RISKS Forum mailing list archives

Risks Digest 30.20


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 30 Mar 2017 11:05:37 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 30 March 2017  Volume 30 : Issue 20

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.20>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Aging resident dies after Eden Prairie caregiver forgot to plug in heart
  pump (Gabe Goldberg)
Self-driving Uber gets in accident in Tempe, Arizona (Business Insider)
NASA fireworks (Alister Wm Macintyre)
Evidence That Robots Are Winning the Race for American Jobs
  (Claire Cain Miller)
Ransomware scammers exploited Safari bug to extort porn-viewing iOS users
  (Ars Technica)
Senate votes to let ISPs sell your Web browsing history to advertisers
  (Ars Technica)
For sale: Your private browsing history (Ars Technica)
UK government says Apple ``cannot get away with unbreakable encryption''
  following terrorist attack (Ben Lovejoy)
Fake Sleuths: Web Gets It Wrong on London Attacker (Mark Scott)
How police unmasked suspect accused of sending seizure-inducing tweet
  (Ars Technica)
DJI Proposes Electronic Identification Framework For Small Drones
  (Slashdot)
Win10 Class Action ... (The Register via Alister Wm Macintyre)
Risks from falsified Data (BBC via John Murrell)
US Supreme Court Case on Toner Cartridges (Alister Wm Macintyre)
Re: self-checkout at grocery stores (Barry Gold, Mark Jackson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 30 Mar 2017 01:16:08 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Aging resident dies after Eden Prairie caregiver forgot to plug
  in heart pump

A distracted aide at an Eden Prairie assisted-living center failed to plug
in a resident's heart pump at bedtime, and the man didn't live through the
night, according to a state investigation released Wednesday.

http://www.startribune.com/aging-resident-dies-after-eden-prairie-caregiver-forgot-to-plug-in-heart-pump/413868613/

If an alarm sounds but nobody hears it...

Gabriel Goldberg, Computers and Publishing, Inc.       gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

------------------------------

Date: Sat, 25 Mar 2017 11:18:03 -0400
From: Monty Solomon <monty () roscom com>
Subject: Self-driving Uber gets in accident in Tempe, Arizona

http://www.businessinsider.com/self-driving-uber-gets-in-accident-in-tempe-arizona-2017-3

------------------------------

Date: Thu, 23 Mar 2017 08:30:24 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: NASA fireworks

NASA's Inspector General reports:  https://oig.nasa.gov/
A security patch, applied by IT staff at NASA, caused an equipment shutdown
and subsequent fire that destroyed spacecraft hardware.

The fire lasted 3.5 hours, unnoticed by anyone because the security patch
had shut down the fire alarm systems.

  [The news media blame the fire on the security patch.  Inspector General
  finds more significant faults.  The Space Agency has lost track of its
  equipment needs. AWM]

This was not an isolated incident of bad consequences from networking
hardware without good management of the equipment's dissimilar needs.

"Vulnerability scanning used to identify software flaws, that can be
exploited by an attacker, caused equipment to fail and loss of communication
with an Earth science spacecraft during an orbital pass.  A chilled-water
heating, ventilation and air-conditioning system was disabled -- which
caused IT equipment reliant on it in one of NASA's data centers to be shut
down after temperatures rapidly rose to more than 50 degrees centigrade."

  Here is the IG Feb-8 report, on above challenges:
  https://oig.nasa.gov/audits/reports/FY17/IG-17-011.pdf

[Many industries grew with industrial control mechanisms not designed to be
networked with computer systems vulnerable to malware, hacking etc.  They
don't have good firewalls or any cyber security protections, but in the
interests of cost savings, critical infrastructure industrial systems are
being included into computer networks, often without adequate thinking to
protect all the devices in a cyber security risky world.  US's Space Agency
is one of those industries.  Before networking the industrial control
hardware, there were personnel familiar with its maintenance needs.  If you
drop those people from the payroll, you are making your outfit more
vulnerable. AWM]

https://fcw.com/articles/2017/02/09/nasa-iot-problems-rockwell.aspx
http://www.computing.co.uk/ctg/news/3004421/security-patch-caused-equipment-shutdown-and-fire-at-nasa?im_edp=gmail.com
[Registration required]
http://www.theinquirer.net/inquirer/news/3004427/nasa-equipment-shutdown-and-fire-blamed-on-rogue-security-patch

Lots of NASA operations get connected to the cloud without upper management
awareness or approval, due to lack of good cyber security.

Here's IG Feb-7 report on that:
https://oig.nasa.gov/audits/reports/FY17/IG-17-010.pdf
http://www.networkworld.com/article/3167609/security/nasa-has-a-shadow-it-problem.html

NASA is also involved with IoT.
https://www.fedscoop.com/nasa-forays-into-the-internet-of-things/
https://www.nasa.gov/sites/default/files/atoms/files/it-talk_oct-dec2015-v1_1.pdf

Iowa Senator Chuck Grassley reported, in 2007, that $ 1.9 billion in
hardware was stolen, thanks to hackers into NASA.

That's a significant portion of NASA's annual $ 13 billion budget.

https://www.grassley.senate.gov/news/news-releases/nasa-ig-under-fire

------------------------------

Date: Tue, Mar 28, 2017 at 7:23 PM
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Evidence That Robots Are Winning the Race for American Jobs
  (Claire Cain Miller)

  [Note:  This item comes from friend Mike Cheponis.  DLH]
Claire Cain Miller, *The New York Times*, 28 Mar 2017
https://www.nytimes.com/2017/03/28/upshot/evidence-that-robots-are-winning-the-race-for-american-jobs.html

Who is winning the race for jobs between robots and humans? Last year, two
leading economists described a future in which humans come out ahead. But
now they've declared a different winner: the robots.

The industry most affected by automation is manufacturing. For every robot
per thousand workers, up to six workers lost their jobs and wages fell by
as much as three-fourths of a percent, according to a new paper by the
economists, Daron Acemoglu of M.I.T. and Pascual Restrepo of Boston
University. It appears to be the first study to quantify large, direct,
negative effects of robots.

The paper is all the more significant because the researchers, whose work
is highly regarded in their field, had been more sanguine about the effect
of technology on jobs. In a paper last year, they said it was likely that
increased automation would create new, better jobs, so employment and wages
would eventually return to their previous levels. Just as cranes replaced
dockworkers but created related jobs for engineers and financiers, the
theory goes, new technology has created new jobs for software developers
and data analysts.

But that paper was a conceptual exercise. The new one uses real-world data
-- and suggests a more pessimistic future. The researchers said they were
surprised to see very little employment increase in other occupations to
offset the job losses in manufacturing. That increase could still happen,
they said, but for now there are large numbers of people out of work, with
no clear path forward -- especially blue-collar men without college degrees.

Acemoglu: ``The conclusion is that even if overall employment and wages
recover, there will be losers in the process, and it's going to take a very
long time for these communities to recover.  If you've worked in Detroit for
10 years, you don't have the skills to go into health care.  The market
economy is not going to create the jobs by itself for these workers who are
bearing the brunt of the change.''

The paper's evidence of job displacement from technology contrasts with a
comment from the Treasury secretary, Steve Mnuchin, who said at an Axios
event last week that artificial intelligence's displacement of human jobs
was ``not even on our radar screen,'' and ``50 to 100 more years''
away. (Not all robots use artificial intelligence, but a panel of experts --
polled by the M.I.T. Initiative on the Digital Economy in reaction to
Mr. Mnuchin's comments -- expressed the same broad concern of major job
displacement.)

The paper also helps explain a mystery that has been puzzling economists:
why, if machines are replacing human workers, productivity hasn't been
increasing. In manufacturing, productivity has been increasing more than
elsewhere -- and now we see evidence of it in the employment data, too.

The study analyzed the effect of industrial robots in local labor markets in
the United States. Robots are to blame for up to 670,000 lost manufacturing
jobs between 1990 and 2007, it concluded, and that number will rise because
industrial robots are expected to quadruple. [...]

------------------------------

Date: Wed, 29 Mar 2017 22:47:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: Ransomware scammers exploited Safari bug to extort porn-viewing iOS
  users (Ars Technica)

https://arstechnica.com/security/2017/03/ransomware-scammers-exploited-safari-bug-to-extort-porn-viewing-ios-users/

------------------------------

Date: Thu, 23 Mar 2017 13:42:39 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Senate votes to let ISPs sell your Web browsing history to advertisers

NNSquad
https://arstechnica.com/tech-policy/2017/03/senate-votes-to-let-isps-sell-your-web-browsing-history-to-advertisers/

  The US Senate today voted to eliminate broadband privacy rules that would
  have required ISPs to get consumers' explicit consent before selling or
  sharing Web browsing data and other private information with advertisers
  and other companies.  The rules were approved in October 2016 by the
  Federal Communications Commission's then-Democratic leadership, but are
  opposed by the FCC's new Republican majority and Republicans in
  Congress. The Senate today used its power under the Congressional Review
  Act to ensure that the FCC rulemaking "shall have no force or effect" and
  to prevent the FCC from issuing similar regulations in the future.  The
  House, also controlled by Republicans, would need to vote on the measure
  before the privacy rules are officially eliminated. President Trump could
  also preserve the privacy rules by issuing a veto.  If the House and Trump
  agree with the Senate's action, ISPs won't have to seek customer approval
  before sharing their browsing histories and other private information with
  advertisers.

------------------------------

Date: Tue, 28 Mar 2017 15:09:10 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: For sale: Your private browsing history

via NNSquad
https://arstechnica.com/tech-policy/2017/03/for-sale-your-private-browsing-history/

  The House of Representatives voted today to eliminate ISP privacy rules,
  following the Senate vote to take the same action last week.  The
  legislation to kill the rules now heads to President Donald Trump for his
  signature or veto.  The White House issued a statement today supporting
  the House's action, and saying that Trump's advisors will recommend that
  he sign the legislation. That would make the death of the Federal
  Communications Commission's privacy rules official.  The rules issued by
  the FCC last year would have required ISPs to get consumers' opt-in
  consent before selling or sharing Web browsing history, app usage history,
  and other private information with advertisers and other companies. But
  lawmakers used their authority under the Congressional Review Act (CRA) to
  pass a joint resolution ensuring that the rules "shall have no force or
  effect" and that the FCC cannot issue similar regulations in the future.

------------------------------

Date: Mon, 27 Mar 2017 10:10:26 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: UK government says Apple ``cannot get away with unbreakable
  encryption'' following terrorist attack (Ben Lovejoy)

Ben Lovejoy, 9to5mac, 27 Mar 2017

British Home Secretary Amber Rudd -- in charge of police policy in the UK --
told the BBC what is quoted in the subject line.

Rudd was speaking after it was revealed that Khalid Masood accessed WhatsApp
two minutes before ploughing through pedestrians on Westminster Bridge in a
rented car, killing three of them, before fatally stabbing a police officer
guarding the Houses of Parliament.

She described end-to-end encrypted messaging as used by WhatsApp and
Apple's Messages app as ``completely unacceptable''.

https://9to5mac.com/2017/03/27/amber-rudd-british-government-apple-messages-whatsapp-end-to-end-encryption/

  [The problem is of course that dumbing down communication security just
  for British law enforcement would also be completely unacceptable, and
  could even be responsible for bringing down her own government as a result
  of subsequent compromises!  Is she Ruddy Naive?  (And then I recall the
  former prime minister suggesting a ban on all cryptography.)  PGN]

------------------------------

Date: Sun, 26 Mar 2017 10:12:34 -0400
From: Monty Solomon <monty () roscom com>
Subject: Fake Sleuths: Web Gets It Wrong on London Attacker (Mark Scott)

Mark Scott, *The New York Times*, 24 Mar 2017
http://www.nytimes.com/2017/03/24/technology/london-terror-attack-suspect-social-media.html

------------------------------

Date: Thu, 23 Mar 2017 01:09:27 -0400
From: Monty Solomon <monty () roscom com>
Subject: How police unmasked suspect accused of sending seizure-inducing
  tweet (Ars Technica)

https://arstechnica.com/tech-policy/2017/03/how-police-unmasked-suspect-accused-of-sending-seizure-inducing-tweet/

------------------------------

Date: Tue, 28 Mar 2017 16:41:51 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: DJI Proposes Electronic Identification Framework For Small Drones
  (Slashdot)

https://tech.slashdot.org/story/17/03/28/213236/dji-proposes-new-electronic-license-plate-for-drones?utm_source=rss1.0mainlinkanon&utm_medium=feed

  Chinese drone maker DJI proposed that drones be required to transmit a
  unique identifier to assist law enforcement to identify operators where
  necessary. Anyone with an appropriate receiver could receive the ID
  number, but the database linking the ID with the registered owner would
  only be available to government agencies.

Ridiculous idea -- bad players would simply disable this feature -- or
modify it (and you can bet that it will be possible to modify it, one
way or another). Handy for false flags! Luckily, the DJI page on this is
in such a low contrast font that you can't read it without going blind
anyway.

------------------------------

Date: Mon, 27 Mar 2017 01:34:54 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Win10 Class Action ...

'Windows 10 destroyed our data!' Microsoft hauled into US court.
'Dodgy' unwanted operating system update sparks potential class-action lawsuit
24 Mar 2017

According to the complaint, Windows 10 installed itself onto plaintiff
Stephanie Watson's computer without her consent and then erased data, some
of it related to her work. She hired Geek Squad to repair the machine, with
only partial success, and ended up having to purchase a new computer.

Plaintiff Robert Saiger, the complaint says, consented to the Windows 10
update, only to have his computer stop functioning. He lost data, then lost
time and money, while incurring aggravation attempting to recover the data.

Plaintiff Howard Goldberg "elected to accept Windows 10 after declining over
6 months of daily prompts requesting him to download it." After three
attempts to do so, the result was a non-functional computer and lost data.

https://www.theregister.co.uk/2017/03/24/microsoft_windows_10_update/

  [If a Win-7 user got add-on software for some activity, supported by Win-7
  but not by Win-10, and uses the software sub-directories of the add-on for
  the associated data, then:

  1. Microsoft does NOT tell the user that Win-10 does not support that
     stuff.

  2. The Win-10 installation process erases all the non-Microsoft software,
     and associated sub-directory data, that won't work with Win-10.

  3. The user is not told about this erasure.

  Other OS are much more polite to the user, giving the opportunity to save
  the software and data, not supported by the OS upgrade, so that the user
  can seek some add-on that is supported by the latest OS upgrade, and also
  provides a conversion path to move the data into any replacement format
  needed.

  Documentation regarding the OS upgrade also gives warning of what is no
  longer supported, and will need some software from someone other than
  the OS company to facilitate such conversions.

  Microsoft is not a believer in such user-friendly conversion info
  standards.  AWM]

------------------------------

Date: Mon, 27 Mar 2017 22:12:57 +0100
From: "John Murrell" <mail () johnmurrell org uk>
Subject: Risks from falsified Data (BBC)

http://www.bbc.co.uk/news/business-38254362

There is an interesting article on the BBC website that discusses an
alternative and much more subtle version of malware. This involves
infiltrating systems and making changes to data which, while being too small
to notice immediately, result in system failure.

Their conclusion is that data integrity from start to end is just as
important as any other form of security.

I had a quick search through the Risks Digests and could not find any
evidence of this being discussed.  Has anyone any evidence, that they are
willing and able to discuss, of this type of attack?

  [Is this not just one more example of faked news, perhaps more subtle
  than flagrant fake news, but still disinformation.  PGN]
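As an added illustration of the end-to-end integrity point made above (example
code written for this digest entry, not code from the BBC article or from the
contributor): a plausibility check on a sensor reading will not notice a small
tampering, but a keyed message authentication code over each record, computed
where the data originates and verified where it is consumed, will. The key,
the sensor name and the readings below are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key.  In a real deployment the key lives with the data
# producer and the verifier, never on the system an intruder can modify.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so producer and verifier MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(record: dict, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over the canonical form of one record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Attach the integrity tag at the point of origin."""
    return {"data": record, "tag": compute_tag(record, key)}


def verify(sealed: dict, key: bytes = DEMO_KEY) -> bool:
    """Constant-time comparison of the stored tag against a recomputed one."""
    return hmac.compare_digest(compute_tag(sealed["data"], key), sealed["tag"])


def in_plausible_range(record: dict, lo: float = 90.0, hi: float = 110.0) -> bool:
    """The kind of sanity check a system usually has: is the value believable?"""
    return lo <= record["value"] <= hi


def tamper(sealed: dict, delta: float) -> dict:
    """Simulate an intruder nudging a stored reading by a small amount."""
    modified = copy.deepcopy(sealed)
    modified["data"]["value"] = round(modified["data"]["value"] + delta, 2)
    return modified


# Constructed telemetry: a tank pressure in kPa that drifts slightly per sample.
RECORDS = [
    seal({"sensor": "tank-pressure", "seq": i, "value": round(101.30 + 0.01 * i, 2)})
    for i in range(5)
]


def audit(records: list) -> list:
    """Run both checks over every record; a record is trustworthy only if
    it is authentic, regardless of whether it looks plausible."""
    return [
        {
            "seq": s["data"]["seq"],
            "plausible": in_plausible_range(s["data"]),
            "authentic": verify(s),
        }
        for s in records
    ]


def demo() -> dict:
    """Tamper one record by a fraction of a percent and audit the stream."""
    stream = list(RECORDS)
    stream[2] = tamper(stream[2], 0.05)  # 101.32 kPa -> 101.37 kPa
    report = audit(stream)
    return {
        "tampered_seq": 2,
        "range_check_caught_it": not report[2]["plausible"],
        "mac_check_caught_it": not report[2]["authentic"],
        "others_authentic": all(r["authentic"] for i, r in enumerate(report) if i != 2),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The range check passes the altered record because 101.37 kPa is as believable
as 101.32 kPa; only the recomputed tag disagrees. The scheme assumes the
verifier holds a key the intruder does not; an attacker with access to the key
can re-sign whatever they change, which is why the key must be kept outside
the systems whose data it protects.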

------------------------------

Date: Mon, 27 Mar 2017 00:31:16 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: US Supreme Court Case on Toner Cartridges

You Should Care about the Supreme Court Case on Toner Cartridges.
The verdict could have consequences on practically any purchased product.

[PC printer manufacturers make most of their money selling toner & other ink
systems, often at ridiculous high prices.

Various 3rd party outfits sell apparently identical ink cartridges for much
less money.

I turn in my used cartridges to a recycling outfit, which refills them, with
much lower cost to me than buying the printer manufacturer cartridges.

The printer manufacturers want to put a stop to that competition, make you
use theirs exclusively, then they can jack up the prices even more.  AWM]

https://www.hardocp.com/news/2017/03/25/you_should_care_about_supreme_court_case_on_toner_cartridges/
http://gizmodo.com/supreme-court-printer-cartridge-case-could-be-the-citiz-1793643311

http://www.scotusblog.com/case-files/cases/impression-products-inc-v-lexmark-international-inc/

https://consumerist.com/2017/03/23/why-you-should-care-about-the-supreme-court-case-on-toner-cartridges/

------------------------------

Date: Tue, 21 Mar 2017 17:45:59 -0700
From: Barry Gold <barrydgold () ca rr com>
Subject: Re: self-checkout at grocery stores   [???]

I avoid self-checkout lanes unless the queues get *very* long or I have only
a single item because:

1. I'm nowhere near as fast as a trained checker in the whole scan-and-bag
   thing.

2. I want the checkers to keep their jobs.

And I *never* use self-checkout if I have produce or anything else that
needs to be weighed, because there's no way I can do the
enter-the-proper-code-and-weigh the thing as a checker who has usually
memorized the code for every single produce item in the store.

------------------------------

Date: Wed, 22 Mar 2017 20:26:24 -0400
From: Mark Jackson <mjackson () alumni caltech edu>
Subject: Re: self-checkout at grocery stores (Lamkin, RISKS-30.19)

That looks like the same system deployed in some of their stores by Stop
& Shop, a not-particularly-high-end grocery chain serving much of the U.S.
Northeast:

https://stopandshop.com/shopping/shopping-tools/scanit/

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.20
************************
