RISKS Forum mailing list archives
Risks Digest 31.04
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 28 Jan 2019 12:22:12 PST
RISKS-LIST: Risks-Forum Digest Monday 28 January 2019 Volume 31 : Issue 04

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.04>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
If 5G Is So Important, Why Isn't It Secure? (Henry Baker on NYT item)
Everybody Does It: The Messy Truth About Infiltrating Computer Supply Chains (The Intercept)
Digital Assistants Inside Cars Raise Serious Privacy Concerns (Fortune)
Toilet seat sensor tracks blood pressure, stroke volume, blood oxygenation (MobiHealthNews)
The Hidden Automation Agenda of the Davos Elite (NYT)
Prepare for the Smart Home Fitness Revolution (WIRED)
The Prime Challenges for Scout, Amazon's New Delivery Robot (Gabe Goldberg)
Why Uber wants to build scooters and bikes that can drive themselves (Ars Technica)
"Our worst fears have come true," VW Group exec wrote to Audi exec. (Ars)
The World Economy Runs on GPS. It Needs a Backup Plan (Bloomberg)
Runner found to be a hitman after GPS Watch ties him to crime scene (Runner's World)
Buy Bitcoin at the Grocery Store via Coinstar (Fortune)
The Internet of human things: Implants for everybody and how we get there (ZDNet)
Drone activity halts air traffic at Newark Liberty International (WashPo)
How Volunteers for India's Ruling Party Are Using WhatsApp to Fuel Fake News Ahead of Elections (Time)
Family says hacked Nest camera warned them of North Korean missile attack (WashPost)
GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains (Ars Technica)
Google ordered to submit search index to state sponsorship in Russia (SearchEngineLand)
Why Hackers Had Thousands of DNA Tests Delivered to Random People Over the Holidays (Fortune)
The Duty to Read the Unreadable (Monty Solomon)
Amazon software works best on white men, study says (WashPost)
Risks of Deepfake videos (Geoff Goodfellow)
Here's how you can stay clear of online scams (CNET)
Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC to Scrap User Consent (Motherboard)
Researchers discover state actor's mobile malware efforts because of YOLO OPSEC (Ars Technica)
1000 Vulnerable Cranes (Trendmicro via Henry Baker)
When your landlord installs smart locks (José María Mateos)
Hundreds of popular cars at risk from key compromise (BBC)
Coming Soon to a Police Station Near You: The DNA 'Magic Box' (NYT)
An IoT security mailing list (Firemountain via JMM)
Japan to regulate foreign companies use of e-mail content (Mark Thorson)
Facebook "real names" policy forces you to sign up with a fake name (Neil Youngman)
Reaction to the #10YearChallenge circulating on Facebook: Nope. (Gabe Goldberg)
How Reserved Storage Works in the Next Version of Windows 10 (MS)
Security, Compliance Add-Ons Offered to Microsoft 365 Users (GG)
How Reserved Storage Works in the Next Version of Windows 10 (MS via GG)
US Patent for Drone delivery of coffee based on a cognitive state (GG)
Did Australia Hurt Phone Security Around the World? (NYTimes)
Location-Based Little Brothers (Henry Baker)
How We Destroy Lives Today (NYTimes)
Covington and the Pundit Apocalypse (NYTimes)
Re: A Simple Bug Makes It Easy to Spoof Google Search Results (Vint Cerf)
Re: How three rude iPhone users ruined an evening (Henry Baker)
Cyber Security Hall of Fame Nominations now open (Spaf)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 21 Jan 2019 09:54:06 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: If 5G Is So Important, Why Isn't It Secure?

The network must be secure enough for the innovations it promises.
https://www.nytimes.com/2019/01/21/opinion/5g-cybersecurity-china.html

While I'm not so wild about some of Wheeler's detailed recommendations, he's correct that security should be a paramount goal for 5G.

Some quotes from this article and referenced reports:

"When 5G enables autonomous vehicles, do we want those cars and trucks crashing into each other because the Russians hacked the network?"

"If 5G will be the backbone of breakthroughs such as remote surgery, should that network be vulnerable to the North Koreans breaking into a surgical procedure?"

"Make the Internet safe and secure for the functioning of Government and critical services for the American people."

"5G Communications and other next generation networks designed and architected at the outset with enhanced security, connectivity, and availability."

"Decades of well-intentioned but disjointed activities have made the Internet progressively less safe for the critical services which depend upon it."

"Embrace a 'secure to market' over a 'first to market' mentality"

"Unfortunately, relying on market forces alone fails to adequately weigh the risks imposed on third parties who rely on the networks and services they provision."

"Problems known as 'market failures' can discourage investment and contribute to the insecurity of the critical communications network."

"Because of negative externalities (third parties affected by insecure IoT), the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests."

"5G will enable a massive expansion of IoT endpoints that lack the processing power and memory needed for robust security protections. Fortunately, 5G is at an early phase in its development and, if security is designed in, it may be able to mitigate the cyber risk from these IoT endpoints."

"Firms make decisions that strike a balance between the costs and benefits of cybersecurity investments for themselves. But they do not consider the additional benefit to the public at large of investing in cybersecurity. The result is a gap in cybersecurity preparedness that the market, on its own, is unlikely to fill."

"The attack surface offered by the IoT is growing rapidly, calling for concerted effort to improve security. Multiple network providers are impacted by the IoT, rendering a consistent response difficult. In addition, the multiplicity of price-competitive vendors hinders concerted efforts to build in voluntary security by design into the IoT."

More:

The Trump administration's so-called "race" with China to build new fifth-generation (5G) wireless networks is speeding toward a network vulnerable to Chinese (and other) cyberattacks. ... We cannot allow the hype about 5G to overshadow the absolute necessity that it be secure. [...] Leadership in 5G technology is not just about building a network, but also about whether that network will be secure enough for the innovations it promises. And the 5G "race" is more complex and dangerous than industry and the Trump administration portray.

When 5G enables autonomous vehicles, do we want those cars and trucks crashing into each other because the Russians hacked the network? If 5G will be the backbone of breakthroughs such as remote surgery, should that network be vulnerable to the North Koreans breaking into a surgical procedure? ...

Nowhere in the president's directive, for instance, was there a word about protecting the cybersecurity of the new network. As the President's National Security Telecommunications Advisory Committee told him in November, "the cybersecurity threat now poses an existential threat to the future of the Nation." Last January, the brightest technical minds in the intelligence community, working with the White House National Security Council (NSC), warned of the 5G cybersecurity threat. ...

https://www.dhs.gov/sites/default/files/publications/DRAFT NSTAC_ReportToThePresidentOnACybersecurityMoonshot_508c.pdf

...

Shortly after taking office, the Trump FCC removed a requirement imposed by the Obama FCC that the 5G technical standard must be designed from the outset to withstand cyberattacks. For the first time in history, cybersecurity was being required as a forethought in the design of a new network standard -- until the Trump FCC repealed it. The Trump FCC also canceled a formal inquiry seeking input from the country's best technical minds about 5G security, retracted an Obama-era FCC white paper about reducing cyberthreats, and questioned whether the agency had any responsibility for the cybersecurity of the networks they are entrusted with overseeing.

https://docs.fcc.gov/public/attachments/DOC-343096A1.pdf

The simple fact is that our wireless networks are not as secure as they could be because they weren't designed to withstand the kinds of cyberattacks that are now common. ...
------------------------------

Date: Sat, 26 Jan 2019 15:09:28 -0500
From: José María Mateos <chema () rinzewind org>
Subject: Everybody Does It: The Messy Truth About Infiltrating Computer Supply Chains (The Intercept)

https://theintercept.com/2019/01/24/computer-supply-chain-attacks/

From the article:

In October, Bloomberg Businessweek published an alarming story: Operatives working for China’s People’s Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. This allegedly gave Chinese spies clandestine access to servers belonging to over 30 American companies, including Apple, Amazon, and various government suppliers, in an operation known as a “supply chain attack,” in which malicious hardware or software is inserted into products before they are shipped to surveillance targets.

[...]

But while Bloomberg's story may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents. U.S. spy agencies were warned about the threat in stark terms nearly a decade ago and even assessed that China was adept at corrupting the software bundled closest to a computer’s hardware at the factory, threatening some of the U.S. government's most sensitive machines, according to documents provided by National Security Agency whistleblower Edward Snowden. The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies. The documents also disclose supply chain operations by German and French intelligence.

------------------------------

Date: Sat, 26 Jan 2019 18:30:14 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Digital Assistants Inside Cars Raise Serious Privacy Concerns (Fortune)

Currently automakers say they get customer permission before they use the individual data they collect for marketing or share it with third parties.

Volvo said in a statement that its technology ``takes full account of legal, security, and privacy obligations on a global scale'' and complies with a European Union law that lets residents control how their personal data is shared.

An Amazon spokesman says that the company merely shares ``anonymized, aggregated performance data to help automakers improve the customer experience'' and that it doesn’t provide personally identifiable information to car companies or developers.

BMW shares the data it collects but says it doesn’t make money from it directly. “Let’s say the person is listening to certain music, and we know there’s a big concert,” says Dieter May, senior vice president of digital products for BMW. “Then we would probably give that to our salespeople to make an offer for a special ticket.”

But even as governments and corporations begin to address security questions, it’s unclear who will control the data that is collected.

http://fortune.com/2019/01/24/the-spy-inside-your-car/

Hey, Siri -- what could go wrong?
I'm sorry Dave, I can't answer that.

------------------------------

Date: Wed, 23 Jan 2019 00:51:58 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Toilet seat sensor tracks blood pressure, stroke volume, blood oxygenation (MobiHealthNews)

A recently published study found the toilet seat's readings to align with those measured through more conventional means.

https://www.mobihealthnews.com/content/toilet-seat-sensor-tracks-blood-pressure-stroke-volume-blood-oxygenation

Risks? Privacy, multi-person households, guests...
------------------------------

Date: Sun, 27 Jan 2019 20:22:25 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: The Hidden Automation Agenda of the Davos Elite (NYT)

*This year's World Economic Forum in Davos, Switzerland, where business leaders' public positions on automation's impact on workers did not match the views they shared privately.*

EXCERPT:

They'll never admit it in public, but many of your bosses want machines to replace you as soon as possible.

I know this because, for the past week, I've been mingling with corporate executives at the World Economic Forum's annual meeting in Davos. And I've noticed that their answers to questions about automation depend very much on who is listening.

In public, many executives wring their hands over the negative consequences that artificial intelligence and automation could have for workers. They take part in panel discussions about building `human-centered AI' for the ``Fourth Industrial Revolution'' -- Davos-speak for the corporate adoption of machine learning and other advanced technology -- and talk about the need to provide a safety net for people who lose their jobs as a result of automation.

But in private settings, including meetings with the leaders of the many consulting and technology firms whose pop-up storefronts line the Davos Promenade, these executives tell a different story: They are racing to automate their own work forces to stay ahead of the competition, with little regard for the impact on workers.

All over the world, executives are spending billions of dollars to transform their businesses into lean, digitized, highly automated operations. They crave the fat profit margins automation can deliver, and they see AI as a golden ticket to savings, perhaps by letting them whittle departments with thousands of workers down to just a few dozen.

``People are looking to achieve very big numbers,'' said Mohit Joshi, the president of Infosys, a technology and consulting firm that helps other businesses automate their operations. ``Earlier they had incremental, 5 to 10 percent goals in reducing their work force. Now they're saying, `Why can't we do it with 1 percent of the people we have?' ''

Few American executives will admit wanting to get rid of human workers, a taboo in today's age of inequality. So they've come up with a long list of buzzwords and euphemisms to disguise their intent. Workers aren't being replaced by machines, they're being `released' from onerous, repetitive tasks. Companies aren't laying off workers, they're ``undergoing digital transformation.''

A 2017 survey by Deloitte found that 53 percent of companies had already started to use machines to perform tasks previously done by humans. The figure is expected to climb to 72 percent by next year.

The corporate elite's AI obsession has been lucrative for firms that specialize in `robotic process automation', or RPA. Infosys, which is based in India, reported a 33 percent increase in year-over-year revenue in its digital division. IBM's ``cognitive solutions'' unit, which uses AI to help businesses increase efficiency, has become the company's second-largest division, posting $5.5 billion in revenue last quarter. The investment bank UBS projects that the artificial intelligence industry could be worth as much as $180 billion by next year.

Kai-Fu Lee, the author of `AI Superpowers' and a longtime technology executive, predicts that artificial intelligence will eliminate 40 percent of the world's jobs within 15 years. In an interview, he said that chief executives were under enormous pressure from shareholders and boards to maximize short-term profits, and that the rapid shift toward automation was the inevitable result.

*The Milwaukee offices of the Taiwanese electronics maker Foxconn, whose chairman has said he plans to replace 80 percent of the company's workers with robots in five to 10 years.*

``They always say it's more than the stock price. But in the end, if you screw up, you get fired.''

Other experts have predicted that AI will create more new jobs than it destroys, and that job losses caused by automation will probably not be catastrophic. They point out that some automation helps workers by improving productivity and freeing them to focus on creative tasks over routine ones.

But at a time of political unrest and anti-elite movements on the progressive left and the nationalist right, it's probably not surprising that all of this automation is happening quietly, out of public view.

In Davos this week, several executives declined to say how much money they had saved by automating jobs previously done by humans. And none were willing to say publicly that replacing human workers is their ultimate goal.

``That's the great dichotomy,'' said Ben Pring, the director of the Center for the Future of Work at Cognizant, a technology services firm. ``On one hand,'' he said, profit-minded executives ``absolutely want to automate as much as they can. On the other hand, they're facing a backlash in civic society.''

For an unvarnished view of how some American leaders talk about automation in private, you have to listen to their counterparts in Asia, who often make no attempt to hide their aims.

Terry Gou, the chairman of the Taiwanese electronics manufacturer Foxconn, has said the company plans to replace 80 percent of its workers with robots in the next five to 10 years. Richard Liu, the founder of the Chinese e-commerce company JD.com, said at a business conference last year that ``I hope my company would be 100 percent automation someday.''

One common argument made by executives is that workers whose jobs are eliminated by automation can be `reskilled' to perform other jobs in an organization. They offer examples like Accenture, which claimed in 2017 to have replaced 17,000 back-office processing jobs without layoffs, by training employees to work elsewhere in the company. In a letter to shareholders last year, Jeff Bezos, Amazon's chief executive, said that more than 16,000 Amazon warehouse workers had received training in high-demand fields like nursing and aircraft mechanics, with the company covering 95 percent of their expenses.

[...]

https://www.nytimes.com/2019/01/25/technology/automation-davos-world-economic-forum.html

------------------------------

Date: Thu, 17 Jan 2019 18:17:48 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Prepare for the Smart Home Fitness Revolution (WIRED)

Connected fitness started out with apps, says Tonal founder and CEO Aly Orady. ``Then we went to trackers, and then connected cardio equipment. We’re focused on the next layer, and that’s intelligence.''

These devices also simulate a sense of togetherness you can’t get from a video. Hop on the Peloton bike and you’re not just slogging through a workout, you’re joining a full-fledged party led by Alex or Cody or Jenn. One of them might ask a DJ to play records during their spin class. Another might wish you a happy birthday, or even send you a bouquet of flowers if you mention the recent passing of a loved one. (Yes, that actually happened.)

Forget wearables. The next wave of exercise tech includes home fitness machines that respond directly to you.

https://www.wired.com/story/smart-home-fitness-revolution/

The risk? Mistaking technology for intelligence?
------------------------------

Date: Thu, 24 Jan 2019 19:49:12 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Prime Challenges for Scout, Amazon's New Delivery Robot

No matter who you ask, the near-future of delivery seems to involve fleets of robots shuffling packages from stores, down sidewalks, and onto doorsteps. Robots will lug grocery bags <https://www.wired.com/story/nuro-grocery-delivery-robot/> from market to kitchen; they'll begin to replace humans delivering take-out <https://www.wired.com/story/postmates-delivery-robot-serve/> and dropping off parcels. And soon, your Amazon Prime packages may show up courtesy of Scout, Amazon's new six-wheeled autonomous delivery robot built to withstand the sidewalk.

https://www.wired.com/story/amazon-new-delivery-robot-scout/

I'm in a DC suburb (VA) with spotty/inconsistent sidewalks. Is that a bigger or smaller risk than cities with funloving teenagers? Article didn't say what defensive weapons these things carry, whether they're self-righting if tipped over, and if they can signal distress.

------------------------------

Date: Wed, 23 Jan 2019 00:47:55 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why Uber wants to build scooters and bikes that can drive themselves (Ars Technica)

Uber is looking to hire people to help it develop autonomous scooter and bike technology, according to Wired-editor-turned-robotics-entrepreneur Chris Anderson. The goal would be to allow bikes and scooters to "drive themselves to charging or better locations." People interested in joining the project can fill out this form <http://t.uber.com/micromobility_robotics>.

https://arstechnica.com/cars/2019/01/uber-wants-bicycles-and-scooters-that-can-drive-themselves-to-recharge/

The risks? If you have to ask...

------------------------------

Date: Mon, 21 Jan 2019 19:44:13 -0800
From: Monty Solomon <monty () roscom com>
Subject: "Our worst fears have come true," VW Group exec wrote to Audi exec.

Four Audi executives were indicted on Thursday.
http://arstechnica.com/tech-policy/2019/01/need-for-a-large-trunk-and-a-high-end-sound-system-pushed-audi-to-cheat/

------------------------------

Date: Sun, 20 Jan 2019 00:42:47 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The World Economy Runs on GPS. It Needs a Backup Plan (Bloomberg)

https://www.bloomberg.com/news/features/2018-07-25/the-world-economy-runs-on-gps-it-needs-a-backup-plan

------------------------------

Date: Fri, 18 Jan 2019 20:36:22 -0800
From: Tim Lavoie <tim.lavoie () gmail com>
Subject: Runner found to be a hitman after GPS Watch ties him to crime scene (Runner's World)

https://www.runnersworld.com/uk/news/a25945315/mark-fellows-runner-hitman-murder/

------------------------------

Date: Fri, 18 Jan 2019 16:50:44 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Buy Bitcoin at the Grocery Store via Coinstar (Fortune)

Don’t count on using spare quarters, dimes and pennies in this case, though. Bitcoin via Coinstar can only be purchased with paper money (as much as $2,500). Investors will go to one of the company's participating machines and select the `Buy Bitcoin' option on the screen, entering their phone number.

http://fortune.com/2019/01/18/buy-bitcoin-grocery-store-coinstar/

Right next to lottery ticket vending machines. Coming next? Cash lottery winnings out as bitcoin?

------------------------------

Date: Sun, 27 Jan 2019 23:36:38 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Internet of human things: Implants for everybody and how we get there (ZDNet)

For most adults, I do not see more than basic data stored on an implant itself -- it would be a serial number/unique ID, which would be linked to the cloud provider, where encrypted user information would be stored or federated. This virtual wallet would contain credit cards, virtual ID cards for health insurance, corporate IDs, licenses, and permits.
https://www.zdnet.com/article/the-internet-of-human-things-implants-for-everybody-and-how-we-get-there/

What could go wrong?

------------------------------

Date: Wed, 23 Jan 2019 02:05:24 -0500
From: Monty Solomon <monty () roscom com>
Subject: Drone activity halts air traffic at Newark Liberty International

A spokesman for the Federal Aviation Administration said that two drones were spotted near Teterboro Airport.

https://www.washingtonpost.com/transportation/2019/01/22/drone-activity-halts-air-traffic-newark-liberty-international-airport/

------------------------------

Date: Sun, 27 Jan 2019 12:42:14 -0500
From: José María Mateos <chema () rinzewind org>
Subject: How Volunteers for India's Ruling Party Are Using WhatsApp to Fuel Fake News Ahead of Elections

http://time.com/5512032/whatsapp-india-election-2019/

From the article:

Ahead of national elections in April and May, India's political parties are pouring money into creating hundreds of thousands of WhatsApp group chats to spread political messages and memes. Prime Minister Narendra Modi’s ruling Bharatiya Janata Party (BJP) has drawn up plans to have three WhatsApp groups for each of India's 927,533 polling booths, according to reports. With each group containing a maximum of 256 members, that number of group chats could theoretically reach more than 700 million people out of India's population of 1.3 billion.

[...]

[A]ccording to researchers, as well as screenshots of group chats from as recently as January seen by TIME, these WhatsApp group chats frequently contain and disseminate false information and hateful rhetoric, much of which comes from forwarded messages. Experts say the Hindu nationalist BJP is fueling this trend, although opposition parties are using the same tactics.

------------------------------

Date: Wed, 23 Jan 2019 02:03:34 -0500
From: Monty Solomon <monty () roscom com>
Subject: Family says hacked Nest camera warned them of North Korean missile attack

The hack may have been the result of a compromised password.

https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/

------------------------------

Date: Wed, 23 Jan 2019 02:39:47 -0500
From: Monty Solomon <monty () roscom com>
Subject: GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains

https://arstechnica.com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/

------------------------------

Date: Wed, 16 Jan 2019 11:32:32 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Google ordered to submit search index to state sponsorship in Russia (SearchEngineLand)

via NNSquad
https://searchengineland.com/google-ordered-to-submit-search-index-to-state-sponsorship-in-russia-310533

Russian information agency Roskomnadzor is requiring Google and Bing to subject their results to government censorship. (Yandex has reportedly already complied.) A law passed last year in the country mandates that search engine results be filtered through the federal state information system (FGIS).

Russia increases Internet censorship. The new Russian situation is comparable to Chinese rules requiring Internet companies to censor results to block officially undesirable or threatening information. In addition to censoring online content, China is using Internet and mobile technology to spy on its citizens.

------------------------------

Date: Sat, 19 Jan 2019 21:03:42 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why Hackers Had Thousands of DNA Tests Delivered to Random People Over the Holidays (Fortune)

http://fortune.com/2019/01/17/hackers-send-dna-test-kits/

The risk? Complex scams leveraging business/marketing practices...
------------------------------

Date: Sat, 26 Jan 2019 11:40:28 -0500
From: Monty Solomon <monty () roscom com>
Subject: The Duty to Read the Unreadable

https://papers.ssrn.com/sol3/papers.cfm%3Fabstract_id%3D3313837

Abstract

The duty to read doctrine is a well-recognized building block of U.S. contract law. Under this doctrine, contracting parties are held responsible for the written terms of their contract, whether or not they actually read them. The application of duty to read is especially interesting in the context of consumer contracts, which consumers generally do not read. Under U.S. law, courts routinely impose this doctrine on consumers. However, the application of this doctrine to consumer contracts is one-sided. While consumers are expected to read their contracts, suppliers are generally not required to offer readable contracts. This asymmetry creates a serious public policy challenge. Put simply, consumers might be expected to read contracts that are, in fact, rather unreadable. This, in turn, undermines market efficiency and raises fairness concerns.

Numerous scholars have suggested that consumer contracts are indeed written in a way that dissuades consumers from reading them. This Article aims to empirically test whether this concern is justified. The Article focuses on the readability of an important and prevalent type of consumer agreements: the sign-in-wrap contract. Such contracts, which have already been the focal point of many legal battles, are routinely accepted by consumers when signing up for popular websites such as Facebook, Amazon, Uber, and Airbnb. The Article applies well-established linguistic readability tests to the 500 most popular websites in the U.S. that use sign-in-wrap agreements. We find, among other things, that effectively reading these agreements requires, on average, more than 14.5 years of education. This result is troubling, given that the majority of U.S. adults read at an 8th-grade level. These empirical findings hence have significant implications for the design of consumer contract law.

------------------------------

Date: Sun, 27 Jan 2019 23:31:33 -0500
From: Monty Solomon <monty () roscom com>
Subject: Amazon software works best on white men, study says (WashPost)

The new research is raising concerns about how biased results could tarnish the artificial-intelligence technology's exploding use by police and in public venues, including airports and schools.

https://www.washingtonpost.com/technology/2019/01/25/amazon-facial-identification-software-used-by-police-falls-short-tests-accuracy-bias-new-research-finds/

------------------------------

Date: Sun, 27 Jan 2019 20:14:31 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Risks of Deepfake videos

EXCERPTS:

If you see a video of a politician speaking words he never would utter, or a Hollywood star improbably appearing in a cheap adult movie, don't adjust your television set -- you may just be witnessing the future of "fake news."

"Deepfake" videos that manipulate reality are becoming more sophisticated due to advances in artificial intelligence, creating the potential for new kinds of misinformation with devastating consequences.

As the technology advances, worries are growing about how deepfakes can be used for nefarious purposes by hackers or state actors.

"We're not quite to the stage where we are seeing deepfakes weaponized, but that moment is coming," Robert Chesney, a University of Texas law professor who has researched the topic, told AFP.

Chesney argues that deepfakes could add to the current turmoil over disinformation and influence operations.

"A well-timed and thoughtfully scripted deepfake or series of deepfakes could tip an election, spark violence in a city primed for civil unrest, bolster insurgent narratives about an enemy's supposed atrocities, or exacerbate political divisions in a society," Chesney and University of Maryland professor Danielle Citron said in a blog post for the Council on Foreign Relations.

*Digital manipulation may be good for Hollywood but new "deepfake" techniques could create a new kind of misinformation, according to researchers.*

Paul Scharre, a senior fellow at the Center for a New American Security, a think tank specializing in AI and security issues, said it was almost inevitable that deepfakes would be used in upcoming elections.

A fake video could be deployed to smear a candidate, Scharre said, or to enable people to deny actual events captured on authentic video.

With believable fake videos in circulation, he added, "people can choose to believe whatever version or narrative that they want, and that's a real concern."

[...]

https://www.afp.com/en/news/717/misinformation-woes-could-multiply-deepfake-videos-doc-1cn3in2

------------------------------

Date: Thu, 17 Jan 2019 14:51:21 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Here's how you can stay clear of online scams (CNET)

[Scammers everywhere]

CNET Magazine: Don't get fooled like he was.

The story doesn't end here, because Hal said he never had an eBay account. It turns out, he'd been scammed too. In his case, it was by an online "girlfriend" he'd never met — not even through video chats. Hal was the unwitting victim of a well-known scheme to dupe people into forwarding items bought in their name outside the country.

https://www.cnet.com/news/heres-how-you-can-stay-clear-of-online-scams/

Scammers are creative. Of course, old scams still work too -- I just heard that friend-of-friend fell for "grandson kidnapped" routine -- had never heard of it. Was told to wrap $2000/$3000 in separate bundles, send via FedEx, did. Fortunately, her son -- a cop! -- was able to intercept the package.

------------------------------

Date: Sun, 27 Jan 2019 16:09:12 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC to Scrap User Consent - Motherboard

Zumigo, which sold the location data of American cell phone users, wanted the FCC to remove requirements around user consent.

Another slide adds, “We strongly believe that if consumers understood the vulnerabilities they face, and their carrier’s ability to help prevent it, they would want the carrier data to be shared in order to keep them safe.”

https://motherboard.vice.com/en_us/article/vbwgw8/zumigo-phone-location-data-sold-lobbied-fcc-consent

For our own good, yes.
------------------------------

Date: Tue, 22 Jan 2019 09:36:54 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Researchers discover state actor's mobile malware efforts because of YOLO OPSEC (Ars Technica)

*Ran malware on own phones as test, uploading all their WhatsApp messages, other data.*

At the Shmoocon security conference here on January 19, two researchers from the mobile security provider Lookout revealed the first details of a mobile surveillance effort run by a yet-to-be-named state intelligence agency that they had discovered by exploring the command-and-control infrastructure behind a novel piece of mobile malware. In the process of exploring the malware's infrastructure, Lookout researchers found iOS, Android, and Windows versions of the malware, as well as data uploaded from a targeted phone's WhatsApp data. That phone turned out to be one that belonged to one of the state-backed surveillance efforts -- and the WhatsApp messages and other data found on the server provided a nearly full contact list for the actors and details of their interactions with commercial hacking companies and eventual decision to build their own malware. [...]

https://arstechnica.com/information-technology/2019/01/researchers-discover-state-actors-mobile-malware-efforts-because-of-yolo-opsec/

------------------------------

Date: Fri, 18 Jan 2019 07:11:41 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: 1000 Vulnerable Cranes

It's easier to RF hack an industrial crane than to hack a garage door opener. $40-60 of RF parts gives you control.

Recommendation: off-the-shelf open source protocols rather than proprietary roll-your-own "security through obscurity" protocols. But you already knew that.

Here are some selected paragraphs from a recent report.
https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf

A Security Analysis of Radio Remote Controllers for Industrial Applications

Our research shows that there is a discrepancy between the consumer and industrial worlds. In the consumer world, the perceived risks have pushed the vendors to find reasonably secure, albeit imperfect, solutions such as rolling codes. In the industrial world, where the assets at risk are much more valuable than a fancy house or car, there seems to be less awareness.

By exploiting various vulnerabilities that we discovered, we were able to move full-sized cranes deployed in production at construction sites, factories, and transportation businesses. In all of the cases, we were able to confirm and run the attacks very quickly. In each of the cases, we were able to switch on the controlled industrial machine even after the operator had issued an e-stop, which put the machine in a "stop" state.

Apart from leaked schematics, the only available "technical" documentation is limited to user manuals, and we are unaware of any public research about the digital security risks in this space. We hope that our findings will inspire the RF- and hardware-hacking communities to continue looking at these protocols, and to encourage vendors to focus on open, standard RF protocols.

In conclusion, given that the kind of machinery these remote controllers are managing can be dangerous if hijacked or disabled, manufacturers need to start thinking about moving to stronger open-source protocols rather than relying on security through obscurity. It could be challenging to balance the almost real-time requirements and secure RF transmission, but the hardware technology is there, ready to be used.
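The two weaknesses the report describes, fixed-code frames that can be recorded and replayed and an e-stop that a later command can override, are exactly what a receiver-side check with a monotonic counter, an authentication tag and a latched e-stop prevents. The following is an added example written for this digest, not code from the Trend Micro paper or from any crane vendor; the shared key, controller id, command codes and frame layout are all constructed for illustration.

```python
"""Receiver-side checks for an authenticated, counter-based RF command frame.

Added example (not from the Trend Micro paper or the RISKS post): the shared
key, controller id, command codes and frame layout are constructed here.
"""
import hashlib
import hmac
import struct

# Constructed 128-bit shared key; a real system would provision one per
# controller at pairing time and never transmit it over the air.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Command codes (constructed for this example)
CMD_STOP = 0x00     # halt motion; does not clear the e-stop latch
CMD_FORWARD = 0x01  # a motion command
CMD_RESET = 0x02    # deliberate operator action that clears the e-stop latch
CMD_ESTOP = 0xFF    # emergency stop

FRAME_LEN = 2 + 4 + 1 + 8  # id | counter | command | truncated tag


def build_frame(key: bytes, controller_id: int, counter: int, command: int) -> bytes:
    """Transmitter side: big-endian id(2) | counter(4) | command(1) | tag(8).

    The tag is the first 8 bytes of HMAC-SHA256 over the first three fields,
    so neither the counter nor the command can be altered without the key.
    """
    body = struct.pack(">HIB", controller_id, counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class Receiver:
    """Machine-side receiver: verifies authenticity, rejects replays, latches e-stop."""

    def __init__(self, key: bytes, controller_id: int):
        self.key = key
        self.controller_id = controller_id
        self.last_counter = 0   # highest counter value accepted so far
        self.estopped = False   # stays True until an authentic CMD_RESET arrives

    def accept(self, frame: bytes):
        """Return (accepted, reason). Only authentic, fresh frames advance the counter."""
        if len(frame) != FRAME_LEN:
            return False, "bad length"
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        # Constant-time compare: a forged or tampered frame fails here.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        cid, counter, command = struct.unpack(">HIB", body)
        if cid != self.controller_id:
            return False, "wrong controller"
        # Monotonic counter: a recorded frame replayed later carries a stale value.
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        if command == CMD_ESTOP:
            self.estopped = True
            return True, "e-stop latched"
        if command == CMD_RESET:
            self.estopped = False
            return True, "ok"
        # While latched, even a fresh, authentic motion command must not restart the machine.
        if self.estopped and command != CMD_STOP:
            return False, "e-stopped"
        return True, "ok"


if __name__ == "__main__":
    rx = Receiver(KEY, 0x0001)
    fwd = build_frame(KEY, 0x0001, 1, CMD_FORWARD)
    print(rx.accept(fwd))                                       # (True, 'ok')
    print(rx.accept(fwd))                                       # (False, 'replay')
    print(rx.accept(build_frame(KEY, 0x0001, 2, CMD_ESTOP)))    # (True, 'e-stop latched')
    print(rx.accept(build_frame(KEY, 0x0001, 3, CMD_FORWARD)))  # (False, 'e-stopped')
```

HMAC-SHA256 is used here only because it is in the Python standard library; a constrained RF transceiver would more likely use a lightweight AEAD, but the counter-plus-tag structure and the e-stop latch are what matter.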
------------------------------

Date: Thu, 24 Jan 2019 10:30:42 -0500
From: José María Mateos <chema () rinzewind org>
Subject: When your landlord installs smart locks

I don't particularly like to use Twitter threads as sources (all of them will go away when Twitter (hopefully soon) implodes), but this is quite on point:

https://twitter.com/hacks4pancakes/status/1086000837615382529

------------------------------

Date: Mon, 28 Jan 2019 12:37:26 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Hundreds of popular cars at risk from key compromise

https://www.bbc.com/news/business-47023003

New cars are more secure than ever, and the latest technology has helped bring down theft dramatically with, on average, less than 0.3% of the cars on our roads stolen. Criminals will always look for new ways to steal cars; it's an ongoing battle and why manufacturers continue to invest billions in ever more sophisticated security features -- ahead of any regulation. However, technology can only do so much and we continue to call for action to stop the open sale of equipment with no legal purpose that helps criminals steal cars.

Prohibition didn't work for booze; why should it be expected to succeed for {RFID, WiFi, or Bluetooth}-enabled vehicle heists?

https://www.statista.com/statistics/859950/vehicles-in-operation-by-quarter-united-states/ estimates that ~263M vehicles were in operation during the 1st quarter of 2017. This implies, assuming they are equally vulnerable to RFID/Bluetooth access theft: ~789K thefts.

https://ucr.fbi.gov/crime-in-the-u.s/2017/preliminary-report/cius-2017-preliminary-excel-tables.zip shows that for the 6 month period, an estimated 289K vehicle thefts were reported within the 50 US states with cities of 100K people or greater; a vehicle theft each 50 seconds or so.
------------------------------

Date: Mon, 21 Jan 2019 09:21:08 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Coming Soon to a Police Station Near You: The DNA 'Magic Box' (NYT)

*With Rapid DNA machines, genetic fingerprinting could become as routine as the old-fashioned kind. But forensic experts see a potential for misuse.*

... many legal experts and scientists are troubled by the way the technology is being used. As police agencies build out their local DNA databases, they are collecting DNA not only from people who have been charged with major crimes but also, increasingly, from people who are merely deemed suspicious, permanently linking their genetic identities to criminal databases. [...]

If the Rapid DNA system has flaws, now is the moment to address them, many experts argue. Peter Stout, president of the Houston Forensic Science Center, was left with concerns after completing a Rapid DNA pilot program with the Houston Police Department last February. ``We need fast and cheap. It also needs to be right.''

https://www.nytimes.com/2019/01/21/science/dna-crime-gene-technology.html

------------------------------

Date: Fri, 25 Jan 2019 09:56:31 -0500
From: José María Mateos <chema () rinzewind org>
Subject: An IoT security mailing list

I think regular RISKS readers might be interested in a new mailing list devoted to IoT security:

http://www.firemountain.net/mailman/listinfo/dumpsterfire

Initial message and administrivia:

http://www.firemountain.net/pipermail/dumpsterfire/2019-January/000000.html

------------------------------

Date: Sat, 19 Jan 2019 16:32:11 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: Japan to regulate foreign companies' use of e-mail content

It's already illegal for domestic companies to use the content of users' e-mail. Government is now planning to apply this to foreign companies like Google and Facebook. Almost makes me want to move to Japan.
http://the-japan-news.com/news/article/0005488933

------------------------------

Date: Sun, 27 Jan 2019 11:16:26 +0000
From: Neil Youngman <neil.youngman () youngman org uk>
Subject: Facebook "real names" policy forces you to sign up with a fake name

RISKS readers are familiar with Facebook's Orwellian "real names" policy. I didn't realise how poor the implementation is. I only discovered when my daughter wanted to sign up that it's so bad that many people will be forced to sign up with a fake name to get around it.

When my daughter wanted to sign up, Facebook decided that it didn't like her name. The help pages are pretty useless and there is no real indication of why. You have to guess why the name is rejected, but the solution appears to be to go through the name verification process. The "clever" bit is that there seems to be no way to start the name verification process until you create an account, so you have to make up a name that it will accept and use that to create the account.

At this point I'm guessing that a lot of people don't bother to verify their real name and continue with the fake name. I can think of at least 2 of my Facebook friends using names that aren't "the name they go by in everyday life" (https://www.facebook.com/help/112146705538576). Good guess that it's either not worth the effort of verifying their real name, or because their official documents use a different form of their name to the one they normally use in real life.

As currently implemented the policy seems to prevent you signing up with an unusual name, but pretty much anybody can sign up as Paul Smith with no checks.

------------------------------

Date: Sat, 19 Jan 2019 20:59:00 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Reaction to the #10YearChallenge circulating on Facebook: Nope.

He writes: Perhaps I am a curmudgeon.
In my view, the meme, which prompts people to post before-and-after photos of themselves on Facebook <https://click.email.fortune.com/%3Fqs%3D449fa3686574c81be466f38d7c0cebbbe083520f6bf4d366ddb2482a4d929c0691638fbad4d87d593874c9eaaa6ffeb4c09fa97b64b0f52e>, Instagram, and other social media sites, is no better than a data-siphoning social engineering attempt. The viral campaign exploits our vanity, encouraging us to surrender images of ourselves from a decade ago. People just happen to be packaging the chronology of their physiognomy in a usable format for machines to parse.

https://view.email.fortune.com/%3Fqs%3D0201bad8c93739fd5962676018096aced0f8602d66109218173392a5b675b1535d006a5a5b019814f916959e973fb36f41b44d801423e04d1e0e6b4a4119a8d65899f9866c6d8e60

The risk? Willingly feeding the beast.

------------------------------

Date: Sat, 26 Jan 2019 22:32:11 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: How Reserved Storage Works in the Next Version of Windows 10

In a blog post, Microsoft stated that Reserved Storage will be available only on devices that come with Windows 10 19H1 (version 1903) pre-installed or those where 1903 was clean installed. Those who upgrade to the next version will not utilize this feature.

Problems with the current update process

In Windows 10 October 2018 Update or older, if a user begins to run out of storage space, Windows may not run smoothly and many apps may not work as expected. Even worse, Microsoft has had a rough track record recently when it comes to updates and those who have no free space may not be able to install updates correctly.

https://www.bleepingcomputer.com/news/microsoft/how-reserved-storage-works-in-the-next-version-of-windows-10/

It took 10 versions to notice?
------------------------------

Date: Thu, 24 Jan 2019 00:36:12 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Security, Compliance Add-Ons Offered to Microsoft 365 Users

Two new security and compliance packages are available at extra cost to protect enterprise Microsoft 365 users from wider threats.

https://www.eweek.com/enterprise-apps/microsoft-bolstering-security-compliance-with-microsoft-365-add-ons

------------------------------

Date: Sun, 20 Jan 2019 16:51:01 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: US Patent for Drone delivery of coffee based on a cognitive state of an individual

Patent (Patent # 10,040,551 issued August 7, 2018) - Justia Patents Search

Coffee or other drink, for example a caffeine containing drink, is delivered to individuals that would like the drink, or who have a predetermined cognitive state, using an unmanned aerial vehicle (UAV)/drone.
The drink is connected to the UAV, and the UAV flies to an area including people, and uses sensors to scan the people for an individual who has gestured that they would like the drink, or for whom an electronic analysis of sensor data indicates to be in a predetermined cognitive state. The UAV then flies to the individual to deliver the drink. The analysis can include profile data of people, including electronic calendar data, which can be used to determine a potentially predetermined cognitive state.

https://patents.justia.com/patent/10040551

https://www.inc.com/geoffrey-james/the-best-invention-of-2018-is-ibm-coffee-drone.html -- note graphics

https://www.popularmechanics.com/flight/drones/a22813997/ibm-patent-coffee-delivery-drone/

...so this is how IBM wins the patents battle every year.

------------------------------

Date: Thu, 24 Jan 2019 00:28:07 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Did Australia Hurt Phone Security Around the World? (NYTimes)

But politicians said the risk of encryption technology's being used by terrorists was too significant. Prime Minister Malcolm Turnbull of Australia said in July, "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

https://www.nytimes.com/2019/01/22/technology/australia-cellphone-encryption-security.html

------------------------------

Date: Wed, 23 Jan 2019 07:53:53 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Location-Based Little Brothers

A Chinese WeChat app displays the people in your vicinity who are in debt.

Given the data publicly available (or via Facebook/Google/Twitter API's), consider the endless possibilities for future apps:

* Find My Credit Scores - notifies you of the credit scores of those around you (thanks, Experian!!)
* Find My Sugar Daddy / Find My Gold Digger - notifies you of the financial capacity of the people around you
* Find My Real Daddy - utilizing 23&me DNA data, notifies you of genetic relationships of the people around you
* Find My Sex Offender - notifies you if a registered sex offender is nearby
* Find My Felon - notifies you of the arrest history of those around you and pulls up mugshots
* Find My Ex's - notifies you if a previous lover is nearby
* Find MeToo - notifies you if someone nearby was blacklisted as an *alleged* sexual harasser by someone
* Find My Pwned - notifies you if someone nearby has been pwned and provides password(s)
* Find My Echo Chamber - identifies the political party registration of those nearby
* Find My Immigrant - check the E-Verify status of those nearby
* Improve My Gaydar - obvious

Once these apps surface, you'll probably never leave your house again!

http://www.chinadaily.com.cn/a/201901/16/WS5c3edfb8a3106c65c34e4d75.html

Hebei court unveils program to expose deadbeat debtors
Zhang Yu in Shijiazhuang, chinadaily.com.cn, 16 Jan 2019:

Deadbeat debtors in North China's Hebei province will find it more difficult to abscond as the Higher People's Court of Hebei on Monday introduced a mini-program on WeChat targeting them.

Called "a map of deadbeat debtors", the program allows users to find out whether there are any debtors within 500 meters. The debtor's information is available to check in the program, making it easier for people to whistle-blow on debtors capable of paying their debts.

"It's a part of our measures to enforce our rulings and create a socially credible environment," said a spokesman of the court.

------------------------------

Date: Wed, 23 Jan 2019 07:48:10 -0500
From: Monty Solomon <monty () roscom com>
Subject: How We Destroy Lives Today (NYTimes)

https://www.nytimes.com/2019/01/21/opinion/covington-march-for-life.html

Will the Covington Catholic High School fiasco change social media?
------------------------------

Date: Wed, 23 Jan 2019 07:53:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: Covington and the Pundit Apocalypse (NYTimes)

https://www.nytimes.com/2019/01/22/opinion/covington-teenagers-twitter.html

Our hasty condemnation of these teenagers reveals the cold truth about hot takes.

------------------------------

Date: Sun, Jan 20, 2019 at 3:27 PM
From: Vint Cerf <vint () google com>
Subject: Re: A Simple Bug Makes It Easy to Spoof Google Search Results into Spreading Misinformation (RISKS-31.03)

Bug has been fixed.

------------------------------

Date: Thu, 17 Jan 2019 12:25:03 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: How three rude iPhone users ruined an evening (Wirchenko, RISKS-31.03)

Thank Apple for removing the jack from their iPhones. I carry around a lot of <$5 earbuds for my own use on airplanes & my digital audio player, so I'm happy to donate them to someone to listen privately. Cheap headphones for modern USB and Bluetooth never materialized, so I'm not about to carry around $100 earbuds to donate.

------------------------------

Date: Thu, 24 Jan 2019 09:28:05 -0500
From: Gene Spafford <spaf () purdue edu>
Subject: Cyber Security Hall of Fame Nominations now open

The Cyber Security Hall of Fame was on hiatus while stable funding was secured. That has happened, and nominations are open for the class of 2019.

[Stable funding? Who's horsing around here while there is always room for more in the ever-growing stable of honorees? PGN]

Current honorees are listed at http://www.cybersecurityhalloffame.com

Help by nominating qualified candidates! See bit.ly/CSHOFNom http://bit.ly/CSHOFNom for details of nominations. Help spread the word.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest.
Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume. If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.04
************************