RISKS Forum mailing list archives
Risks Digest 30.62
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 30 Mar 2018 15:28:22 PDT
RISKS-LIST: Risks-Forum Digest  Friday 30 March 2018  Volume 30 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.62>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
A Cyberattack Hobbles Atlanta, and Security Experts Shudder (Alan Blinder and Nicole Perlroth)
Baltimore's 9-1-1 System Hacked in Ransomware Attack (Baltimore Sun)
Under Armour announces data breach, affecting 150 million MyFitnessPal app accounts (WashPo)
Facebook's Cambridge Analytica problems are nothing compared to what's coming for all of online publishing (Harvard)
Growth At Any Cost: Top Facebook Executive Defended Data Collection In 2016 Memo -- And Warned That Facebook Could Get People Killed (buzzfeed)
Facebook deathwatch: a decade ago, it was impossible to imagine the fall of Myspace (BoingBoing)
``Maybe someone dies'': Facebook VP justified bullying, terrorism as costs of network's `growth' (Avi Selk)
Ecuador cutting off WikiLeaks founder's communications (Chicago Sun Times)
Self-driving car passenger slapped with ticket in San Francisco (Fox News)
Uber Disabled Volvo's Safety System Before Fatality, Aptiv Says (TTNews)
Uber reportedly reduced the number of sensors on its autonomous cars (Engadget)
Re: "Why Big Tech Needs Big Ethics -- Right Now!" (Martin Ward)
Re: Self-Driving Car Had a Fatal Accident: Now What? (Ian Jackson, Paul Fenimore)
Re: Self-Driving Car Had a Fatal Accident CORRECTION (Don Norman)
Re: The Unstoppable Momentum of Self-Driving Cars (3daygoaty)
Government wants to know the Risks of IoT (Arthur T.)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 28 Mar 2018 07:45:57 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: A Cyberattack Hobbles Atlanta, and Security Experts Shudder (Alan Blinder and Nicole Perlroth)

NNSquad

Alan Blinder and Nicole Perlroth, *The New York Times*, 28 Mar 2018
https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html

The City of Atlanta's 8000 employees got the word on [27Mar] that they had been waiting for: It was O.K. to turn their computers on. But as the city government's desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world's busiest airport still could not use the free Wi-Fi.

Atlanta's municipal government has been brought to its knees since Thursday morning by a ransomware attack -- one of the most sustained and consequential cyberattacks ever mounted against a major American city.

------------------------------

Date: Thu, 29 Mar 2018 17:29:18 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Baltimore's 9-1-1 System Hacked in Ransomware Attack (Baltimore Sun)

Part of Baltimore's 9-1-1 emergency system had to be temporarily shut down over the weekend because of a ransomware attack, *The Baltimore Sun* reported. The breach reportedly affected a server that runs the city's computer-aided dispatch system, which maps the locations of 9-1-1 callers and dispatches the nearest emergency responders. Workers were forced to manually dispatch emergency personnel from Sunday morning through Monday morning.

The attack came after a city IT team working on a different issue inadvertently changed a firewall, leaving hackers access for about 24 hours. I don't know what else to call it but a self-inflicted wound, as chief information officer (CIO), told The Sun.
The bad guys did not get in on their own without the help of someone inadvertently leaving the door open.

http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-hack-folo-20180328-story.html

  [In addition to Atlanta and Baltimore, some of Denver's city systems were also reportedly hit by ransomware attacks. PGN]

------------------------------

Date: Fri, 30 Mar 2018 08:46:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Under Armour announces data breach, affecting 150 million MyFitnessPal app accounts (WashPo)

Under Armour announces data breach, affecting 150 million MyFitnessPal app accounts

Usernames, and email addresses tied to 150 million user accounts were accessed by hackers, the company said.

http://www.washingtonpost.com/news/the-switch/wp/2018/03/29/under-armour-announces-data-breach-affecting-150-million-myfitnesspal-app-accounts/

------------------------------

Date: Wed, 28 Mar 2018 09:56:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: Facebook's Cambridge Analytica problems are nothing compared to what's coming for all of online publishing (Harvard)

http://blogs.harvard.edu/doc/2018/03/23/nothing/

------------------------------

Date: Thu, 29 Mar 2018 15:39:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Growth At Any Cost: Top Facebook Executive Defended Data Collection In 2016 Memo -- And Warned That Facebook Could Get People Killed (buzzfeed)

via NNSquad
http://www.buzzfeed.com/ryanmac/growth-at-any-cost-top-facebook-executive-defended-data?utm_term=.fiP7VK4j4%23.nc25KxLjL

"We connect people. Period. That's why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it," VP Andrew "Boz" Bosworth wrote.

"So we connect more people," he wrote in another section of the memo.
"That can be bad if they make it negative. Maybe it costs someone a life by exposing someone to bullies. "Maybe someone dies in a terrorist attack coordinated on our tools."

------------------------------

Date: Fri, 30 Mar 2018 10:29:28 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook deathwatch: a decade ago, it was impossible to imagine the fall of Myspace (BoingBoing)

via NNSquad
http://boingboing.net/2018/03/30/historical-perspective.html

But as big and powerful as Facebook is, it's not immortal. Everything ends. Facebook's primary value is in helping you find people to talk with (for example, finding other people with rare diseases), but it makes its living by making the experience of talking with other people as shitty as possible, with "engagement maximization" and invasive, manipulative advertising. It is supremely vulnerable to a competitor that was willing to accept a lower degree of profitability in exchange for a business-model more closely aligned with the value of providing a forum where affinity-based groups can form and organize.

------------------------------

Date: Fri, 30 Mar 2018 11:30:10 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: ``Maybe someone dies'': Facebook VP justified bullying, terrorism as costs of network's `growth' (Avi Selk)

Avi Selk, *The Switch*, 30 Mar 2018
http://www.washingtonpost.com/news/the-switch/wp/2018/03/30/maybe-someone-dies-facebook-vp-justified-bullying-terrorism-as-costs-of-growth/

In a 2016 employee memo that was leaked this week, a Facebook executive defended the company's questionable data mining practices and championed the growth of social media at any cost -- apparently even death.

``Maybe it costs a life by exposing someone to bullies,'' company vice president Andrew Bosworth wrote in the memo, according to BuzzFeed News, which published it Thursday. ``Maybe someone dies in a terrorist attack coordinated on our tools. And still we connect people.
The ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is *de facto* good.''

Bosworth, who oversaw Facebook's advertising and business platform at the time and is now in charge of the company's virtual reality department, has acknowledged writing the message but said he intended only to start a debate. ``I didn't agree with it even when I wrote it,'' he wrote on Twitter after BuzzFeed published its report.

------------------------------

Date: Wed, 28 Mar 2018 10:48:45 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Ecuador cutting off WikiLeaks founder's communications (Chicago Sun Times)

NNSquad
https://chicago.suntimes.com/news/ecuador-wikileaks-founder-julian-assange-communications-outside-london-embassy/

Ecuador's government is cutting off WikiLeaks founder Julian Assange's communications outside the nation's London embassy. Officials announced Wednesday they were taking the measure in response to Assange's recent activity on social media.

------------------------------

Date: Wed, 28 Mar 2018 17:05:12 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Self-driving car passenger slapped with ticket in San Francisco (Fox News)

via NNSquad
http://www.foxnews.com/us/2018/03/28/self-driving-car-passenger-slapped-with-ticket-in-san-francisco-police-say.html

A ticket was issued to a person traveling in a self-driving car in San Francisco on Monday, police told Fox News. The vehicle allegedly did not stop for a person in the crosswalk. However, Cruise, the car company involved, according to KPIX, maintained that the vehicle was in compliance with California state law. A motorcycle officer issued the ticket after seeing the car not stop for a woman going through a crosswalk in the South of Market area, San Francisco Police Department spokeswoman Officer Giselle Linnane told Fox News on Wednesday. The car "cut the pedestrian off," she said.
When the robocar you're in kills someone -- YOU may end up in prison for the rest of your life! Surprise!

------------------------------

Date: Tue, 27 Mar 2018 08:53:38 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Uber Disabled Volvo's Safety System Before Fatality, Aptiv Says (TTNews)

via NNSquad
http://www.ttnews.com/articles/uber-disabled-volvos-safety-system-fatality-aptiv-says

Uber Technologies Inc. disabled the standard collision-avoidance technology in the Volvo SUV that struck and killed a woman in Arizona 18 Mar 2018, according to the auto-parts maker that supplied the vehicle's radar and camera. "We don't want people to be confused or think it was a failure of the technology that we supply for Volvo, because that's not the case," Zach Peterson, a spokesman for Aptiv Plc, said by phone. The Volvo XC90's standard advanced driver-assistance system "has nothing to do" with the Uber test vehicle's autonomous driving system, he said.

------------------------------

Date: Wed, 28 Mar 2018 12:04:21 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Uber reportedly reduced the number of sensors on its autonomous cars (Engadget)

NNSquad
https://www.engadget.com/2018/03/28/uber-reduced-safety-sensors-on-its-autonomous-cars/

Reuters reports that Uber scaled back to a single LiDAR sensor on the Volvo test cars the company currently uses in its fleets. The resulting vehicles have more blind spots, say Reuters' sources, than Uber's previous generation of self-driving cars as well as that of rivals, which can use five or six sensors.

------------------------------

Date: Wed, 28 Mar 2018 14:29:43 +0100
From: Martin Ward <martin () gkc org uk>
Subject: Re: "Why Big Tech Needs Big Ethics -- Right Now!" (Lauren's Blog)

Governments always get it wrong and government regulation is always a terrible idea isn't it?
Just think of the first Factory Act of 1802: this forced factories to "admit fresh air by means of a sufficient number of windows", to "supply every apprentice of sufficient and suitable clothing and sleeping accommodation (not more than two to a bed)", and on top of that, the pauper apprentices were prohibited from night work, and their labour limited to a mere 12 hours in a day! Health and safety gone mad! Later regulations went even further and required fencing of machinery and prohibited the cleaning of machinery in motion.

My point is that *without* government regulation, any factory that treated their employees well would be working at a disadvantage to those who worked their employees to death. So, however flawed the political system might be, the only hope for better working conditions for employees was government regulation.

Similarly, the only hope for more ethical treatment of customer data is government regulation: because there is money to be made from unethical use of the data, and no company can afford to leave money on the table unless all are.

  [You're confusing labor regulations with micromanagement of tech and information. Two different worlds. Lauren]

Your argument, and my counter-argument, apply equally well to both. So what is the difference? Note that with the current dysfunctional governments, multinationals are working hard to dismantle labour regulations as well as avoiding government regulation of tech and information.

Martin

  [Because it's demonstrably true that government actions relating to labor/health issues have positive results, and that government is typically incapable of micromanaging technology without vast negative collateral effects. Lauren]

------------------------------

Date: Wed, 28 Mar 2018 15:16:40 +0100
From: Ian Jackson <ijackson () chiark greenend org uk>
Subject: Re: Self-Driving Car Had a Fatal Accident: Now What? (Norman, R 30 61)

Don Norman writes:
> [The accident record [of self-driving vehicles] is impressively low: in four million miles of driving, one death compared to 40 deaths in regular driving.
> ...
> Automobile manufacturers are rushing to add more and more automation to their existing cars, promising to have fully automated vehicles within a few years. They need to slow down.
This opinion makes no sense. On Don's own figures, delaying the introduction of self driving vehicles, costs, in the United States alone, *at least 90 deaths for each day we delay*.

The reality is that the existing road and driver system is so utterly appalling that it is properly regarded as a massive emergency. Only politics (the realpolitik necessity that every idiot be allowed to drive) have prevented us from solving this.

It makes sense to replace this nightmare as soon as we can - even with automation which falls far short of normal safety standards applied elsewhere. Normal safety standards (like you find in aviation, say) aren't applied to human drivers. Getting rid of human drivers is the priority.

------------------------------

Date: Wed, 28 Mar 2018 21:56:16 -0600
From: Paul Fenimore <fenimore () swcp com>
Subject: Re: Self-Driving Car Had a Fatal Accident: Now What? (Norman, R 30 61)
> Recently, one of Uber's autonomous automobiles was involved in an accident where a pedestrian was killed. What lesson should we learn from this incident? During the three years that my colleagues and I have been doing research on self-driving cars, this is the first death. Compare this single death with the 120,000 people who have been killed in automobile accidents in the United States in that same period: roughly 100 people each day.
>
> Fully autonomous cars have driven around four million miles rather than the nearly nine trillion miles driven by American drivers in that same period. The accident record is impressively low: in four million miles of driving, one death compared to 40 deaths in regular driving.
The Editorial "Self-Driving Car Had a Fatal Accident..." from RISKS 30.61 makes numerous arguments, but they all hinge on the two paragraphs quoted above. The claim in the first paragraph is that un-normalized comparisons of the death rate between autonomous cars and human-operated are meaningful. I'm not sure what comparison the author intends to make, but it is axiomatic that accident *rates* are by necessity normalized.

I cannot find a sensible and correct interpretation of the second paragraph; so I'll simply quote Federal accident statistics. The fatality rate by all-causes from "typical" human driving is about 1.2 deaths per 10^8 miles driven. For a vehicle-pedestrian fatality, the fatality rate is nearly an order of magnitude lower. One fatality after 4 million miles driven is between a factor of 20 and 100 higher than the rate for human-operated vehicles, meaning the likelihood this would happen to a human driver with this many miles driven is in the range 1% - 5%, better known as p < 0.05! This *single event* is a sound statistical basis to be very suspicious of Uber's self-driving car program.

Quite aside from the fashionable practice of denigrating human capabilities that pervades the popular press when they discuss automation, the safety of cars has shown drastic improvements over the last century as even a cursory look at US Federal statistics shows. That improvement has been the result of many changes, both to how people drive and to the vehicles. The resources expended over that century have been enormous, far beyond what is available to any company on the 5-10 year time-scale, or even the entire self-driving car community. It should come as no surprise that a bunch of starry-eyed optimists with comparatively puny resources are unable to improve the situation in a few short years: the underlying activity is very dangerous and has been the subject of long learning.
It is profoundly disappointing to see that RAND Corporation pointed out the difficulties of proving self-driving car safety:
<https://www.sciencedirect.com/science/article/pii/S0965856416302129>
The community did not take the warning seriously. So instead, we have a p < 0.05 proof of autonomous vehicles' danger to life and limb.

------------------------------

Date: Thu, 29 Mar 2018 14:53:55 -0700
From: Don Norman <dnorman () ucsd edu>
Subject: Re: Self-Driving Car Had a Fatal Accident CORRECTION (R 30.62)

My arithmetic calculation (in my RISKS-30.61 article "Self-Driving Car Had a Fatal Accident") was wrong -- but I still stand by my conclusions.

Several people have written privately to me (and some to RISKS directly) about my computation comparing the death rate in autonomous (self-driving) vehicles with that of manual driving. The correspondents pointed out that my numerical comparison was flawed. Unfortunately, they are correct. Worse: I cannot recreate how I came up with the numbers that I did.

I used the figure of 4 million miles driven by autonomous vehicles (I have since discovered higher mileage, but that wouldn't significantly change the result). I also used the (rounded off) numbers of 1 death per 100 million miles driven, and three trillion miles driven by Americans/year. Those numbers are correct. Why didn't I conclude that manually driven cars should have had (4*10^6)/10^8 = 0.04 deaths in 4 million miles of driving? Damned if I know: my 6 years of calculus is a bit rusty, but this was simple arithmetic. My computation was wrong. That's clear.

- - -

However, I stand by my conclusions. They did not depend upon this computation. If I hadn't included the numbers, my argument would still hold. We need a standard testing procedure before we allow autonomous cars on the roads. Having a safety driver is unworkable. I have written at length about this point in automobile conferences, in RISKS, in articles published in Technology Review and CACM.
The Human Factors and Aviation Safety literature for the past 50 years has provided lots of evidence, some of it was even contributed by me.

So, ignore my faulty numerical computations and attend to the rest of the article. By the way, Waymo (previously known as Google X) has described some of their testing procedures and precautions: it would be wonderful if all manufacturers followed those policies. Alas, the mad rush to be first is forcing companies to ignore this good advice, much of it coming from their own engineers and human factors experts.

Don Norman. Prof. and Director, DesignLab, UC San Diego

------------------------------

Date: Wed, 28 Mar 2018 10:17:53 +1100
From: 3daygoaty <threedaygoaty () gmail com>
Subject: Re: The Unstoppable Momentum of Self-Driving Cars (Kaufmann, R 30 61)
> I wait to hear when self-driving cars successfully complete a million miles without human intervention in Boston and its suburbs during winter snowstorms.
This whole post is very nicely said. But someone will take your bet! Ignoring the fact that I have lived in those same challenging snow storms, I'm going to be a complete wowser and propose that no Turing-test like bar should be set for autonomous vehicles. I'm worried it would be just like <some big IT firm> to have a car drive a million miles in the snow and either kill people doing it, or worse, arrive at the millionth mile and pronounce "It's time".

Lots of people have been fooled by bots now, it demonstrates little about any general intelligence implemented in machines. I put it to RISKS readers: why can't a strong counterexample of how dangerous automation be what the little boy said about the emperor's clothes?

  [With regard to Don Norman's messages, I think you might want a *wowser bowser* sitting in the driver's seat, to bite any person trying to take over the automated controls, PGN says doggedly!]

------------------------------

Date: Wed, 28 Mar 2018 21:39:06 -0500
From: "Arthur T." <Risks201802.10.atsjbt () xoxy net>
Subject: Government wants to know the Risks of IoT

The Consumer Product Safety Commission wants comments "about potential safety issues and hazards associated with Internet-connected consumer products". I'm sure the RISKS audience will be a good source of such comments. The comment period ends 15 Jun.

The government's site:
https://www.federalregister.gov/documents/2018/03/27/2018-06067/the-internet-of-things-and-consumer-product-hazards

Article about the request:
https://www.federalregister.gov/documents/2018/03/27/2018-06067/the-internet-of-things-and-consumer-product-hazards

Important note from the above article: "Keep in mind that submissions will be [...] published out in the open."

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest.
Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r

   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.62
************************