RISKS Forum mailing list archives

Risks Digest 29.96


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 10 Dec 2016 20:07:26 PST

RISKS-LIST: Risks-Forum Digest  Saturday 10 December 2016  Volume 29 : Issue 96

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.96>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
NASA's Power Supply Mistake on the ISS Was Totally Avoidable (WiReD)
"Yamanote Line train temporarily suspended after carriage fills with smoke
  in Tokyo" (Oona McGee)
How a rogue subway train in Singapore was caught with data (Adam Wildavsky)
Boeing Dreamliner 787 should be rebooted every 21 days (PGN)
These Toys Don't Just Listen To Your Kid, They Send What They Hear To A
  Defense Contractor (Consumerist)
Taking Action: Huntsville-Madison County EMA says computer code error left
  sirens silent during Tuesday's storms (WHNT)
Audi Cars Now Talk To Stop Lights In Vegas (IEEE Spectrum via Gabe Goldberg)
BMW traps thief by remotely locking him inside car (cnet)
Pentagon: Looking for a Few Good Hackers (The New York Times)
Ball-bearings policy analogy to cryptography policy (Ronald L. Rivest)
Phone encryption: Police 'mug' suspect to get data (BBC via Brian Randell)
How a Grad Student Found Spyware That Could Control Anybody's iPhone from
  Anywhere in the World (Vanity Fair)
US police enhanced hacking authority (Ars Technica)
The Neuroscientist Who's Building a Better Memory for Humans (WiReD)
"Time is running out for NTP" (Fahmida Y. Rashid)
Lawyers: New court software is so awful it's getting people wrongly arrested
  (Ars Technica)
When a system upgrade gets you arrested (BBC via Jose Maria Mateos)
Google accounts hacked (Check Point)
Amazon Gets Real About Counterfeits (Bloomberg)
Why Russia Is Using the Internet to Undermine Western Democracy (Slate)
CIA assessment: Russia intervened in the 2016 election (The Washington Post)
Trump supporters bought bogus Obama conspiracy theory peddled by Fox
  Business (The Washington Post)
Spread of Fake News Provokes Anxiety in Italy (The New York Times)
Police use 'fake news' in sting aimed at California gang (WBTV)
Google, democracy and the truth about Internet search (The Guardian)
Tech companies target online terrorist propaganda (Tami Abdollah)
Big risk in nomenclature: fake news vs lies! (Harlan Rosenthal)
Fake news (Joel Achenbach via Jim Geissman)
"After we left the ship, I had an uneasy feeling" (Elliott)
Re: NTSB on Aviation: Risks of checklists, especially when ignored
  (Jay Grizzard)
Weapons of Math Destruction (Cathy O'Neil via Diego Latella)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 9 Dec 2016 00:14:25 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: NASA's Power Supply Mistake on the ISS Was Totally Avoidable (WiReD)

https://www.wired.com/2016/12/nasa-made-really-dumb-mistake-iss-power-supply/

Lesson learned? Learn lessons.

------------------------------

Date: Sun, 04 Dec 2016 10:51:22 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Yamanote Line train temporarily suspended after carriage fills
  with smoke in Tokyo" (Oona McGee)

Oona McGee, RocketNews24, 4 Dec 2016
http://en.rocketnews24.com/2016/12/05/yamanote-line-train-temporarily-suspended-after-carriage-fills-with-smoke-in-tokyo/

  According to reports, a mobile phone battery pack fire was the cause of
  the incident.

------------------------------

Date: Tue, 6 Dec 2016 21:52:22 -0500
From: Adam Wildavsky <adam () tameware com>
Subject: How a rogue subway train in Singapore was caught with data

A remarkable software detective story:

https://blog.data.gov.sg/how-we-caught-the-circle-line-rogue-train-with-data-79405c86ab6a#.ext2x61ts

------------------------------

Date: Sat, 10 Dec 2016 11:14:20 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Boeing Dreamliner 787 should be rebooted every 21 days

The FAA is reportedly requiring airlines to reboot Dreamliners at an
interval "not to exceed 21 days" to prevent disasters.
http://thepointsguy.com/2016/12/faa-requiring-airlines-reboot-dreamliners

Someone has suggested out-of-band that perhaps this is related to the
Windows GetTickCount function family.  These functions return the number of
milliseconds since the system was booted in various forms.  If an
application converts that value to a 32-bit signed integer, then that number
will appear to become negative after 24.8 days.

This issue has been around since the 787 was launched.  One might have
expected it to have been fixed by now?

Here's an item from two years ago, thanks to Peter Ladkin:
http://arstechnica.com/information-technology/2015/05/boeing-787-dreamliners-contain-a-potentially-catastrophic-software-bug/
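
As an added illustration (not part of the posting, and not Boeing's or
Microsoft's code), here is the signed-overflow effect the out-of-band
suggestion describes, modelled in C against a GetTickCount-style 32-bit
millisecond uptime counter, beside the wrap-safe comparison that avoids it.
The deadline values and the "treat the counter as signed" pattern are
assumptions chosen to show the effect; whether the 787's software actually
does this is not something the posting establishes.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration: a 32-bit millisecond uptime counter of the kind
 * GetTickCount returns, and what happens when code treats it as signed.
 * The counter model and the deadline pattern are assumptions for the
 * example, not Boeing's or Microsoft's code. */

#define MS_PER_DAY 86400000u   /* 24 * 60 * 60 * 1000 */

/* Reinterpret a uint32 as two's-complement int32 without relying on
 * implementation-defined narrowing conversions. */
static int32_t as_signed(uint32_t ticks)
{
    if (ticks <= (uint32_t)INT32_MAX)
        return (int32_t)ticks;
    /* ticks - 2^31 lies in [0, 2^31 - 1], so adding INT32_MIN cannot overflow. */
    return (int32_t)(ticks - 0x80000000u) + INT32_MIN;
}

/* Days of uptime after which a signed view of the counter goes negative:
 * 2^31 ms / 86,400,000 ms per day = 24.855... days. Returned in
 * thousandths of a day to keep the arithmetic integral. */
static uint32_t signed_wrap_millidays(void)
{
    return (uint32_t)((2147483648ull * 1000ull) / MS_PER_DAY);  /* 24855 */
}

/* Buggy pattern: compare tick values as signed integers. Before the
 * 2^31 ms boundary this works; once 'now' has crossed it, 'now' reads as
 * negative and every deadline set before the boundary looks like it is
 * still in the future. */
static int deadline_passed_naive(uint32_t now, uint32_t deadline)
{
    return as_signed(now) >= as_signed(deadline);
}

/* Correct pattern: subtract in unsigned arithmetic (wraps modulo 2^32)
 * and look at the sign of the difference. Valid as long as 'now' and
 * 'deadline' are within 2^31 ms (24.8 days) of each other. */
static int deadline_passed_safe(uint32_t now, uint32_t deadline)
{
    return as_signed(now - deadline) >= 0;
}

/* Elapsed milliseconds between two readings, wrap-safe for any interval
 * shorter than one full 2^32 ms (49.7 day) revolution of the counter. */
static uint32_t elapsed_ms(uint32_t now, uint32_t then)
{
    return now - then;
}

int main(void)
{
    /* Deadline set one hour before the 2^31 boundary, checked one hour after it. */
    uint32_t deadline = 0x80000000u - 3600000u;
    uint32_t now      = 0x80000000u + 3600000u;

    printf("uptime %u ms reads as %d when treated as signed\n",
           now, as_signed(now));
    printf("naive check says deadline passed: %d (wrong)\n",
           deadline_passed_naive(now, deadline));
    printf("wrap-safe check says deadline passed: %d\n",
           deadline_passed_safe(now, deadline));
    printf("elapsed: %u ms\n", elapsed_ms(now, deadline));
    printf("signed view goes negative after %u.%03u days of uptime\n",
           signed_wrap_millidays() / 1000, signed_wrap_millidays() % 1000);
    return 0;
}
```

Any C99 compiler will build it. The naive check returns 0 once uptime
crosses the 2^31 ms boundary even though two hours have elapsed, while the
unsigned-subtraction form keeps working for differences under 24.8 days.
GetTickCount's own wrap back to zero happens at 2^32 ms, about 49.7 days;
code that stores the value in a signed 32-bit type hits trouble at half that.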

------------------------------

Date: Wed, 7 Dec 2016 11:50:17 -0500
From: "David Farber" <farber () gmail com>
Subject: These Toys Don't Just Listen To Your Kid,
  They Send What They Hear To A Defense Contractor (Consumerist)

https://consumerist.com/2016/12/06/these-toys-dont-just-listen-to-your-kid-they-send-what-they-hear-to-a-defense-contractor/

------------------------------

Date: Fri, 9 Dec 2016 00:17:27 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Taking Action: Huntsville-Madison County EMA says
  computer code error left sirens silent during Tuesday's storms

HUNTSVILLE, Ala. -- A missing line of computer code is being blamed for the
failure of Madison County's emergency sirens to sound Tuesday night amid
several tornado warnings.  Huntsville-Madison County EMA Director Jeff
Birdwell told WHNT News 19 Friday that the review is ongoing and will be
methodical, but he believes they've identified the problem.

The EMA switched to a polygon based warning system -- aimed at sounding
sirens only in areas in the path of a potential tornado -- just over a year
ago. The system is supposed to sound sirens in areas -- the polygon -- that
the National Weather Service reports are under a tornado warning.  ``From my
understanding with the absence of this code, as the polygon was received
from the National Weather Service, not having that code didn't allow the
software to recognize we had a warning.  And then past that point you don't
have a warning[,] you don't get any activation of the sirens.''

http://whnt.com/2016/12/02/taking-action-huntsville-madison-county-ema-says-computer-code-error-left-sirens-silent-during-tuesdays-storms/

A line of polygon-recognizing specific code? Must be APL.

Gabriel Goldberg, Computers and Publishing, Inc.       gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433
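
A sketch, added here and not drawn from the EMA's or its vendor's software,
of what a polygon-based siren dispatcher has to get right. The siren
coordinates, the square warning polygon and the warning record are
constructed for the example, and the NWS product format is not reproduced.
The point is the default branch: a product the dispatcher does not recognise
returns an error and escalates, instead of falling through as "no warning".

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration of a polygon-based siren dispatcher. Coordinates,
 * siren sites and the warning record are constructed for this example;
 * they are not the EMA's software or the NWS product format. */

typedef struct { double lon, lat; } Point;

typedef struct {
    const char *id;
    Point site;
} Siren;

/* Kinds of product the dispatcher knows how to act on. */
typedef enum { EVT_TORNADO_WARNING, EVT_SEVERE_TSTORM_WARNING, EVT_UNKNOWN } EventKind;

typedef struct {
    EventKind kind;
    const Point *poly;   /* vertices in order, not closed */
    size_t n;
} Warning;

/* Ray-casting point-in-polygon test (even-odd rule). Points exactly on an
 * edge may land on either side; a real dispatcher would pad the polygon
 * outward by a safety margin rather than rely on that. */
static int point_in_polygon(Point p, const Point *poly, size_t n)
{
    int inside = 0;
    for (size_t i = 0, j = n - 1; i < n; j = i++) {
        int crosses = (poly[i].lat > p.lat) != (poly[j].lat > p.lat);
        if (crosses) {
            double x = (poly[j].lon - poly[i].lon) * (p.lat - poly[i].lat)
                     / (poly[j].lat - poly[i].lat) + poly[i].lon;
            if (p.lon < x)
                inside = !inside;
        }
    }
    return inside;
}

/* Decide which sirens to sound for a warning. Returns the number
 * activated, or -1 if the product kind is not one the dispatcher
 * recognises: an unrecognised warning must raise an alarm to the operator,
 * never be treated as "no warning" the way the missing code path was. */
static int dispatch(const Warning *w, const Siren *sirens, size_t nsirens,
                    int *activated /* out: one flag per siren */)
{
    int count = 0;
    switch (w->kind) {
    case EVT_TORNADO_WARNING:
    case EVT_SEVERE_TSTORM_WARNING:
        break;
    default:
        /* Fail loud rather than silently. */
        fprintf(stderr, "dispatch: unrecognised product kind %d; "
                        "escalating to duty officer\n", (int)w->kind);
        return -1;
    }
    for (size_t i = 0; i < nsirens; i++) {
        activated[i] = point_in_polygon(sirens[i].site, w->poly, w->n);
        count += activated[i];
    }
    return count;
}

/* Constructed data: three sirens and a square warning polygon covering
 * the first two. */
static const Siren SIRENS[] = {
    { "S1", { -86.60, 34.73 } },
    { "S2", { -86.58, 34.71 } },
    { "S3", { -86.40, 34.60 } },
};
static const Point POLY[] = {
    { -86.70, 34.65 }, { -86.50, 34.65 }, { -86.50, 34.80 }, { -86.70, 34.80 }
};

/* Wrappers over the fixed data so results can be checked by name. */
static int sirens_for_tornado(void)
{
    int flags[3];
    Warning w = { EVT_TORNADO_WARNING, POLY, 4 };
    return dispatch(&w, SIRENS, 3, flags);
}

static int sirens_for_unknown(void)
{
    int flags[3];
    Warning w = { EVT_UNKNOWN, POLY, 4 };
    return dispatch(&w, SIRENS, 3, flags);
}

int main(void)
{
    int flags[3];
    Warning w = { EVT_TORNADO_WARNING, POLY, 4 };
    int n = dispatch(&w, SIRENS, 3, flags);
    printf("tornado warning: %d siren(s) activated\n", n);
    for (size_t i = 0; i < 3; i++)
        printf("  %s: %s\n", SIRENS[i].id, flags[i] ? "SOUND" : "silent");
    w.kind = EVT_UNKNOWN;
    printf("unknown product: dispatch returned %d\n", dispatch(&w, SIRENS, 3, flags));
    return 0;
}
```

With the constructed data the tornado warning sounds S1 and S2 and leaves S3
silent; the unknown product returns -1 and logs to stderr. The design choice
worth copying is that "not recognised" is a distinct, noisy outcome rather
than the same zero as "no sirens in the polygon".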

------------------------------

Date: Fri, 9 Dec 2016 00:27:08 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Audi Cars Now Talk To Stop Lights In Vegas

The plan is to eventually give drivers the information they need to make
fairly ambitious predictions, like choosing the right speed to go sailing
through several green lights in a row. Or the system might bypass the driver
and go straight to the engine's start-stop system, shutting it down for a
long count, then starting it up again seconds before getting a green
light. ...

Last sentence: But, like a mobile phone, a networked vehicle is eminently
hackable, and when this communicative capability becomes common in cars,
there will be more than enough incentive for the bad guys to prey on them.
http://spectrum.ieee.org/cars-that-think/transportation/infrastructure/audi-cars-now-talk-to-stop-lights-in-vegas

Not a word about built-in or planned security.  Of course, how could
anything go wrong with this?

Gabriel Goldberg, Computers and Publishing, Inc.       gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

------------------------------

Date: Mon, 5 Dec 2016 19:44:42 -0600
From: "Alister Wm Macintyre" <macwheel99 () wowway com>
Subject: BMW traps thief by remotely locking him inside car (cnet)

The crook could have smashed a window and exited through it.
https://www.cnet.com/news/bmw-traps-thief-by-remotely-locking-him-in-car-he-was-stealing/

------------------------------

Date: Tue, Nov 29, 2016 at 4:07 AM
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Pentagon: Looking for a Few Good Hackers

Pentagon: Looking for a Few Good Hackers
The Editorial Board, *The New York Times*, 28 Nov 2016
http://www.nytimes.com/2016/11/28/opinion/pentagon-looking-for-a-few-good-hackers.html

In June 2015, the Office of Personnel Management announced that foreign
hackers had stolen the personnel records of millions of federal employees,
one of the most damaging cyberattacks in history. Just weeks later, the
office of the Joint Chiefs of Staff shut down its unclassified email system
for several days after officials detected that it had been breached.
<http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html>

These serious intrusions came months after a group affiliated with the
Islamic State briefly commandeered the Central Command's Twitter account and
rebranded it as the *Cyber Caliphate*.
<http://www.nytimes.com/2015/01/13/us/isis-is-cited-in-hacking-of-central-commands-twitter-feed.html>

Given the enormity of the problem, one of the responses by the Department of
Defense might seem befuddling. They've asked hackers willing to play by
strict rules to find vulnerabilities in some of the Pentagon's unclassified
computer system.

Well-intentioned computer security experts routinely scan the internet in
search of vulnerabilities, which they often map out and report. Until now,
doing that on Pentagon sites carried the considerable legal risk of running
afoul of the Computer Fraud and Abuse Act.

*Hack the Pentagon* kicked off in April with a month-long trial program that
attracted 1,400 so-called white hackers to fiddle with Department of Defense
websites on the hunt for weak points that could be exploited to steal data
or jam systems. Those hackers spotted 138 weaknesses, according to the
Pentagon, and were paid $75,000 in rewards.

Encouraged by the results, the Defense Department last week announced a
formal policy <https://hackerone.com/deptofdefense> permitting outside
computer experts to test for vulnerabilities in the system and report them
to the department.  Secretary of Defense Ashton Carter called the initiative
``*see something, say something* policy for the digital domain.''  Those
hackers won't be paid for their reports, but officials hope they will do it
out of a sense of duty.
<http://www.defense.gov/News/News-Releases/News-Release-View/Article/1009956/dod-announces-digital-vulnerability-disclosure-policy-and-hack-the-army-kick-off>

------------------------------

Date: Thu, 8 Dec 2016 10:47:24 -0800
From: "Ronald L. Rivest" <rivest () mit edu>
Subject: Ball-bearings policy analogy to cryptography policy

  [Noted elsewhere, reproduced here with permission.  PGN]

Yesterday I had a video-tape interview with Roy Levin on behalf of the ACM
Oral History project.  We talked about many things, including encryption
policy.

I tried out the following analogy, which sort-of works (at least for me).
(There was no live audience, other than Roy, so it wasn't possible to get a
reaction from the audience...)  It goes as follows (a bit elaborated on
compared to my mention in the video):

  Encryption policy is very much like "ball-bearing policy".

Ball bearings are really what make fast vehicles possible, which
causes all kinds of problems for law enforcement.  Examination of
the remains of the cars of suicide bombers has found definitive
evidence of ball bearings.  Drug smugglers are known to be particularly
fond of ball-bearing-enabled fast vehicles.

So Law Enforcement has proposed the regulation of ball bearings.  LE
understands that ball bearings have many legitimate uses, which they don't
wish to hinder.  LE doesn't have strong competence in ball-bearing tech, and
hopes that industry will be able to do "something smart" that arrives at a
reasonable compromise.

I do think that the applications of encryption are even more varied and
complex than are the applications of ball bearings.  Encryption is
everywhere inside the code of modern systems.

Trying to regulate cryptography won't be any more workable than would
trying to regulate ball-bearing technology...

Ronald L. Rivest,  Stata Center, MIT, Cambridge MA 02139
http://people.csail.mit.edu/rivest

  [Beware of ball-bearing cryptogeeks bearing grudges?  PGN]

------------------------------

Date: December 2, 2016 at 10:41:18 AM EST
From: Brian Randell <brian.randell () newcastle ac uk>
Subject: Phone encryption: Police 'mug' suspect to get data (BBC)

From the BBC news website:
Phone encryption: Police 'mug' suspect to get data

Detectives have developed a new tactic to beat criminals using mobile phone
encryption -- legally "mug" them.  The tactic has emerged after Scotland
Yard's cybercrime unit smashed a fake credit card fraud racket.  Officers
realised crucial evidence in the investigation was concealed on a suspect's
iPhone -- but it would be unobtainable if the device was locked.

So a covert team seized it in the street while the suspect was on a call --
beating the security settings.  The street seizure of the phone was dreamt
up by detectives from Operation Falcon, the specialist Metropolitan Police
team running investigations into major fraud and related crimes organised
online.

http://www.bbc.co.uk/news/uk-38183819

------------------------------

Date: Thu, 1 Dec 2016 02:15:14 -0500
From: Monty Solomon <monty () roscom com>
Subject: How a Grad Student Found Spyware That Could Control
  Anybody's iPhone from Anywhere in the World (Vanity Fair)

http://www.vanityfair.com/news/2016/11/how-bill-marczak-spyware-can-control-the-iphone

------------------------------

Date: Wed, 30 Nov 2016 20:03:45 -0600
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: US police enhanced hacking authority (Ars Technica)

Once upon a time, ordinary US courts could issue warrants only to search
people's property that existed within the jurisdiction of the judge (city,
county, state), and needed probable cause that something was being done
wrong, justifying the search.

Although the FISA court could issue approval to do mass surveillance.

Now ordinary judges can also issue warrants to search computers, regardless
of jurisdiction or even do fishing expeditions, with no probable cause
required.

http://arstechnica.com/tech-policy/2016/11/new-us-law-making-it-easier-to-search-computers-takes-effect-thursday/

------------------------------

Date: Sun, 4 Dec 2016 16:07:39 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Neuroscientist Who's Building a Better Memory for Humans

Kernel's earliest goals are to bring Berger's implant to the market as a
medical device that can help the memory impaired.  Berger is currently
conducting a human trial with a version of the device, and says that so far,
the patients in his human trial are performing well on memory tests. But
ultimately, CEO Bryan Johnson wants Kernel to develop devices -- implantable
in a simple outpatient procedure -- that enhance human intelligence in areas
like attention, creativity, and focus.

That goal would venture into new waters for regulatory agencies: Are these
medical devices or consumer devices, and who should regulate them?  Under
the Food and Drug Administration's terms, an implant would count as a
medical device if its intent is to diagnose or treat a medical condition or
to affect the structure or function of the body. But a subdermal implant
that merely suggests it could improve concentration or creativity may slip
through the FDA's regulatory grasp, like the dietary supplements of brain
stimulators.

https://www.wired.com/2016/12/neuroscientist-whos-building-better-memory-humans/

Gabriel Goldberg, Computers and Publishing, Inc.       gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

------------------------------

Date: Mon, 05 Dec 2016 09:47:00 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Time is running out for NTP" (Fahmida Y. Rashid)

Fahmida Y. Rashid, InfoWorld | Nov 28, 2016
A weakness of the Open-Source model is showing here.  A project that is
needed, but that is not very visible can struggle.
Everyone benefits from Network Time Protocol, but the project struggles to
pay its sole maintainer or fund its various initiatives.
http://www.infoworld.com/article/3144546/security/time-is-running-out-for-ntp.html

selected text:

There are two types of open-source projects: those with corporate
sponsorship and those that fall under the "labor of love" category.
Actually, there's a third variety: projects that get some support but have
to keep looking ahead for the next sponsor.

Some open-source projects are so widely used that if anything goes wrong,
everyone feels the ripple effects. OpenSSL is one such project; when the
Heartbleed flaw was discovered in the open-source cryptography library,
organizations scrambled to identify and fix all their vulnerable networking
devices and software. Network Time Protocol (NTP) arguably plays as critical
a role in modern computing, if not more; the open-source protocol is used to
synchronize clocks on servers and devices to make sure they all have the
same time. Yet, the fact remains that NTP is woefully underfunded and
undersupported.

------------------------------

Date: Fri, 2 Dec 2016 09:57:18 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Lawyers: New court software is so awful it's getting people wrongly
  arrested (Ars Technica)

Ars Technica via NNSquad
http://arstechnica.com/tech-policy/2016/12/court-software-glitches-result-in-erroneous-arrests-defense-lawyers-say/

  But, just across the bay from San Francisco, Alameda County's deputy
  public defender, Jeff Chorney, says that since the county switched from a
  decades-old computer system to Odyssey in August, dozens of defendants
  have been wrongly arrested or jailed. Others have even been forced to
  register as sex offenders unnecessarily. "I understand that with every
  piece of technology, bugs have to be worked out," he said, practically
  exasperated. "But we're not talking about whether people are getting their
  paychecks on time. We're talking about people being locked in cages,
  that's what jail is. It's taking a person and locking them in a cage."

    [Also noted by Gabe Goldberg: While they're not specific, talking about
    a 1970s system being replaced might refer to mainframe or early
    minicomputer.  That apparently worked fine until recently.]

------------------------------

Date: Wed, 30 Nov 2016 11:01:39 -0500
From: Jose Maria Mateos <chema () rinzewind org>
Subject: When a system upgrade gets you arrested (BBC)

http://www.bbc.com/news/technology-38153992

The software, created by Texas-based Tyler Technologies, costs about $5m
(£4m) and is set to gradually replace a decades-old e-filing system
that looks like something a hacker would use in a Hollywood movie.

Tyler Technologies acknowledged in a statement that the upgrade process had
been *challenging* -- but said poor training was to blame for bad inputting
of data and integration with third-party applications that often introduce
glitches into the system.

One of the state's early adopters of the new technology is Alameda County,
an area which covers around 1.5 million people in the San Francisco Bay
Area, though not San Francisco itself.

The county's public defender, Brendon Woods, is now supporting many clients
who have been affected by the issues.

He said a cumbersome user interface was causing the time taken to update a
record to jump from around one minute to as much as 30 minutes per entry.

As well as wrongful arrests and incorrectly extended custody, Mr Woods has
seen several cases of misdemeanour offenses incorrectly appearing on the
system as serious felony charges.

------------------------------

Date: Wed, 30 Nov 2016 20:17:44 -0600
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: 1.3M Google accounts hacked, and counting (Check Point)

I think this only applies to people whose smartphone is Android, its OS
below 6.0, and they use an app download location other than Google's.

http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
http://www.forbes.com/sites/thomasbrewster/2016/11/30/gooligan-android-malware-1m-google-account-breaches-check-point-finds/#3c16256b470d
http://www.i24news.tv/en/news/technology/131418-161130-over-one-million-google-accounts-hacked-israeli-company-reveals

How do you know if your Google account is breached?

You can check if your account is compromised by accessing the following web
site created by Check Point: <https://gooligan.checkpoint.com/>

If your account has been breached, the following steps are required:

1. A clean installation of an operating system on your mobile device is
   required (a process called "flashing"). As this is a complex process, we
   recommend powering off your device and approaching a certified
   technician, or your mobile service provider, to request that your device
   be "re-flashed."

2. Change your Google account passwords immediately after this process.

------------------------------

Date: Tue, 29 Nov 2016 18:27:42 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Amazon Gets Real About Counterfeits (Bloomberg)

  Randy Hetrick first noticed counterfeits on Amazon.com Inc. in 2013. He
  had been selling his TRX Training System -- an exercise kit of suspension
  straps -- on the site since 2008.  When he began noticing
  cheap imitations, he had his employees scour Amazon for more, then go
  through the tedious process of reporting them for removal. But new
  imposters would pop up right away, and by 2014, "We realized this was an
  epidemic," said Hetrick, who estimates phonies cost him $100 million a
  year, twice his annual sales.

To read the entire article, go to http://bloom.bg/2gxVEQW

The risk? That enlarging markets with online selling has a dark side, faster
and broader luring crooks to counterfeit. Like everything else bad online,
it's not new -- just human nature on a broader platform.

------------------------------

Date: Mon, 5 Dec 2016 17:01:38 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Why Russia Is Using the Internet to Undermine Western Democracy

http://www.slate.com/articles/technology/future_tense/2016/12/why_russia_is_using_the_internet_to_undermine_western_democracy.html

  Russia's leaders already see Western conspiracy everywhere: the Orange
  Revolution, the Arab Spring, the entire Internet.  All of these play out
  in Moscow as plots by the U.S.  and its allies to ensure the world order
  protects only Western values and therefore Western interests.  And we play
  right into their hands, saying the Internet is a samizdat -- the famously
  hand-copied literature of opposition to Soviet rule -- and claiming the
  Che Guevara of the 21st-century is a network.  (And rather ahistorically,
  too, given the United States' violent antipathy to Guevara's aims.)

------------------------------

Date: Fri, 9 Dec 2016 17:21:16 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: CIA assessment: Russia intervened in the 2016 election (WashPost)

Adam Entous, Ellen Nakashima and Greg Miller
*The Washington Post*,  December 9 at 7:36 PM ET

The CIA has concluded in a secret assessment that Russia intervened in the
2016 election to help Donald Trump win the presidency, rather than just to
undermine confidence in the U.S. electoral system, according to officials
briefed on the matter.

Intelligence agencies have identified individuals with connections to the
Russian government who provided WikiLeaks with thousands of hacked emails
from the Democratic National Committee and others, including Hillary
Clinton's campaign chairman, according to U.S. officials. Those officials
described the individuals as actors known to the intelligence community and
part of a wider Russian operation to boost Trump and hurt Clinton's chances.

``It is the assessment of the intelligence community that Russia's goal here
was to favor one candidate over the other, to help Trump get elected.
That's the consensus view,'' said a senior U.S. official briefed on an
intelligence presentation made to U.S. senators.

The Obama administration has been debating for months how to respond to the
alleged Russian intrusions, with White House officials concerned about
escalating tensions with Moscow and being accused of trying to boost
Clinton's campaign.

In September, during a secret briefing for congressional leaders, Senate
Republican Leader Mitch McConnell (Ky.) voiced doubts about the veracity of
the intelligence, according to officials present. [...]

  See also *The Boston Globe*:
  http://www.bostonglobe.com/news/world/2016/12/09/cia-says-russia-favored-trump/WNrHBPKLpKMFdOhqKV1pvN/story.html

------------------------------

Date: Thu, 1 Dec 2016 12:06:48 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Trump supporters bought bogus Obama conspiracy theory peddled by
  Fox Business (The Washington Post)

via NNSquad
https://www.washingtonpost.com/blogs/erik-wemple/wp/2016/12/01/trump-supporters-bought-bogus-obama-conspiracy-theory-peddled-by-fox-business/

  Fox Business earlier this month committed an astounding hatchet job
  against the president, who had done an interview with Gina Rodriguez on
  mitú. Introducing the news, Fox Business host Stuart Varney claimed that
  President Obama, in that interview, "appears to encourage illegals to
  vote, and he promises no repercussions if they do."  No such thing
  happened.

------------------------------

Date: Sat, 3 Dec 2016 08:26:53 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Spread of Fake News Provokes Anxiety in Italy (The New York Times)

The NYT via NNSquad
http://www.nytimes.com/2016/12/02/world/europe/italy-fake-news.html

  Anxiety about bogus news reports is rising in Europe, as Prime Minister
  Matteo Renzi of Italy and others express concern that fake news circulated
  over social media may influence elections on the Continent, including a
  critical referendum in Italy on Sunday.  The outcome of the Italian vote,
  which could determine the fate of Mr.  Renzi's government, may also affect
  the stability of European financial markets and further weaken the
  moorings of the European Union.  Leaders on both sides of the Atlantic are
  trying to determine whether political parties are using social media
  platforms to deliberately disseminate propaganda, and whether there are
  connections to the agendas of outside powers, including Russia.

Please remember to report news or postings you believe to be fake at:
https://factsquad.com -- and thanks to everyone who has already done so.
Some great data there.

------------------------------

Date: Sat, 3 Dec 2016 11:40:18 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Police use 'fake news' in sting aimed at California gang (WBTV)

WBTV via NNSquad
http://www.wbtv.com/story/33859699/police-use-fake-news-in-sting-aimed-at-california-gang

  Police investigating a notorious gang in a city on California's central
  coast issued a fake press release that the chief credited with saving two
  men by deceiving gang members who wanted to kill them, but the ruse was
  criticized by news organizations who reported it as fact.

This one is easy. Assume that everything that is said by this police chief
or released by this police department IS A LIE -- unless proof of the
information is released on a contemporaneous basis. Branded as liars.

------------------------------

Date: Sun, 4 Dec 2016 12:49:51 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Google, democracy and the truth about Internet search (The Guardian)

*The Guardian* via NNSquad

https://www.theguardian.com/technology/2016/dec/04/google-democracy-truth-internet-search-facebook

------------------------------

Date: Tue, 6 Dec 2016 10:04:41 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Tech companies target online terrorist propaganda (Tami Abdollah)

  [What's good for the goosing is good for the propagander.  PGN]

Tami Abdollah
https://apnews.com/6fdeb20a479c469c93572129561bd989/Tech-companies-move-to-target-terrorist-propaganda-online

WASHINGTON (AP) -- Facebook, Microsoft, Twitter and YouTube are joining
forces to more quickly identify the worst terrorist propaganda and prevent
it from spreading online.

The new program announced Monday would create a database of unique digital
"fingerprints" to help automatically identify videos or images the companies
could remove.

The move by the technology companies, which is expected to begin in early
2017, aims to assuage government concerns -- and derail proposed new federal
legislation -- over social media content that is seen as increasingly driving
terrorist recruitment and radicalization, while also balancing free-speech
issues.

Technical details were being worked out, but Microsoft pioneered similar
technology to detect, report, and remove child pornography through such a
database in 2009. Unlike those images, which are plainly illegal under
U.S. law, questions about whether an image or video promotes terrorism can
be more subjective, depending on national laws and the rules of a particular
company's service.

Social media has increasingly become a tool for recruiting and
radicalization by the Islamic State group and others. Its use by terror
groups and supporters has added to the threat from so-called lone-wolf
attacks and decreased the time from "flash to bang" -- or radicalization to
violence -- with little or no time for law enforcement to follow evidentiary
trails before an attack.

Under the new partnership, the companies promised to share among themselves
"the most extreme and egregious terrorist images and videos we have removed
from our services -- content most likely to violate all our respective
companies' content policies," according to a joint announcement Monday
evening.

When such content is shared internally, the other participating companies
will be notified and can use the digital fingerprints to quickly identify
the same content on their own services to judge whether it violates their
rules. If so, companies can delete the material and possibly disable the
account, as appropriate.

Most social media services explicitly do not allow content that supports
violent action or illegal activities. Twitter, for example, says users "may
not promote violence against or directly attack or threaten other people on
the basis of race, ethnicity, national origin, sexual orientation, gender,
gender identity, religious affiliation, age, disability or disease."

"We really are going after the most obvious serious content that is shared
online -- that is, the kind of recruitment videos and beheading videos more
likely to be against all our content policies," said Sally Aldous, a
Facebook spokeswoman.

The White House praised the joint effort. "The administration believes that
the innovative private sector is uniquely positioned to help limit terrorist
recruitment and radicalization online," said National Security Council
spokesman Carl Woog. "Today's announcement is yet another example of tech
communities taking action to prevent terrorists from using these platforms
in ways their creators never intended."

The new program caps a year of efforts to tamp down on social media's use by
terrorist groups.

Lawmakers last year introduced legislation that would require social media
companies to report any online terrorist activity they became aware of to
law enforcement. The bill by Sens. Dianne Feinstein, D-Calif., and Richard
Burr, R-N.C., was criticized for not defining "terrorist activity," which
could have drowned government agencies in reports. The bill was opposed by
the Internet Association, which represents 37 internet companies, including
Facebook, Snapchat, Google, LinkedIn, Reddit, Twitter, Yahoo and others.

The bill came days after Syed Farook and his wife, Tashfeen Malik, went on a
shooting attack in San Bernardino, California, killing 14 people and
injuring 21 others. A Facebook post on Malik's page around the time of the
attack included a pledge of allegiance to the leader of the Islamic State
group.

Facebook found the post -- which was under an alias -- the day after the
attack. The company removed the profile from public view and informed law
enforcement. Such a proactive effort had previously been uncommon.

Twitter moved toward partial automation in late 2015, using unspecified
"proprietary spam-fighting tools" to find accounts that might be violating
its terms of service and promoting terrorism. The material still required
review by a team at Twitter before the accounts could be disabled.

"Since the middle of 2015, we have suspended more than 360,000 accounts for
violating Twitter's policy on violent threats and the promotion of
terrorism," said Sinead McSweeney, Twitter's vice president of public
policy. "A large proportion of these accounts have been removed by technical
means, including our proprietary spam-fighting tools."

Facebook has also used image-matching technology to compare images to ones
it's already removed. The effort lets Facebook review images to avoid
removing legitimate and protected uses, such as a photograph published by a
news organization, a spokeswoman said.

Terrence McNeil of Ohio was charged in 2015 with soliciting the killings of
U.S. service members over social media, including Tumblr, Facebook and
Twitter. Federal prosecutors accused him of posting a series of photographs
on his Facebook account to praise the death of a Jordanian pilot who was
burned to death by the Islamic State group -- showing him before, during and
after his death, including an image of him engulfed in flames, according to
the complaint.

In January, the White House dispatched top officials, including FBI Director
James Comey, Attorney General Loretta Lynch and National Security Agency
Director Mike Rogers, to Silicon Valley to discuss the use of social media
by violent extremist groups. Among the issues they discussed was how to use
technology to help quickly identify terrorist content.

The four companies say they will be looking at involving additional
companies in the future.
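The mechanics sketched in the article (a removing company shares only a digital fingerprint, the other participants are notified, match it against their own services and then decide under their own rules, with room to keep protected uses such as a news organization's copy) can be made concrete. The following is an added illustration, not code from the article or from any of the companies it names; the class names, the policy rule and the sample byte strings are constructed for this example. It also shows a caveat the article does not spell out: an exact cryptographic digest only matches byte-identical copies, so a re-encoded copy goes unflagged.

```python
"""Hash-sharing between participating services: added illustration, not the
article's or any company's code. Names and sample bytes are constructed."""
import hashlib
from collections import defaultdict


def fingerprint(data: bytes) -> str:
    """The shared 'digital fingerprint': a SHA-256 digest of the removed media.
    Only this hex string crosses company boundaries; the content never does."""
    return hashlib.sha256(data).hexdigest()


class SharedHashRegistry:
    """Consortium-wide table: digest -> set of members that removed it."""

    def __init__(self):
        self._entries = defaultdict(set)
        self._subscribers = []  # callbacks taking (digest, reporting_member)

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def share(self, member: str, removed_content: bytes) -> str:
        digest = fingerprint(removed_content)
        is_new = digest not in self._entries
        self._entries[digest].add(member)
        if is_new:  # notify the other participants once per new fingerprint
            for cb in self._subscribers:
                cb(digest, member)
        return digest

    def reporters(self, digest: str) -> frozenset:
        return frozenset(self._entries.get(digest, ()))


class Participant:
    """One member service. It holds its own items (bytes plus a context label),
    is notified of new fingerprints, matches them against its own store only,
    and then applies its own rules: a match is a flag for review, not a verdict."""

    def __init__(self, name: str, registry: SharedHashRegistry):
        self.name = name
        self.store = {}    # item_id -> (data, context)
        self.pending = []  # (item_id, digest) awaiting review
        self.actions = {}  # item_id -> "removed" | "kept"
        registry.subscribe(self._on_new_fingerprint)

    def add_item(self, item_id: str, data: bytes, context: str = "user") -> None:
        self.store[item_id] = (data, context)

    def _on_new_fingerprint(self, digest: str, reporter: str) -> None:
        if reporter == self.name:
            return
        for item_id, (data, _ctx) in self.store.items():
            if fingerprint(data) == digest:
                self.pending.append((item_id, digest))

    def violates_own_policy(self, item_id: str) -> bool:
        # Constructed rule: a protected use (a newsroom's own report) is kept
        # even though its bytes match a shared fingerprint.
        _data, context = self.store[item_id]
        return context != "news"

    def review(self) -> dict:
        """Resolve every flagged item; return this round's decisions."""
        decided = {}
        while self.pending:
            item_id, _digest = self.pending.pop(0)
            if self.violates_own_policy(item_id):
                del self.store[item_id]
                decided[item_id] = "removed"
            else:
                decided[item_id] = "kept"
        self.actions.update(decided)
        return decided


def demo() -> dict:
    """One share / notify / match / review cycle over constructed data."""
    video = b"constructed sample: bytes of a removed video"
    recoded = video + b"\x00"  # same media re-encoded: a single byte differs

    registry = SharedHashRegistry()
    alpha = Participant("alpha", registry)
    beta = Participant("beta", registry)
    beta.add_item("post-1", video)                  # ordinary user upload
    beta.add_item("post-2", video, context="news")  # newsroom's report on it
    beta.add_item("post-3", recoded)                # re-encoded copy

    digest = registry.share("alpha", video)  # alpha removed it and shares the hash
    decisions = beta.review()
    return {
        "reporters": sorted(registry.reporters(digest)),
        "decisions": decisions,
        "unmatched_recode": "post-3" not in decisions,
        "remaining": sorted(beta.store),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows `post-1` removed, `post-2` kept under the receiving service's own policy, and `post-3` never flagged at all: the re-encoded copy has a different SHA-256, which is why services that want near-duplicate coverage turn to perceptual hashes rather than cryptographic ones.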

------------------------------

Date: Tue, 29 Nov 2016 19:12:04 -0600 (CST)
From: Harlan Rosenthal <harlan.rosenthal () verizon net>
Subject: Big risk in nomenclature: fake news vs lies!

"Fake News" does not exist.  Lies do.
Beware of calling something "fake news".
We used to call counter-factual statements "lies".

  [Harlan, Many thanks for that.  From now on, I am going to have to
  explicitly declare April Fool's items as Fake News, as opposed to "Lies".]

------------------------------

Date: Wed, 7 Dec 2016 19:00:58 -0800
From: "Jim" <jgeissman () socal rr com>
Subject: Fake news

Joel Achenbach has a good article on "fake news".
(Why isn't it called lies, or maybe propaganda?)

He quotes something he wrote in 1988:

  "The technology of falsehood has outraced our judgment. Alienated from
  nature, liberated from such barbaric responsibilities as the growing of
  food, the making of shelter, we have entered a mysterious phase in which
  we passively accept a cartoon version of reality that is projected upon us
  by unreliable, deceptive, and sometimes diabolical media."

https://www.washingtonpost.com/news/achenblog/wp/2016/12/07/fake-news-and-creeping-surrealism/?utm_term=.5eaf212cb409

------------------------------

Date: Thu, 1 Dec 2016 11:03:50 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: "After we left the ship, I had an uneasy feeling" (Elliott)

It's mysterious because Hoagland's cabin didn't have a minibar.
That's right, Royal Caribbean charged a guest for an *amenity* that wasn't
even in his room. And wait until you read its explanation.

  http://elliott.org/thats-ridiculous-2/left-ship-uneasy-feeling/

First failure data capture? What's that? There really is no explanation.
The risk? That something computerized and automated allows "impossible"
things to happen. Repeatedly. Because nobody cares, or nobody understands
what's wrong.

------------------------------

Date: Thu, 1 Dec 2016 13:38:57 -0800
From: Jay Grizzard <elfchief () lupine org>
Subject: Re: NTSB on Aviation: Risks of checklists, especially when ignored

Looking at this report and concluding that checklists can easily become a
placebo seems like the wrong takeaway; pilots are specifically trained in
how to execute checklists in ways (e.g. challenge-response systems) that
make it more difficult to just breeze through them without actually
performing checklist items. This doesn't make it impossible for checklists
to fail, but a lot of effort has gone into making it much harder for them to
fail.

The catch with checklists, though, is that you have to actually intend to
use them. This incident wasn't a case of the checklists not performing their
function, it was a case of negligence by the pilots.  The pilots
intentionally ignored the checklists, presumably due to a combination of "we
already know what we need to do" and "the odds of our plane breaking in a
way the checklist would catch is low". It's this kind of arrogance that
kills pilots (and passengers).

It's not so much that the checklists were an ineffective placebo, it's more
like the pilots got their life-saving medication from the pharmacy and then
threw it in the trash on the way out the door.

------------------------------

Date: Sun, 04 Dec 2016 10:31:33 +0100
From: Diego Latella <diego.latella () isti cnr it>
Subject: Weapons of Math Destruction

I'm not sure I've seen the notification of the following book in RISKS.
I would suggest everybody should read it.

  Cathy O'Neil
  "Weapons of Math Destruction"
  Allen Lane (Penguin), 2016
  https://weaponsofmathdestructionbook.com/

Although the language used by the author is a little too slangy (for my
personal taste), I guess for dissemination purposes, the book reports a
series of documented facts and describes a series of concepts which I
consider important for people to know.

In particular, I think that the ICT community should think about the social
impact of some of its results, about the opacity of practices for the
development and use of some predictive software tools, and about the need
for ethical and legal norms for such practices. I think it is important that
the scientific community also contributes at the (international)
institutional and legal level, in much the same way it does for, among
others, weapons of mass destruction (I am thinking of course of the role
movements like the Pugwash Conferences on Science and World Affairs -- Nobel
Prize for Peace in 1995 -- have played and still play in international
crisis resolution or the development of international treaties).

Dott. Diego Latella, CNR/ISTI, Via Moruzzi 1, 56124 Pisa, IT
(http://www.isti.cnr.it) http://www.isti.cnr.it/People/D.Latella

------------------------------

Date: Wed, 17 Aug 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.96
************************
