Risks Digest 30.76


From: RISKS List Owner <risko () csl sri com>
Date: Fri, 20 Jul 2018 16:05:06 PDT

RISKS-LIST: Risks-Forum Digest  Friday 20 July 2018  Volume 30 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.76>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Top Voting Machine Vendor Admits It Installed Remote-Access Software
  on Systems Sold to States (Kim Zetter)
Rosenstein reveals how the Justice Department is fighting attacks
  on US elections (CNBC)
How the Russians hacked the DNC and passed its emails to WikiLeaks (WashPo)
Russia exploited Twitter for disinformation as early as 2014,
  targeting local news (Boingboing)
We've unleashed AI.  Now we need a treaty to control it. (latimes.com)
AI Innovators Take Pledge Against Autonomous Killer Weapons (npr.org)
The cameras that know if you're happy - or a threat (bbc.com)
Millions of Verizon customer records exposed in security lapse (ZDNet)
Ticketmaster breach was part of a larger credit card skimming
  effort, analysis shows (ZDNet)
Doctors, hospitals sue patients posting negative online comments (USA Today)
Facial Recognition Shows Promise for Data Center Security (EWeek)
Shutting down an entire ATM network (JapanTimes)
Some food stamp recipients may soon lose access to farmers market benefits
  (WashPo)
Tesla Powerwall2 home battery hacking? (Henry Baker)
China Expands Surveillance of Sewage to Police Illegal Drug Use
  (Scientific American)
Hunting the Con Queen of Hollywood (Hollywood Reporter)
Micro SD cards silently switching to read-only when they're "too old"
  (Benoit Goas)
Birds are making expensive roaming calls (The Register)
Robo-calls are getting worse.  And some big businesses soon could
  start calling you even more. (WashPo)
Smart Mouthguard Senses Muscle Fatigue (Scientific American)
Risks on a Friday the 13th ... (Rob Slade)
We're not allowed to die anymore (NYTimes)
'Data is a fingerprint': why you aren't as anonymous as you think
  online (Olivia Stein)
Re: FACEPTION (Rob Slade)
Re: Employees as subjects in clinical trials (Dmitri Maziuk)
Re: Video: Gavin Williamson hilariously interrupted by Siri (Amos Shapir)
Sami Saydjari: Engineering Trustworthy Systems (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 17 Jul 2018 06:46:32 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Top Voting Machine Vendor Admits It Installed Remote-Access Software
  on Systems Sold to States (Kim Zetter)

Kim Zetter, Motherboard
  Remote-access software and modems on election equipment 'is the worst
  decision for security short of leaving ballot boxes on a Moscow street
  corner.'

Election Systems and Software, ``the nation's top voting machine maker has
admitted in a letter to a federal lawmaker that the company installed
remote-access software on election-management systems it sold over a period
of six years, raising questions about the security of those systems and the
integrity of elections that were conducted with them...''

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by
Motherboard, Election Systems and Software acknowledged that it had
``provided pcAnywhere remote connection software ... to a small number of
customers between 2000 and 2006'' which was installed on the
election-management system ES&S sold them.

The statement contradicts what the company told me and fact checkers for a
story I wrote for *The New York Times* in February.  At that time, a
spokesperson said ES&S had never installed pcAnywhere on any election system
it sold. ``None of the employees, ... including long-tenured employees, has
any knowledge that our voting systems have ever been sold with remote-access
software,'' the spokesperson said.   [KZ]

http://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states

  [Kim Zetter has been superb in her long-time reporting on election
  integrity -- and the lack thereof -- and many other RISKS-related topics.
  Her article is extremely timely, and just one more serious warning of the
  potential risks.  PGN]

------------------------------

Date: Fri, 20 Jul 2018 12:01:46 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Rosenstein reveals how the Justice Department is fighting attacks
  on US elections (CNBC)

The document highlights the increasing critical role that private-sector
companies are playing in national security matters.

http://www.cnbc.com/2018/07/20/how-the-justice-department-is-fighting-election-threats-cybercrime.html

------------------------------

Date: Sat, 14 Jul 2018 20:02:29 -0400
From: Monty Solomon <monty () roscom com>
Subject: How the Russians hacked the DNC and passed its emails to WikiLeaks
  (WashPo)

The special counsel's indictment of 12 Russian intelligence officers is a
technical guide to the Kremlin's 2016 operation.

https://www.washingtonpost.com/world/national-security/how-the-russians-hacked-the-dnc-and-passed-its-emails-to-wikileaks/2018/07/13/af19a828-86c3-11e8-8553-a3ce89036c78_story.html

------------------------------

Date: Thu, 12 Jul 2018 12:08:38 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Russia exploited Twitter for disinformation as early as 2014,
  targeting local news (Boingboing)

via NNSquad
http://boingboing.net/2018/07/12/the-troll-factory-pwned-us-all.html

  As early as 2014, Russian operatives working out of the Internet Research
  Agency (IRC) in St. Petersburg were busy creating fake Twitter accounts
  for U.S. local news organizations that did not exist.

------------------------------

Date: Tue, 17 Jul 2018 12:28:21 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: We've unleashed AI.  Now we need a treaty to control it.
  (latimes.com)

http://www.latimes.com/opinion/op-ed/la-oe-frantz-artificial-intelligence-treaty-20180716-story.html

  "The treaty would enshrine certain basic principles. The concept of
  "human-in-command" to guarantee that people retain control over AI should
  be a priority. Standards would be set for monitoring AI
  systems. Fundamental human rights should be specifically protected.  A new
  international body should be created for oversight, similar to the
  International Atomic Energy Agency.

  "The obstacles are apparent, from rogue nations and monopoly-minded
  companies to the sorry state of international cooperation. But advances in
  AI and machine learning are moving so fast that today seems like
  yesterday, making the challenge urgent."

Daniel H. Wilson, the author of "How to Survive a Robot Uprising" is a good
candidate to lead treaty negotiations.

Certain nations do not respect existing treaties governing human rights,
WMDs, or even climate change accelerants. What possible incentives will
motivate treaty compliance and membership in a hypothesized IAAIR -- the
International Agency for Artificial Intelligence and Robotics? 

------------------------------

Date: Thu, 19 Jul 2018 15:33:47 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: AI Innovators Take Pledge Against Autonomous Killer Weapons (npr.org)

http://www.npr.org/2018/07/18/630146884/ai-innovators-take-pledge-against-autonomous-killer-weapons

  "... we the undersigned agree that the decision to take a human life
  should never be delegated to a machine," the pledge says. It goes on to
  say, "... we will neither participate in nor support the development,
  manufacture, trade, or use of lethal autonomous weapons."

Compare with the IEEE Code of Ethics, Article 1 (see
http://www.ieee.org/about/corporate/governance/p7-8.html

  "to hold paramount the safety, health, and welfare of the public, to
  strive to comply with ethical design and sustainable development
  practices, and to disclose promptly factors that might endanger the public
  or the environment;"

The ACM articles (see http://www.acm.org/code-of-ethics)
express similar intent. 

This pledge, while sincere and honorable, ignores long-established
professional ethics and practices. Creativity's thrill apparently infected
our colleagues' judgment, inducing myopia and amnesia toward these legacy
guiding principles. Perhaps research grants were too enticing to refuse
without risking university tenure or employment promotion opportunity?

Open-source neural networks and artificial life training platforms enable
even the smallest nation to initiate an autonomous killer program. These
weapons will likely populate the next battlefield; the "human-in-control"
probably far away from the conflict zone.  I doubt "Real Steel" engagement
will become an effective tactic during a swarm intelligence battle.

This leads to the question of how to possibly sterilize a battlefield
deployment of AI-driven killers. A micro-EMP (preferably non-nuclear) might
do it. A cluster-bomb of radar-guided or passive-metal-seeking ultra-tazers?

------------------------------

Date: Thu, 19 Jul 2018 15:14:27 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: The cameras that know if you're happy - or a threat (bbc.com)

http://www.bbc.com/news/business-44799239

This technology motivates the old aphorism to "Keep smiling, the boss likes
idiots." I wonder if employers will institute a "smile or frown" score as
part of performance reviews?

------------------------------

Date: Sun, 15 Jul 2018 00:51:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Millions of Verizon customer records exposed in security lapse
  (ZDNet)

Customer records for at least 14 million subscribers, including phone
numbers and account PINs, were exposed.

https://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/

------------------------------

Date: Sat, 14 Jul 2018 18:57:13 -0400
From: Monty Solomon <monty () roscom com>
Subject: Ticketmaster breach was part of a larger credit card skimming
  effort, analysis shows (ZDNet)

https://www.zdnet.com/article/ticketmaster-breach-was-part-of-a-larger-credit-card-skimming-effort-analysis-shows/

------------------------------

Date: Wed, 18 Jul 2018 09:50:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Doctors, hospitals sue patients posting negative online comments
  (USA Today)

http://www.usatoday.com/story/news/politics/2018/07/18/doctors-hospitals-sue-patients-posting-negative-online-comments/763981002/

------------------------------

Date: Sat, 14 Jul 2018 11:03:19 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Facial Recognition Shows Promise for Data Center Security
  (EWeek)

While Ramos' trial is still months away, the successful use of computer
technology to confirm a murder suspect's identity made it clear that facial
recognition systems have reached the point where they can perform reliably
enough to identify a random person fairly reliability.

http://www.eweek.com/security/facial-recognition-shows-promise-as-next-step-in-corporate-security

"Fairly reliably" -- new horizons in mistaken identity? New questions needed
for defense lawyers to cross-examine facial recognition systems?

------------------------------

Date: Mon, 16 Jul 2018 19:08:58 +0900
From: Rodney Van Meter <rdv () sfc wide ad jp>
Subject: Shutting down an entire ATM network (JapanTimes)

Mizuho Bank is one of the largest banks in Japan. Today (Monday, Japan time)
is the last day of a three-day weekend. Mizuho decided to shut down *its
entire ATM network* from midnight Friday night until 8a.m. Tuesday, so they
could perform a flag day (maybe even forklift? not sure) upgrade on ATM
software. Apparently, it's not just their own ATMs, but any 7-11 or other
ATMs that would also normally give you access to your account cannot; it's a
backend upgrade as well as frontend.

Short blurb in English:
http://www.japantimes.co.jp/news/2018/07/13/business/mizuho-halt-atm-online-banking-services-three-day-weekend/

Short article in Japanese:
http://headlines.yahoo.co.jp/hl?a=20180714-00010006-bfj-bus_all

*Mizuho nammin*, or *Mizuho refugees*
https://twitter.com/hashtag/%E3%81%BF%E3%81%9A%E3%81%BB%E9%9B%A3%E6%B0%91?src=hash

I'm sure the risks of this are pretty obvious to readers here.  Suffice it
to say, their 24 million customers aren't happy.

------------------------------

Date: Sun, 15 Jul 2018 15:00:58 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Some food stamp recipients may soon lose access to farmers market
  benefits (WashPo)

The Washington Post

Josh Wiles, Novo Dia's founder and president, cited several reasons for the
company's shutdown. The marketplace for SNAP transactions is highly
regulated and requires extra (read: expensive) security measures beyond what
is required for credit cards or debit cards. The profits are small because
markets and individual farmers process micro-payments, often as little as a
few dollars.

The *tipping point*, though, Wiles said, was the decision by the new
administrator of the SNAP equipment program to work with electronic-payment
giant First Data, rather than Novo Dia and its Mobile Market app.

Without continuing to gain new customers and economies of scale, Wiles said,
Novo Dia could not remain financially viable: ``Once it became clear that we
were not going to be part of it, we knew we would not be able to scale in a
manner that allowed us to be profitable or even sustainable.''

https://www.washingtonpost.com/lifestyle/food/some-food-stamp-recipients-may-soon-lose-access-to-farmers-market-benefits/2018/07/09/fafb2caa-838d-11e8-8f6c-46cb43e3f306_story.html

------------------------------

Date: Tue, 17 Jul 2018 14:47:07 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Tesla Powerwall2 home battery hacking?

I'm not the only one who's noticed that the Tesla "Powerwall2" home battery
system uses the same ubiquitous "CAN bus" found in automobiles.  (Duh!  It
appears that the Powerwall2 is basically 1/4 of a standard base Tesla Model
3 battery.)  Many home battery systems utilize several Powerwall2's, and
hence approximate 1/4-3/4 of the energy storage capacity of a Tesla base
Model 3.

After a number of notorious car hacks using this same CAN bus over the past
several years, what could possibly go wrong with a Powerwall2 system --
having the equivalent of several gallons of gasoline stored within its
batteries -- in/on your home?

Furthermore, the Powerwall2 is connected to the Internet through your home
router, so that the Tesla cellphone app can talk to Tesla and hence to your
Powerwall2.

Now Tesla has apparently put in a lot of effort into securing the
communications of its *autos*, but I wonder if this same level of effort has
been invested in the security of the Powerwall2?

Unlike the Tesla automobile, which is connected only sporadically with the
Internet, your home Powerwall2 is presumably capable of being attacked 24x7.

It's also possible that a standard auto OBD-II connector could be installed
by a hacker directly on the Powerwall2 -- after all, many Powerwall2 systems
are mounted *outside the house*.  With an OBD-II and Bluetooth/Wifi, hacking
could then be done discreetly from a nearby vehicle, and would completely
bypass any security built into the Powerwall2's own wifi connection.

Click once to turn off the refrigerator; click twice to *halt and catch
fire*.

------------------------------

Date: Tue, 17 Jul 2018 12:32:19 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: China Expands Surveillance of Sewage to Police Illegal Drug Use
  (Scientific American)

https://www.scientificamerican.com/article/china-expands-surveillance-of-sewage-to-police-illegal-drug-use/

April Fools for 2019: The PRC expands surveillance to detect halitosis and BO.

------------------------------

Date: Fri, 13 Jul 2018 22:52:16 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Hunting the Con Queen of Hollywood (Hollywood Reporter)

For more than a year, some of the most powerful women in entertainment --
including Amy Pascal, Kathleen Kennedy, Stacey Snider and a 'Homeland'
director -- have been impersonated by a cunning thief who targets insiders
with promises of work, then bilks them out of thousands of dollars. The
Hollywood Reporter has obtained exclusive audio recordings of the savvy
imposter as victims come forward and a global investigation heats up. ...

For a long time, Linka Glatter thought she was alone in being faked. She
tried to contact the police and the FBI, but neither showed interest.  The
amount of money involved was too small, they told her. She hired a private
investigator, who discovered that the scammers were using burner phones to
cover their tracks and GoDaddy accounts for fake email addresses. She
contacted corporate security at a major Hollywood studio, but that didn't
help either. The calls kept coming. One day, a well-known political
consultant in Washington got in touch.

http://www.hollywoodreporter.com/features/hunting-con-queen-hollywood-1125932

------------------------------

Date: Mon, 16 Jul 2018 23:38:44 +0200
From: Benoit Goas <goasben () hawk iit edu>
Subject: Micro SD cards silently switching to read-only when they're "too old"

The 64G Patriot micro SD I had been using in my cell phone from mid 2014
just decided to turn itself into a read-only memory card.  From what I read,
it most likely reached its maximum number of uses, as it happens at least
with some Samsung cards too.  It would be to protect the card from losing
all its data, after its cells were erased "too many times" (limit number
depending on the card, and appearing to be in the order of 10-100k).  And
according to Internet forums, and card reviews on Amazon, it looks like it's
getting more and more common!

A very bad point is that there were no error messages at all.  I added music
files before a trip, but I had none of the new files available later so at
first I thought I didn't do it correctly (even if the transfer was fine, it
could for example have been to my card backup on a hard drive instead of
going to the actual card).  Then, despite the pictures still being taken
correctly by my phone (browsing was OK, able to delete the bad ones...), I
lost all of the new ones when my phone rebooted. So they were only in a
cache memory somewhere, but nowhere on the SD card (not found by deep
recovery tools either).  More fun, the older ones I deleted came back during
the same reboot...

I understand it would be bothersome to have an error message at each card
access, but at least I would have known to change the card and would not
have lost 3 days of pictures!  So beware...

------------------------------

Date: Mon, 16 Jul 2018 23:36:43 +0200
From: Benoit Goas <goasben () hawk iit edu>
Subject: Birds are making expensive roaming calls (The Register)

A new risk when tracking birds (or any other kind of stuff): someone
managed to recover the SIM card from the tracker, and used it!
More detailed story at either
https://www.theregister.co.uk/2018/07/03/stork_mobile_theft/
or
http://www.iflscience.com/plants-and-animals/migrating-stork-racks-up-2700-on-researchers-cell-phone-bill/

------------------------------

Date: Fri, 13 Jul 2018 21:42:47 -0400
From: Monty Solomon <monty () roscom com>
Subject: Robo-calls are getting worse.  And some big businesses soon could
  start calling you even more. (WashPo)

Robocalls ravaged Americans' smartphones in record numbers last month.  But
some of the nation's top businesses are still urging the Trump
administration to make it easier for them to dial and text mobile devices en
masse.

http://www.washingtonpost.com/technology/2018/07/12/robocalls-are-getting-worse-some-big-businesses-soon-could-start-calling-you-even-more/

------------------------------

Date: Fri, 13 Jul 2018 09:33:15 +0800
From: Richard M Stein <rmstein () ieee org>
Subject: Smart Mouthguard Senses Muscle Fatigue (Scientific American)

http://www.scientificamerican.com/podcast/episode/smart-mouthguard-senses-muscle-fatigue/

  "The mouth guard's batteries are rechargeable wirelessly, and the device
  can use low-power Bluetooth to send information to smartphones, watches
  and other electronic devices."

Athlete bio-surveillance provides clues about peak performance and
degradation under physical stress. This telemetry stream, if clear text
and not subject to privacy management protection, can be exploited by
gaming interests.

------------------------------

Date: Fri, 13 Jul 2018 12:14:57 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Risks on a Friday the 13th ...

Happy Friday the 13th to all you professional paranoiacs out there.

I have previously mentioned some of the risks involved in living here.
http://community.isc2.org/t5/Career/Risk-and-cost-benefit/m-p/12101

In addition, the Lion's Gate Bridge is closed today, due to a "police
incident."  (That probably means a jumper.)  This also means that the
Ironworker's Memorial Second Narrows Bridge (and for risk fans I can
recommend "Tragedy at Second Narrows," by Eric Jamieson) is completely
clogged in both directions, while the Seabus has at least a two, and
possibly as high as four, sailing wait.

But that isn't the risk I wanted to talk about today.

We have bears here.

(When I was a young lad at university, back before there was an Internet, my
residence had a fellow from Cambridge whose family, back in The Olde
Country, were terrified that he would be eaten by a bear.  So, whenever
there were reports of bears in the north side communities, we helpfully cut
out the stories for him to send back to his family.)

Black bears are fairly cute, and not as vicious as grizzlies.  But it is not
a good idea to feed them.  It's dangerous for people, and it's dangerous for
the bears, too.  (They get acclimated, and come to regard people as sources
of food, and then there is trouble, and often the bears get shot.)  So there
are laws, here, prohibiting people from feeding bears.

Some people do it anyway.

http://vancouversun.com/news/local-news/dont-feed-the-bears-north-shore-residents-under-investigation-for-feeding-bears-from-house
or
http://is.gd/mq6okV

Now, if you are going to break the law, it might be a good idea not to post
videos of you doing so on your social media account ...

------------------------------

From: Benoit Goas <goasben () hawk iit edu>
Date: Mon, 16 Jul 2018 23:36:09 +0200
Subject: We're not allowed to die anymore (NYTimes)

We still get some crazy cases with digitized processes: PayPal Apologizes
for Letter Demanding Payment From Woman Who Died of Cancer:
https://www.nytimes.com/2018/07/11/business/paypal-dead-wife-husband-letter-nyt.html

So many corner/special cases to think about!

In the same kind of problems, a(n old) friend of mine died recently, and
Facebook wants me to organize an event for his birthday later this month.
But at least, despite the posts by his family on his page, I guess Facebook
doesn't know he's dead. Not like PayPal!

------------------------------

Date: July 15, 2018 at 6:27:54 AM GMT+9
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: 'Data is a fingerprint': why you aren't as anonymous as you think
  online (Olivia Stein)

Olivia Solon, *The Guardian*, 13 Jul 2018
So-called *anonymous* data can be easily used to identify everything from
our medical records to purchase histories

http://www.theguardian.com/world/2018/jul/13/anonymous-browsing-data-medical-records-identity-privacy

In August 2016, the Australian government released an `anonymised' data set
comprising the medical billing records, including every prescription and
surgery, of 2.9 million people.

Names and other identifying features were removed from the records in an
effort to protect individuals' privacy, but a research team from the
University of Melbourne soon discovered that it was simple to re-identify
people, and learn about their entire medical history without their consent,
by comparing the dataset to other publicly available information, such as
reports of celebrities having babies or athletes having surgeries.

The government pulled the data from its website, but not before it had been
downloaded 1,500 times.

This privacy nightmare is one of many examples of seemingly innocuous,
de-identified pieces of information being reverse-engineered to expose
people's identities. And it's only getting worse as people spend more of
their lives online, sprinkling digital breadcrumbs that can be traced back
to them to violate their privacy in ways they never expected.

Nameless New York taxi logs were compared with paparazzi shots at locations
around the city to reveal that Bradley Cooper and Jessica Alba were bad
tippers. In 2017 German researchers were able to identify people based on
their `anonymous' web browsing patterns. This week University College London
researchers showed how they could identify an individual Twitter user based
on the metadata associated with their tweets, while the fitness tracking app
Polar revealed the homes and in some cases names of soldiers and spies.

``It's convenient to pretend it's hard to re-identify people, but it's
easy. The kinds of things we did are the kinds of things that any first-year
data science student could do,'' said Vanessa Teague, one of the University
of Melbourne researchers to reveal the flaws in the open health data.

One of the earliest examples of this type of privacy violation occurred in
1996 when the Massachusetts Group Insurance Commission released `anonymised'
data showing the hospital visits of state employees. As with the Australian
data, the state removed obvious identifiers like name, address and social
security number. Then the governor, William Weld, assured the public that
patients' privacy was protected.

Latanya Sweeney, a computer science grad who later became the chief
technology officer at the Federal Trade Commission, showed how wrong Weld
was by finding his medical records in the data set. Sweeney used Weld's zip
code and birth date, taken from voter rolls, and the knowledge that he had
visited the hospital on a particular day after collapsing during a public
ceremony, to track him down. She sent his medical records to his office.

In later work, Sweeney showed that 87% of the population of the United
States could be uniquely identified by their date of birth, gender and
five-digit zip codes.  ``The point is that data that may look anonymous is
not necessarily anonymous,'' she said in testimony to a Department of
Homeland Security privacy committee.

More recently, Yves-Alexandre de Montjoye, a computational privacy
researcher, showed how the vast majority of the population can be identified
from the behavioural patterns revealed by location data from mobile
phones. By analysing a mobile phone database of the approximate locations
(based on the nearest cell tower) of 1.5 million people over 15 months (with
no other identifying information) it was possible to uniquely identify 95%
of the people with just four data points of places and times. About 50%
could be identified from just two points.

The four points could come from information that is publicly available,
including a person's home address, work address and geo-tagged Twitter
posts.
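
The linkage and uniqueness measurements the article describes (Sweeney's
date-of-birth/gender/ZIP quasi-identifiers, and the Weld voter-roll match)
can be run as a pre-release risk check.  The following is an added example,
not code from the article, the researchers, or the digest; every record,
name and diagnosis code in it is constructed, and the field names and the
functions (qi_key, k_anonymity, unique_fraction, link, release) are this
example's own.  It measures k-anonymity and the unique-record fraction of a
"de-identified" table, shows which records a public table with the same
quasi-identifiers would re-identify, and then generalises and suppresses
until no such link remains.

```python
"""Re-identification risk check over quasi-identifiers (added example; data is constructed)."""
from collections import defaultdict

# Quasi-identifiers: the fields Sweeney showed are enough to single out most people.
QUASI = ("dob", "sex", "zip")

# Constructed "de-identified" hospital records: names removed, quasi-identifiers kept.
MEDICAL = [
    {"dob": "1945-07-31", "sex": "M", "zip": "02138", "diagnosis": "dx01"},
    {"dob": "1945-07-31", "sex": "M", "zip": "02139", "diagnosis": "dx02"},
    {"dob": "1982-03-14", "sex": "F", "zip": "02138", "diagnosis": "dx03"},
    {"dob": "1982-03-14", "sex": "F", "zip": "02138", "diagnosis": "dx04"},
    {"dob": "1990-11-02", "sex": "M", "zip": "02139", "diagnosis": "dx05"},
    {"dob": "1990-11-02", "sex": "M", "zip": "02139", "diagnosis": "dx06"},
    {"dob": "1990-11-02", "sex": "M", "zip": "02139", "diagnosis": "dx07"},
    {"dob": "1990-11-20", "sex": "F", "zip": "02144", "diagnosis": "dx08"},
]

# Constructed public "voter roll": names plus the same quasi-identifiers.
VOTERS = [
    {"name": "Voter A", "dob": "1945-07-31", "sex": "M", "zip": "02138"},
    {"name": "Voter B", "dob": "1982-03-14", "sex": "F", "zip": "02138"},
    {"name": "Voter C", "dob": "1982-03-14", "sex": "F", "zip": "02138"},
    {"name": "Voter D", "dob": "1945-07-31", "sex": "M", "zip": "02139"},
    {"name": "Voter E", "dob": "1945-07-31", "sex": "M", "zip": "02139"},
    {"name": "Voter F", "dob": "1990-11-20", "sex": "F", "zip": "02144"},
]


def generalize_coarse(field, value):
    """Coarsen a quasi-identifier: birth year only, 3-digit ZIP prefix, sex unchanged.
    Idempotent, so it can safely be applied again to already-released records."""
    if field == "dob":
        return value[:4]
    if field == "zip":
        return value[:3]
    return value


def qi_key(record, quasi=QUASI, generalize=None):
    """The tuple of quasi-identifier values that a linkage would match on."""
    return tuple(generalize(q, record[q]) if generalize else record[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI, generalize=None):
    """Group records that are indistinguishable on their quasi-identifiers."""
    classes = defaultdict(list)
    for r in records:
        classes[qi_key(r, quasi, generalize)].append(r)
    return classes


def k_anonymity(records, quasi=QUASI, generalize=None):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    return min(len(c) for c in equivalence_classes(records, quasi, generalize).values())


def unique_fraction(records, quasi=QUASI, generalize=None):
    """Share of records that are alone in their class (Sweeney's 87% is this figure)."""
    classes = equivalence_classes(records, quasi, generalize)
    return sum(1 for c in classes.values() if len(c) == 1) / len(records)


def link(anon, public, quasi=QUASI, generalize=None):
    """Linkage as a risk check: an anonymised record counts as re-identified when
    it is unique in its class AND exactly one public record shares that class."""
    names = defaultdict(set)
    for p in public:
        names[qi_key(p, quasi, generalize)].add(p["name"])
    hits = []
    for key, recs in equivalence_classes(anon, quasi, generalize).items():
        if len(recs) == 1 and len(names.get(key, ())) == 1:
            hits.append((next(iter(names[key])), recs[0]))
    return hits


def release(records, k, generalize=None, quasi=QUASI):
    """Prepare a k-anonymous release: generalise, then suppress classes smaller than k."""
    out = []
    for key, recs in equivalence_classes(records, quasi, generalize).items():
        if len(recs) < k:
            continue  # suppress: too few people share these values to hide among
        out.extend({**r, **dict(zip(quasi, key))} for r in recs)
    return out


if __name__ == "__main__":
    print("raw: k =", k_anonymity(MEDICAL), "unique =", unique_fraction(MEDICAL))
    print("raw linkage:", [(n, r["diagnosis"]) for n, r in link(MEDICAL, VOTERS)])
    safe = release(MEDICAL, 2, generalize_coarse)
    print("released: k =", k_anonymity(safe), "records =", len(safe))
    print("released linkage:", link(safe, VOTERS, generalize=generalize_coarse))
```

On the constructed data the raw table is only 1-anonymous and two of its
eight records link to a single voter each; coarsening to birth year and
3-digit ZIP still leaves one record unique (and still linkable), which is
why the release step suppresses classes below k rather than relying on
generalisation alone.  The same uniqueness count, applied to (place, hour)
points instead of (dob, sex, zip), is what the de Montjoye location result
measures.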

------------------------------

Date: Sat, 14 Jul 2018 19:18:10 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Re: FACEPTION (Goldberg, RISKS-30.75)

Oi.

Creepy social engineering is one thing.
https://community.isc2.org/t5/Industry-News/quot-The-Spnner-quot-Creepy-social-engineering-fraud-or-prank/m-p/12364 or 
https://is.gd/j5MNCT

Basing law enforcement, physical security, investigations, and job
interviews on highly questionable premises is quite another.

Faception claims to be able to "reveal personality from facial images" and
"dramatically improve public safety, communications, decision-making, and
experiences."  How?  Well, after some buzzword filled marketing jargon about
"first-to-technology and first-to-market with proprietary computer vision
and machine learning technology" and mention of the magic word "biometrics,"
if you persist you may be able to find the theory behind the technology.  It
seems to boil down to the following logic:

1) DNA can determine (certain) personality traits (sometimes to a significant
   extent).  (This is true, with the provisos I've put in parentheses.)
2) DNA can determine how you look.

THEREFORE:

Your personality is determined by how you look.

(Finding the flaws in this argument is left as an exercise for students of
logic.)

I am inescapably reminded of the "bomb detectors" sold to Afghani and Iraqi
security forces that had no detection capabilities at all, and caused large
numbers of deaths.  That's on the false negative side.  The potential damage
caused on the false positive side are likely considerably greater ...

Of course, there's always:

Date: Sat, 14 Jul 2018 08:46:31 -0700
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Regulation of facial-recognition software? (WashPo)

------------------------------

Date: Sun, 15 Jul 2018 09:02:32 -0500
From: Dmitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Employees as subjects in clinical trials (Fenichel, RISKS-30.75)

Last I heard El Al ground crews still fly the plane they serviced (always
have), and they still are fully at liberty to seek gainful employment
elsewhere.  I'm not quite sure what makes med AI coders so different --
though in all fairness I would draw the line at family members. I think El
Al does.

------------------------------

Date: Tue, 17 Jul 2018 00:44:04 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Video: Gavin Williamson hilariously interrupted by Siri
 during statement to Parliament (RISKS-30.75)

It seems that what had triggered Siri was the mention of "*a Syri*an
democratic force".  Conclusion: Don't bring Siri to a discussion about
Syria...

(And also be careful when talking about "*a Lexus*" or "*a court ana*lyzer")

------------------------------

Date: Thu, 19 Jul 2018 9:55:35 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Sami Saydjari: Engineering Trustworthy Systems

Here's a book that might be of interest to RISKS readers who are serious
about developing systems that must be much more trustworthy.  It is quite
comprehensive, addressing many problems that have been discussed in RISKS.
It may not be a complete answer on how to fully turn the attainment of
trustworthy systems into a true engineering discipline, but it should be
very helpful to anyone pursuing the creation of such a discipline -- which
today does not seem to exist.

  O. Sami Saydjari
  Engineering Trustworthy Systems:
    Get Cybersecurity Design Right the First Time
  McGraw-Hill Education, 2018
  xlvii+540, $60.00
  ISBN 978-1-260-11817-9

Sami has extensive background (NSA, DARPA), and has managed to squeeze a lot
of it into the book.

http://www.engineeringtrustworthysystems.com

The endorsements on the back cover and front-end material are copious, so I
am not going to even begin to cite some of them here.  They are available at
https://samisaydjari.com/reviews-1/ .

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks have done to URLs.  I have
  tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.76
************************

