RISKS Forum mailing list archives

Risks Digest 32.49


From: RISKS List Owner <risko () csl sri com>
Date: Fri, 12 Feb 2021 15:19:06 PST

RISKS-LIST: Risks-Forum Digest  Friday 12 February 2021  Volume 32 : Issue 49

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.49>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:  [Don't forget it's Lincoln's birthday.]
Someone tried to poison Oldsmar's water (TampaBay News)
Water supply control system breached and adjusted to dangerous pH level
  (YouTube)
Dangerous Stuff: Hackers Tried to Poison Water Supply of Florida Town
  (NYTimes)
Poor Password Security Led to Recent Water Treatment Facility Hack
  (The Hacker News)
Air pollution linked to irreversible sight loss: study (AFP)
'Brain-altering bioweapons' to DNA surveillance: Experts already preparing
  for next biological threat (StudyFinds)
NPR covid variants (NPR)
Cannon Salute at Baby Shower Ends in Death, Police Say (NYTimes)
Scientists propose lithium to cope with high-risk condition in future fusion
  facilities (phys.org)
Doorbell Security Cameras Are Easily Hackable, Researchers Find (Jim Waymer)
Cities Sell Data From 'Smart' Streetlights (Bloomberg)
'Matrix'-style bracelets turn humans into batteries (Reuters)
There Are Spying Eyes Everywhere -- and Now They Share a Brain
There Are Spying Eyes Everywhere -- and Now They Share a Brain
EAC Voluntary Voting System Guidelines 2.0 (WashPost)
How a Dated Cyber-Attack Brought a Stock Exchange to its Knees (Bloomberg)
AA21-042A: Compromise of U.S. Water Treatment Facility
NSA at Amazon (Matthew D Green)
Key TCP/IP Stacks Found Faulty, Vulnerable (Ars Technica)
New Chrome Browser 0-day Under Active Update Immediately (Chrome Releases)
Over a dozen Chrome extensions caught hijacking Google search results for
  millions (The Hacker News)
New version of Uptane Standard clarifies protection strategies for
  vulnerable vehicles (NYU Tandon School of Engineering)
A Bigger Risk Than GameStop? Beware the Ponzi Scheme Next Door (NYTimes)
Section 230 reform SAFE TECH act would shut down paid Internet services
  (Gizmodo and Techdirt)
The SAFE TECH Act would overhaul Section 230, but law's defenders warn of
  major side effects (TechCrunch)
Where in the world is mobile data? (Andrew Yeomans)
Beware: New Matryosh DDoS Botnet Targeting Android-Based Devices
  (The Hacker News)
British police arrest man over offensive Captain Moore tweet, giving it a
  vast international audience (BoingBoing)
Calling All Ham Radio Operators (Rebecca Mercuri)
You cannot be serious: electronic line judges make Grand Slam debut (AFP)
AI and the List of Dirty, Naughty, Obscene, and Otherwise Bad Words (WiReD)
Data fallacies: Cherry Picking, Data Dredging... (Dan Jacobson)
Quantum computing hash function reversal (Bloomberg)
The Battery Is Ready to Power the World (WSJ)
Fairfax County vs Virginia on vaccinations (Gabe Goldberg)
Re: Terraria port to Google Stadia sunk by bad Google support (Eli Griffin)
Re: The `Dumb Money' Outfoxing Wall Street Titans (Isaac Morland)
Re: The calculus really is complex (Wol)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 8 Feb 2021 11:24:32 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Someone tried to poison Oldsmar's water (Tampa Bay News)

*Pinellas Sheriff Bob Gualtieri said the attacker tried to raise levels of
sodium hydroxide, also known as lye, by a factor of more than 100.*

Local and federal authorities are investigating after an attempt Friday to
poison the city of Oldsmar's water supply, Pinellas County Sheriff Bob
Gualtieri said.

Someone remotely accessed a computer for the city's water treatment system
and briefly increased the amount of sodium hydroxide, also known as lye, by
a factor of more than 100, Gualtieri said at a news conference Monday. The
chemical is used in small amounts to control the acidity of water but it's
also a corrosive compound commonly found in household cleaning supplies
such as liquid drain cleaners.

The city's water supply was not affected. A supervisor working remotely saw
the concentration being changed on his computer screen and immediately
reverted it, Gualtieri said. City officials on Monday emphasized that
several other safeguards are in place to prevent contaminated water from
entering the water supply and said they've disabled the remote-access system
used in the attack.  [...]
https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

------------------------------

Date: Mon, 8 Feb 2021 18:00:20 -0500
From: Steve Klein <steven () klein us>
Subject: Water supply control system breached and adjusted to dangerous pH
  level (YouTube)

Here's an official press conference video:
https://www.youtube.com/watch?v=MkXDSOgLQ6M&t=315s

Someone remotely accessed a computer system that controls the chemicals used
for the local water supply in Oldsmar, Florida.  The intruder increased the
amount of Sodium Hydroxide (NaOH) in the water from the proper amount, 100
ppm, to 11,100 ppm.

Sodium Hydroxide, also known as lye, is the main ingredient in liquid drain
cleaners.

The intruder used some kind of remote control software, and the operator of
that computer was sitting in front of it at the time, and was able to
immediately change it back.

I'm neither a programmer nor a security professional, but I'm fortunate to
have a functioning brain.  Some of the risks I see:

* A system which should never be used by anybody off-premises is connected
  to the Internet
* A system which can make critical changes to the water shouldn't have
  remote-control software installed.
* A system which controls chemical additives to the water has no sanity
  checking.

My guess is that RISKS regulars can probably spot problems I overlooked.

(There are systems that monitor water pH, and set off alarms if it's
out of bounds.)
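The "no sanity checking" risk in the post above is easy to show in code. The following is an added example, not code from the RISKS post or from any water utility: a dosing controller that refuses a set-point change unless it lies inside hard engineering limits and moves by no more than a bounded step, plus an independent pH alarm of the kind the post mentions. The limits (150 ppm ceiling, 10 ppm step, 6.5-8.5 pH alarm band), the function names and the sample commands are all assumptions made for the example; the 100 ppm normal dose and the 11,100 ppm attempted dose are the figures quoted in the post. It also goes one step beyond the incident by showing why a step limit on its own is not enough: a slow ramp of maximum-size steps is stopped only by the absolute ceiling.

```python
"""Added example: bounded set-point checks for a chemical dosing control.

Constructed for illustration; not code from the post or from any utility.
All limits and names are assumptions.
"""
import math
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class DosingLimits:
    """Engineering limits for the NaOH feed (assumed values, in ppm)."""
    hard_min_ppm: float = 0.0
    hard_max_ppm: float = 150.0   # hypothetical absolute ceiling of the feed
    max_step_ppm: float = 10.0    # largest change one command may make


@dataclass
class DosingController:
    limits: DosingLimits
    setpoint_ppm: float = 100.0   # the normal dose quoted in the post
    audit_log: List[str] = field(default_factory=list)

    def request_setpoint(self, new_ppm, source: str) -> Tuple[bool, str]:
        """Apply a set-point change only if it passes every sanity check.

        Returns (accepted, reason). Every request, accepted or rejected, is
        logged, so a rejected command is itself a detection signal.
        """
        lim = self.limits
        try:
            value = float(new_ppm)
        except (TypeError, ValueError):
            value = math.nan
        if not math.isfinite(value):
            return self._reject(new_ppm, source, "not a finite number")
        if not (lim.hard_min_ppm <= value <= lim.hard_max_ppm):
            return self._reject(value, source,
                                f"outside hard limits {lim.hard_min_ppm}-{lim.hard_max_ppm} ppm")
        delta = value - self.setpoint_ppm
        if abs(delta) > lim.max_step_ppm:
            return self._reject(value, source,
                                f"step of {delta:+.1f} ppm exceeds {lim.max_step_ppm} ppm")
        self.audit_log.append(f"ACCEPT {source}: {self.setpoint_ppm:.1f} -> {value:.1f} ppm")
        self.setpoint_ppm = value
        return True, "accepted"

    def _reject(self, value, source: str, reason: str) -> Tuple[bool, str]:
        self.audit_log.append(f"REJECT {source}: {value} ppm ({reason})")
        return False, reason


def ph_alarm(ph: float, low: float = 6.5, high: float = 8.5) -> bool:
    """Independent downstream check: True when the measured pH is out of bounds.

    The 6.5-8.5 window is an assumed alarm band. It reads the water, not the
    set-point, so it still fires if the controller itself is compromised.
    """
    return not (low <= ph <= high)


def ramp_attempt(ctl: DosingController, target_ppm: float) -> int:
    """Design check: push the set-point toward target_ppm using repeated
    maximum-size steps, the way a step limit alone could be worn down.
    Returns the number of accepted steps; the hard ceiling is what stops it.
    """
    accepted = 0
    while ctl.setpoint_ppm < target_ppm:
        ok, _ = ctl.request_setpoint(ctl.setpoint_ppm + ctl.limits.max_step_ppm, "ramp test")
        if not ok:
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    ctl = DosingController(DosingLimits())
    print(ctl.request_setpoint(11100, "remote-desktop session"))  # rejected
    print(ctl.request_setpoint(105, "on-site operator"))          # accepted
    ramp = DosingController(DosingLimits())
    print(ramp_attempt(ramp, 11100), ramp.setpoint_ppm)           # 5 150.0
    print("\n".join(ramp.audit_log[-2:]))
```

The two checks are deliberately independent: the set-point validator lives in the control software, while `ph_alarm` represents a separate instrument on the treated water, so an intruder who controls the first does not silence the second.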

------------------------------

Date: Tue, 9 Feb 2021 00:59:50 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Dangerous Stuff: Hackers Tried to Poison Water Supply of Florida
  Town (NYTimes)

The authorities said the plot unfolded last Friday morning, when an employee
noticed that someone was controlling his computer. He initially dismissed it
because the city has software that allows supervisors to access computers
remotely. But about five and a half hours later, the employee saw that
different programs were opening and that the level of lye changed.

https://www.nytimes.com/2021/02/08/us/oldsmar-florida-water-supply-hack.html

A water company control system is online and is routinely accessed remotely
by supervisors, without coordination or advance notice to on-site workers?
Can this be true?

------------------------------

Date: Thu, 11 Feb 2021 09:34:14 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Poor Password Security Led to Recent Water Treatment Facility Hack

New details have emerged about the remote computer *intrusion at a Florida
water treatment* facility last Friday, highlighting a lack of adequate
security measures needed to bulletproof critical infrastructure
environments.
<https://thehackernews.com/2021/02/hacker-tried-poisoning-water-supply.html>

The breach, which occurred last Friday, involved an unsuccessful attempt on
the part of an adversary to increase sodium hydroxide dosage in the water
supply to dangerous levels by remotely accessing the SCADA system at the
water treatment plant. The system's plant operator, who spotted the
intrusion, quickly took steps to reverse the command, leading to minimal
impact.

Now, according to an *advisory* published on Wednesday by the state of
Massachusetts, unidentified cyber-actors accessed the supervisory control
and data acquisition (SCADA) system via TeamViewer software installed on one
of the plant's several computers that were connected to the control system.
<https://www.mass.gov/service-details/cybersecurity-advisory-for-public-water-suppliers>

Not only were these computers running 32-bit versions of the Windows 7
operating system, but the machines also shared the same password for remote
access and are said to have been exposed directly to the Internet without
any firewall protection installed.

It's worth noting that Microsoft Windows 7 reached end-of-life as of last
year, on January 14, 2020.  [...]
https://thehackernews.com/2021/02/poor-password-security-lead-to-recent.html

------------------------------

Date: Mon, 8 Feb 2021 11:33:20 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Air pollution linked to irreversible sight loss: study (AFP)

Air pollution is likely to increase the risk of irreversible sight loss,
according to the results of a long-term study published Tuesday.

Age-related macular degeneration (AMD) is the leading cause of blindness
among over-50s in richer nations, with roughly 300 million people predicted
to be affected by 2040.

Known risk factors include age, smoking and genetic make-up.

Now researchers have drawn a link between AMD and air pollution, which is
already known to carry a host of health risks including heart and lung
disease.

Writing in the British Journal of Ophthalmology, researchers analysed data
from more than 115,000 participants who reported no eye problems at the
start of the study period in 2006.  [...]
https://www.france24.com/en/live-news/20210126-air-pollution-linked-to-irreversible-sight-loss-study

------------------------------

Date: Sun, 7 Feb 2021 12:52:16 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: 'Brain-altering bioweapons' to DNA surveillance: Experts already
  preparing for next biological threat (StudyFinds)

For more than a year now, the world's focus has been squarely on the
COVID-19 pandemic. With over 100 million confirmed cases worldwide and more
than two million dead from the virus, it's hard to imagine how things could
get worse. Despite this, a team of experts is already preparing for the
next global crisis; warning that some of the possibilities would be more
devastating than the current pandemic.

Starting during the summer of 2019, an international team of researchers
set out to list the key questions facing the United Kingdom's biological
security. With help from the Centre for Existential Risk (CSER) at the
University of Cambridge and the BioRISC project at St. Catharine's College,
41 academics, industry, and government officials laid out 450 questions
regarding a possible biological crisis.

After voting and ranking all of these concerns, a list of 80 of the most
urgent questions emerged. Despite compiling this list months before COVID-19
<https://www.studyfinds.org/category/coronavirus/>, lead researcher Dr.
Luke Kemp says this list included major concerns revolving around disease
threats. Some of the concerns focused on what role the climate will play
<https://www.studyfinds.org/weather-impact-covid-19-spread/> on a possible
pandemic, while others questioned the use of social media
<https://www.studyfinds.org/category/society-culture/social-media/> to
track emerging viruses.
Is a biological threat worse than coronavirus coming?

Some of the 80 concerns look at an even more sinister possibility on the
horizon. As DNA testing <https://www.studyfinds.org/tag/dna/> becomes a
more fashionable tool for both governments and everyday people, researchers
warn that threats from ``human-engineered agents'' pose a huge threat to the
entire world.

``We could encounter not just microbes, but anything from brain-altering
bioweapons, to mass surveillance through DNA databases to low-carbon
clothes produced by microorganisms,'' Dr. Kemp says in a university release
<https://www.cam.ac.uk/stories/beyond-the-pandemic-biosecurity>.

``While many of these may seem to lie in the realm of science fiction, such
advanced capabilities could prove to be even more impactful, for better or
for worse than the current pandemic.''
<https://www.studyfinds.org/study-it-takes-just-10-hours-for-virus-dna-to-spread-across-a-hospital/>

Weaponized DNA.   [...]
https://www.studyfinds.org/worse-than-covid-next-threat/

------------------------------

Date: Sun, 7 Feb 2021 21:12:33 -0800
From: Peter Neumann <neumann () CSL SRI COM>
Subject: NPR covid variants (NPR)

https://www.npr.org/sections/goatsandsoda/2021/02/05/964447070/where-did-the-coronavirus-variants-come-from?fbclid=IwAR14WvR5ktJXXwWGfUjuiWu9ItSmwDc0h80ftp2iv1KqnfeuvGjZ9NuVHuM

------------------------------

Date: Mon, 8 Feb 2021 15:01:31 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Cannon Salute at Baby Shower Ends in Death, Police Say (NYTimes)

https://www.nytimes.com/2021/02/07/us/baby-shower-cannon-explosion-Michigan.html

  Not exactly Darwin quality, and low-tech risk, but still -- amateurs
  firing artillery, what could go wrong?

------------------------------

Date: Tue, 9 Feb 2021 17:48:38 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Scientists propose lithium to cope with high-risk condition in
  future fusion facilities (phys.org)

https://phys.org/news/2021-02-scientists-lithium-cope-high-risk-condition.html

'"The idea is to inject light impurities such as lithium, boron, or
beryllium into the divertor region so as to radiate away much of the
energy," Ono explained. "The trick will be to go in quickly enough to
protect the divertor with very little radiation affecting the plasma
core. You don't want to inject too much impurity material -- just enough to
do the job."'

Preventing a fusion reactor divertor meltdown by injecting (spraying) metal
atoms into a plasma (operating at a cool 1-2 billion kelvin degrees),
without quenching the fusion core reaction, will be a delicate
operation. The 10 msec window to complete this action seems achievable with
their electromagnetic atomic injector.

Beryllium, if inhaled, can cause berylliosis. If they become commercially
viable, fusion generators might not operate as environmentally clean as
advertised.

------------------------------

Date: Wed, 10 Feb 2021 12:04:35 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Doorbell Security Cameras Are Easily Hackable, Researchers Find
  (Jim Waymer)

Jim Waymer, *Florida Today*, 8 Feb 2021
via ACM TechNews, Wednesday, February 10, 2021

Florida Institute of Technology (FIT) researchers demonstrated that smart
home security systems, including doorbells connected to a wireless camera,
can be hacked easily. FIT's Terrence O'Connor and Daniel Campos identified
flaws in seven models of smart cameras and doorbells made by smart home
device vendor Geeni and parent company Merkury Innovations, by
reverse-engineering the firmware using cybersecurity firm ReFirm Labs'
Binwalk Enterprise Internet of Things devices security tool. The FIT
researchers found that hackers only need to figure out the default password
the device shipped with in order to gain access. Merkury's Sol Hedaya said
updated firmware will be issued this month.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29608x22843bx069341&

------------------------------

Date: Thu, 11 Feb 2021 09:56:59 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Cities Sell Data From 'Smart' Streetlights (Bloomberg)

*The future of "smart" cities is in street lights*

Cities are rushing to replace their legacy street lights with "smart" LED
fixtures that could one day be able to find you a parking space, monitor air
quality, and announce an oncoming thunderstorm.

Why it matters: Despite a bumpy and controversial start to some smart street
light programs, cities are saving tons of money on energy by banishing
traditional bulbs -- and may soon be able to turn a profit by monetizing
data from smart LED sensors or leasing space on light poles.
<https://www.bloomberg.com/news/articles/2020-08-06/a-surveillance-standoff-over-smart-streetlights>

The big picture: There's been lots of hype about "smart cities," where
connected technology helps governments serve us better -- but also lots of
money wasted on expensive projects that fizzled or caused public outcry over
police use of camera surveillance.

Today, hopes have coalesced around the potential for "smart" street lights,
which bear sensors that can do everything from analyzing traffic patterns
to assisting 911 operators.

   - "Streetlights are becoming the backbone of larger smart city
     initiatives," per a report by the Northeast Group, a smart cities
     market intelligence firm.
     <http://www.northeast-group.com/reports/Brochure-Global%20Smart%20Street%20Lighting%20&%20Smart%20Cities-Market%20Forecast%202020-2029%20-%20Northeast%20Group.pdf>
   - Cities will invest $8.2 billion in them in the next 10 years, the
     report said.
   - It will take time: "Overall, over 90% of streetlights will be LED by
     2029 and 35% will be connected," Northeast Group said.

Cities large and small -- including Chicago, Atlanta, Los Angeles,
Philadelphia and Cleveland -- have been replacing traditional streetlights
with LEDs, which consume less energy and can be programmed to dim or
brighten as needed.

   - "Street lighting can be up to 40% of a city's energy bills, so you see
     huge cost savings across the board," Benjamin Gardner, president of the
     Northeast Group, tells Axios.
   - Sensors placed on streetlights have manifold applications and will
     have more in the future.
   - An Intel white paper envisions a day when street lights do everything
     from traffic and parking control to guiding people out of danger during
     an emergency (by flashing in the direction of evacuation).
     <https://www.intel.ca/content/dam/www/public/us/en/documents/solution-briefs/smart-street-lights-for-brighter-savings-solutionbrief.pdf>

"The vision here is to augment the existing infrastructure via the cloud to
allow data and additional functionality to flow through what was a dumb
asset," Martin Stephenson, head of North America systems & services for
Signify, a major connected lighting vendor, tells Axios.

But, but, but: There's been pushback on various fronts.

   - Surveillance: San Diego got scolded by community activists after its
     police started using video from its $30 million "Smart Streetlights"
     program.
     <https://www.techwire.net/news/city-pulls-plug-on-streetlight-cameras-pending-surveillance-ordinance.html#:~:text=Mayor%20Kevin%20Faulconer%20on%20Wednesday,ordinance%20to%20govern%20surveillance%20technology.&text=The%20city%20hit%20the%20brakes,was%20announced%20%E2%80%94%20also%20a%20surprise.>
   - Aesthetics: Light poles gunked up with sensors, cameras and
     advertisements can look hideous.
   - Health: "Cities and towns throughout Northern California are issuing
     ordinances that would exclude new 5G cell sites from residential areas,
     citing supposed health concerns," per the WSJ.
     <https://www.wsj.com/articles/cities-are-saying-no-to-5g-citing-health-aestheticsand-fcc-bullying-11566619391>

Smart street light experts say the industry has taken heed from the San
Diego debacle and pulled back on intrusive applications.

What's next:  [...]

https://www.axios.com/smart-cities-street-lights-859992a6-6931-48e5-81ba-7f0a0b8058d9.html

------------------------------

Date: Thu, 11 Feb 2021 10:02:09 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: 'Matrix'-style bracelets turn humans into batteries (Reuters)

In a move that will give chills to fans of the dystopian movie The Matrix,
scientists have developed a wearable device that could use the human body to
replace batteries.

Echoing world-domineering robots' use of enslaved humans in the 1999
cyberpunk movie, U.S. researchers at the University of Colorado Boulder have
created an environmentally-friendly gadget that harvests body heat and
converts it into energy.

Tech-lovers could power their own watches or fitness trackers by wearing a
stretchy ring or bracelet containing thermoelectric chips that convert heat
into electrical energy, according to research published in the journal
Science Advances.

The idea will sound familiar to lovers of the iconic film, starring Keanu
Reeves, where humans are trapped in the Matrix, a simulated reality, while
hooked up to machines to provide electrical power for robots that have
taken over the world...

[...]
https://www.reuters.com/article/idUSKBN2AA2KV

------------------------------

Date: Sun, 7 Feb 2021 12:50:07 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: There Are Spying Eyes Everywhere -- and Now They Share a Brain
  (WiReD)

Security cameras. License plate readers. Smartphone trackers. Drones.  We're
being watched 24/7. What happens when all those data streams fuse into one?

One afternoon in the fall of 2019, in a grand old office building near the
Arc de Triomphe, I was buzzed through an unmarked door into a showroom for
the future of surveillance. The space on the other side was dark and sleek,
with a look somewhere between an Apple Store and a doomsday bunker. Along
one wall, a grid of electronic devices glinted in the moody downlighting --
automated license plate readers, Wi-Fi-enabled locks, boxy data processing
units. I was here to meet Giovanni Gaccione, who runs the public safety
division of a security technology company called Genetec.  Headquartered in
Montreal, the firm operates four of these ``Experience Centers'' around the
world, where it peddles intelligence products to government
officials. Genetec's main sell here was software, and Gaccione had agreed to
show me how it worked.

He led me first to a large monitor running a demo version of Citigraf, his
division's flagship product. The screen displayed a map of the East Side of
Chicago. Around the edges were thumbnail-size video streams from
neighborhood CCTV cameras. In one feed, a woman appeared to be unloading
luggage from a car to the sidewalk. An alert popped up above her head:
``ILLEGAL PARKING.'' The map itself was scattered with color-coded icons --
a house on fire, a gun, a pair of wrestling stick figures -- each of which,
Gaccione explained, corresponded to an unfolding emergency. He selected the
stick figures, which denoted an assault, and a readout appeared onscreen
with a few scant details drawn from the 911 dispatch center. At the bottom
was a button marked ``INVESTIGATE,'' just begging to be clicked.

To get a clear picture of an emergency in progress, officers often had to
bushwhack through dozens of byzantine databases and feeds from far-flung
sensors, including gunshot detectors, license plate readers, and public and
private security cameras. This process of braiding together strands of
information -- ``multi-intelligence fusion'' is the technical term -- was
becoming too difficult. As one Chicago official put it, echoing a well-worn
aphorism in surveillance circles, the city was ``data-rich but
information-poor.'' What investigators needed was a tool that could cut a
clean line through the labyrinth. What they needed was automated fusion.

Gaccione now demonstrated the concept in practice. He clicked
``INVESTIGATE,'' and Citigraf got to work on the reported assault. The
software runs on what Genetec calls a ``correlation engine,'' a suite of
algorithms that trawl through a city's historical police records and live
sensor feeds, looking for patterns and connections. Seconds later, a long
list of possible leads appeared onscreen, including a lineup of individuals
previously arrested in the neighborhood for violent crimes, the home
addresses of parolees living nearby, a catalog of similar recent 911 calls,
photographs and license plate numbers of vehicles that had been detected
speeding away from the scene, and video feeds from any cameras that might
have picked up evidence of the crime itself, including those mounted on
passing buses and trains. More than enough information, in other words, for
an officer to respond to that original 911 call with a nearly telepathic
sense of what has just unfolded.  [...]
https://www.wired.com/story/there-are-spying-eyes-everywhere-and-now-they-share-a-brain/

------------------------------

Date: Fri, 5 Feb 2021 19:59:30 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: There Are Spying Eyes Everywhere -- and Now They Share a Brain
  (WiReD)

Eventually, the Department of Defense hopes to link every plane, satellite,
ship, tank, and soldier into a huge, mostly automated Internet of Wartime
Things. Cloud-connected sensors and weapons will correlate among themselves
while commanders direct the action on a rich, continuously updated digital
chessboard that senior leaders hope will look like Waze. As part of the
effort, the Air Force and the Army have earmarked billions of dollars for
fusion networks from dozens of defense and technology companies, including
Amazon, BAE, and Anduril.

https://www.wired.com/story/there-are-spying-eyes-everywhere-and-now-they-share-a-brain/

  What could go wrong? Look like WAZE? Waze has no moving parts; houses stay
  still and data isn't updated in real time.

------------------------------

Date: Thu, 11 Feb 2021 11:01:12 -0500
From: Peter G Neumann <Neumann () CSL SRI COM>
Subject: EAC Voluntary Voting System Guidelines 2.0 (WashPost)

https://www.washingtonpost.com/politics/2021/02/11/cybersecurity-202-new-voting-machine-security-standards-are-already-drawing-controversy/

  [Voluntary, Schmoluntary.  Is it a step forward, or a tooth for the
  toothless?]

------------------------------

Date: Fri, 5 Feb 2021 21:11:09 +0900
From: Dave Farber <farber () gmail com>
Subject: How a Dated Cyber-Attack Brought a Stock Exchange to its Knees
  (Bloomberg)

Jamie Tarabay
How a Dated Cyber-Attack Brought a Stock Exchange to its Knees

DDoS attacks, the cyber equivalent of being mugged, grow in size and
sophistication

https://www.bloomberg.com/news/articles/2021-02-04/how-a-dated-cyber-attack-brought-a-stock-exchange-to-its-knees

------------------------------

Date: Thu, 11 Feb 2021 23:20:49 +0000
From: US-CERT <US-CERT () ncas us-cert gov>
Subject: AA21-042A: Compromise of U.S. Water Treatment Facility

Cybersecurity and Infrastructure Security Agency (CISA) --
Defend Today, Secure Tomorrow

AA21-042A: Compromise of U.S. Water Treatment Facility, 11 Feb 2021
https://us-cert.cisa.gov/ncas/alerts/aa21-042a

Summary

On February 5, 2021, unidentified cyber-actors obtained unauthorized access
to the supervisory control and data acquisition (SCADA) system at a
U.S. drinking water treatment plant. The unidentified actors used the SCADA
systems software to increase the amount of sodium hydroxide, also known as
lye, a caustic chemical, as part of the water treatment process. Water
treatment plant personnel immediately noticed the change in dosing amounts
and corrected the issue before the SCADA systems software detected the
manipulation and alarmed due to the unauthorized change. As a result, the
water treatment process remained unaffected and continued to operate as
normal. The cyber-actors likely accessed the system by exploiting
cybersecurity weaknesses, including poor password security, and an outdated
operating system. Early information indicates it is possible that a desktop
sharing software, such as TeamViewer, may have been used to gain
unauthorized access to the system. Onsite response to the incident included
Pinellas County Sheriff Office (PCSO), U.S. Secret Service (USSS), and the
Federal Bureau of Investigation (FBI).

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the
Environmental Protection Agency (EPA), and the Multi-State Information
Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting
and exploiting desktop sharing software and computer networks running
operating systems with end of life status to gain unauthorized access to
systems. Desktop sharing software, which has multiple legitimate uses such
as enabling telework, remote technical support, and file transfers can also
be exploited through malicious actors' use of social engineering tactics and
other illicit measures. Windows 7 will become more susceptible to
exploitation due to lack of security updates and the discovery of new
vulnerabilities. Microsoft and other industry professionals strongly
recommend upgrading computer systems to an actively supported operating
system. Continuing to use any operating system within an enterprise beyond
the end of life status may provide cyber criminals access into computer
systems.

A PDF version of this report is available at
<https://us-cert.cisa.gov/sites/default/files/publications/AA21-042A_Joint%20Cybersecurity%20Advisory_Compromise%20of%20U.S.%20Water%20Treatment%20Facility.pdf>.

Technical Details

Desktop Sharing Software

The FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outside
cyber-actors using desktop sharing software to victimize targets in a range
of organizations, including those in the critical infrastructure sectors. In
addition to adjusting system operations, cyber-actors also use the following
techniques:

  * Use access granted by desktop sharing software to perform fraudulent
    wire transfers.
  * Inject malicious code that allows the cyber-actors to:
      - Hide desktop sharing software windows,
      - Protect malicious files from being detected, and
      - Control desktop sharing software startup parameters to obfuscate
        their activity.
  * Move laterally across a network to increase the scope of activity.

TeamViewer, a desktop sharing software, is a legitimate popular tool that
has been exploited by cyber-actors engaged in targeted social engineering
attacks, as well as large scale, indiscriminate phishing campaigns. Desktop
sharing software can also be used by employees with vindictive and/or
larcenous motivations against employers.

Beyond its legitimate uses, TeamViewer allows cyber-actors to exercise
remote control over computer systems and drop files onto victim computers,
making it functionally similar to Remote Access Trojans (RATs). TeamViewer's
legitimate use, however, makes anomalous activity less suspicious to end
users and system administrators compared to RATs.

Windows 7 End of Life

On January 14, 2020, Microsoft ended support for the Windows 7 operating
system, which includes security updates and technical support unless certain
customers purchased an Extended Security Update (ESU) plan. The ESU plan is
paid per-device and available for Windows 7 Professional and Enterprise
versions, with an increasing price the longer a customer continues
use. Microsoft will only offer the ESU plan until January 2023. Continued
use of Windows 7 increases the risk of cyber actor exploitation of a
computer system.

Cyber-actors continue to find entry points into legacy Windows operating
systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft
released an emergency patch for its older operating systems, including
Windows 7, after an information security researcher discovered an RDP
vulnerability in May 2019. Since the end of July 2019, malicious RDP
activity has increased with the development of a working commercial exploit
for the vulnerability. Cyber-actors often use misconfigured or improperly
secured RDP access controls to conduct cyberattacks. The xDedic Marketplace,
taken down by law enforcement in 2019, flourished by compromising RDP
vulnerabilities around the world.

Mitigations

General Recommendations

The following cyber hygiene measures may help protect against the
aforementioned scheme:

  * Update to the latest version of the operating system (e.g., Windows 10).
  * Use multiple-factor authentication.
  * Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
  * Ensure anti-virus, spam filters, and firewalls are up to date, properly
    configured, and secure.
  * Audit network configurations and isolate computer systems that cannot be
    updated.
  * Audit your network for systems using RDP, closing unused RDP ports,
    applying multiple-factor authentication wherever possible, and logging
    RDP login attempts.
  * Audit logs for all remote connection protocols.
  * Train users to identify and report attempts at social engineering.
  * Identify and suspend access of users exhibiting unusual activity.

Water and Wastewater Systems Security Recommendations

The following physical security measures serve as additional protective
measures:

  * Install independent cyber-physical safety systems. These are systems
    that physically prevent dangerous conditions from occurring if the
    control system is compromised by a threat actor.
  * Examples of cyber-physical safety system controls include:
      * Size of the chemical pump
      * Size of the chemical reservoir
      * Gearing on valves
      * Pressure switches, etc.

The benefit of these types of controls in the water sector is that smaller
systems, with limited cybersecurity capability, can assess their system from
a worst-case scenario. The operators can take physical steps to limit the
damage. If, for example, cyber-actors gain control of a sodium hydroxide
pump, they will be unable to raise the pH to dangerous levels.

TeamViewer Software Recommendations

For a more secure implementation of TeamViewer software:

  * Do not use unattended access features, such as "Start TeamViewer with
    Windows" and "Grant easy access".
  * Configure TeamViewer service to manual start, so that the application
    and associated background services are stopped when not in use.
  * Set random passwords to generate 10-character alphanumeric passwords.
  * If using personal passwords, utilize complex rotating passwords of
    varying lengths. Note: TeamViewer allows users to change connection
    passwords for each new session. If an end user chooses this option,
    never save connection passwords as an option as they can be leveraged
    for persistence.
  * When configuring access control for a host, utilize custom settings to
    tier the access a remote party may attempt to acquire.
  * Require remote party to receive confirmation from the host to gain any
    access other than view only. Doing so will ensure that, if an
    unauthorized party is able to connect via TeamViewer, they will only see
    a locked screen and will not have keyboard control.
  * Utilize the Block and Allow list which enables a user to control which
    other organizational users of TeamViewer may request access to the
    system. This list can also be used to block users suspected of
    unauthorized access.

------------------------------

Date: Sat, 6 Feb 2021 21:29:30 +1030
From: William Brodie-Tyrrell <william.brodie.tyrrell () gmail com>
Subject: NSA at Amazon (Matthew D Green)

Margaret Salter was the author/architect of Dual_EC_DRBG, the best-known
instance of the NSA attempting to subvert civilian cryptography and security
standards.

Margaret Salter is now Director AWS Applied Cryptography at Amazon.

This is perhaps not what one would call ideal in terms of trust in the
security of the world's largest hosting service.
https://twitter.com/matthew_d_green/status/1357139574858911745

------------------------------

Date: Thu, 11 Feb 2021 14:38:49 -0500
From: Paul Hyland <paul () paulhyland com>
Subject: Key TCP/IP Stacks Found Faulty, Vulnerable (Ars Technica)

Unrecognized dependencies represent an important type of vulnerability
related to open-source software, somewhat less evident to many, although
clearly evident to RISKS readers.

Here's an interesting case of how an NPM package naming dispute broke the
Internet for a few hours. npm is the dominant JavaScript package manager;
once a startup, it is now owned by Microsoft via GitHub. An NPM command
enabled one developer to remove all of his code after this dispute, and one
deleted 17-line program of his was used by countless other software packages
-- often without knowing it. This impacted industry and governments
alike. (This could also be a security threat, if such dependency trees could
be used as attack vectors for malware.)

https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

------------------------------

Date: Fri, 5 Feb 2021 09:34:44 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: New Chrome Browser 0-day Under Active Update Immediately

Google has patched a zero-day vulnerability in Chrome web browser for
desktop that it says is being actively exploited in the wild.

The company released 88.0.4324.150 for Windows, Mac, and Linux, with a fix
for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript
rendering engine.
<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>

"Google is aware of reports that an exploit for CVE-2021-21148 exists in the
wild," the company said in a statement.  [...]
https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html

------------------------------

Date: Sat, 6 Feb 2021 12:30:53 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Over a dozen Chrome extensions caught hijacking Google search
   results for millions (The Hacker News)

New details have emerged about a vast network of rogue extensions for Chrome
and Edge browsers that were found to hijack clicks to links in search
results pages to arbitrary URLs, including phishing sites and ads.

Collectively called "CacheFlow" by Avast, the 28 extensions in question --
including Video Downloader for Facebook, Vimeo Video Downloader, Instagram
Story Downloader, VK Unblock -- made use of a sneaky trick to mask its true
purpose: Leverage the Cache-Control HTTP header
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control>
as a covert channel to retrieve commands from an attacker-controlled server.
<https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/>

All the backdoored browser add-ons have been taken down by Google and
Microsoft as of December 18, 2020, to prevent more users from downloading
them from the official stores.
<https://blog.avast.com/malicious-browser-extensions-avast>

According to telemetry data gathered by the firm, the top three infected
countries were Brazil, Ukraine, and France, followed by Argentina, Spain,
Russia, and the U.S.   [...]
https://thehackernews.com/2021/02/over-dozen-chrome-extensions-caught.html

------------------------------

Date: Sun, 7 Feb 2021 16:40:51 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: New version of Uptane Standard clarifies protection strategies for
   vulnerable vehicles (NYU Tandon School of Engineering)

Onboard computing units in cars are similarly vulnerable. The 2020 Global
Automotive Cybersecurity Report, released by UpStream Security in December
2020, notes a 99% increase in cyberattacks on vehicles from 2018 to 2019,
and these attacks have increased 700% since 2016.

Uptane, founded at NYU Tandon in 2016 by Justin Cappos, associate professor
of computer science and engineering at the NYU Tandon School of Engineering,
and Trishank Kuppusamy, who was a Ph.D. student at the time, is an
open-source software security project designed to address this threat. With
direct input from automotive manufacturers and suppliers, its
implementations secure automotive systems by establishing a set of checks
and balances on a vehicle's electronic control units (ECUs) to ensure the
authenticity of incoming software updates. Among its adoptions, Uptane is
part of Automotive Grade Linux, an open-source system currently used by many
large automakers, and has been implemented by suppliers including Airbiquity
and HERE.

https://engineering.nyu.edu/news/new-version-uptane-standard-clarifies-protection-strategies-vulnerable-vehicles

  I've wondered about over-the-air updates/upgrades, haven't yet bought a
  car capable of that.

------------------------------

Date: Sun, 7 Feb 2021 16:38:05 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: A Bigger Risk Than GameStop? Beware the Ponzi Scheme Next Door
  (NYTimes)

Experts have seen an increase in the frauds, many of which are preying on
investors who feel they lost out on the market gains of the last few years.

Mr. Pulman knows well. He has spent the past 11 years trying to recover
money lost in Mr. Stanford's scheme. Mr. Pulman said the U.S. Supreme Court
had turned down his group's last appeal to sue one of the insurance brokers
directly -- at the end of 2020.  ``The only people who made money were the
lawyers.  Investors are at a return of 5 to 6 cents on the dollar.''

Yet believers persist. Mr. Pulman had a client in his office several years
ago who said he had received $1,000 every month from a $100,000
investment. When the person he gave the money to came up short, he brought
in other investors.

https://www.nytimes.com/2021/02/05/your-money/ponzi-schemes-stock-market.html

------------------------------

Date: 5 Feb 2021 21:21:58 -0500
From: "John Levine" <johnl () iecc com>
Subject: Section 230 reform SAFE TECH act would shut down paid Internet
  services (Gizmodo and Techdirt)

I wish I was kidding. The proposed bill says you might still have immunity
from suit "unless the provider or user has accepted payment to make the
speech available or, in whole or in part, created or funded the creation of
the speech." That is, if you sell hosting, or take ads, or have Patreon
style sponsors, you are on the hook for anything you host.

It doesn't get any better.  Gizmodo has a good overview:

https://gizmodo.com/democrats-new-section-230-bill-could-devastate-the-inte-1846206984

And Techdirt has some good rants:

https://www.techdirt.com/articles/20210205/10384946193/now-democrats-turn-to-destroy-open-internet-mark-warners-230-reform-bill-is-dumpster-fire-cluelessness.shtml
https://www.techdirt.com/articles/20210205/12142446194/senators-warner-hirono-klobuchar-demand-end-internet-economy.shtml

------------------------------

Date: Fri, 5 Feb 2021 14:32:36 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: The SAFE TECH Act would overhaul Section 230, but law's defenders
  warn of major side effects (TechCrunch)

The SAFE TECH Act would overhaul Section 230, but law's defenders warn
of major side effects.

Changes to 230 being proposed by the right & left would BOTH ultimately
eliminate most UGC (user generated content) from the Web.  Neither side
understands what they are doing. -L

https://techcrunch.com/2021/02/05/safe-tech-act-section-230-warner/

------------------------------

Date: Sat, 6 Feb 2021 11:15:52 +0000
From: Andrew Yeomans <security () yeomns org uk>
Subject: Where in the world is mobile data?

I've been forced to use a mobile data dongle, after a car demolished the
street junction box (another risk, putting infrastructure in a vulnerable
position). My work activities have been triggering security alerts -- it
appears that I'm rapidly traveling all over the country, from Edinburgh,
Northern Ireland, South Shields, Manchester and now Salisbury -- despite
never leaving my home office! I'm guessing that carrier-grade NAT combined
with GPS or wifi-location from other users' devices has led to this virtual
mobility.

------------------------------

Date: Sat, 6 Feb 2021 12:32:54 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Beware: New Matryosh DDoS Botnet Targeting Android-Based Devices
  (The Hacker News)

A nascent malware campaign has been spotted co-opting Android devices into a
botnet with the primary purpose of carrying out distributed
denial-of-service (DDoS) attacks.

Called "Matryosh" by Qihoo 360's Netlab researchers, the latest threat has
been found reusing the Mirai botnet framework and propagates through exposed
Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare
them into its network.
<https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/>

ADB is a command-line tool part of the Android SDK that handles
communications and allows developers to install and debug apps on Android
devices.
<https://developer.android.com/studio/command-line/adb>

While this option is turned off by default on most Android smartphones and
tablets, some vendors ship with this feature enabled, thus allowing
unauthenticated attackers to connect remotely via the 5555 TCP port and open
the devices directly to exploitation.  [...]
https://thehackernews.com/2021/02/beware-new-matryosh-ddos-botnet.html

------------------------------

Date: Mon, 8 Feb 2021 10:11:17 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: British police arrest man over offensive Captain Moore tweet,
  giving it a vast international audience (BoingBoing)

Meet the Streisand Effect

https://boingboing.net/2021/02/08/british-police-arrest-man-over-offensive-captain-moore-tweet-giving-it-a-vast-international-audience.html

------------------------------

Date: Mon, 8 Feb 2021 11:30:40 -0500
From: Rebecca Mercuri <notable () mindspring com>
Subject: Calling All Ham Radio Operators

  I'd have thought if they were smarter they'd have used a more obscure
  code, but this was readily available and reasonably ubiquitous.

https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/

Writer Lawrence Abrams describes the attack as follows:

An email includes an HTML attachment named in such a way as to appear to be
an Excel invoice for the company. These attachments are named in the format
'[company_name]_invoice_[number]._xlsx.hTML'.

The attachments include JavaScript that maps letters and numbers to Morse
code. For example, the letter '*a*' is mapped to '*.-*' and the letter '*b*'
is mapped to '*-...*', etc.

The script then calls a decodeMorse() function to decode a Morse code string
into a hexadecimal string. This hexadecimal string is further decoded
into JavaScript tags that are injected into the HTML page.  These injected
scripts combined with the HTML attachment contain the various resources
necessary to render a fake Excel spreadsheet that states their sign-in timed
out and prompts them to enter their password again.

Once a user enters their password, the form will submit the password to a
remote site where the attackers can collect the login credentials.

This campaign is highly targeted, with the threat actor using the
logo.clearbit.com [possible garble here] service to insert logos for the
recipient's companies into the login form to make it more convincing. If a
logo is not available, it uses the generic Office 365 logo.

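A defender-side detector for the pattern Abrams describes, added here as an example that is not from the article or the post: it finds quoted Morse literals in an HTML attachment, decodes them to hex and then to text, and flags the ones that hide markup. The sample attachment, its lure filename and the reserved `.invalid` URL are constructed for the demonstration.

```python
"""Scan HTML e-mail attachments for Morse-code obfuscation: a JavaScript
string of dot/dash tokens that decodes to hex, which in turn decodes to
injected markup.  Added example, not the article's or the kit's code."""
import re

# Morse alphabet (letters and digits).  Hiding a hex string only needs
# 0-9 and a-f, but a full table also handles variants that hide text.
MORSE_TO_CHAR = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
CHAR_TO_MORSE = {c: m for m, c in MORSE_TO_CHAR.items()}

# A quoted run of at least eight space-separated dot/dash tokens.
MORSE_LITERAL_RE = re.compile(r"""["']((?:[.-]{1,5} ){7,}[.-]{1,5})["']""")
# The double-extension naming pattern the article reports.
DOUBLE_EXT_RE = re.compile(r"\._xlsx\.html$", re.IGNORECASE)
# Markup that should never come out of a decoded string literal.
MARKUP_RE = re.compile(r"<\s*(script|form|iframe|object)\b", re.IGNORECASE)


def decode_morse(morse: str) -> str:
    """Translate space-separated Morse tokens; unknown tokens become '?'."""
    return "".join(MORSE_TO_CHAR.get(tok, "?") for tok in morse.split())


def hex_to_text(s: str):
    """Decode a hex string to text, or return None if it is not valid hex."""
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return bytes.fromhex(s).decode("utf-8", errors="replace")


def scan_attachment(filename: str, html: str) -> list:
    """Return (severity, detail) findings for one attachment."""
    findings = []
    if DOUBLE_EXT_RE.search(filename):
        findings.append(("medium", f"double-extension lure name: {filename}"))
    for match in MORSE_LITERAL_RE.finditer(html):
        decoded = decode_morse(match.group(1))
        text = hex_to_text(decoded)
        if text is None:
            # Morse that is not hex: odd in an invoice, but not the kit's signature.
            findings.append(("low", f"Morse literal decodes to: {decoded[:40]!r}"))
        elif MARKUP_RE.search(text):
            findings.append(("high", f"Morse->hex hides markup: {text[:60]!r}"))
        else:
            findings.append(("medium", f"Morse->hex hides text: {text[:60]!r}"))
    return findings


def encode_morse(text: str) -> str:
    """Inverse mapping, used only to build the constructed sample below."""
    return " ".join(CHAR_TO_MORSE[c] for c in text.lower())


# Constructed sample attachment (hypothetical; the hidden tag points at a
# reserved .invalid name, so it resolves nowhere).
HIDDEN_TAG = '<script src="https://lure.invalid/x.js"></script>'
SAMPLE_HTML = (
    "<html><body><script>\n"
    f'var m = "{encode_morse(HIDDEN_TAG.encode().hex())}";\n'
    "// decodeMorse(m) would turn the hex back into the tag above\n"
    "</script></body></html>\n"
)

if __name__ == "__main__":
    for sev, detail in scan_attachment("acme_invoice_1042._xlsx.hTML", SAMPLE_HTML):
        print(sev, detail)
```
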
------------------------------

Date: Mon, 8 Feb 2021 11:20:37 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: You cannot be serious: electronic line judges make Grand Slam debut
  (AFP)

The days of tennis players arguing whether balls are in or out could be
coming to a close, after the smooth introduction of electronic line judging
at the Australian Open on Monday.

Line calls have been at the centre of many a tennis conflagration, from John
McEnroe's "You cannot be serious" rant at Wimbledon in 1981 to Martina
Hingis's meltdown in the 1999 French Open final.  But the coronavirus
pandemic has prompted a major change, with human judges replaced by
ball-tracking cameras to reduce the number of people on site at Melbourne
Park.

Serena Williams and Naomi Osaka were among the players to give their seal of
approval as the electronic system made its Grand Slam debut.  The cameras
are set up along each line and automatically announce their decisions in
real time, with a recorded human voice calling "out", "fault" and "foot
fault".  "It's interesting, It's definitely different," said 23-time Grand
Slam winner Williams after powering into the second round.  "I'm loving it
here, so... I just needed to adapt, and now I'm adapted to it. I think it's
for the best."  "I think it's not too much that can be wrong," she added. "I
think there can be some close calls that you can check, but I think it's
good."

The electronic calls feature pre-recorded voices of Australia's front-line
workers in the country's pandemic response such as firefighters and other
emergency response personnel.

*- 'No room for mistakes' -*  [...]
https://news.yahoo.com/cannot-serious-electronic-line-judges-083755583.html

------------------------------

Date: Sun, 7 Feb 2021 15:14:11 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: AI and the List of Dirty, Naughty, Obscene, and Otherwise Bad Words
  (WiReD)

It started as a way to restrict autocompletes on Shutterstock. Now it grooms
search suggestions on Slack and influences Google's artificial intelligence
research.

https://www.wired.com/story/ai-list-dirty-naughty-obscene-bad-words/

------------------------------

Date: Fri, 12 Feb 2021 11:49:04 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Data fallacies: Cherry Picking, Data Dredging...

https://www.geckoboard.com/best-practice/statistical-fallacies/
Data fallacies: Cherry Picking, Data Dredging, Survivorship Bias, Cobra
Effect, False Causality, Gerrymandering, Sampling Bias, Gambler's Fallacy,
Regression Toward the Mean, Hawthorne Effect, Simpson's Paradox, McNamara
Fallacy, Overfitting, Publication Bias.

------------------------------

Date: Sun, 7 Feb 2021 08:11:55 -0800
From: Peter G Neumann <Neumann () CSL SRI COM>
Subject: Quantum computing hash function reversal (Bloomberg)

https://www.bloomberg.com/news/articles/2021-02-07/a-swiss-company-says-it-found-weakness-that-imperils-encryption

Though not published, there are reports of development of a quantum
annealing.  Security experts have long worried that advances in quantum
computing could eventually make it easier to break encryption that protects
the privacy of people's data. That's because these sophisticated machines
can perform calculations at speeds impossible for conventional computers,
potentially enabling them to crack codes previously thought indecipherable.

Now, a Swiss technology company says it has made a breakthrough by using
quantum computers to uncover vulnerabilities in commonly used encryption.
The company believes it's found a security weakness that could jeopardize
the confidentiality of the world's Internet data, banking transactions and
emails.

Terra Quantum AG <https://www.bloomberg.com/quote/1799515D:SW> said its
discovery ``upends the current understanding of what constitutes
unbreakable'' encryption and could have major implications for the world's
leading technology companies, such as Alphabet Inc.
<https://www.bloomberg.com/quote/GOOGL:US>'s Google, Microsoft Corp.
<https://www.bloomberg.com/quote/MSFT:US>, and International Business
Machines Corp. <https://www.bloomberg.com/quote/IBM:US>

But some other security experts said they aren't nearly ready to declare a
major breakthrough, at least not until the company publishes the full
details of its research. ``If true, this would be a huge result,'' said
Brent Waters <https://www.cs.utexas.edu/~bwaters/>, a computer science
professor who specializes in cryptography at the University of Texas at
Austin. ``It seems somewhat unlikely on the face of it. However, it is
pretty hard for experts to weigh in on something without it being
published.''

IBM spokesman Christopher Sciacca said his company has known the risks for
20 years and is working on its own solutions to address the issue of
post-quantum security. ``This is why the National Institute of Science &
Technology (NIST) has been hosting a challenge to develop a new quantum safe
crypto standard,'' he said in an email. ``IBM has several proposals for this
new standard in the final round, which is expected in a few years.''

Brian LaMacchia <https://www.microsoft.com/en-us/research/people/bal/>,
distinguished engineer at Microsoft, said company cryptographers are
collaborating with the global cryptographic community to prepare customers
and data centers for a quantum future. ``Preparing for security in a
post-quantum world is important not only to protect and secure data in the
future but also to ensure that future quantum computers are not a threat to
the long-term security of today's information.''

Google didn't reply to a message seeking comment.

Terra Quantum AG has a team of about 80 quantum physicists,
cryptographers and mathematicians, who are based in Switzerland, Russia,
Finland and the U.S. ``What currently is viewed as being post-quantum
secure is not post-quantum secure,'' said Markus Pflitsch, chief
executive officer and founder of Terra Quantum, in an interview. ``We can
show and have proven that it isn't secure and is hackable.''

Pflitsch founded the company in 2019. He's a former finance executive
who began his career as a research scientist at CERN
<https://home.cern/>, the European Organization for Nuclear Research.
Terra Quantum's research is led by two chief technology officers --
Gordey Lesovik
<https://terraquantum.swiss/team/prof-gordey-b-lesovik-2/>, head of the
Laboratory of Quantum Information Technology at the Moscow Institute of
Physics and Technology, and Valerii Vinokur
<https://www.bloomberg.com/news/terminal/QNHMM0MEQTXE>, a Chicago-based
physicist who in 2020 won the Fritz London Memorial Prize for his work
in condensed matter and theoretical physics.

The company said that its research found vulnerabilities that affect
symmetric encryption ciphers
<https://www.hypr.com/symmetric-cipher/#:~:text=A%20symmetric%20cipher%20is%20one,into%20ciphertext%20and%20vice%20versa.>,
including the Advanced Encryption Standard
<https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/archived-crypto-projects/aes-development>,
or AES, which is widely used to secure data transmitted over the Internet
and to encrypt files. Using a method known as quantum annealing
<https://docs.dwavesys.com/docs/latest/c_gs_2.html>, the company said its
research found that even the strongest versions of AES encryption may be
decipherable by quantum computers that could be available in a few years
from now.

Vinokur said in an interview that Terra Quantum's team made the discovery
after figuring out how to invert what's called a ``hash function
<https://sandilands.info/crypto/HashFunctionsandMACs.html>,'' a mathematical
algorithm that converts a message or portion of data into a numerical
value. The research will show that ``what was once believed unbreakable
doesn't exist anymore,'' Vinokur said, adding that the finding ``means a
thousand other ways can be found soon.''

The company, which is backed by the Zurich-based venture capital firm
Lakestar LP <https://www.bloomberg.com/quote/1080945D:SW>, has developed a
new encryption protocol that it says can't be broken by quantum
computers. Vinokur said the new protocol utilizes a method known as quantum
key distribution
<https://qt.eu/discover-quantum/underlying-principles/quantum-key-distribution-qkd/>.

Terra Quantum is currently pursuing a patent for the new protocol. But
the company will make it available for free, according to Pflitsch. ``We
will open up access to our protocol to make sure we have a safe and
secure environment,'' said Pflitsch. ``We feel obliged to share it with
the world and the quantum community.''

The U.S. government, like China, has made research in quantum computing
research an economic and national security priority, saying that the
world is on the cusp of what it calls a new ``quantum revolution
<https://www.nist.gov/topics/physics/introduction-new-quantum-revolution/second-quantum-revolution>.''

In addition, technology companies including Google, Microsoft, and IBM
have made large investments in quantum computing in recent years.

------------------------------

Date: Sun, 7 Feb 2021 12:44:34 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: The Battery Is Ready to Power the World (WSJ)

*After a decade of rapidly falling costs, the rechargeable lithium-ion
battery is poised to disrupt industries*

Rechargeable lithium-ion batteries were first commercially used in hand-held
camcorders in 1991. Laptops soon followed. A decade later, batteries enabled
the rise of tech titans such as Apple Inc. by powering smartphones and
wearable devices, then made their way into electric vehicles. The basic
technology throughout remained pretty much the same: Lithium ions move
through a liquid from the cathode to the anode, and back again.

This, however, was just the beginning. After a decade of rapidly falling
costs, the battery has reached a tipping point. No longer just for consumer
products, it is poised to transform the way the world uses power.

In the energy sector, affordable batteries are making it possible for
companies to store electricity and harvest renewable power. In the auto
industry, they are set to challenge the gas-powered engine's century-long
domination. Costs have come down so far and so fast that most car makers
expect that electric vehicles, which are currently more expensive than their
gas-powered counterparts, will cost the same amount to build within the next
five years.

The gains are likely to continue. Electric vehicles are currently the main
source of demand for battery cells. As demand grows and costs fall further,
batteries will become even more disruptive across industries. Batteries
recently scored a win at General Motors Co., which said it hoped to phase
out gasoline- and diesel-powered vehicles from its showrooms world-wide by
2035.

The battery boom could erode demand for crude oil and byproducts such as
gasoline -- as well as for natural gas, which is primarily used in power
plants. While mining materials and manufacturing batteries produce some
greenhouse gas emissions, analysts believe shifting to batteries in the auto
and energy sectors would reduce emissions overall, boosting efforts to
tackle climate change.

U.S. power plants alone produce about a quarter of the country's emissions,
while light-duty vehicles such as cars and vans contribute another 17%.

The rise of rechargeable batteries is now a matter of national security and
industrial policy. Control of the minerals and manufacturing processes
needed to make lithium-ion batteries is the 21st-century version of oil
security.

The flow of batteries is currently dominated by Asian countries and
companies. Nearly 65% of lithium-ion batteries come from China. By
comparison, no single country produces more than 20% of global crude oil
output.

Companies are working on new configurations -- such as solid-state
batteries, which don't transfer ions through liquid -- that could
significantly enhance the power and further lower battery prices. The value
of such a breakthrough could be measured in the billions of dollars, if not
trillions.

``There's still a huge amount of innovation to come,'' says Christina
Lampe-Onnerud, chief executive at Connecticut-based battery startup Cadenza
Innovation Inc. Her company envisions that buildings could someday have
their own batteries, giving them reserves of electricity they could use
during peak hours to reduce costs.  [...]
https://www.wsj.com/articles/the-battery-is-ready-to-power-the-world-11612551578?st=rdspf6n95se7cy5

------------------------------

Date: Fri, 12 Feb 2021 14:03:33 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Fairfax County vs Virginia on vaccinations

Fairfax Health District Not Participating in Statewide COVID-19 Vaccine
Registration System At This Time

https://fairfaxcountyemergency.wpcomstaging.com/2021/02/12/fairfax-health-district-not-participating-in-statewide-covid-19-vaccine-registration-system-at-this-time/

Local Vaccine Registration Forms To Close As VA Takes Over System The
Virginia Department of Health has directed all local health districts to
close their vaccine registration forms at 5 p.m. on Friday.

https://patch.com/virginia/annandale/s/hfelm/local-vaccine-registration-forms-to-end-as-va-takes-over-system

------------------------------

Date: Tue,  9 Feb 2021 14:44:26 -0500 (EST)
From: eli () panix com (B. Elijah Griffin)
Subject: Re: Terraria port to Google Stadia sunk by bad Google support

In RISKS-32.48, the https://killedbygoogle.com/ site was mentioned.  Google
Stadia, their game platform isn't yet there, although Google has killed
their team developing exclusive games for it. And now, through heavy-handed
punishment and ineffective user support, Google has facilitated killing a
game port to Stadia.

https://arstechnica.com/gadgets/2021/02/terraria-developer-cancels-google-stadia-port-after-youtube-account-ban/

Some "strike" in YouTube escalated into locking all related accounts for one
of the co-developers of the game Terraria. Gmail, paid-for apps and content
on Android, etc. It sounds like the Terraria team did not use well-separated
accounts (a risk). And that the Google response with unhelpful suggestions
via public Twitter interactions like asking about accessing the email
account to restore the YouTube account (said account locked because of the
YouTube thing) could well be a risk of treating all customer support as
insignificant to the company.

The net effect, however, is after three weeks with no resolution, the
developer has called the bridge "burned" and doing business with Google "a
liability". Consequently the port of Terraria to Stadia is canceled.

Many people in the comments at Ars Technica point out how for some people,
getting their Google account blocked turns them into an "unperson". Google
Drive documents and backups, email, phone apps, all simultaneously
locked. With Google Fi even phone service can be locked out. Good luck
dealing with that if all your evidence of being correct was in your email or
Drive documents.

------------------------------

Date: Fri, 5 Feb 2021 23:21:22 -0500
From: Isaac Morland <isaac.morland () gmail com>
Subject: Re: The `Dumb Money' Outfoxing Wall Street Titans (Baker,
  RISKS-32.48)

I don't believe this is correct.

Suppose person A has a share. They loan it to B, who sells it to C. Then C
loans it to D, who sells it to E. Now the ownership is as follows:

A: 1 (loaned to B)
B: -1 (owed to A)
C: 1 (bought from B and loaned to D)
D: -1 (owed to C)
E: 1 (bought from D)
Total: 1 - 1 + 1 - 1 + 1 = 1

Yet, the total short interest in this scenario is 2, even though only one
*original* share is involved.

I think the confusion may arise from the difference between total ownership
(in money terms, currency plus bank deposits minus bank loans) and assets on
hand (in money terms, currency only). In the scenario above, only E actually
"has" a share; A and C only have the right to demand their share be
returned.

I make no comment on the wisdom or otherwise of any particular trading
strategy or market regulation regime.

------------------------------

Date: Sat, 6 Feb 2021 16:55:09 +0000
From: Wols Lists <antlists () youngman org uk>
Subject: Re: The calculus really is complex (Thorn, RISKS-32.48)

But that promptly begs the question SHOULD we worry. And in my informed lay
person's opinion the answer is a very big NO.

We already know that immunity seems temporary. We already suspect that
re-infection will be the norm (we haven't yet seen it much because the
timescales are too short).

And from what we know of coronaviruses in general, Covid does not appear
that different.

The big difference between SARS-CoV-2 and other coronaviruses is that we've
never met SARS-CoV-2 before. And it's the *first* *exposure* that seems to
be the lethal one.

Come next autumn, pretty much everyone will either (a) have been vaccinated,
or (b) actually caught the virus. Or (c) be young people, who typically just
shrug it off without even realising they've been infected.

Which means, based on the experience of coronaviruses and past pandemics,
SARS-CoV-2 will become endemic in the background, mostly unrecognised, and
might kill a few already weakened individuals every now and then.

And mutations will simply sweep through the population with weakened
immunity, who will for the most part fight it off, maybe not even realising
they've caught it, because it's basically the same virus even if it's
changed slightly. Oh - and don't forget mutations on the whole tend to
*weaken* a virus, not make it more lethal. It's not in the virus's interest
to kill its host ...

The real danger is SARS-CoV-3 popping up out of nowhere and subjecting us to
a repeat of early 2020.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.49
************************