RISKS Forum mailing list archives

Risks Digest 31.30


From: RISKS List Owner <risko () csl sri com>
Date: Fri, 21 Jun 2019 13:54:55 PDT

RISKS-LIST: Risks-Forum Digest  Friday 21 June 2019  Volume 31 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.30>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Pilots fret over fire safety of Dreamliner planes, also used by El AL
  (The Times of Israel)
Top AI researchers race to detect deepfake videos: ``We are outgunned.''
  (Drew Harwell)
Zuckerfake (Vice)
Hackers behind dangerous oil and gas intrusions are probing US power grid
  (Ars Technica)
Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters (NYTimes)
Auto-renting bugs (Amos Shapir)
Google: Our way or the Huawei! (Henry Baker)
Android/iPhone fun -- security, risks...(ToI and UK Mirror)
New security warning issued for Google's 1.5B Gmail/Calendar Users (Forbes)
How spammers use Google services (Kaspersky)
This 'most dangerous' hacking group is now probing power grids
  (Steve Ranger)
Masters ticket lottery scheme involved identity theft, millions of emails
  (WashPost)
Facial Recognition: How Emotion Reading Software Will Change Driving
  (Fortune)
DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets
  (Bloomberg)
Your Cadillac Can Now Drive Itself More Places (WiReD)
Four Ways to Avoid Facial Recognition Online and in Public (Gabe Goldberg)
Breaking ground, IBM Haifa team holds live robot debate fed by crowd
  arguments (The Times of Israel)
Apple spent $10,000 repairing his MacBook Pro.  There was nothing wrong
  with it. (ZDNet)
Autonomous vehicles don't need provisions and protocols? (Rob Slade)
Info stealing Android apps can grab one time passwords to evade 2FA
  protections (ZDNet)
Facebook Plans Global Financial System Based on Cryptocurrency (NYTimes)
Libra (Rob Slade)
Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
  (Ars Technica)
Mudslide warning system depends on proper boundary file (Dan Jacobson)
Mom used phone tracking app after daughter missed curfew, found her
  pinned under car 7 hours later (FoxNews)
In Stores, Secret Surveillance Tracks Your Every Move (NYTimes)
Was your flight delay due to an IT outage?  What a new report on
  airline IT tells us. (ZDNet)
Patients frustrated over computer system outage at Abrazo Health Hospitals
  (AZFamily)
Power outage at Greensboro apartments has unintended consequence,
  reveals alleged Medicaid scheme (Monty Solomon)
Is Target still down? Chain says registers working now after outage.
  (USA Today)
Instagram Outage Follows Disruption To PlayStation Network (Deadline)
The PlayStation Network Is Back Up. Here's the Latest on the PSN Outage
  (Digital Trends)
In the Wiggle of an Ear, a Surprising Insight into Bat Sonar
  (Scientific American)
'RAMBleed' Rowhammer attack can now steal data, not just alter it (ZDNet)
Ransomware halts production for days at major airplane parts manufacturer
  (Catalin Cimpanu)
Study finds that a GPS outage would cost $1 billion per day (Ars Technica)
Re: GPS Degraded Across Much of U.S (jared gottlieb)
Did I Tweet that? (Rob Slade)
Bull and backdoors (Rob Slade)
Ross Anderson's non-visa (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 17 Jun 2019 15:21:16 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Pilots fret over fire safety of Dreamliner planes, also used by
  El AL (The Times of Israel)

Airline pilots have expressed concern over the safety of the Boeing 787
Dreamliner aircraft after an engine firefighting system was found to be
faulty. ...

However, the Federal Aviation Administration (FAA) is not grounding 787s
even though it says the switch presents a `risk to the flying public'.  ...

``If there was an engine fire on a transatlantic flight and the aircraft had
one of the defective fire switches, then we would have to fly with a burning
wing for up to three hours before we could safely land,'' a British airline
pilot, who was not identified, told the Observer. ...

The US aircraft manufacturing giant said less than 1 percent of the switches
have failed and that it is assisting airlines in dealing with the issue. ...

``Engine fires are a very unlikely event and there have been no observed
engine fires in the 787 fleet history,'' the spokesperson said.

https://www.timesofisrael.com/pilots-fear-for-fire-safety-of-dreamliner-planes-also-used-by-el-al-report/

Oh, OK then.

------------------------------

Date: June 14, 2019 at 4:09:14 AM GMT+9
From: Richard Forno <rforno () infowarrior org>
Subject: Top AI researchers race to detect deepfake videos: ``We are outgunned.''
  (Drew Harwell)

Drew Harwell, WashPost, 12 Jun 2019
https://www.washingtonpost.com/technology/2019/06/12/top-ai-researchers-race-detect-deepfake-videos-we-are-outgunned/

Top artificial-intelligence researchers across the country are racing to
defuse an extraordinary political weapon: computer-generated fake videos
that could undermine candidates and mislead voters during the 2020
presidential campaign.

And they have a message: We're not ready.

The researchers have designed automatic systems that can analyze videos for
the telltale indicators of a fake, assessing light, shadows, blinking
patterns -- and, in one potentially groundbreaking method, even how a
candidate's real-world facial movements -- such as the angle
they tilt their head when they smile -- relate to one another.

But for all that progress, the researchers say they remain vastly
overwhelmed by a technology they fear could herald a damaging new wave of
disinformation campaigns, much in the same way fake news stories and
deceptive Facebook groups were deployed to influence public opinion during
the 2016 election.

Powerful new AI software has effectively democratized the creation of
convincing deepfake videos, making it easier than ever to fabricate someone
appearing to say or do something they didn't really do, from harmless
satires and film tweaks to targeted harassment and deepfake porn.

And researchers fear it's only a matter of time before the videos
are deployed for maximum damage -- to sow confusion, fuel doubt or undermine
an opponent, potentially on the eve of a White House vote.

------------------------------

From: the keyboard of geoff goodfellow <geoff () iconia com>
Date: Thu, 13 Jun 2019 03:52:31 -0700
Subject: Zuckerfake (Vice)

*A fake video of Mark Zuckerberg giving a sinister speech about the power
of Facebook has been posted to Instagram. The company previously said it
would not remove this type of video.*

EXCERPT:

Two artists and an advertising company created a deepfake of Facebook
founder Mark Zuckerberg saying things he never said, and uploaded it to
Instagram.

The video, created by artists Bill Posters and Daniel Howe in partnership
with advertising company Canny, shows Mark Zuckerberg sitting at a desk,
seemingly giving a sinister speech about Facebook's power. The video is
framed with broadcast chyrons that say ``We're increasing transparency on
ads," to make it look like it's part of a news segment...

https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy

------------------------------

Date: Sun, 16 Jun 2019 01:02:20 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hackers behind dangerous oil and gas intrusions are probing US power grid
  (Ars Technica)

https://arstechnica.com/information-technology/2019/06/hackers-behind-dangerous-oil-and-gas-intrusions-are-probing-us-power-grids/

------------------------------

Date: Sun, 16 Jun 2019 00:30:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters
  (NYTimes)

https://www.nytimes.com/2019/06/13/world/asia/hong-kong-telegram-protests.html

An attack against the messaging app Telegram and the arrest of a user show how
the Hong Kong clash is unfolding digitally, with growing sophistication on both
sides.

------------------------------

Date: Fri, 14 Jun 2019 09:10:22 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Auto-renting bugs

The city of Tel Aviv operates an in-city car renting service named Autotel
<www.autotel.co.il> controlled by a smartphone application.  Users download
the application and register a credit card; then they can locate a car
nearby and reserve it for up to 15 minutes.  When reaching the car, the
application is used to unlock the car (the keys are inside); and then to
lock it at the end of the trip.

The following tweet by a poster identified as "Nur Lan" has been making
the rounds lately (my translation): "I reserved a car in the application,
and after a long walk discovered that the car is not parked where it was
supposed to be on the map.  While looking around, I noticed that the
application indicates that the car is in motion for the past few minutes.
So I pressed 'end trip'; a minute later I got a call from Autotel: 'We do
not know how it had happened, but someone else took the car on your
reservation, and now he called in to complain that the engine had turned
off in the middle of the trip.'"

The tweet continues "There are two reasons this is a case of glorious
misconduct: The first bug, which enables one user to collect another user's
reservation, is mainly stupid.  The second bug, which enables shutting down
the engine remotely, is negligence which might be lethal.  There should be
no way to shut down an engine remotely, certainly not by a user's
application".

"I received a compensation of 20 shekels [about $5.50] for the taxi trip. I
hope that the other driver's compensation had made his near-death
experience more profitable".

There were reports lately of similar occurrences being possible on some
smart car models, but these at least required hacking the car's system
first!
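
The two bugs in the tweet are both missing authorization checks on a user
command, so the fix is a design point rather than a patch. The following is an
added illustration, not Autotel's code: a hypothetical reservation back-end in
which every unlock is bound to the live reservation holder (so a second user
cannot collect someone else's reservation) and "end trip" is accepted only from
the current driver, only while the car is stationary, and only ever locks the
doors. The 15-minute window comes from the text; the class and function names,
user ids and timestamps are constructed for the example.

```python
"""Reservation-bound car commands (added illustration, not Autotel's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

RESERVATION_WINDOW = timedelta(minutes=15)   # reservation lifetime from the text


class CommandDenied(Exception):
    """Raised when a user command fails its authorization check."""


@dataclass
class Vehicle:
    vehicle_id: str
    moving: bool = False                   # telemetry: car in motion
    locked: bool = True
    reserved_by: Optional[str] = None      # holder of the active reservation
    reserved_at: Optional[datetime] = None
    trip_by: Optional[str] = None          # current driver, None when idle


class Fleet:
    def __init__(self) -> None:
        self.vehicles: Dict[str, Vehicle] = {}

    def _reservation_valid(self, v: Vehicle, user: str, now: datetime) -> bool:
        return (v.reserved_by == user and v.reserved_at is not None
                and now - v.reserved_at < RESERVATION_WINDOW)

    def reserve(self, user: str, vehicle_id: str, now: datetime) -> None:
        v = self.vehicles[vehicle_id]
        if v.trip_by is not None:
            raise CommandDenied("vehicle is on a trip")
        if v.reserved_by not in (None, user) and self._reservation_valid(v, v.reserved_by, now):
            raise CommandDenied("vehicle reserved by another user")
        v.reserved_by, v.reserved_at = user, now

    def unlock(self, user: str, vehicle_id: str, now: datetime) -> None:
        # Bug 1 guard: unlocking is bound to the live reservation holder,
        # so nobody else can collect this user's reservation.
        v = self.vehicles[vehicle_id]
        if not self._reservation_valid(v, user, now):
            raise CommandDenied("no valid reservation for this user")
        v.locked = False
        v.trip_by = user
        v.reserved_by = v.reserved_at = None

    def end_trip(self, user: str, vehicle_id: str) -> None:
        # Bug 2 guard: only the current driver may end the trip, only when the
        # car is stationary, and ending a trip only locks the doors. The
        # user-facing interface has no engine-kill command at all.
        v = self.vehicles[vehicle_id]
        if v.trip_by != user:
            raise CommandDenied("user is not the current driver")
        if v.moving:
            raise CommandDenied("vehicle is moving; stop before ending the trip")
        v.locked = True
        v.trip_by = None


def replay_tweet_scenario() -> Dict[str, str]:
    """Replay the tweet's sequence of events against the guarded back-end."""
    t0 = datetime(2019, 6, 14, 9, 0)     # constructed timestamp
    fleet = Fleet()
    fleet.vehicles["car-1"] = Vehicle("car-1")
    out: Dict[str, str] = {}

    fleet.reserve("nur", "car-1", t0)
    try:                                   # someone else tries to take the car
        fleet.unlock("stranger", "car-1", t0 + timedelta(minutes=2))
        out["stranger_unlock"] = "allowed"
    except CommandDenied as exc:
        out["stranger_unlock"] = str(exc)

    fleet.unlock("nur", "car-1", t0 + timedelta(minutes=5))
    fleet.vehicles["car-1"].moving = True
    try:                                   # "end trip" pressed while the car moves
        fleet.end_trip("nur", "car-1")
        out["end_while_moving"] = "allowed"
    except CommandDenied as exc:
        out["end_while_moving"] = str(exc)

    fleet.vehicles["car-1"].moving = False
    fleet.end_trip("nur", "car-1")
    out["end_when_stopped"] = "locked" if fleet.vehicles["car-1"].locked else "unlocked"
    return out


def expired_reservation_blocks_unlock() -> bool:
    """A reservation older than RESERVATION_WINDOW no longer authorizes an unlock."""
    t0 = datetime(2019, 6, 14, 9, 0)
    fleet = Fleet()
    fleet.vehicles["car-2"] = Vehicle("car-2")
    fleet.reserve("first", "car-2", t0)
    fleet.reserve("second", "car-2", t0 + timedelta(minutes=16))  # first's slot lapsed
    try:
        fleet.unlock("first", "car-2", t0 + timedelta(minutes=17))
    except CommandDenied:
        return True
    return False


if __name__ == "__main__":
    for step, result in replay_tweet_scenario().items():
        print(f"{step}: {result}")
    print("expired reservation blocked:", expired_reservation_blocks_unlock())
```

The point of keeping `moving` as a server-side check rather than trusting the
app is that the only command the app can issue is "lock the doors", and even
that is refused while telemetry says the car is in motion; there is simply no
path from a phone to the engine.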

------------------------------

Date: Wed, 12 Jun 2019 08:27:56 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Google: Our way or the Huawei!

``Google's recent discussions with the US government actually argue that the
Huawei ban is bad for national security.  Google is reportedly asking for an
exemption from the export ban.''

I asked Google Translate what to make of this Googledegook, and
she provided several possibilities:

``Nice little Android monopoly you have there, Google; it would be a
shame if anything happened to it.''

``NSA on Huawei's new OS plans: we're forked!''

https://arstechnica.com/gadgets/2019/06/report-google-argues-the-huawei-ban-would-hurt-its-android-monopoly/

Keep your friends close, and your enemies closer --
Report: Google argues the Huawei ban would hurt its Android monopoly
Export ban would create a competitor to US operating systems, argues Google.

Ron Amadeo - Jun 7, 2019 8:15 pm UTC

The Trump administration would probably describe its Huawei export ban as a
move that improves national security by keeping China's pet telecom company
out of the US market.  According to a report from The Financial Times,
Google's recent discussions with the US government actually argue that the
Huawei ban is bad for national security.  Google is reportedly asking for an
exemption from the export ban.

The argument, reportedly, is that Huawei is currently dependent on Google
for its Android smartphone software, and that dependence is a good thing for
the US.  The Financial Times quotes "one person with knowledge of the
conversations" as saying, "Google has been arguing that by stopping it from
dealing with Huawei, the US risks creating two kinds of Android operating
system: the genuine version and a hybrid one.  The hybrid one is likely to
have more bugs in it than the Google one, and so could put Huawei phones
more at risk of being hacked, not least by China."

Today, non-Google Play versions of Android exist in China, but it's rare
that any of them are significantly different from a Google version of
Android beyond the pre-loaded app selection.  Chinese manufacturers are
still global smartphone distributors, so they all build Google-approved
Android OSes for the non-Chinese market.  What usually happens is that a
single OS goes through the Google testing process, then it gets split into
two versions.  Internationally, it gets the Google Apps; in China, it gets a
China-centric app selection.

So while these Chinese Android OSes are still technically Android forks,
because they don't ship with Google Play, they are not that different from
Google-approved Android.  Google's control over the Android ecosystem --
even when devices don't use the Google apps -- means there is still some
level of security and updatability going into these devices.  Google's first
argument in that Financial Times report is that more secure devices are
better for national security.

The second argument in the above quote is that a ban would `create two kinds
of Android' and hurt Google's monopoly over Android.  If you're a smartphone
manufacturer looking for a smartphone OS, Android is the only game in town.
The latest worldwide OS market share numbers from the IDC show an 86.6/13.3
percent share between Android and iOS, respectively, with "Other" clocking
in at 0.0 percent market share.  Taken as a whole, the US has a smartphone
OS monopoly.

For companies that aren't Apple, it's Android or nothing, and Google
controls Android, both the direction of the OS itself and the OS's app
ecosystem.  Weaning Huawei off its Google dependence would
theoretically lead the company to create some kind of viable,
China-powered, China-controlled Android operating system that would
then be distributed to the rest of the world.  Android is open source,
so there's nothing stopping anyone from doing this now, but part of
Google's control strategy is to create tools and updates that are so
good that no one wants to compete with them.  Cutting Huawei off from
those updates would force that company to create a competitor.

Banning Huawei from dealing with US companies is definitely a
double-edged sword.  Huawei would have a tough time building
smartphones or an app ecosystem without the help of US-originated
technology and app developers, but US hardware and software companies
would lose access to the second largest smartphone maker in the world.

Really, the two outcomes here, if the export ban holds up, are that
either (1) Huawei can't handle the export ban and shuts down, like ZTE
did, or (2) Huawei weathers the storm and rises as a rebuilt, fully US
independent smartphone company.  Google's argument is basically along
the lines of that old saying, ``Keep your friends close and your
enemies closer.''

Ron Amadeo

Ron is the Reviews Editor at Ars Technica, where he specializes in
Android OS and Google products.  He is always on the hunt for a new
gadget and loves to rip things apart to see how they work.

Email ron () arstechnica com // Twitter @RonAmadeo

https://www.pocket-lint.com/phones/news/huawei/148345-huawei-hongmeng-os-faster-than-android-oppo-vivo

Huawei's alternative OS said to be faster than Android, attracting the
attention of other vendors

Chris Hall | 12 June 2019

------------------------------

Date: Mon, 17 Jun 2019 17:10:53 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Android/iPhone fun -- security, risks...(ToI and UK Mirror)

Israeli tech company says it can break into all iPhones ever made, some
Androids | The Times of Israel

https://www.timesofisrael.com/israeli-tech-company-says-it-can-break-into-all-iphones-ever-made-some-androids/

Android warning: Dangerous malware discovered pre-installed on THESE
smartphones

https://www.mirror.co.uk/tech/dangerous-malware-discovered-pre-installed-16529887

------------------------------

Date: Sat, 15 Jun 2019 20:21:17 -0400
From: Monty Solomon <monty () roscom com>
Subject: New security warning issued for Google's 1.5B Gmail/Calendar Users
  (Forbes)

Google's Gmail email service is used by upwards of 1.5 billion
people. The Google Calendar app, meanwhile, has been downloaded more
than a billion times from the Play Store. Security researchers have
this week warned that threat actors are exploiting the popularity of
both in order to target users with a credential-stealing attack.
Here's what you need to know.

https://www.forbes.com/sites/daveywinder/2019/06/11/new-security-warning-issued-for-googles-1-5-billion-gmail-and-calendar-users/%233d17ba95565e

------------------------------

Date: Sat, 15 Jun 2019 20:22:08 -0400
From: Monty Solomon <monty () roscom com>
Subject: How spammers use Google services (Kaspersky)

Kaspersky, 10 Jun 2019

As you know, Google is not just a search tool, but multiple services used by
billions of people every day: Gmail, Calendar, Google Drive, Google Photos,
Google Translate, the list goes on. And they are all integrated with each
other. Calendar is linked to Gmail, Gmail to Google Drive, Google Drive to
Google Photos, and so on.

It's all very handy -- register once and away you go. And there's no need to
mess around moving files and data between services; Google does everything
for you. The downside is that online fraudsters have learned to exploit the
convenience of Google services to send spam or worse.

https://usa.kaspersky.com/blog/spam-through-google-services/17799/

------------------------------

Date: Tue, 18 Jun 2019 11:11:01 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: "This 'most dangerous' hacking group is now probing power grids"
  (Steve Ranger)

Steve Ranger, Cyberwar and the Future of Cybersecurity, 14 Jun 2019

https://www.zdnet.com/article/this-most-dangerous-hacking-group-is-now-probing-power-grids/
This 'most dangerous' hacking group is now probing power grids
Hackers that tried to interfere with the safety systems of an industrial plant
are now looking at power utilities too.

opening text:

A hacking group described as the 'most dangerous threat' to industrial
systems has taken a close interest in power grids in the US and elsewhere,
according to a security company.

------------------------------

Date: Tue, 18 Jun 2019 16:02:55 -0400
From: Monty Solomon <monty () roscom com>
Subject: Masters ticket lottery scheme involved identity theft, millions of
  emails (WashPost)

https://www.washingtonpost.com/sports/2019/06/18/texas-family-gamed-masters-ticket-lottery-using-identity-theft-millions-emails/

------------------------------

Date: Wed, 12 Jun 2019 15:10:49 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Facial Recognition: How Emotion Reading Software Will Change Driving
  (Fortune)

This will mean that automakers may come to build vehicles that may adjust
comfort factors like heat, lighting, and entertainment based on visual cues
from their individual occupants -- features that could be especially
appealing as more autonomous cars hit the roads.

``It's really important technology not only have IQ, but lots of EQ too,''
said el Kaliouby, speaking on Tuesday morning at Fortune's CEO Initiative in
New York.

She added that building empathy into machines is especially important given
that humans use words for only 7% of their communications. The other 93%, el
Kaliouby says, consists of vocal intonations, expression, and body language.

http://fortune.com/2019/06/11/facial-recognition-cars/

Car tweaking entertainment, heat, lighting (?!) is about as appealing as a
visit from one of the bad Terminators.

------------------------------

Date: Thu, 13 Jun 2019 03:51:26 -0700
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets
  (Bloomberg)

*The king of quadcopters is betting on a build-your-own set to get
students excited about robotics.*

EXCERPT:

DJI, the world's largest drone maker, has come down to Earth.

On June 11, the company most closely associated with quadcopters plans to
unveil a toaster-size robotic tank called the RoboMaster S1. Made of
plastic and metal, it has four wheels, a rectangular base, and a gun turret
that can swivel and fire lasers or tiny plastic pellets. Unlike DJI's
flying drones, which do everything from taking pretty pictures to
fertilizing fields, the RoboMaster is part teaching tool and part battle
bot. The odd contraption ships as a kit that people must assemble, learning
about robotics and software along the way.

``By doing the assembly process, you get to understand what each part is
used for and what the principles are behind it,'' says Shuo Yang, one of the
lead engineers. ``We want it to look like an interesting toy that then
teaches basic programming and mechanical knowledge.''  Once built, the
RoboMaster S1 can be used to blast away at other S1s during some good,
old-fashioned at-home family combat...

https://www.bloomberg.com/news/articles/2019-06-12/dji-s-robomaster-s1-drone-tank-fires-lasers-and-pellets

------------------------------

Date: Mon, 17 Jun 2019 23:05:42 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Your Cadillac Can Now Drive Itself More Places (WiReD)

Cadillac Super Cruise, the luxury automaker's hands-off driver assistance
system, will by the end of the year work on more than 200,000 miles of
highway in the US and Canada, 35 percent more territory than it covered when
it launched in 2017. The bulk of the new miles come from divided highways --
the sort of road where Tesla's Autopilot system has suffered two
high-profile deadly crashes, and where Cadillac's engineers are confident
their system can do better.

Super Cruise drivers -- the system is available only on the CT6 sedan, and
is moving to the CT5 sedan next year -- have to trek to their dealer to get
the software upgrade to take advantage of the newly added parts of the
map. The process is free, and takes about an hour. After that, Cadillac will
send out the updated maps via over-the-air software updates starting this
summer and into the fall.

https://www.wired.com/story/your-cadillac-can-now-drive-itself-more-places/

Yum -- tasty updates over-the-air. What could go wrong?

------------------------------

Date: Tue, 11 Jun 2019 16:06:51 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Four Ways to Avoid Facial Recognition Online and in Public

1. Disabling Facial Recognition on Facebook

2. Use FaceShield When Uploading Photos

3. Use Hair and Makeup to Fool Facial Recognition

4. Use Clothing to Distract Facial Recognition

https://www.makeuseof.com/tag/avoid-facial-recognition/

Pretty funny. Wait, not entirely...

------------------------------

Date: Tue, 18 Jun 2019 17:00:26 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Breaking ground, IBM Haifa team holds live robot debate fed by
  crowd arguments (The Times of Israel)

The tech, when commercialized, could help companies and governments collect
opinions, make more informed decisions.

https://www.timesofisrael.com/breaking-ground-ibm-haifa-team-holds-live-robot-debate-fed-by-crowd-arguments/

...or deliberately/inadvertently biased decisions, or decisions that common
sense would rule out. And, most likely, decisions that can't be explained.

------------------------------

Date: Wed, 12 Jun 2019 09:52:58 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: Apple spent $10,000 repairing his MacBook Pro.  There was nothing
  wrong with it. (ZDNet)

Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it
This may be the most absurd, convoluted Apple repair story you've ever heard.
Chris Matyszczyk for Technically Incorrect | June 12, 2019
https://www.zdnet.com/article/apple-spent-10000-repairing-his-macbook-pro-there-was-nothing-wrong-with-it/

selected text:

Don't turn your screen brightness off. The Pro may go dark for a very long
time.

"So after losing about two weeks of my time, >$10,000 in Apple warranty
repairs (two logic boards, new cables, and a complete replacement of a
$7,000 computer), troubleshooting input from several Apple Geniuses, level
1 and 2 tech support from Apple Corporate, diagnostic tests at the Apple
Store, and diagnostic tests twice at Apple's repair facility in Texas; what
was the root issue?"  says Benz, knowing how to hang a cliff hanger.

He seems, you see, to be made of determined innards. He went to yet another
Apple Genius and this one proved to be true to his moniker.  Or, perhaps, he
just stopped and thought a little longer than his fellow experts.

You see, he diagnosed there was nothing wrong with Benz's MacBook Pro. The
issue, if you want to call it that, was that the screen brightness was
turned all the way off.

------------------------------

Date: Fri, 14 Jun 2019 11:36:49 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Autonomous vehicles don't need provisions and protocols?

I'm at a conference on "Smart Cities."  Lots of verbiage on IoT, etc.  Last
speaker of the day is pontificating on all kinds of security and technology
buzzwords.  And, at one point, he says that cities have to work on protocols
for the provision of "autonomous vehicles."

Excuse me?

I mean, there are all kinds of transport and transit systems, and some of
them involve a lot of technology, and a number of them will need provisions
and protocols.  But ...

What part of "autonomous" do you not understand?  Autonomous means that it
works by itself.  It doesn't need your provision.  It doesn't need your
protocols.  It is designed, as far as possible, to work by itself.  That
means your protocols are basically irrelevant.

OK, you can design some regulatory protocols if you wish.  But you are one
city.  Even if you are New York, you are a small part of the vehicle
market.  The manufacturers are going to build what they think will sell.
Worldwide.  If you want to create a regulatory protocol, fine.  Just don't
expect anyone to care, if it gets in the way of functions or sales.

------------------------------

Date: Tue, 18 Jun 2019 11:32:01 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: "Info stealing Android apps can grab one time passwords to evade
  2FA protections" (ZDNet)

https://www.zdnet.com/article/info-stealing-android-apps-can-now-access-passwords-to-avoid-2fa-protections/

Info stealing Android apps can grab one time passwords to evade 2FA protections
Google restricted SMS controls. Hackers found a way around it.
Charlie Osborne for Zero Day | 18 Jun 2019

------------------------------

Date: Tue, 18 Jun 2019 11:07:26 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Facebook Plans Global Financial System Based on Cryptocurrency
  (The New York Times)

https://www.nytimes.com/2019/06/18/technology/facebook-cryptocurrency-libra.html

News that sounds like a joke. WHAT could go wrong...

------------------------------

Date: Tue, 18 Jun 2019 12:00:36 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Libra

Facebook wants to start a cryptocurrency, and become your bank.  Yes, that
Facebook, the one that has proven to be so untrustworthy with all the data
entrusted to it so far.  Now you want to give it details on all your banking
transactions and purchases?  Besides, with most current cryptocurrency
implementations, don't you get to "unmask" all the transactions if you own
the whole blockchain?  And who is going to own the whole Libra blockchain?

Then there is the spin on this.  Facebook is "doing good" with Libra,
because almost two billion people don't have bank accounts, and with Libra,
they can!  (Only, if they don't have bank accounts now, how on earth are
they going to put money into Libra, or get it out?)

And, given that estimates for Bitcoin operation (let alone mining)
approximates the power and carbon footprint of a medium-sized country, what
is going to happen to global warming with Facebook pushing Libra to all of
its mindless zombie hordes?

OK, Libra is going to be a "stablecoin," and therefore mining isn't an
issue, but how extensively has it been tested before you release it for
trial by every hacker in the world?  OK, yes, the major credit cards are on
board (is SET coming back?), but is it really ready for prime time?

------------------------------

Date: Sun, 16 Jun 2019 01:04:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
  (Ars Technica)

https://arstechnica.com/tech-policy/2019/06/porn-trolling-mastermind-paul-hansmeier-gets-14-years-in-prison/

------------------------------

Date: Sat, 15 Jun 2019 08:07:12 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Mudslide warning system depends on proper boundary file

No matter how good a mudslide warning system is, if a government boundary
file places cell towers in the wrong district, phones in district B will get
warnings intended for district A, and phones in district A won't get any
warnings at all.
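
The failure described here is a data-integrity problem, and it is cheap to
catch before a warning ever goes out: recompute each tower's district from its
coordinates and compare with what the boundary file claims. The following is an
added example, not any agency's code: the district polygons, the tower records
and the `audit_towers` / `warning_reach` functions are constructed for
illustration, with two towers deliberately mislabelled so that a warning for
district A is heard only in district B, as in the text.

```python
"""Boundary-file sanity check for a cell-broadcast warning system (added example)."""
from typing import Dict, List, Set, Tuple

Point = Tuple[float, float]          # (longitude, latitude)
Polygon = List[Point]

# Constructed toy districts: two adjacent 10x10 squares.
DISTRICTS: Dict[str, Polygon] = {
    "A": [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0)],
    "B": [(10.0, 0.0), (20.0, 0.0), (20.0, 10.0), (10.0, 10.0)],
}

# Constructed boundary-file records; "district" is what the file claims.
TOWERS = [
    {"id": "T1", "district": "B", "lon": 3.0, "lat": 4.0},    # physically in A
    {"id": "T2", "district": "A", "lon": 15.0, "lat": 5.0},   # physically in B
    {"id": "T3", "district": "B", "lon": 12.0, "lat": 8.0},   # correct
]


def point_in_polygon(pt: Point, poly: Polygon) -> bool:
    """Ray-casting test: count polygon edges crossed by a ray going +x from pt."""
    x, y = pt
    inside = False
    j = len(poly) - 1
    for i in range(len(poly)):
        xi, yi = poly[i]
        xj, yj = poly[j]
        if (yi > y) != (yj > y):                     # edge straddles the ray's y
            x_cross = xj + (y - yj) * (xi - xj) / (yi - yj)
            if x < x_cross:
                inside = not inside
        j = i
    return inside


def actual_districts(pt: Point, districts: Dict[str, Polygon]) -> List[str]:
    """Districts whose polygon contains the point (empty if outside all)."""
    return [name for name, poly in districts.items() if point_in_polygon(pt, poly)]


def audit_towers(towers, districts) -> List[Tuple[str, str, List[str]]]:
    """Return (tower id, claimed district, computed districts) for each mismatch."""
    problems = []
    for t in towers:
        computed = actual_districts((t["lon"], t["lat"]), districts)
        if t["district"] not in computed:
            problems.append((t["id"], t["district"], computed))
    return problems


def warning_reach(towers, districts, target: str) -> Set[str]:
    """Districts whose phones would hear a warning issued for `target`
    when towers are selected by the file's district label."""
    reached: Set[str] = set()
    for t in towers:
        if t["district"] == target:
            reached.update(actual_districts((t["lon"], t["lat"]), districts))
    return reached


if __name__ == "__main__":
    for tower_id, claimed, computed in audit_towers(TOWERS, DISTRICTS):
        print(f"{tower_id}: file says {claimed}, coordinates say {computed or 'none'}")
    for d in DISTRICTS:
        print(f"warning for {d} reaches {sorted(warning_reach(TOWERS, DISTRICTS, d)) or 'nobody'}")
```

Run against the constructed data, the audit flags T1 and T2, and the reach
check shows that a warning for A is broadcast only into B while a warning for B
spills into A; a real deployment would run the same audit on every boundary-file
update, before the file is allowed to drive tower selection.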

------------------------------

Date: Sat, 15 Jun 2019 20:14:44 -0400
From: Monty Solomon <monty () roscom com>
Subject: Mom used phone tracking app after daughter missed curfew, found her
  pinned under car 7 hours later (FoxNews)

http://www.fox13news.com/news/mom-used-phone-tracking-app-after-daughter-missed-curfew-found-her-pinned-under-car-7-hours-later

------------------------------

Date: Sun, 16 Jun 2019 01:54:02 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: In Stores, Secret Surveillance Tracks Your Every Move (NYTimes)

*As you shop, `beacons' are watching you, using hidden technology in your
phone.*

EXCERPT:

Imagine you are shopping in your favorite grocery store. As you approach the
dairy aisle, you are sent a push notification in your phone: 10% off your
favorite yogurt! Click here to redeem your coupon.  You considered buying
yogurt on your last trip to the store, but you decided against it. How did
your phone know?

Your smartphone was tracking you. The grocery store got your location data
and paid a shadowy group of marketers to use that information to target you
with ads. Recent reports have noted how companies use data gathered from
cell towers, ambient Wi-Fi, and GPS. But the location data industry has a
much more precise, and unobtrusive, tool: Bluetooth beacons.

These beacons are small, unobtrusive electronic devices that are hidden
throughout the grocery store; an app on your phone that communicates with
them informed the company not only that you had entered the building, but
that you had lingered for two minutes in front of the low-fat Chobanis.

Most location services use cell towers and GPS, but these technologies have
limitations. Cell towers have wide coverage, but low location accuracy: An
advertiser can think you are in Walgreens, but you're actually in McDonald's
next door. GPS, by contrast, can be accurate to a radius of around five
meters (16 feet), but it does not work well indoors.

Bluetooth beacons, however, can track your location accurately from a range
of inches to about 50 meters. They use little energy, and they work well
indoors. That has made them popular among companies that want precise
tracking inside a store....

https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html

  [Also noted by Gabe Goldberg.  PGN]

------------------------------

Date: Sat, 15 Jun 2019 20:18:27 -0400
From: Monty Solomon <monty () roscom com>
Subject: Was your flight delay due to an IT outage?  What a new report on
  airline IT tells us. (ZDNet)

... From 2015 through 2017, most airline IT outages were serious
enough to disrupt flights, according to a government agency, but the
full impact of the industry's IT problems is hard to calculate.

https://www.zdnet.com/article/was-your-flight-delay-due-to-an-it-outage-what-a-new-report-on-airline-it-tells-us/

------------------------------

Date: Sat, 15 Jun 2019 20:16:23 -0400
From: Monty Solomon <monty () roscom com>
Subject: Patients frustrated over computer system outage at Abrazo Health Hospitals.
  (AZFamily)

https://www.azfamily.com/news/patients-frustrated-over-computer-system-outage-at-abrazo-health-hospitals/article_099c9d74-8f23-11e9-8030-2b5b391b080a.html

------------------------------

Date: Sat, 15 Jun 2019 20:17:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Power outage at Greensboro apartments has unintended consequence,
  reveals alleged Medicaid scheme

https://www.greensboro.com/power-outage-at-greensboro-apartments-has-unintended-consequence-reveals-alleged/article_5f215b6e-3713-567d-908a-7873cfea3a6b.html

------------------------------

Date: Sat, 15 Jun 2019 20:10:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: Is Target still down? Chain says registers working now after outage.
  (USA Today)

https://www.usatoday.com/story/money/2019/06/15/target-registers-down-shoppers-reporting-outage-saturday/1465476001/

------------------------------

Date: Sat, 15 Jun 2019 20:15:25 -0400
From: Monty Solomon <monty () roscom com>
Subject: Spotify outage not related to today's update, company is
 working on a fix. (TechCrunch)

https://techcrunch.com/2019/06/13/spotify-outage-not-related-to-todays-update-company-is-working-on-a-fix/

------------------------------

Date: Sat, 15 Jun 2019 20:13:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Instagram Outage Follows Disruption To PlayStation Network (Deadline)

https://deadline.com/2019/06/instagram-outage-follows-disruption-to-playstation-network-1202632448/

------------------------------

Date: Sat, 15 Jun 2019 20:16:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: The PlayStation Network Is Back Up. Here's the Latest on the PSN
  Outage (Digital Trends)

https://www.digitaltrends.com/gaming/playstation-network-psn-down-outage-updates/

------------------------------

Date: Mon, 17 Jun 2019 16:43:01 -0700
From: Richard Stein <rmstein () ieee org>
Subject: In the Wiggle of an Ear, a Surprising Insight into Bat Sonar
  (Scientific American)

https://www.scientificamerican.com/article/in-the-wiggle-of-an-ear-a-surprising-insight-into-bat-sonar/

"...the two researchers developed an artificial horseshoe bat ear out of
silicon, with devices called 'fast actuators' that move different parts of
the ear in the same way bats do. These movements also added Doppler shifts
to incoming sounds."

Bats apply Doppler shift detection from echolocation stimulus to locate
meals, navigate, and dodge flying or static obstacles.

The research suggests that delivery drones might someday be equipped with
artificial bat ears to assist drone navigation of the sky. The sky is
"complicated and unpredictable": trees, telephone poles, aircraft, birds,
bugs -- all kinds of obstacles that can interfere with drone delivery.

Delivery zones with buried power lines, and sparse foliage or tree cover
might only require GPS navigation to complete their route. But a heavy
population center or a suburban landscape with telephone poles, or
tree-lined streets might require echolocation and GPS to reach their
destination.

Correlating GPS and echolocation signals to reach fixed coordinates presents
a complicated, challenging problem.

Cruise missiles (CMs) can achieve payload delivery using nap-of-the-earth
navigation and RADAR, though CMs are unlikely concerned with telephone
poles, foliage, road signs, bill boards, etc.

Risk: Ultrasonic sensor overload, sensor image correlation failure.

------------------------------

Date: Wed, 12 Jun 2019 09:43:20 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: 'RAMBleed' Rowhammer attack can now steal data, not just alter it
  (ZDNet)

https://www.zdnet.com/article/rambleed-rowhammer-attack-can-now-steal-data-not-just-alter-it/
'RAMBleed' Rowhammer attack can now steal data, not just alter it
Academics detail new Rowhammer attack named RAMBleed.
By Catalin Cimpanu for Zero Day | June 11, 2019 -- 17:00 GMT (10:00 PDT) |

opening text:

A team of academics from the US, Austria, and Australia, has published new
research today detailing yet another variation of the Rowhammer attack.

The novelty in this new Rowhammer variety -- which the research team has
named RAMBleed -- is that it can be used to steal information from a
targeted device, as opposed to altering existing data or to elevate an
attacker's privileges, like all previous Rowhammer attacks, have done in the
past.

------------------------------

Date: Fri, 14 Jun 2019 10:05:38 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: "Ransomware halts production for days at major airplane parts
  manufacturer" (Catalin Cimpanu)

 Catalin Cimpanu for Zero Day | June 12, 2019

https://www.zdnet.com/article/ransomware-halts-production-for-days-at-major-airplane-parts-manufacturer/
Ransomware halts production for days at major airplane parts manufacturer
Nearly 1,000 employees sent home for the entire week, on paid leave.

opening text:

ASCO, one of the world's largest suppliers of airplane parts, has ceased
production in factories across four countries due to a ransomware infection
reported at its plant in Zaventem, Belgium.

------------------------------

Date: Sun, 16 Jun 2019 01:51:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Study finds that a GPS outage would cost $1 billion per day
  (Ars Technica)

https://arstechnica.com/science/2019/06/study-finds-that-a-gps-outage-would-cost-1-billion-per-day/

------------------------------

Date: Sun, 16 Jun 2019 19:06:52 -0600
From: jared gottlieb <jared () netspace net au>
Subject: Re: GPS Degraded Across Much of U.S (RISKS-31.29)

This event seems to be a software bug in a system processing GPS data. A
bulletin from one manufacturer discussing one model of a commercial aviation
GPS receiver,
(https://www.duncanaviation.aero/files/intellegence/GPS_CustomerComm_FINAL.pdf)

<<Our team has been actively working to determine a root cause. We found that
a software design error resulted in the system misinterpreting GPS time
updates due to a leap-second event, which typically occurs once every 2.5
years within the U.S. Government GPS satellite almanac update. Our
GPS-4000S-100 version software's timing calculations have reacted to this
leap second by not tracking satellites upon power-up and subsequently
failing.  The U.S. Government distributed a regularly scheduled almanac
update with this leap second on 0:00GMT, Sunday, June 9, 2019, and the
failures began to occur soon after. The next scheduled update by the
U.S. Government to the GPS constellation is set for next Sunday, June 16 at
00:00Z. At this time, we do not believe this update will have the time
information that triggers this error. We are testing additional impact of
this next almanac update. ...>>

Handling leap seconds is a software risk which has affected many systems
beyond GPS receivers (a few of which have appeared in comp.risks). GPS
receivers have had other time concerns, perhaps most recently the 6 April
2019 week number rollover if a receiver used the legacy 10-bit value and
firmware updates were not available or applied.

What the almanac update issue was, or why it would be experienced using the
one update, is not clear. There has not been a leap second for more than two
years and none is currently planned (IERS Bulletin C ... announcements of the
leap seconds:
https://datacenter.iers.org/data/latestVersion/16_BULLETIN_C16.txt)

Testing of this receiver's software is extended by the 'power-up'
pre-condition mentioned in the bulletin; an aircraft manufacturer's notice
illustrates the complexity of this unit's initiation:
https://support.cessna.com/custsupt/contacts/pubs/ourpdf.pdf%3Fas_id%3D50304
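The two receiver-side pitfalls Jared names, leap seconds and the legacy 10-bit week number, are easy to get wrong in the same piece of code. As an added example (my own Python, not the manufacturer's firmware or the bulletin's), the block below unwraps a 10-bit week number against an assumed firmware reference date, then converts week plus time-of-week to UTC using the GPS-UTC leap-second offset in force at that instant; the bulletin's 9 June 2019 almanac time is the sample input, and both reference dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK = timedelta(weeks=1)

# GPS-UTC offset (accumulated leap seconds) with the UTC instant each value
# took effect, per the IERS Bulletin C series; 18 s has applied since
# 2017-01-01 and no further leap second was announced as of June 2019.
LEAP_SECONDS = [
    ("1981-07-01", 1), ("1982-07-01", 2), ("1983-07-01", 3), ("1985-07-01", 4),
    ("1988-01-01", 5), ("1990-01-01", 6), ("1991-01-01", 7), ("1992-07-01", 8),
    ("1993-07-01", 9), ("1994-07-01", 10), ("1996-01-01", 11), ("1997-07-01", 12),
    ("1999-01-01", 13), ("2006-01-01", 14), ("2009-01-01", 15), ("2012-07-01", 16),
    ("2015-07-01", 17), ("2017-01-01", 18),
]

def utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def gps_week_of(when: datetime) -> int:
    """Full (unwrapped) GPS week number containing the given UTC instant."""
    return (when - GPS_EPOCH) // WEEK

def resolve_full_week(week10: int, reference: datetime) -> int:
    """Unwrap a 10-bit week number by assuming the fix is not earlier than
    `reference` (typically the firmware build date). A reference more than
    1024 weeks stale lands the fix in the previous era: the April 2019 failure."""
    week10 &= 0x3FF
    cycles = (gps_week_of(reference) - week10 + 1023) // 1024   # ceiling division
    return week10 + 1024 * cycles

def gps_to_utc(full_week: int, tow: float) -> tuple:
    """Convert full GPS week + time-of-week (s) to UTC; also return the
    leap-second offset applied. The inserted 23:59:60 second is reported as
    the following 00:00:00, as POSIX clocks do."""
    gps_time = GPS_EPOCH + full_week * WEEK + timedelta(seconds=tow)
    offset = 0
    for effective, n in LEAP_SECONDS:
        # GPS runs ahead of UTC by n seconds once the new offset applies, so
        # the switch point on the GPS scale is the UTC instant plus n.
        if gps_time >= utc(effective) + timedelta(seconds=n):
            offset = n
    return gps_time - timedelta(seconds=offset), offset

if __name__ == "__main__":
    # Constructed sample: the bulletin's almanac instant (0:00 GMT, Sunday 9 June
    # 2019) as a legacy receiver sees it: 10-bit week 9 (2057 mod 1024), TOW 18 s.
    for ref in ("2015-01-01", "1998-01-01"):   # assumed firmware reference dates
        week = resolve_full_week(9, utc(ref))
        print(ref, "->", week, gps_to_utc(week, 18)[0].isoformat())
```

With the 2015 reference the sample resolves to week 2057 and 9 June 2019; with a 1998 reference the same 10-bit value lands in week 1033, i.e. October 1999, which is the stale-reference rollover failure in miniature.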

------------------------------

Date: Sat, 15 Jun 2019 10:22:39 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Did I Tweet that?

A researcher has noted that Twitter reference URLs can be manipulated to
make it appear someone said/tweeted something when they actually didn't.

https://www.bleepingcomputer.com/news/security/twitter-urls-can-be-manipulated-to-spread-fake-news-and-scams/

So, I tweeted a warning:
https://www.twitter.com/rslade/status/1087839317534363648

Well, of course, actually, no I didn't.  If you look closely at the
resulting page, you'll see it isn't my account at all.  Twitter doesn't care
what account you put in the URL: it just cares about the tweet status ID.

Donald Trump is so concerned that he retweeted my warning:
https://www.twitter.com/realDonaldTrump/status/1087839317534363648

So did the Queen:
https://www.twitter.com/RoyalFamily/status/1087839317534363648

------------------------------

Date: Fri, 14 Jun 2019 09:34:06 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Bull and backdoors

We're binge-watching a TV show called "Bull."  (For years I've had to be
careful about watching movies and TV with a high tech or security theme,
since they make so many mistakes.  Apparently, having spent a couple of
decades teaching American law to Americans, I now have to avoid legal TV
shows and movies as well.)

In one episode (s3e4) they have a computer expert (someone who can program)
giving testimony.  He is to explain a "backdoor."

Now, as everyone here knows, a backdoor (aka trapdoor) is a technical means of
circumventing a technical control or safeguard, usually to do with access
control.  There are some legitimate uses for backdoors, generally in
development, but they are generally considered a "bad thing" in production.  The
"expert" explains that a backdoor is a means of evading a control, but it's a
(presumably technical, because he programmed it) means of evading a policy or
regulatory control.

This piece of dialogue is a really interesting mix of fact and serious
misunderstanding.  Yes, a backdoor is a means of evading a control.  But
the backdoor and the control are of different types.  Generally a technical
evasion cannot evade a policy or regulatory control (although it might obfuscate
the issue).  To someone who only partially understands the situation, it might
seem reasonable, but, in fact, in reality it makes no sense at all.

(Oh, come on.  I wrote a *dictionary*, and you expect me to put up with this?)

(Yes, I know.  This is why you don't want to watch technically themed
movies and TV shows with me.  Gloria has to put up with these kinds of
interruptions and explanations *a lot*.)

------------------------------

Date: Sat, 15 Jun 2019 10:57:26 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Ross Anderson's non-visa

Ross Anderson (yes, *that* Ross Anderson, the one who wrote "Security
Engineering," the best single volume for security and the one I recommend to
anyone taking the exam, and he even put it online for everyone) was to
receive an award at a ceremony in Washington, DC (richly deserved, whatever
it was).

And the U.S. wouldn't give him a visa to come get it.

(By the way, *anything* Anderson writes is worth reading.  Even if it's not
your immediate field.)

  [The visa situation is actually a bit more complicated, in that Ross did
  not need a visa if he had only been receiving the award -- the desired
  trip had another purpose as well.  Nevertheless, the rejection seems
  utterly ridiculous.  PGN]

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.30
************************
