Date: Wed, 27 Dec 2017 13:35:14 -0500
From: Spencer Cheng <spencer () morphbius com>
Subject: The Geography of Risks

I have been reading comp.risks for at least 30 years. It has been an
incredible source of insight, amusement and food for thought. Like all
self-selecting groups, there is a risk that the submitters and readers of
comp.risks share too many similar concerns and educational backgrounds.

With the explosive growth of the Internet over the last few decades, the
nature of risks also changes across national and cultural boundaries.  What
is a risk in the West, may be much less relevant outside the West.

The first real discussion I can find on comp.risks about IMSI-catchers is
RISKS-27.33 in 2013. Coincidentally, I was in Beijing around that time and
chatting with a PhD student friend who was complaining about the number of
SMS UCEMs they were getting. When I inquired further as to why they don't
just block the sender, it turns out there are plenty of fake base stations in
all Chinese urban areas whose raison d'etre is to inject Macau gambling UCEM
into every phone they can connect to. The sender number is generated and
changes with every UCEM. The cellular operators are not in a position to
block these pop-up IMSI-catchers. I was told these IMSI catchers were quite
cheap to get and operate.

While the risk associated with 3PLA capturing and recording every message
to/from every phone is an accepted reality in China, there is an additional
layer of risk associated with your smartphone being constantly under attack
by anyone who can afford a cheap UCEM injector, which as far as I know
doesn't exist in Western Europe and North America.

I gave this only as an example of risks affected by geographical and
societal context which can easily be diluted or transformed across societal
boundaries. It behooves us as computer professionals interested in various
computer-related risks to society to remember that the Internet is not a
homogeneous cultural community of interest. The severity and relevance of
any risk must be placed in geographical, societal or cultural context.

------------------------------

Date: Thu, 4 Jan 2018 09:42:55 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: How Adding Accelerometers to Keys Will Thwart Car Thieves
  (IEEE Spectrum)

During last week's MEMS and Sensors Executive Congress in San Jose, Calif.,
designers, researchers, and industry representatives argued for putting MEMS
devices, like accelerometers and microphones, and a wide variety of other
sensors in just about everything. We heard about an electric snowboard with
traction control, voice-controlled garbage cans, and accelerometers placed
on the nose to listen for speech in noisy environments.

But sometimes the simplest example is the most memorable. In this case, that
was a MEMS accelerometer -- like the one in your step-counter -- that
thwarts car thieves.

https://spectrum.ieee.org/view-from-the-valley/transportation/sensors/how-accelerometers-will-soon-thwart-car-thieves

------------------------------

Date: Thu, 28 Dec 2017 18:48:59 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: The Unstoppable Momentum of Self-Driving Cars (RISKS-30.52)

The Las Vegas bus incident demonstrates a basic problem of autonomous cars,
which no one seems to have addressed yet.

As every student driver learns within the first few lessons, operating a
vehicle is the easier part; driving is essentially teamwork.  A driver
must not just be aware of what other drivers do, but more important, has to
use social skills to predict what they wish to do and what they are going to do.

It's no accident that in many languages, terms used to describe driving
originate from the realm of social behavior (e.g. "conduct").

So it seems that the main problem of driving robots is that they have
learned to control vehicles, but have not yet learned how to drive.

------------------------------

Date: Thu, 28 Dec 2017 22:28:45 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: Vehicle Satellite Navigation (RISKS-30.51,52)

Where I live, five major roads on the east side of town all converge on a
single roundabout (traffic circle), which obviously gets congested
especially in rush hours.  To help the flow there's a flyover (overpass)
linking two of the roads directly; this is a rather spindly structure
suitable for cars and small vans only, and it's only one lane wide, so the
direction of traffic is switched according to demand -- usually into town in
the morning and out of town in the afternoon -- from a control room with
CCTV monitoring of the surrounding roads.  There are mechanically-operated
signs at each end, showing either a 'no entry' symbol (if closed), or '30'
(speed limit) and car and van symbols (if open) as appropriate.

Of course from time to time drivers miss the signs and go the wrong way
resulting in a near miss or head-on collision, usually without major
casualties luckily as speeds are low, though recovering wrecked vehicles 20
feet (6m) in the air can be a challenge.  This has been happening for
decades, however in early 2017 the local newspaper reported an increase in
incidents in recent years, suggesting that satellite navigation systems
could be to blame, with a quick check on several models showing that some
tell drivers to use the flyover without checking that it's actually open in
their direction first.  A representative from one of the makers was quoted
as saying that switched-direction roads are used in several parts of the
world and navigation systems can handle these, but only if they operate to a
regular schedule, which this one doesn't.

As I see it, there are two issues here: (1) is it possible/feasible for
satellite navigation systems to handle changing road conditions, both for
fixed locations like this and/or wider-ranging difficulties like wildfires?
And (2) how much detail should navigation systems actually provide for
drivers?  Telling them to stop at red lights, give way to other vehicles
(having a crash is rarely a good idea), avoid hitting pedestrians,
etc. seems a little unnecessary.

  [There's a vaguely similar item in RISKS-30.52: Navigation Apps Are Turning
  Quiet Neighborhoods Into Traffic Nightmares (Lisa Foderaro)]

In the UK there are occasional proposals for road pricing with the aim of
reducing traffic congestion while raising valuable funds for road
improvements -- the per-mile rate would vary with higher charges for busier
roads at busier times.  Somebody pointed out that if this made major
highways quieter because heavy traffic used country lanes in the middle of
the night, would it count as success or failure..?  (Presumably smartphone
apps or whatever would be developed to calculate lowest-cost routes and
times for specific journeys.)

Similar approach in London, UK:
http://www.telegraph.co.uk/news/2017/12/31/block-streets-stop-smart-apps-turning-sleepy-roads-polluted/
  Block off streets to stop smart apps turning sleepy roads into
  polluted rat runs, say campaigners

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.53
************************

