RISKS Forum mailing list archives
Risks Digest 30.17
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 4 Mar 2017 11:36:02 PST
RISKS-LIST: Risks-Forum Digest Saturday 4 March 2017 Volume 30 : Issue 17 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/30.17> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Michelin Star Mix-Up Throws a Working-Class Bistro Into a Media Storm (The NYTimes) Hard Drive LED Allows Data Theft From Air-Gapped PCs (Eduard Kovacs) California Law Enforcement Union Sues To Block Police Accountability (TechDirt) How the Secret Service Protects the President Against New Cyber-threats (Fortune) The Internet is already dead (Michael Grant) Shhh! That Helpful Robot May Pose a Security Risk (John Markoff) Driverless cars have trouble seeing humans on bicycles (IEEE Spectrum) Oscars screwup and Asiana 214 crash (Phil Smith III) Use of the Red Cross in a video game (Paul Robinson) "Physical data is inherently less secure than digital" (The Register via Neil Youngman) Hacked texts from family of former Trump campaign manager surface on the dark web (TechCrunch) What if tomorrow it's the Church of Scientology? (Kelly Bert Manning) Software Engineer detained by U.S. Customs (CNBC) Google's anti-trolling AI can be defeated by typos, researchers find (Ars Technica) FCC chair wants carriers to block robocalls from spoofed numbers (Ars Technica) Human error caused Amazon Web Services outage, Apple iCloud service issues (Malcolm Owen) Full statement by Amazon regarding AWS S3 outage and actions (via LW) Radiolab podcast: CRISPR assassinations (Austin Burt via Henry Baker) A warning from Bill Gates, Elon Musk, and Stephen Hawking (Quincy Larson) Uber's data-sucking app is dangerously close to malware (Mike Isaac and Buster Hein via Henry Baker) Re: Science (Wols) Re: WiReD -- Product is Mis-Identified (westhawk) Re: WiReD (Mike Spencer) Re: Oscars screwup and Asiana 214 crash (Dan Skwire) Re: overloaded parentheses (Tony Finch) Re: The AI Threat Isn't Skynet (David Brodbeck) Re: Prominent medical quackery website removed from Google search results (David Damerell) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 26 Feb 2017 12:38:42 -0500 From: Monty Solomon <monty () roscom com> Subject: Michelin Star Mix-Up Throws a Working-Class Bistro Into a Media Storm http://www.nytimes.com/2017/02/20/world/europe/michelin-french-restaurant.html Le Bouche à Oreille, a modest restaurant in central France, got an accolade intended for a high-end restaurant of the same name. ------------------------------ Date: Sun, 26 Feb 2017 14:21:48 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Hard Drive LED Allows Data Theft From Air-Gapped PCs (Eduard Kovacs) For those RISKS readers who believe air-gapping is not strong enough protection, here is one more risk to go along with Stuxnet-like attacks. This one involves being able to extract information with reasonable bandwidth, rather than altering the system. Eduard Kovacs, *Security Week*, 23 Feb 2017 Hard Drive LED Allows Data Theft From Air-Gapped PCs http://www.securityweek.com/hard-drive-led-allows-data-theft-air-gapped-pcs Researchers at Ben-Gurion University of the Negev in Israel have disclosed yet another method that can be used to exfiltrate data from air-gapped computers, and this time it involves the activity LED of hard disk drives (HDDs). ------------------------------ Date: Sun, 26 Feb 2017 18:24:04 -0600 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: California Law Enforcement Union Sues To Block Police Accountability (TechDirt) The Los Angeles County Sheriff's Department has collected the names of about 300 deputies who have a history of past misconduct -- such as domestic violence, theft, bribery and brutality -- that could damage their credibility if they testify in court. Sheriff Jim McDonnell wants to send the names to prosecutors, who can decide whether to add them to an internal database that tracks problem officers in case the information needs to be disclosed to defendants in criminal trials. Prosecutors may never see this information, thanks to the police union's belief that officers shouldn't be held accountable for anything. The union's position is a Brady violation. [The defense is supposed to have access to information relevant to the case, part of the constitutional right to know the whole story behind the prosecution. AWM] https://www.techdirt.com/articles/20170223/13095236780/california-law-enforcement-union-sues-to-block-police-accountability.shtml [Why are such persons even still on the payroll? AWM] A court has ruled in favor of the union. [This case has huge implications for other US police and justice. AWM] The union's arguments are that sharing this information violates privacy of officers, whose misconduct may have been so long ago that the statute of limitations has been passed so they can no longer be held accountable for ancient mistakes. Plus it is additional punishment on top of what happened when some of them were caught, long ago. [This could be resolved by the passed info identifying the nature of the misconduct, and when it happened. AWM] The 300 persons are about 3% of the total 9,100 force. http://www.latimes.com/local/california/la-me-sheriff-deputies-misconduct-li st-20170219-story.html [Perhaps via FOIA, defense lawyers should seek the list. That might make it public, which is not currently what the Sheriff Dept trying to do] ------------------------------ Date: Wed, 1 Mar 2017 23:00:38 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: How the Secret Service Protects the President Against New Cyber-threats (Fortune) Foiling assassins and breaking up bank scams is all in a day's work for Secret Service agents. But in recent years, the job has grown harder. Today, agents must also protect the President against a host of new Internet threats and track criminals to far-flung places. The Secret Service, which began as a Civil War anti-counterfeiting squad, today has a mission that lies at the intersection of Washington, Wall Street, and the Internet. To get an idea of how the storied agency is faring in the cyber age, Fortune spoke to a long-time veteran of the service and others familiar with its work. Cyber Threats to the President If you picture a Secret Service agent, he would probably look like Scott Sarafian, a tall and clean-cut figure in a navy suit with specks of gray in his hair. Sarafian speaks deliberately and likes to use a lot of acronyms. We met on a cold morning at the Secret Service field office in downtown Brooklyn, N.Y. The office is on a top floor of a tall building and offers stunning views of New York harbor and the banking temples of lower Manhattan. Many people don't know the original mission of the Secret Service, which was part of the Treasury Department until 2003, was to solve financial crimes. It was only in 1901, following the assassination of William McKinley, that Congress gave the agency its second mission of protecting the President. When it comes to protection, there is danger from lone lunatics like John Hinckley Jr., who tried to shoot President Ronald Reagan but was foiled as brave Secret Service agents used their bodies to block bullets. But there also are more subtle threats, including the growing number of everyday objects that are connected to the Internet and are susceptible to hacking. [...] http://fortune.com/2017/02/28/secret-service-cyber-threats/ Gabriel Goldberg, Computers and Publishing, Inc. gabe () gabegold com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 ------------------------------ Date: Fri, Mar 3, 2017 at 12:46 AM From: Michael Grant <mgrant () grant org> Subject: The Internet is already dead via Geoff Goodfellow It's been replaced by Facebook, Google, Microsoft, Apple, Twitter, Snapchat. ... Soon (and it's already happening) you will see Google, MS, FB offer Internet service itself. It's already happening. None of these companies have any incentive to stop cybersecurity problems. Their answer will be to stop using email, stop using the web and only use their own apps and this becomes the Internet. It's already begun. The end has already occurred, you just haven't noticed it yet. ------------------------------ Date: Fri, 3 Mar 2017 15:31:49 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Shhh! That Helpful Robot May Pose a Security Risk (John Markoff) John Markoff, *The New York Times*, 2 Mar 2017 In the coming age of robotics, many of those autonomous machines will be Internet-connected and mobile. What could possibly go wrong? [...] ------------------------------ Date: Mon, 27 Feb 2017 11:10:34 -0600 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: Driverless cars have trouble seeing humans on bicycles (ieee) http://spectrum.ieee.org/transportation/self-driving/selfdriving-cars-have-a-bicycle-problem ------------------------------ Date: Mon, 27 Feb 2017 14:19:41 -0500 From: "Phil Smith III" <phsiii () gmail com> Subject: Oscars screwup and Asiana 214 crash For those who watched the Academy Awards last night, the screwup with the Best Picture award was interesting to me, in that it show-cased how mostly smart people are. Beatty clearly sensed that something was wrong when he saw a person's name as well as a film title; I assume that in the heat of the moment, coupled with the gravity of the moment, he didn't feel it was right to just stop and say "This has gotta be wrong". (And my sister pointed out that he was smart enough to had it off to Dunaway -- let HER get it wrong; a kinder interpretation is "Hmm, maybe she'll understand it better, not be confused", but that obviously didn't happen.) This incident strikes me as similar in kind to the Asiana crash, where the co-pilot felt that they were too low but didn't speak up. I realize there's been lots of discussion of crew management with regard to that crash, and obviously relating a silly 30-second confusion at an awards show to loss of life and a $xxxM aircraft is a stretch, but there are similarities. "Trust your instincts", we're told, but also "Don't make waves" and "The show must go on". Cognitive dissonance, resulting in bad outcomes. I also wonder if any Vegas bets got paid out quickly after the original announcement, and what happened if so. I'm guessing it isn't quite that fast-and because of just this kind of error. ------------------------------ Date: Tue, 28 Feb 2017 02:15:45 +0000 (UTC) From: Paul Robinson <paul () paul-robinson us> Subject: Use of the Red Cross in a video game There has been quite a bit of concern after the makers of the video game Prison Architect were sent a (relatively polite) cease and desist e-mail from the British Red Cross telling them not to use objects with the red cross symbol on it as it is protected by the Geneva Convention. They chose to make a change. So a number of people are somewhat concerned how no one said anything before given the number of games where a red cross is clearly used, such as health packs in DOOM, among other places. The makers of Prison Architect are British, and the UK does not have free speech protections, therefore the British Red Cross can strongarm them about this issue. Most video game manufacturers are American companies. Thematic elements in a game are part of the story told, and are thus fully protected by the First Amendment. As such, absent the material being shown on the box art or in some fashion claiming that the use of this protected symbol was approved by the American or International Red Cross, it is highly unlikely a court would stop the use of the Red Cross in the gameplay as it is merely a storytelling device and does not substantially violate the protection of the symbol with respect to its use in combat as specified by the Geneva Convention. Paul Robinson <paul () paul-robinson us> -- http://paul-robinson.us (My blog) ------------------------------ Date: Tue, 28 Feb 2017 16:15:21 +0000 From: Neil Youngman <neil.youngman () googlemail com> Subject: "Physical data is inherently less secure than digital" This quote raised a wry smile: "Physical data is inherently less secure than digital -- it's difficult to trace, goes missing easily and is often open to interference." The full quote goes on to add "While digital records have their own set of challenges, with the right foresight and security and compliance mechanisms in place, it's far less likely to go missing or be subject on this scale to the same issues of human error". RISKS readers will, I'm sure, have their own take on the relative security of physical and digital records. https://www.theregister.co.uk/2017/02/27/nhs_data_loss/ ------------------------------ Date: Tue, 28 Feb 2017 13:38:08 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Hacked texts from family of former Trump campaign manager surface on the dark web (TechCrunch) https://techcrunch.com/2017/02/28/hacked-texts-andrea-manafort-trump-russia-dark-web/?ncid=rss As Politico reports, a data dump making the rounds on the dark web reveals over 280,000 text messages sent and received by Paul Manafort's daughter, Andrea. Manafort, the former chairman of Trump's presidential campaign, resigned in August 2016 after increased scrutiny around his connection to pro-Russia figures in Ukraine. In the texts, Andrea Manafort states that her father's "work and payment in Ukraine is legally questionable" and calls the wealth her father accumulated for his involvement with former President of Ukraine Viktor Yanukovyc "blood money." Yanukovyc, who faces treason charges in Ukraine, is now in exile in Russia. The hack appears to have been carried out by accessing a backup of Andrea Manafort's iPhone data, which was either stored locally on a computer or synced to an iCloud account. Politico's report doesn't name the "hacktivist collective" that posted the files, nor does an earlier blog post claiming to have first noticed them. Last week, Politico reported that Manafort had been a blackmail target while serving the Trump campaign, a revelation that appears to be drawn from the same website as the texts. ------------------------------ Date: Tue, 28 Feb 2017 18:05:29 -0500 (EST) From: Kelly Bert Manning <Kelly.Manning () ncf ca> Subject: What if tomorrow it's the Church of Scientology? Mark Thorson commented about removing potential results from Google and asked "What if tomorrow it's the Church of Scientology? " Yeah so? Should we expect Google to give equal time to Religious objections to searches about the Big Bang, Evolution and Geology because some religions take a contrary view? Google Search Results are an opinion; as a non-governmental entity, even operating in the USA, Google is not constrained take a neutral role in providing opinions about religious subject searches, no matter whose ox that may gore. That is called Freedom of Speech / Publication. As a secular person I see the frequent classification of Scientology as a Money Generating Commercial Scheme cloaked in a Religious Trappings as no different from other Religious After Life Insurance Frauds. Reasonable people can form different opinions, starting with the same facts. Scientology tells us that Psychiatry is bunk, trust the e-meter and Auditor instead. Some Christian Religions tell us to Pray rather than taking our children to doctors, or giving them insulin, antibiotics or vaccinations. Concluding that those suggestions are superstitious frauds used to collect cash is not an unreasonable opinion to arrive at. https://en.wikipedia.org/wiki/Scientology_status_by_country http://www.telegraph.co.uk/news/worldnews/europe/france/10384877/Scientologys-fraud-conviction-upheld-in-France.html ------------------------------ Date: Wed, 1 Mar 2017 13:48:22 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Software Engineer detained by U.S. Customs (CNBC) A software engineer is detained for several hours by U.S. Customs -- and given a test to prove he's an engineer http://www.cnbc.com/2017/02/28/software-engineer-detained-given-test-to-prove-hes-engineer.html To Omin -- who now hadn't slept in more than 24 hours -- the questions seemed opaque and could have multiple answers. While he is a skilled software engineer with more than seven years of experience, Omin later tells me that the questions looked to him like someone with no technical background Googled something like, "Questions to ask a software engineer." (The U.S. Customs and Border Protection agency did not respond to multiple requests for comment made by LinkedIn over phone and email by the time this story went to press.) With no context or guidelines on how to answer the questions, Omin, "too tired to even think," sat down and tried his best. But when he handed his answers back after about 10 minutes of work, the official told him his answers were wrong. "No one would tell me why I was being questioned," Omin told me by phone. "Every single time I asked [the official] why he was asking me these questions, he hushed me... I wasn't prepared for this. If I had known this was happening beforehand, I would have tried to prepare." ------------------------------ Date: Wed, 1 Mar 2017 10:12:32 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Google's anti-trolling AI can be defeated by typos, researchers find NNSquad https://arstechnica.com/information-technology/2017/03/googles-anti-trolling-ai-can-be-defeated-by-typos-researchers-find/ But that AI still needs some training, as researchers at the University of Washington's Network Security Lab recently demonstrated. In a paper published on February 27, Hossein Hosseini, Sreeram Kannan, Baosen Zhang, and Radha Poovendran demonstrated that they could fool the Perspective AI into giving a low toxicity score to comments that it would otherwise flag by simply misspelling key hot-button words (such as "iidiot") or inserting punctuation into the word ("i.diot" or "i d i o t," for example). By gaming the AI's parsing of text, they were able to get scores that would allow comments to pass a toxicity test that would normally be flagged as abusive. It'll get better. But this still applies for now: https://lauren.vortex.com/2017/02/23/dont-for-now-use-googles-new-perspective-comment-filtering-tool ------------------------------ Date: Fri, 3 Mar 2017 10:19:35 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: FCC chair wants carriers to block robocalls from spoofed numbers (Ars Technica) Ars Technica via NNSquad https://arstechnica.com/information-technology/2017/03/robocalls-begone-fcc-seeks-to-block-calls-from-spoofed-numbers/ The proposed rules would let providers "block spoofed robocalls when the spoofed Caller ID can't possibly be valid." Providers would be able to block numbers that aren't valid under the North American Numbering Plan and block valid numbers that haven't been allocated to any phone company. They'd also be able to block valid numbers that have been allocated to a phone company but haven't been assigned to a subscriber. Unfortunately, since this would apply only to illegitimate numbers, this is likely to be of only extremely limited value. Robocallers have long since learned that spoofed numbers that don't look legit are likely to be ignored. So they routinely "borrow" legit numbers of legit subscribers to spoof, causing even more hassles for everyone. This rule is likely to exacerbate this problem. ------------------------------ Date: Thu, 2 Mar 2017 10:31:27 -1000 From: geoff goodfellow <geoff () iconia com> Subject: Human error caused Amazon Web Services outage, Apple iCloud service issues (Malcolm Owen) Malcolm Owen, AppleInsider.com, 02 Mar 2017 Tuesday's major Amazon Web Services outage was caused through human error, the retailer has confirmed, with the downtime that impacted a number of online services, including Apple's, traced back to a single wrongly-entered command performed during debugging. The note to customers <https://aws.amazon.com/message/41926/> for the S3 (Simple Storage Service) disruption for the US-East-1 region advises the team were working on an issue that caused the S3 billing system run slower than expected. One team member executed a command from an "established playbook" to take down a small number of servers used for a subsystem in the billing process, but mistakenly took down more than required. "Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended," the Amazon note states. [...] http://appleinsider.com/articles/17/03/02/human-error-caused-amazon-web-services-outage-apple-icloud-service-issues ------------------------------ Date: Thu, 2 Mar 2017 11:11:02 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Full statement by Amazon regarding AWS S3 outage and actions NNSquad, Amazon, https://aws.amazon.com/message/41926/ Summary of the Amazon S3 Service Disruption in the Northern Virginia (US-EAST-1) Region We'd like to give you some additional information about the service disruption that occurred in the Northern Virginia (US-EAST-1) Region on the morning of February 28th. The Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected. At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended. The servers that were inadvertently removed supported two other S3 subsystems. One of these subsystems, the index subsystem, manages the metadata and location information of all S3 objects in the region. This subsystem is necessary to serve all GET, LIST, PUT, and DELETE requests. The second subsystem, the placement subsystem, manages allocation of new storage and requires the index subsystem to be functioning properly to correctly operate. The placement subsystem is used during PUT requests to allocate storage for new objects. Removing a significant portion of the capacity caused each of these systems to require a full restart. While these subsystems were being restarted, S3 was unable to service requests. Other AWS services in the US-EAST-1 Region that rely on S3 for storage, including the S3 console, Amazon Elastic Compute Cloud (EC2) new instance launches, Amazon Elastic Block Store (EBS) volumes (when data was needed from a S3 snapshot), and AWS Lambda were also impacted while the S3 APIs were unavailable. S3 subsystems are designed to support the removal or failure of significant capacity with little or no customer impact. We build our systems with the assumption that things will occasionally fail, and we rely on the ability to remove and replace capacity as one of our core operational processes. While this is an operation that we have relied on to maintain our systems since the launch of S3, we have not completely restarted the index subsystem or the placement subsystem in our larger regions for many years. S3 has experienced massive growth over the last several years and the process of restarting these services and running the necessary safety checks to validate the integrity of the metadata took longer than expected. The index subsystem was the first of the two affected subsystems that needed to be restarted. By 12:26PM PST, the index subsystem had activated enough capacity to begin servicing S3 GET, LIST, and DELETE requests. By 1:18PM PST, the index subsystem was fully recovered and GET, LIST, and DELETE APIs were functioning normally. The S3 PUT API also required the placement subsystem. The placement subsystem began recovery when the index subsystem was functional and finished recovery at 1:54PM PST. At this point, S3 was operating normally. Other AWS services that were impacted by this event began recovering. Some of these services had accumulated a backlog of work during the S3 disruption and required additional time to fully recover. We are making several changes as a result of this operational event. While removal of capacity is a key operational practice, in this instance, the tool used allowed too much capacity to be removed too quickly. We have modified this tool to remove capacity more slowly and added safeguards to prevent capacity from being removed when it will take any subsystem below its minimum required capacity level. This will prevent an incorrect input from triggering a similar event in the future. We are also auditing our other operational tools to ensure we have similar safety checks. We will also make changes to improve the recovery time of key S3 subsystems. We employ multiple techniques to allow our services to recover from any failure quickly. One of the most important involves breaking services into small partitions which we call cells. By factoring services into cells, engineering teams can assess and thoroughly test recovery processes of even the largest service or subsystem. As S3 has scaled, the team has done considerable work to refactor parts of the service into smaller cells to reduce blast radius and improve recovery. During this event, the recovery time of the index subsystem still took longer than we expected. The S3 team had planned further partitioning of the index subsystem later this year. We are reprioritizing that work to begin immediately. From the beginning of this event until 11:37AM PST, we were unable to update the individual services' status on the AWS Service Health Dashboard (SHD) because of a dependency the SHD administration console has on Amazon S3. Instead, we used the AWS Twitter feed (@AWSCloud) and SHD banner text to communicate status until we were able to update the individual services' status on the SHD. We understand that the SHD provides important visibility to our customers during operational events and we have changed the SHD administration console to run across multiple AWS regions. Finally, we want to apologize for the impact this event caused for our customers. While we are proud of our long track record of availability with Amazon S3, we know how critical this service is to our customers, their applications and end users, and their businesses. We will do everything we can to learn from this event and use it to improve our availability even further. ------------------------------ Date: Mon, 27 Feb 2017 17:26:36 -0800 From: Henry Baker <hbaker1 () pipeline com> Subject: Radiolab podcast: CRISPR assassinations Have you given your DNA to 23&me ? You could be assassinated with your own DNA. In addition to the risks of CRISPR already identified -- e.g., "gene drive", which enables a malware worm-like takeover of an entire species -- this Radiolab podcast (link below) mentions the ability to build a DNA-specific killer pill. While this killer pill was envisioned as a way to kill a specific bacteria or cancer, it could be programmed to kill *any* organism having a specific DNA sequence. So, if you had someone's DNA sequence, you could fashion a pill that would kill *only that particular person*, with no effect on everyone else. If you were a little more sophisticated, you could fashion a pill that would kill *every member of someone's family*, but no one else. Finally, if you did a lot of work, after which you could reliably distinguish a human being's *race* by his/her DNA, then you could fashion a pill that would kill only members of that *race*, but no one else. A 21st Century Nazi-like government would no longer need railroad cars and showers. If you don't think that governments have started thinking along these lines, you're incredibly naive. Why send helicopters and Seals to catch Bin Ladin at great expense & risk, when you already have his (or his family's) DNA? Just throw a little killer pill (or liquid) into his entire neighborhood -- or the local water supply, and only Bin Ladin or his close blood relatives will die. I think it's time to do a little Perl-clutching regarding this risk. http://www.radiolab.org/story/update-crispr/ Update: CRISPR Friday, February 24, 2017 -- 05:00 PM http://rspb.royalsocietypublishing.org/content/270/1518/921 Site-specific selfish genes as tools for the control and genetic engineering of natural populations Austin Burt Published 7 May 2003.DOI: 10.1098/rspb.2002.2319 ------------------------------ Date: Sun, Feb 26, 2017 at 5:44 AM From: Dewayne Hendricks <dewayne () warpspeed com> Subject: A warning from Bill Gates, Elon Musk, and Stephen Hawking (Quincy Larson) [Note: Be sure to checkout some of the videos that are linked to in the article. For instance, the one about AmazonGo. DLH] Quincy Larson, FreeCodeCamp, 19 Feb 2017 https://medium.freecodecamp.com/bill-gates-and-elon-musk-just-warned-us-about-the-one-thing-politicians-are-too-scared-to-talk-8db9815fd398 Stephen Hawking: ``The automation of factories has already decimated jobs in traditional manufacturing, and the rise of artificial intelligence is likely to extend this job destruction deep into the middle classes, with only the most caring, creative or supervisory roles remaining.'' There's a rising chorus of concern about how quickly robots are taking away human jobs. Here's Elon Musk on Thursday at the the World Government Summit in Dubai: ``What to do about mass unemployment? This is going to be a massive social challenge. There will be fewer and fewer jobs that a robot cannot do better [than a human]. These are not things that I wish will happen. These are simply things that I think probably will happen.'' And today Bill Gates proposed that governments start taxing robot workers the same way we tax human workers: ``You cross the threshold of job-replacement of certain activities all sort of at once. So, you know, warehouse work, driving, room cleanup, there's quite a few things that are meaningful job categories that, certainly in the next 20 years [will go away].'' Jobs are vanishing much faster than anyone ever imagined. In 2013, policy makers largely ignored two Oxford economists who suggested that 45% of all US jobs could be automated away within the next 20 years. But today that sounds all but inevitable. Transportation and warehousing employ 5 million Americans Those self-driving cars you keep hearing about are about to replace a lot of human workers. Currently in the US, there are: * 600,000 Uber drivers * 181,000 taxi drivers * 168,000 transit bus drivers * 505,000 school bus drivers There are also around 1-million truck drivers in the US. And Uber just bought a self-driving truck company. As self-driving cars become legal in more states, we'll see a rapid automation of all of these driving jobs. If a one-time $30,000 truck retrofit can replace a $40,000 per year human trucker, there will soon be a million truckers out of work. And it's not just the drivers being replaced. Soon entire warehouses will be fully automated. I strongly recommend you invest 3 minutes in watching this video. It shows how a fleet of small robots can replace a huge number of human warehouse workers. There are still some humans working in those warehouses, but it's only a matter of time before some sort of automated system replaces them, too. 8 million Americans work as retail salespeople and cashiers. Many of these jobs will soon be automated away. Amazon is testing a type of store with virtually no employees. You just walk in, grab what you want, and walk out. [...] ------------------------------ Date: Fri, 03 Mar 2017 15:35:40 -0800 From: Henry Baker <hbaker1 () pipeline com> Subject: Uber's data-sucking app is dangerously close to malware FYI -- An article about the Uber app as malware is several years old, but today's NYTimes article "How Uber Used Secret Greyball Tool to Deceive Authorities Worldwide" explains for the first time one of the real reasons for Uber's prurient interest in its users' data: Mike Isaac, *The New York Times*, 3 Mar 2017 How Uber Used Secret Greyball Tool to Deceive Authorities Worldwide Uber's Tactics to Avoid Law Enforcement https://www.nytimes.com/2017/03/03/technology/uber-greyball-program-evade-authorities.html Now that we know these reasons for Uber's spying, it becomes clear what information below could be used to track authorities who are trying to catch Uber drivers in illegal activities. Uber's bloated app size (215MBytes on iOS) can be seen as an all-out assault on every user's privacy. http://www.cultofmac.com/304401/ubers-android-app-literally-malware/ Buster Hein -- 11:22 am, November 26, 2014 Uber's data-sucking Android app is dangerously close to malware [updated] Uber has been sideswiped by a ridiculous number of controversies lately, but things are about to get even worse for the ride-sharing service. A security researcher just reverse-engineered the code of Uber's Android app and made a startling discovery: It's "literally malware." http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/ Digging into the app's code, GironSec discovered the Uber app "calls home" and sends data back to Uber. This isn't typical app data, though. Uber has access to users' entire SMSLog even though the app never requests permission. It also accesses call history, Wi-Fi connections used, GPS locations and every type of device ID possible. http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/ The app even checks your neighbor's Wi-Fi and retrieves info on the router's capabilities, frequency and SSID. News of the app's vulnerability was first posted on Hacker News with the charming intro, "TLDR: Uber's Android app is literally malware." One developer commenting on the revelation said there isn't "any reason for Google not to immediately remove this app from the store permanently and ban whatever developer uploaded it. There should probably be legal action." https://news.ycombinator.com/item?id=8660336 Here's the full list of all the data Uber is collecting through its Android app (we're checking to see if the iOS version works the same way): -- Accounts log (Email) -- App Activity (Name, PackageName, Process Number of activity, Processed id) -- App Data Usage (Cache size, code size, data size, name, package name) -- App Install (installed at, name, package name, unknown sources enabled, version code, version name) -- Battery (health, level, plugged, present, scale, status, technology, temperature, voltage) -- Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, IP, MAC address, manufacturer, model, OS platform, product, SDK code, total disk space, unknown sources enabled) -- GPS (accuracy, altitude, latitude, longitude, provider, speed) -- MMS (from number, MMS at, MMS type, service number, to number) -- NetData (bytes received, bytes sent, connection type, interface type) -- PhoneCall (call duration, called at, from number, phone call type, to number) -- SMS (from number, service number, SMS at, SMS type, to number) -- TelephonyInfo (cell tower ID, cell tower latitude, cell tower longitude, IMEI, ISO country code, local area code, MEID, mobile country code, mobile network code, network name, network type, phone type, SIM serial number, SIM state, subscriber ID) -- WifiConnection (BSSID, IP, linkspeed, MAC addr, network ID, RSSI, SSID) -- WifiNeighbors (BSSID, capabilities, frequency, level, SSID) -- Root Check (root status code, root status reason code, root version, sig file version) -- Malware Info (algorithm confidence, app list, found malware, malware SDK version, package list, reason code, service list, sigfile version) Uber might have a legitimate reason to use most of this info in the app, perhaps for fraud detection or an intelligence-gathering tool. The problem is that the information is being sent and collected by Uber's servers without users' knowledge or permission. Sen. Al Franken sent a letter to Uber CEO Travis Kalanick last week demanding the company account to the public for its data gathering. The letter came as a response to a recent controversy where an Uber executive threatened to spy on and blackmail journalists who wrote unfavorable articles about the company. Uber's "God View" tool, which gives company insiders unlimited access to riders' data, has also been a cause of concern in recent weeks. http://bits.blogs.nytimes.com/2014/11/19/senator-questions-uber-on-privacy-practices/?_r=0 Cult of Mac asked Uber for comment on the collection and transmission of the data its Android and iOS apps are performing, but haven't received a response. Update: Uber has provided some clarification to the company's data gathering, noting that the blanket access is actually a requirement from Google, which forces Android developers to ask for privacy permissions up front. Uber spokeswoman Lara Sasken released the following statement to Cult of Mac: "Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional." Recode notes that Uber-competitor Lyft requests access to the same data on Android. Unlike iOS and Windows, Android developers are encouraged to request access to more user data than their apps actually need. The Uber app on Android exposes some the mobile operating system's weakness in privacy compared to iOS and Windows, both of which allow users to refuse access to data on an case-by-case basis. http://recode.net/2014/11/26/uber-under-fire-for-android-permissions/ Additional information on Android permissions can be found on Uber's site here, but not every feature is explained. https://m.uber.com/android-permissions ------------------------------ Date: Sun, 26 Feb 2017 22:29:23 +0000 From: Wols Lists <antlists () youngman org uk> Subject: Re: Science (Lauren Weinstein, RISKS-30.16) My beef with the modern Science world is that so much scientific stuff is written in the third person. As such, it actively avoids personal responsibility, and it claims an authoritative air -- which often is a smokescreen for pretending to be in the know, rather than actually being correct. If you read lectures by famous scientists of old, I suspect you will find they are mostly in the first person, and are much more accessible to the general public as a result. ------------------------------ Date: Sun, 26 Feb 2017 20:34:20 +0000 From: westhawk <thp () westhawk co uk> Subject: Re: WiReD -- Product is Mis-Identified (Bechtel, RISKS-30.15)
wired sells articlesNo. It sells eyeballs.
It does both. If you donât want to see ads, you can pay and subscribe to the ad-free version of Wired, which Iâve done. I enjoy a much quicker page load time, no distracting animations and the satisfaction that Iâm not the product⦠Reduced malware risks are an additional bonus. ------------------------------ Date: Mon, 27 Feb 2017 03:34:45 -0400 From: mspencer () tallships ca (Mike Spencer) Subject: Re: WiReD (Bechtel, RISKS-30.15) Overlooked here have been those of us still on dialup or other slow connections. The web becomes unusable if to read, say, 45K of text, your browser attempts to fetch 2M or more of assorted javascript, video, cycling image sequences and more. It's bad enough that there is a trend to put all that into the base page -- say, 450K of inline SVG image data, font definitions, js, style blocks etc. around that 45K of text. I have a wobbly congeries of hacks and workarounds using, as well, an old browser that simply doesn't support or can disable some of the useless bumpf including js. Occasionally a page will accuse me of running an ad blocker but it's detecting that I'm just not fetching all the useless crap referenced by the page. It's getting harder and harder to use the web on a slow connection. I just scratch the worst-offending sites from my life and carry on. Sadly, some of those sites are major news sites or otherwise of significance. Too bad, I'm gone. Michael Spencer, Nova Scotia, Canada mspencer () tallships ca http://home.tallships.ca/mspencer/ ------------------------------ Date: Mon, 27 Feb 2017 15:19:59 -0500 From: Dan Skwire <dskwire () mindspring com> Subject: Re: Oscars screwup and Asiana 214 crash Jclcabal Yes we saw the awards. Come to think of it I didn't see the usual dog and pony show bringing out the Price Waterhouse accountants. Did they? And are they the ones who stuff the envelopes? Probably not. So who is legally "liable" for the damages to the Academy Awards show? Were there any "damages" at all? Was there economic loss of any sort or is there a net gain because more people will watch next year, hoping for a similar car crash? We did a lot of skipping back and forth during the show but didn't want to miss *The New York Times* commercial. We didn't. Not a spectacular multimedia deal but to the point and really appreciated by us. 4800 Country Meadows Boulevard, Sarasota,FL 34235 "First Fault Software Problem Solving" ------------------------------ Date: Sun, 26 Feb 2017 22:07:06 +0000 From: Tony Finch <dot () dotat at> Subject: Re: overloaded parentheses (O'Keefe, RISKS 30.16) Possibly the language with the most enthusiastic overloading of parentheses was ALGOL 68. Together with other punctuation, they could be used as abbreviations for: ( ) expression grouping ( ; ) begin ... ; ... end ( | ) if ... then ... fi ( | | ) if ... then ... else ... fi ( | |: | ) if ... then ... elif ... else ... fi ( | | ) case ... in ... out ... esac ( | |: | | ) case ... in ... ouse ... in ... out ... esac I think `if` and `case` are disambiguated by the type (mode, in Algol 68 terminology) of the controlling expression, boolean or integer. ------------------------------ Date: Sun, 26 Feb 2017 19:41:15 -0800 From: David Brodbeck <david.m.brodbeck () gmail com> Subject: Re: The AI Threat Isn't Skynet (RISKS-30.16) In RISKS 30.16, Chris Drewe asked, "so what did happen to the leisure boom?" Which is a question I've thought about quite a bit, because I remember being promised the same thing by futurists when I was young. I think it pretty clearly ran into the fact that it's generally preferable for a business to employ a small number of full-time workers, or better yet non-employee contractors, instead of a large number of part-time staff. This is both for microeconomic reasons (administrative costs, etc.) and macroeconomic ones (keeping the supply/demand ratio for labor high, ensuring low wages.) Futurists simply didn't see the perverse incentives involved in the labor market. The result of higher worker productivity, then, is the same work is being accomplished while employing fewer people. In an efficient free market wages would drop, the supply of labor would decrease in response, and the market would re-balance. But people can't just leave the labor force, because they need money to buy food and shelter. The result is a win/win for employers. Not only do they employ fewer people, they can drive wages down! The money saved, of course, goes to the business owners and shareholders, concentrating money at the top. So in the end, instead of a leisure boom, automation led to a whole segment of society either living precariously from contract job to contract job, or living with relatives because they can't make enough money to live on their own. It's led to wealth concentration. Circumstantial evidence suggests it's even led to shorter lifespans, at least in certain areas of the US. AI can only make this worse. If AI researchers are over-optimistic, then it will be slightly less worse than is currently projected, but that's about the best we can hope for. I'm not sure what the end game is, or how to make it better. Basic income has a certain logic to it, but runs smack into powerful cultural ideas about work and morality. As politicians in the US often remind us, the Bible says, "he who will not work, neither shall he eat." I'm genuinely worried it will end with a lot of people starving. ------------------------------ Date: Wed, 1 Mar 2017 00:28:09 +0000 From: David Damerell <damerell () chiark greenend org uk> Subject: Re: Prominent medical quackery website removed from Google search results (Thorson, RISKS-30.16)
On the one hand, I agree with the anti-quackery motive, but removing quite possibly the most trafficked "alternative" medicine website from search results is disturbing to me.
There was no "anti-quackery motive", nor even the familiar story of some piece of automation somewhere going crazy, but instead some piece of automation acting in a reasonable fashion and as intended. There's a risk in jumping to conclusions. ------------------------------ Date: Tue, 10 Jan 2017 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) <http://the.wiretapped.net/security/info/textfiles/risks-digest/> *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 30.17 ************************
Current thread:
- Risks Digest 30.17 RISKS List Owner (Mar 04)