Risks Digest 31.42
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 13 Sep 2019 15:57:43 PDT
RISKS-LIST: Risks-Forum Digest  Friday 13 September 2019  Volume 31 : Issue 42

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.42>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
CIA source pulled from Russia had confirmed Putin ordered 2016 meddling
  (Zack Budryk/The Hill)
Open Privacy discovers unencrypted patient medical information broadcast
  across Vancouver (Open Privacy Research Society)
Blockchains and Cryptocurrency (Nick Weaver)
Bank of America less than charitable to charity that says it was hacked
  (BostonGlobe)
Sysadmins Scramble to Secure 5M Exim Email Servers (Security Boulevard)
3-D Printers Could Help Spread Weapons of Mass Destruction
  (Scientific American)
The Next Generation of Airbus Aircraft Will Track Your Bathroom Visits (Time)
Why a cup of coffee forced a plane to make an unplanned landing (WashPost)
Chinese police sniff out a fugitive -- literally -- in the case of the
  telltale hot pot (WashPost)
Apple makes changes to kids app guidelines after criticism from developers
  (WashPost)
Alabama is penalizing students for leaving football games early.
  Is that normal? (WashPost)
Sorry, general AI is still a long, long way off (Mary Branscombe)
Re: Russia-Ukraine power-grid blackout (Gabe Goldberg)
Re: Robot hires human being in world first as AI conducts job interview
  (Amos Shapir)
Re: Hackers short-change themselves; 21st century UK NHS (Chris Drewe)
Re: Tweet from Fridge: possible but probably not in this case (Anthony Thorn)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 10 Sep 2019 14:52:01 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: CIA source pulled from Russia had confirmed Putin ordered 2016
  meddling (Zack Budryk/The Hill)

The Voting News Daily, a news service of Verified Voting

A CIA asset reportedly pulled from Russia in 2017 played a major role in the
agency's determination that Russian President Vladimir Putin personally
ordered Moscow's meddling in the 2016 election, according to *The New York
Times*.

The informant, while not in Putin's inner circle, interacted with him
regularly and was privy to decision-making at high levels of the Russian
government, according to The Times. Information on the informant's identity
was so carefully guarded that it was kept out of then-President Obama's daily
security briefings in 2016, instead transmitted in separate sealed envelopes.

In 2016, high-level CIA officials ordered a full review of the source's
record and grew suspicious he might have become a double agent after he
rejected an offer of exfiltration from the agency, according to the Times.
Other officials said these concerns were alleviated when the source was
offered a second time and accepted.

  [The original source is this:
    Julian E. Barnes, Adam Goldman and David E. Sanger
    CIA Informant Extracted From Russia Had Sent Secrets to U.S. for Decades
    *The New York Times*, 10 Sep 2019 (updated from the previous day)
  Also of related interest are op-ed pieces by Michelle Goldberg and
  Paul Krugman in The NYT on 10 Sep 2019.
  PGN]

------------------------------

Date: Tue, 10 Sep 2019 08:08:08 -0400
From: José María /Chema/ Mateos <chema () rinzewind org>
Subject: Open Privacy discovers unencrypted patient medical information
  broadcast across Vancouver (Open Privacy Research Society)

https://openprivacy.ca/blog/2019/09/09/open-privacy-discovers-vancouver-patient-medical-data-breach/

The Open Privacy Research Society has discovered that the sensitive medical
information of patients being admitted to certain hospitals across the
Greater Vancouver Area is being broadcast, unencrypted, by hospital paging
systems, and that these broadcasts are trivially interceptable by anyone in
the Greater Vancouver Area.

The data being broadcast includes the patient's name, age, gender marker,
diagnosis, their attending doctor and room number. Other broadcasts regarding
medical tests such as x-rays are often associated with a patient's last name
or medical number, exposing their progression through hospital departments.
Some broadcasts appear to contain freeform text, allowing other sensitive
information to be entered as well.

We have been able to confirm the authenticity of this data by
cross-referencing records with public obituaries.

------------------------------

Date: Tue, 10 Sep 2019 13:51:26 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Blockchains and Cryptocurrency (Nick Weaver)

Nick Weaver has been an occasional contributor to RISKS over the past 23
years, and is the author of the CACM Inside Risks article #244, Risks of
Cryptocurrencies, CACM June 2018
  http://www.csl.sri.com/neumann/insiderisks.html
-- or directly at
  http://www.csl.sri.com/neumann/cacm244.pdf

This month's IEEE Computer Society *edge* magazine (September 2019, pp 23-26,
www.computer.org/computingedge) condenses Nick's Silver Bullet podcast
interview with Gary McGraw, and succinctly updates the above-mentioned Inside
Risks article. I recommend the *edge* interview for anyone unclear about the
RISKS-related issues that are associated with blockchains and
cryptocurrencies. PGN

------------------------------

Date: Tue, 10 Sep 2019 20:39:31 -0400
From: Monty Solomon <monty () roscom com>
Subject: Bank of America less than charitable to charity that says it was
  hacked (BostonGlobe)

https://www.bostonglobe.com/business/2019/09/09/the-fine-print-bank-america-less-than-charitable-charity-that-says-was-hacked/IENfpHpEkjTf0rzvpzHbfJ/story.html

------------------------------

Date: Tue, 10 Sep 2019 20:14:17 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Sysadmins Scramble to Secure 5M Exim Email Servers
  (Security Boulevard)

https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/

------------------------------

Date: Wed, 11 Sep 2019 17:00:06 +0800
From: Richard Stein <rmstein () ieee org>
Subject: 3-D Printers Could Help Spread Weapons of Mass Destruction
  (Scientific American)

https://www.scientificamerican.com/article/3-d-printers-could-help-spread-weapons-of-mass-destruction/

``In the mid-1990s boy scout David Hahn used household objects and his
scientific knowledge to start building a nuclear reactor in his backyard.
Police and the Environmental Protection Agency stopped him before he could
finish. Twenty years later, revolutions in manufacturing and computing have
made projects such as Hahn's a lot more feasible; if he had access to a 3-D
printer, for example, he might have finished his reactor before authorities
intervened. Modern technologies also mean one does not need to be as smart as
Hahn to create at least some kinds of DIY weapons. With the right machine and
blueprints anyone can build a handgun in their living room -- and firearms
are just the beginning. Researchers fear that artificial intelligence and 3-D
printing might one day create, on demand, weapons of mass destruction.''

The WMD Do-It-Yourself kit is a frightening possibility. Can a 3-D printer
enable WMD deployment of a chemical or biological device?

Thanks to Graham Allison's efforts, and the Nunn-Lugar Cooperative Threat
Reduction legislation of 1991, WMD material (enriched uranium and plutonium,
biological/chemical) became more difficult to acquire as the Soviet Union
disintegrated. Threat reduction implementation tapered substantially after
Russia annexed Crimea.
https://en.m.wikipedia.org/wiki/Nunn%E2%80%93Lugar_Cooperative_Threat_Reduction

------------------------------

Date: Fri, 13 Sep 2019 21:42:13 +0800
From: Richard Stein <rmstein () ieee org>
Subject: The Next Generation of Airbus Aircraft Will Track Your Bathroom
  Visits (Time)

https://time.com/5675566/airbus-airplane-bathroom-tracker/

``The Airbus Connected Experience aims to give flight attendants a more
detailed survey of the cabin, with sensors for such critical data as when
bathroom soap is running low and how much toilet paper remains in each
bathroom. But the rethinking of the passenger environment doesn't just stop
with the lavatory. At each seat, your belt will signal red for unbuckled and
green when fastened. The goal is faster boarding and departure, dispensing
with those lap-scrutinizing walk-throughs flight attendants must perform.
The crew will also have access to information on what's onboard and where,
like which galley carts contain specific meals, such as pre-orders or
vegetarian selections.''

What happens if there's a faulty or intermittent seat belt lock/unlock
sensor? Will each flier be required to wear an RFID tag that is scanned when
entering and exiting the toilet? Will airlines compile a passenger
`compliance score' and use it to raise or lower ticket prices, or deny
purchase, based on profiled compliance history?

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Fri, 13 Sep 2019 11:18:48 -0400
Subject: Why a cup of coffee forced a plane to make an unplanned landing
  (WashPost)

A new safety bulletin from the British government shows that an unplanned
landing in Ireland was caused by coffee that spilled on a control panel in
the cockpit. The airline says it is now providing lids for coffee.

https://www.washingtonpost.com/travel/2019/09/12/why-spilled-cup-coffee-forced-plane-make-an-unplanned-landing/

------------------------------

Date: Fri, 13 Sep 2019 11:35:07 -0400
From: Monty Solomon <monty () roscom com>
Subject: Chinese police sniff out a fugitive -- literally -- in the case of
  the telltale hot pot (WashPost)

China leads the world in facial recognition tech but sometimes police just
use their noses as well.

https://www.washingtonpost.com/world/asia_pacific/chinese-police-sniff-out-a-fugitive--literally--in-the-case-of-the-telltale-hot-pot/2019/09/12/86db31a8-d521-11e9-ab26-e6dbebac45d3_story.html

------------------------------

Date: Fri, 13 Sep 2019 11:36:51 -0400
From: Monty Solomon <monty () roscom com>
Subject: Apple makes changes to kids app guidelines after criticism from
  developers (WashPost)

https://www.washingtonpost.com/technology/2019/09/12/apple-makes-changes-kids-app-guidelines-following-criticism-developers/

------------------------------

Date: Fri, 13 Sep 2019 11:37:50 -0400
From: Monty Solomon <monty () roscom com>
Subject: Alabama is penalizing students for leaving football games early.
  Is that normal? (WashPost)

Plenty of schools have incentive programs for students who attend games, but
ones who give demerits for early exits are harder to find.

https://www.washingtonpost.com/sports/2019/09/13/alabama-is-penalizing-students-leaving-football-games-early-is-that-normal/

------------------------------

Date: Thu, 12 Sep 2019 10:09:19 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: Sorry, general AI is still a long, long way off (Mary Branscombe)

  [On the limits of computer searching:]

Mary Branscombe for 500 words into the future, ZDNet, 12 Sep 2019

Artificial intelligence might have passed a school science test but when
everyday tasks are still well beyond its ability, we can't even talk about
building general purpose AI.

https://www.zdnet.com/article/sorry-general-ai-is-still-a-long-long-way-off/

opening text:

For the last few weeks, we've been watching a plant grow on our windowsill.
A seed blew into the window box and took root, and started to shoot up.
There was nothing growing in that end-of-the-window box, so we left it until
we could see whether it was a weed or a nice plant. The seed had been long
and black, and the stem grew tall and spindly. Once we could see a few
leaves, I started searching the web for a plant with a long, hairy stem and
long, pointed leaves springing alternately from the stem, that grow in the UK
from long black seeds, that are pointy at one end and round at the other.

If you described that to a botanist or a gardener, they would tell you
immediately that it was probably a sunflower, but I didn't get any useful
results from searching by the description. In fact, none of the lists of UK
plants with hairy stems or alternate leaf-growth patterns that I did find
included the sunflower. It wasn't until we could see the flower forming and
looking very like a sunflower that I could search for 'sunflower hairy stem'
and get a description telling me that sunflowers have long, hairy stems and
leaves growing alternately from the stem.

Once I knew what I wanted, the machine learning behind the search engine
could tell me about it, but it couldn't take my description and tell me what
I was looking at.

------------------------------

Date: Thu, 12 Sep 2019 18:58:53 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Russia-Ukraine power-grid blackout (WiReD)

A fresh look at the 2016 blackout in Ukraine suggests that the cyberattack
behind it was intended to cause far more damage.

https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/

------------------------------

Date: Tue, 10 Sep 2019 17:32:47 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Robot hires human being in world first as AI conducts job
  interview (RISKS-31.41)

For the past 20 years or so, many large companies have tried to match
candidates with positions by automatic processes to scan CV's for keywords;
this method may be faster, but may miss candidates who would do an excellent
job, but whose CV does not contain *exactly* the same keywords a manager had
to come up with to describe the job.

Thus, much of the interview process is already done by robots; however the
new method misses an even more important aspect: getting a candidate
acquainted with the people s/he's going to be working with.

(Though in this case, the job's description seems to indicate that the newly
hired employee would be working mainly with robots anyway)

------------------------------

Date: Thu, 12 Sep 2019 22:21:47 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: Hackers short-change themselves; 21st century UK NHS (R 21 41)

1. The theft of British Airways's customer payment card details in 2018 was
widely reported, but it seems that the hackers also lost out due to the
sudden abundance of saleable information reducing the black-market value of
these details... Summary follows. The full article [not included] gives
typical black-market values for personal details; the title comes from a
comment that ``the typical profile of cyber-crime victims are well-off,
middle-aged professionals aged 35-44 with an income above 50,000 pounds
[$65,000] in managerial positions.''

https://www.telegraph.co.uk/technology/2019/09/10/rich-smart-sensibly-grown-up-hackers-dream/

  Rich, smart and sensibly grown-up? You're the hackers' dream
  Harry de Quetteville, 10 Sep 2019

  Poor hackers. British Airways's aircraft may be grounded again, but at
  least this time the company knows why: its pilots are on strike. Too often
  in recent years the company has stranded passengers because of mysterious
  IT foul-ups. The cost of some of those failures was not always immediately
  apparent. In 2018 half a million BA customers had their payment card
  details stolen. It was only later BA was hit with a huge £183m fine for
  the breach. And it now turns out it wasn't just BA and its passengers who
  suffered. Hackers did too. So many fraudulent cards hit the market after
  the data breach at BA (as well as others at Marriott, and Ticketmaster)
  that black market prices collapsed.

2. RISKS often features the problems of the latest technology, but here's an
item on the problems of *not* using this. The UK's National Health Service
(`the envy of the world') still uses fax machines, pagers, land-line
telephones, etc. for communications, which are obviously not ideal for a
large organisation dealing with a huge throughput of patients, especially as
much information is time- and life-critical. Some staff unofficially use
social networking sites like WhatsApp, but there are big RISKS here with
patient confidentiality, possibility of confusion between personal and work
information, no way of sorting incoming messages, and so forth. Working in
health is quite a high-pressure job in general of course, but if it's
difficult to make contact with other people this just raises stress levels
and wastes valuable time. This article features a junior doctor, Lydia
Yarlott, who has come up with a fix (summary follows):

https://www.cityam.com/wp-content/uploads/2019/09/CITYAM_20190910_NEW.pdf

  With WhatsApp being seen as a sort of sticking plaster to the
  communication problem, in true doctor fashion, Yarlott started concocting
  a cure. With the help of a team of technologists, she has built a secure
  instant messaging service called Forward Health designed for doctors,
  nurses, midwives, and other clinicians. Through the app, NHS staff can
  search by name or role in a hospital or clinic, share patient notes and
  photos, with everyone working off the same list. On average, the app saves
  each clinician 43 minutes per shift, which is time that would usually be
  wasted waiting for a colleague to call them back. It means that doctors
  can access the info they need anywhere in the hospital, ultimately
  allowing them to move away from paper notes.

  It's a simple idea, and remarkable that nothing like this existed in the
  NHS already, which just goes to show how far behind official hospital
  technology -- still heavily reliant on pagers -- really is. And it's
  worrying that old-fashioned and counterintuitive tech is exacerbating
  existing issues in the NHS, making the working lives of staff even harder.
  While bringing NHS tech into the modern era is vital, the organisation is
  such a vast and complex web that updating the system is painfully
  difficult -- not to mention the fact that [NHS] trusts tend to make
  standalone decisions, rather than learning from each other.

------------------------------

Date: Fri, 13 Sep 2019 00:33:35 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Re: *a seatbelt for the Internet* (Fortune, RISKS-31.41)

A serious issue is [that] your phone's precious single USB socket is rated
for only a limited amount of plugging in and out, after which it will start
to fail (bad connection, not all metal plates properly in contact). Meaning
you won't be able to charge your phone anymore -- spelling the certain demise
of your phone completely, as it would make more sense to get a fast new phone
rather than repair an old slow one.

Mom was right. See what happens after too much `phone s*x'. ``Avoid multiple
partners'' they say. Well even too much plugging in and out 'action' with the
same partner will lead to `terminal' illness, as was my experience with
MicroUSB. And I'm not going to increase my `libido' and RISK it with my new
Type C phone. I'm just not in the mood, OK?

------------------------------

Date: Tue, 10 Sep 2019 10:06:21 +0200
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Re: Tweet from Fridge: possible but probably not in this case
  (RISKS-31.41)

Re: "Bright Idea --Can't stop..." (RISKS-31.41)

This raised some questions in my mind, so here is a little follow-up, from:
https://www.theguardian.com/technology/2019/aug/13/teen-smart-fridge-twitter-grounded

"After reports emerged questioning Dorothy's account, LG confirmed that some
of its fridge models have social media capabilities, but the company could
not confirm whether Dorothy's tweet was sent from one.

``We don't know if Dorothy actually used an LG smart refrigerator to tweet,
but yes -- it is possible to access Twitter via the web browser on select LG
smart refrigerator models,'' an LG spokeswoman, Taryn Brucha, said.

Igor Brigadir, a computer researcher at University College Dublin, reviewed
the tweets for the Guardian and said that the metadata for Dorothy's Wii U
and Nintendo tweets showed that the tweets were legitimate. He said others
had used the devices to post on Twitter in the past.

But the refrigerator tweet, Brigadir said, most likely did not come from the
fridge. ``The LG fridge [tweet] was definitely manually created,'' he said.

Brigadir examined the metadata of the tweets and discovered that they were
sent through a custom Twitter app. If Dorothy had tweeted from the fridge,
Brigadir continued, the metadata would probably have said the tweet was sent
through a browser, not from a fridge. Dorothy was able to make it look like
she tweeted from the fridge because custom apps can be renamed on Twitter to
make tweets appear as though they were sent from different devices.

``For me, the thing that seals it is the fact that nobody else ever made any
other tweets from that fridge, whereas, for the Wii U and Nintendo clients,
there's fresh tweets daily,'' Brigadir added.

  [Amos Shapir notes that this is rather old news -- and probably fake:
    https://www.buzzfeednews.com/article/stephaniemcneal/dorothy-fridge-tweets
  PGN]

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.42
************************