RISKS Forum mailing list archives
Risks Digest 31.12
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 18 Mar 2019 15:11:41 PDT
RISKS-LIST: Risks-Forum Digest Monday 18 March 2019 Volume 31 : Issue 12 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/31.12> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: The Rapid Decline Of The Natural World Is A Crisis Even Bigger Than Climate Change (HuffPost via Geoff Goodfellow) Boeing promised pilots a 737 software fix last year, but they're still waiting (NYTimes) American Airlines takes jets out of service, cancels flights due to overhead-bin problem (CNBC) How Artificial Intelligence Could Transform Medicine (NYTimes) Cancer Patients Are Getting Robotic Surgery; there's no evidence it's better (NYTimes) Toyota patents system to dispense tear gas on car thieves (Autoblog) World of hurt: GoDaddy, Apple, and Google misissue >1M certificates (Ars Technica) When your IoT goes dark: Why every device must be open source and multicloud (ZDNet) Companies are leaking sensitive files via Box accounts (Catalin Cimpanu) Women face greater threat from job automation than men: Study (The Straits Times) "Security Holes Found in Big Brand Car Alarms" (Dan Simmons) A slew of CEOs charged in alleged college entrance cheating scam (Monty Solomon) Hashing to prevent spread of hate videos? (CNN) Tech's Moral Void (CBC) U.S. Campaign to Ban Huawei Overseas Stumbles as Allies Resist *NYTimes) App notification for a stranger on my phone (Steven Klein) Re: U.S. DST change proposals and WWVB radio clocks (John Levine) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 17 Mar 2019 09:38:06 -0700 From: geoff goodfellow <geoff () iconia com> Subject: The Rapid Decline Of The Natural World Is A Crisis Even Bigger Than Climate Change *A three-year UN-backed study from the Intergovernmental Science-Policy Platform On Biodiversity and Ecosystem Services has grim implications for the future of humanity.* EXCERPT: Nature is in freefall and the planet's support systems are so stretched that we face widespread species extinctions and mass human migration unless urgent action is taken. That's the warning hundreds of scientists are preparing to give, and it's stark. The last year has seen a slew of brutal and terrifying warnings about the threat climate change poses to life. Far less talked about but just as dangerous, if not more so, is the rapid decline of the natural world. The felling of forests, the over-exploitation of seas and soils, and the pollution of air and water are together driving the living world to the brink, according to a huge three-year, U.N.-backed landmark study to be published in May. The study from the Intergovernmental Science-Policy Platform On Biodiversity and Ecosystem Services (IPBES), expected to run to over 8,000 pages, is being compiled by more than 500 experts in 50 countries. It is the greatest attempt yet to assess the state of life on Earth and will show how tens of thousands of species are at high risk of extinction, how countries are using nature at a rate that far exceeds its ability to renew itself, and how nature's ability to contribute food and fresh water to a growing human population is being compromised in every region on earth. Nature underpins all economies with the `free' services it provides in the form of clean water, air and the pollination of all major human food crops by bees and insects. In the Americas, this is said to total more than $24 trillion a year. The pollination of crops globally by bees and other animals alone is worth up to $577 billion. The final report will be handed to world leaders not just to help politicians, businesses and the public become more aware of the trends shaping life on Earth, but also to show them how to better protect nature. ``High-level political attention on the environment has been focused largely on climate change because energy policy is central to economic growth. But biodiversity is just as important for the future of earth as climate change,'' said Sir Robert Watson, overall chair of the study, in a telephone interview from Washington, D.C. ``We are at a crossroads. The historic and current degradation and destruction of nature undermine human well-being for current and countless future generations,'' added the British-born atmospheric scientist who has led programs at NASA and was a science adviser in the Clinton administration. ``Land degradation, biodiversity loss and climate change are three different faces of the same central challenge: the increasingly dangerous impact of our choices on the health of our natural environment.'' Around the world, land is being deforested, cleared and destroyed with catastrophic implications for wildlife and people. Forests are being felled across Malaysia, Indonesia and West Africa to give the world the palm oil we need for snacks and cosmetics. Huge swaths of Brazilian rainforest are being cleared to make way for soy plantations and cattle farms, and to feed the timber industry, a situation likely to accelerate under new leader Jair Bolsonaro, a right-wing populist. Industrial farming is to blame for much of the loss of nature, said Mark Rounsevell, professor of land use change at the Karlsruhe Institute of Technology in Germany, who co-chaired the European section of the IPBES study. ``The food system is the root of the problem. The cost of ecological degradation is not considered in the price we pay for food, yet we are still subsidizing fisheries and agriculture.'' This destruction wrought by farming threatens the foundations of our food system. A February report from the U.N. warned that the loss of soil, plants, trees and pollinators such as birds, bats and bees undermines the world's ability to produce food. An obsession with economic growth as well as spiraling human populations is also driving this destruction, particularly in the Americas where GDP is expected to nearly double by 2050 and the population is expected to increase 20 percent to 1.2 billion over the same period. [...] https://www.huffpost.com/entry/nature-destruction-climate-change-world-biodiversity_n_5c49e78ce4b06ba6d3bb2d44 [Why is this item included in the ACM Forum on Risks to the Public in Computers and Related Systems? Because climate change can affect almost every related system, one way or another. End of story. And perhaps the end of the planet, as well. PGN] ------------------------------ Date: Fri, 15 Mar 2019 10:31:32 -0700 From: Richard Stein <rmstein () ieee org> Subject: Boeing promised pilots a 737 software fix last year, but they're still waiting (NYTimes) https://www.nytimes.com/2019/03/14/business/boeing-737-software-update.html Comprehensive avionics software qualification of operational flight plans -- that stuff blown into PROMs or CPLDs -- requires exceptional organizational maturity to achieve. One life-cycle maturity indicator resides in collaterals: test plans, test results, qualification wall-clock duration, and top-10 defect escapes. These data points can indicate production defect escape suppression effectiveness. Few, if any, businesses willingly publish this content. Correlate it across industrial competition and against mitre.org CVEs to enable and guide consumer purchase decisions. Open source "eyes" help to identify code defects before publication. Shouldn't commercial-grade mission critical software stacks rely on an equivalent inspection mechanism to suppress production defect escape potential? IP protection is important, but so are the life-critical nature of the product, brand resilience, and the end-user. In Boeing's case, there appears to be a maturity gap. Repair deployment delay is one, and deficient transition/training of new capabilities is another, especially in light the emphasis to "reduce deployment and airline operational costs." Risk: Change management maturity deficiency and opaque industrial operations conceal defective product. [Earlier items: https://www.seattletimes.com/business/boeing-aerospace/pressure-on-boeing-grows-as-europe-grounds-the-737-max/ https://www.wsj.com/articles/boeing-tries-to-limit-the-fallout-11552523380 https://theaircurrent.com/aviation-safety/the-world-pulls-the-andon-cord-on-the-737-max/ https://www.nytimes.com/interactive/2019/03/13/world/boeing-737-crash-investigation.html Later items: The Aerospace Newcomer Whose Data Helped Make the Difference on Grounding the 737 MAX http://www.wsj.com/articles/aerospace-upstart-changes-how-planes-are-tracked-11552590711 Also, *The Seattle Times* today (18Mar2019) has some outstanding reporting: https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/ PGN] ------------------------------ Date: Wed, 13 Mar 2019 00:19:48 -0400 From: Monty Solomon <monty () roscom com> Subject: American Airlines takes jets out of service, cancels flights due to overhead-bin problem (CNBC) https://www.cnbc.com/2019/03/07/american-airlines-overhead-bins-leads-to-flight-cancelations.html ------------------------------ Date: Thu, 14 Mar 2019 14:44:48 -0400 From: Monty Solomon <monty () roscom com> Subject: How Artificial Intelligence Could Transform Medicine (NYTimes) https://www.nytimes.com/2019/03/11/well/live/how-artificial-intelligence-could-transform-medicine.html In Deep Medicine,” Dr. Eric Topol looks at the ways that A.I. could improve health care, and where it might stumble. ------------------------------ Date: Wed, 13 Mar 2019 17:42:52 -0700 From: Richard Stein <rmstein () ieee org> Subject: Cancer Patients Are Getting Robotic Surgery; there's no evidence it's better (NYTimes) https://www.nytimes.com/2019/03/11/health/robotic-surgery-cancer.html This essay compares surgical outcomes of traditional v. minimally invasive (robotic-assist) surgery for cervical cancer. It also discusses use of robotic-assist surgery for off-label purposes. Between 01/01/2017 and 02/28/2019, the FDA's MAUDE (Manufacturer and User Facility Device Experience) database reports the following events: 29 deaths, 72 injuries, 306 malfunctions, and 10 other attributed to Brand Name: da vinci, Manufacturer: intuitive, and product code: nay (System, Surgical, Computer Controlled Instrument). https://seer.cancer.gov/statfacts/html/cervix.html estimates 13,240 cases of cervical cancer and 4170 deaths from the disease in 2018. I cannot find a definitive reference for the total number of field deployed Da Vinci units, nor a total count of surgeries between 01JAN2017 and 28FEB2019. These figures are probably closely guarded by Intuitive Surgical, the Da Vinci's manufacturer. Risk: Patient outcome, including death. Refer to earlier comp.risks contributions on Da Vinci and robotic surgery. http://catless.ncl.ac.uk/Risks/22/36%23subj5.1 http://catless.ncl.ac.uk/Risks/26/06%23subj4.1 http://catless.ncl.ac.uk/Risks/30/89%23subj13.1 ------------------------------ Date: Tue, 12 Mar 2019 21:00:15 -0400 From: Steven J Klein <steven () klein us> Subject: Toyota patents system to dispense tear gas on car thieves (Autoblog) The website autoblog says: The patent includes a system that will release tear gas into the car. The noxious gas is piped in when the vehicle detects an illegitimate engine start. https://www.autoblog.com/2019/03/11/toyota-patent-tear-gas-anti-theft/ What could possibly go wrong? ------------------------------ Date: Wed, 13 Mar 2019 23:10:58 -0400 From: Monty Solomon <monty () roscom com> Subject: World of hurt: GoDaddy, Apple, and Google mis-issue >1M certificates (Ars Technica) https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/ ------------------------------ Date: Thu, 14 Mar 2019 00:06:28 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: When your IoT goes dark: Why every device must be open source and multicloud (ZDNet) Earlier this month, owners of the Jibo personal social robot -- a servomotor animated smart speaker with a friendly circular display "face" that underwent $73 million of venture capital funding -- saw their product's cloud services go dark after the company had its assets sold to SQN Ventures Partners in late 2018. The robot, aware of its impending demise, alerted owners with a sad farewell message: ``While it's not great news, the servers out there that let me do what I do are going to be turned off soon. I want to say I've really enjoyed our time together. Thank you very, very much for having me around. Maybe someday, when robots are way more advanced than today, and everyone has them in their homes, you can tell yours that I said hello. I wonder if they'll be able to do this.'' What Jibo, no `Daisy'? So disappointing. https://www.zdnet.com/article/when-your-iot-goes-dark-why-every-device-must-be-open-source-and-multicloud/ ------------------------------ Date: Tue, 12 Mar 2019 19:43:51 -0700 From: Gene Wirchenko <genew () telus net> Subject: Companies are leaking sensitive files via Box accounts (Catalin Cimpanu) Catalin Cimpanu for Zero Day | 11 Mar 2019 Companies are leaking sensitive files via Box accounts Leaks discovered at Apple, the Discovery Channel, Herbalife, Schneider Electric, and even Box itself. https://www.zdnet.com/article/companies-are-leaking-sensitive-files-via-box-accounts/ Companies that use Box.com as a cloud-based file hosting and sharing system might be accidentally exposing internal files, sensitive documents, or proprietary technology. The problem lies with Box.com account owners who don't set a default access level of "People in your company" for file/folder sharing links, leaving all newly created links accessible to the public. [What about having a warning message such as 'Warning: The default access has not been set to "People in your company". This is dangerous as outsiders could access information that should remain private.? Do you wish to change this?' [Yes] [Why Not?]] If the organization also allows users to customize the link with vanity URLs instead of using random characters, then the links of these files can be guessed using dictionary attacks. [Risk: Calling it a "vanity" URL. Being able to specify a URL is useful for mnemonic reasons. Is someone going to think the reason for specifying the name is vanity?] This is what Adversis did last year. The company says it scanned Box.com for accounts belonging to large companies and attempted to guess vanity URLs of files or folders that employees shared in the past. Its efforts weren't in vain. In a report published today, Adversis said it found a trove of highly sensitive data such as: [the usual sort of stuff: were you really expecting something else?] Most of these file leaks have been fixed, and Box notified all customers last September of the dangers of using incorrect access permissions for Box.com share links. "We provide admins tools to run various reports on open links across their enterprise, as well as to disable open and custom URLs for their enterprise," a Box spokesperson told us via email. "Admins can also ensure that 'People in the Company' is the default setting for all shared links to limit the potential for a user to set a [file] as public inadvertently." [What about making such a scan being the default action?] ------------------------------ Date: Wed, 13 Mar 2019 18:10:51 -0700 From: Richard Stein <rmstein () ieee org> Subject: Women face greater threat from job automation than men: Study (The Straits Times) https://www.straitstimes.com/world/united-states/women-face-greater-threat-from-job-automation-than-men-study "Women across the economic spectrum are more vulnerable than men to losing their jobs to technology, according to a study released on Wednesday (March 13) by the Institute for Women's Policy Research. "Among the positions with more than a 90 per cent chance of becoming automated were administrative assistant, office clerk, bookkeeper and cashier, all fields dominated by women. "We're already seeing some of that with tasks being replaced by computers," said Ms Chandra Childers, the study director and a senior researcher at the IWPR." Risk: Gender inequality intensified by technology. ------------------------------ Date: Fri, 15 Mar 2019 12:00:50 -0400 From: ACM TechNews <technews-editor () acm org> Subject: "Security Holes Found in Big Brand Car Alarms" (Dan Simmons) Dan Simmons, BBC News, 8 Mar 2019, via ACM TechNews; Friday, March 15, 2019 Security researchers in the U.K. have found vulnerabilities in three popular smart car alarm apps, making vehicles susceptible to theft or hijacking. The apps--from the companies Clifford, Viper, and Pandora--control alarms in 3 million vehicles. For example, Pandora Alarms, which had hyped its system as "unhackable," was found to permit users to reset passwords for any account, enabling hackers to activate car alarms, unlock vehicle doors, and start engines. The researchers also determined Clifford's app had a bug that allowed them to use a legitimate account to access other users' profiles, then alter the passwords for those accounts and take control. Viper and Clifford parent firm Directed has corrected the bug, while Pandora also said it has upgraded security. Alan Woodward at the University of Surrey said it was "disappointing" that relatively simple vulnerabilities had been introduced by security companies. https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1ed98x21ae50x069377%26 ------------------------------ Date: Wed, 13 Mar 2019 00:24:24 -0400 From: Monty Solomon <monty () roscom com> Subject: A slew of CEOs charged in alleged college entrance cheating scam (Sundry Sources) A slew of CEOs charged in alleged college entrance cheating scam https://www.cnbc.com/2019/03/12/a-slew-of-ceos-are-charged-in-alleged-college-entrance-cheating-scam.html FBI accuses wealthy parents, including celebrities, in college-entrance bribery scheme https://www.washingtonpost.com/world/national-security/fbi-accuses-wealthy-parents-including-celebrities-in-college-entrance-bribery-scheme/2019/03/12/d91c9942-44d1-11e9-8aab-95b8d80a1e4f_story.html College admissions bribery scheme affidavit https://games-cdn.washingtonpost.com/notes/prod/default/documents/d216435e-e073-41f6-b6fa-33ed835d053d/note/1310d5d4-ef15-4ea9-ad35-5edaac10cbb5.pdf College Admissions Scandal: Actresses, Business Leaders and Other Wealthy Parents Charged https://www.nytimes.com/2019/03/12/us/college-admissions-cheating-scandal.html
From ‘master coach' to a bribery probe: A college consultant who went off the rails
https://www.washingtonpost.com/local/education/from-master-coach-to-a-bribery-probe-a-college-consultant-who-went-off-the-rails/2019/03/12/3e3a6bfe-4501-11e9-aaf8-4512a6fe3439_story.html Why the College-Admissions Scandal Is So Absurd For the parents charged in a new FBI investigation, crime was a cheaper and simpler way to get their kids into elite schools than the typical advantages wealthy applicants receive. https://www.theatlantic.com/education/archive/2019/03/college-admissions-scandal-fbi-targets-wealthy-parents/584695/ Kids Are the Victims of the Elite-College Obsession: Too many families are focusing on college prep, molding the student to fit a school. https://www.theatlantic.com/ideas/archive/2019/03/college-bribe-scandal-shows-elite-college-obsession/584719/ [Also: https://www.cnn.com/2019/03/12/us/college-admissions-scheme-how-it-worked/index.html College scam mastermind Photoshopped students' faces onto athletes: prosecutors (NY Post): https://nypost.com/2019/03/12/college-scam-mastermind-photoshopped-students-faces-onto-athletes/ PGN] ------------------------------ Date: Sun, 17 Mar 2019 10:45:56 -0800 From: Rob Slade <rmslade () shaw ca> Subject: Hashing to prevent spread of hate videos? (CNN) The general media has (temporarily) discovered hashing. https://lite.cnn.io/en/article/h_f53c07f70ccd1b7fd21d53163da2c280 I predict a short run of calls for social media platforms to use it to prevent the spread of hate videos, violent videos, revenge pr0n, etc, etc, etc. I've seen hashing in use for some time. Fifteen years ago it was very popular as the increase in the number of viruses exploded. Not so long ago Facebook tried using it in an odd, rather futile, and foolish attempt to prevent revenge pr0n. It's been used to prevent the theft of music and video as intellectual property for some time. It works, a bit, but not terribly well. The idea is to detect something you don't want spread, and then take a hash of it. You can then search, relatively quickly, and compare that hash value against the hash values of either existing files, or newly uploaded files (depending upon your application). I said "relatively" quickly. One of the people quoted in that article said "It's exceedingly fast." It's exceedingly fast compared to more detailed forms of analysis. But when around 10 *hours* of video are uploaded to YouTube alone every *second* (anybody have current statistics?) ... well, hashing does take some time, and little bits add up. And then there is the time to compare every hash against every other hash ... And hashing works only if nothing has been changed. After all, hash values are used, sometimes in digital signatures or certificates, to ensure that something hasn't changed. Again, someone in the article referred to "'robust' hashing -- a method that should be able to detect variations on re-uploads." That's an interesting use of the word "robust." I'd think most people in the crypto field would think of a "robust" hash as one that would detect any changes, not one that would allow some changes and still match. But, quite aside from the use of the word "robust," making a hash that will accept some changes and still detect "similar" is a non-trivial task. And such a hash function would likely take even more time to run. It's easy to use hashes to catch direct and identical copies. But videos can be modified in all kinds of ways. They can be edited for length, cut into collections, processed to add comments, or even just drop a few packets during streaming. Any or all of these events could mean that a hash value will not match. No, I don't think hashing will be the silver bullet people are looking for ... ------------------------------ Date: Fri, 15 Mar 2019 20:43:36 -0600 From: "Matthew Kruk" <mkrukg () gmail com> Subject: Tech's Moral Void (CBC) https://www.cbc.ca/radio/ideas/tech-s-moral-void-1.5056316 ------------------------------ Date: Sun, 17 Mar 2019 15:46:47 -0400 From: Monty Solomon <monty () roscom com> Subject: U.S. Campaign to Ban Huawei Overseas Stumbles as Allies Resist (NYTimes) https://www.nytimes.com/2019/03/17/us/politics/huawei-ban.html The Trump administration's effort to ban Huawei from overseas wireless networks has suffered from questions over whether the Chinese telecom company poses a threat. ------------------------------ Date: Mon, 18 Mar 2019 16:50:22 -0400 From: <steven () klein us> Subject: App notification for a stranger on my phone My health insurance provider is the largest provider in my state. They have an iPhone app that can provide alerts for new claims, explanations of benefits, and other related data. About 5 minutes ago I got a notification with wording something like this: ``The security questions for Carmello have been updated.'' I'm not Carmello; I don't know anyone by that name. Perhaps coincidentally (though probably not), attempts to log into the app now fail. When I just now tried to log into the website, I got this vague error: ``Error - We're sorry, login isn't available at this time. Please log in again later.'' Will I soon be reading about a big data breach at this insurer? I won't be surprised. ------------------------------ Date: 13 Mar 2019 17:21:51 +0900 From: "John Levine" <johnl () iecc com> Subject: Re: U.S. DST change proposals and WWVB radio clocks (RichW, R 31 11)
... I'm aware of California and Florida, for example. At least one Canadian province (British Columbia) is considering doing the same.
Massachusetts, too. For some reason, states can opt out of DST, but they can't opt for year-round DST, so if FL or MA does year round DST, they will have to do it by moving to the AST time zone with no DST. If the clocks don't already handle AST, they're not really fit for purpose, since Puerto Rico and the USVI have been on AST for a century. ------------------------------ Date: Mon, 14 Jan 2019 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 31.12 ************************
Current thread:
- Risks Digest 31.12 RISKS List Owner (Mar 18)