RISKS Forum mailing list archives
Risks Digest 31.48
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 25 Nov 2019 14:27:51 PST
RISKS-LIST: Risks-Forum Digest Monday 25 November 2019 Volume 31 : Issue 48 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/31.48> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai (MIT Technology Review) GPS is easy to hack, and the US has no backup (Scientific American) European Council approves plans to make new car safety features mandatory (INews) Non-urgent alarms are drowning out real ones in hospitals (WashPost) Internet world despairs as non-profit .org sold for $$$$ to private equity firm, price caps axed (The Register) How dumb design wwii plane led macintosh (WiReD) Accidental evacuation warning (Peter H. Gregory) 6 Tips for Windows 7 End of Life and Support (MakeUseOf} Microsoft restores services after it experienced a large global outage across numerous platforms (Business Insider) Someone Got Access to Their Secret Consumer Score. Now You Can Get Yours, Too. (NYTimes) Could Salesforce Blockchain Cut Cancer Drug Development Costs in Half? (Fortune) China is Pushing Toward Global Blockchain Dominance (WiReD) Burglars Really Do Use Bluetooth Scanners to Find Laptops Phones (WiReD) Disruption Mitigation Systems for Fusion Demonstration at ITER (Richard Stein) Law enforcement can plunder DNA profile database, judge rules (ZDNet) How to Opt Out of the Sites That Sell Your Personal Data (WiReD) Privacy not included (Mozilla) 146 New Vulnerabilities All Come Preinstalled on Android Phones (WiReD) Uber safety push includes plans to start audio recording rides in the U.S. (WashPost) Nikki Haley Used System for Unclassified Material to Send `Confidential' Information (The Daily Beast) Official Monero website is hacked to deliver currency-stealing malware (Ars Technica) UK Conservative Party Scolded for Rebranding Twitter Account (NYTimes) AI future or follies? (Fortune magazine email) The Downside of Tech Hype (Scientific American) Best Buy Made These Smart Home Gadgets Dumb Again (WiReD) Officials Warn of "Juice Jacking" Scams at USB Charging Stations (LA County) Artificial Intelligence Discovers Tool Use in Hide-and-Seek Games (NYTimes) After False Drug Test, He Was in Solitary Confinement for 120 Days NoiseAware - proprietary algorithm for noise detection in rental properties (The Verge) A hypothesis on the immediate future of audio scams (CBC) How to prevent a data breach, lessons learned from the infosec vendors themselves (Web Informant) Someone Got Access to Their Secret Consumer Score. Now You Can Get Yours, Too. (NYTimes) Iowa hired cyberhackers, then arrested them (TechSpot) Mastercard vs. mistakes and fraud (Fortune) As 5G Rolls Out, Troubling New Security Flaws Emerge (WiReD) Re: The rise of microchipping: are we ready for technology to get under the skin? (Amos Shapir) Re: What happens if your mind lives for ever on the Internet? (John R. Levine) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 18 Nov 2019 17:21:43 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai (MIT Technology Review) A sophisticated new electronic warfare system is being used at the world's busiest port. But is it sand thieves or the Chinese state behind it? Now, new research and previously unseen data show that the Manukai, and thousands of other vessels in Shanghai over the last year, are falling victim to a mysterious new weapon that is able to spoof GPS systems in a way never seen before. Nobody knows who is behind this spoofing, or what its ultimate purpose might be. These ships could be unwilling test subjects for a sophisticated electronic warfare system, or collateral damage in a conflict between environmental criminals and the Chinese state that has already claimed dozens of ships and lives. But one thing is for certain: there is an invisible electronic war over the future of navigation in Shanghai, and GPS is losing. ... https://www.technologyreview.com/s/614689/ghost-ships-crop-circles-and-soft-gold-a-gps-mystery-in-shanghai/ ------------------------------ Date: Wed, 20 Nov 2019 13:47:14 +0800 From: Richard Stein <rmstein () ieee org> Subject: GPS is easy to hack, and the US has no backup (Scientific American) https://www.scientificamerican.com/magazine/sa/2019/12-01/ Old news for this forum. See http://catless.ncl.ac.uk/Risks/30/58#subj2.1 for instance. Search on 'gps spoof' or 'gps hack'. The 1st and 2nd paragraphs of this piece are noteworthy for public flight safety: "On August 5, 2016, Cathay Pacific Flight 905 from Hong Kong was heading for an on-time arrival at Manila's Ninoy Aquino International Airport when something unexpected occurred. The pilots radioed air traffic controllers and said they had lost GPS (Global Positioning System) guidance for the final eight nautical miles to 'runway right-24.' Surprised, the controllers told the pilots to land the widebody Boeing 777-300 using just their own eyes. The crew members pulled it off, but they were anxious the whole way in. Fortunately, skies were mostly clear that day. "The incident was not isolated. In July and August of that year, the International Civil Aviation Organization received more than 50 reports of GPS interference at the Manila airport alone. In some cases, pilots had to immediately speed up the plane and loop around the airport to try landing again. That kind of scramble can cause a crew to lose control of an aircraft. In a safety advisory issued this past April, the organization wrote that aviation is now dependent on uninterrupted access to satellite positioning, navigation and timing services and that vulnerabilities and threats to these systems are increasing." Airmanship is attributed to pilots that successfully react to abnormal cockpit conditions, and sustain flight safety. See https://www.nytimes.com/2019/09/18/magazine/boeing-737-max-crashes.html for a descriptions of pilots that possess and demonstrate airmanship, versus those that regard flying as 1352 procedural steps from takeoff to landing. That GPS is frequently spoofed or jammed or hacked, often by hostile governments or non-state actors, is unsettling as a periodic member of the air traveling public. This USA Today piece from (https://www.usatoday.com/story/travel/columnist/mcgee/2015/06/03/amtrak-rail-bus-flying-safety/28358899/) indicates that bus travel was safest: "Here's how the U.S. Department of Transportation ranked these modes by fatalities in 2012: Bus: 39 Aviation: 447 Railroad: 557 All other highway: 33,743 "Undoubtedly some readers are typing responses already -- and rightfully so. Because the story begins rather than ends with these numbers, and such statistics are brimming with caveats, clarifications, exceptions and asterisks. In fact, the benchmarks themselves need to be constantly reevaluated; for example, simply calculating fatalities may not capture other serious but non-fatal hazards." ------------------------------ Date: Thu, 14 Nov 2019 22:40:46 +0000 From: Chris Drewe <e767pmk () yahoo co uk> Subject: European Council approves plans to make new car safety features mandatory (INews) Spotted this in a local newspaper, by Matt Allan, INews, 13 Nov 2019 <https://inews.co.uk/inews-lifestyle/cars> Speed limiters and breathalyser tech to be fitted to all new cars from 2022 All new cars launched from 2022 will have to be equipped with speed-limiting equipment and the wiring for in-built breath alysers following a decision by the European Council. The rule will make it compulsory for car makers to fit intelligent speed assistance (ISA); wiring for in-car breathalysers; lane-keep assistance; autonomous emergency braking; data loggers and driver drowsiness warning systems. The move has met with a mixed response from safety and motoring organisations. [...] Looks like lots of risks, e.g. how much data is logged, and what happens to it? Hygiene issues with breathalyser? How are these features checked at vehicle inspections? Could drivers be faced with legal action for taking circuitous routes or driving in an uneconomic style..? As a friend observed, the problem with all this automation in cars is that it's not clear who the heck is actually driving the darn thing... ------------------------------ Date: Sun, 24 Nov 2019 22:06:05 -0500 From: Monty Solomon <monty () roscom com> Subject: Non-urgent alarms are drowning out real ones in hospitals (WashPost) The safety devices are everywhere in health-care facilities, but they also create a riot of disturbances for staff and patients. https://www.washingtonpost.com/health/hospital-alarms-prove-a-noisy-misery-for-patients-i-feel-like-im-in-jail/2019/11/22/e4f6edc8-0554-11ea-ac12-3325d49eacaa_story.html ------------------------------ Date: Fri, 22 Nov 2019 9:45:55 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Internet world despairs as non-profit .org sold for $$$$ to private equity firm, price caps axed (The Register) https://www.theregister.co.uk/2019/11/20/org_registry_sale_shambles/?page=1 In a sign that ICANN is unlikely to challenge the sale of the registry -- as some have formally urged it to do -- ICANN says in its statement that the new contract requires the operator of the registry to ``provide registrars at least 30 days'' advance written notice of any price increase for initial registrations and 6 months' notice for any price increases of renewals,'' while allowing domain owners to renew a domain for as much as 10 years in advance ``thus enabling a registrant to lock in current prices for 10 years in advance of a pricing change.'' It is debatable whether even a small number of the 10 million .org domain holders would be aware of price increases until they are required to pay them, or whether the ability to register a domain for 10 years is equivalent to a 10-year price freeze. ------------------------------ Date: Thu, 14 Nov 2019 11:21:39 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: How dumb design wwii plane led macintosh (WiReD) We now presume that apps that reorder the entire economy should require no instruction manual at all; some of the most advanced computers ever made now come with only cursory instructions that say little more than "turn it on." Using the app, you could reserve all your activities way before you boarded the ship. And once on board, all you needed was to carry was a disk the size of a quarter; using that, any one of the 4,000 touchscreens on the ship could beam you personalized information, such which way you needed to go for your next reservation. The experience recalled not just scenes from /Her/ and /Minority Report/, but computer-science manifestos from the late 1980s that imagined a suite of gadgets that would adapt to who you are, morphing to your needs in the moment. Behind the curtains, in the makeshift workspace, a giant whiteboard wall was covered with a sprawling map of all the inputs that flow into some 100 different algorithms that crunch every bit of a passenger;s preference behavior to create something called the *Personal Genome*. If Jessica from Dayton wanted sunscreen and a mai tai, she could order them on her phone, and a steward would deliver them in person, anywhere across the sprawling ship. The server would greet Jessica by name, and maybe ask if she was excited about her kitesurfing lesson. Over dinner, if Jessica wanted to plan an excursion with friends, she could pull up her phone and get recommendations based on the overlapping tastes of the people she was sitting with. If only some people like fitness and others love history, then maybe they;ll all like a walking tour of the market at the next port. Jessica;s Personal Genome would be recalculated three times a second by 100 different algorithms using millions of data points that encompassed nearly anything she did on the ship: How long she lingered on a recommendation for a sightseeing tour; the options that she /didn't/ linger on at all; how long she'd actually spent in various parts of the ship; and what's nearby at that very moment or happening soon. If, while in her room, she had watched one of Carnival's slickly produced travel shows and seen something about a market tour at one her ports of call, she'd later get a recommendation for that exact same tour when the time was right. ``Social engagement is one of the things being calculated, and so is the nuance of the context,'' one of the executives giving me the tour said. https://www.wired.com/story/how-dumb-design-wwii-plane-led-macintosh/ Good news about design, until... Risks? Believing that anything high-tech is fully self-evident or self-explanatory. And revealing a bit too much information and thinking. ------------------------------ Date: Fri, 15 Nov 2019 14:09:59 -0600 From: "Peter H. Gregory" <peter.gregory () gmail com> Subject: Accidental evacuation warning A warning was broadcast in the Highway 99 tunnel to get out of their cars and evacuate the tunnel. Someone at the command center mistakenly pushed the wrong buttons causing this alarm. Despite the warnings, no one followed the instructions. https://mynorthwest.com/1598411/seattle-tunnel-accidental-alert/?roi=echo3-58101618167-53483587-16474aef43b30d442cb39e87eef9740b ------------------------------ Date: Fri, 15 Nov 2019 17:01:06 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: 6 Tips for Windows 7 End of Life and Support (MakeUseOf} https://www.makeuseof.com/tag/windows-7-end-of-life-support/ No surprises here except I didn't know about: The end of Windows 7 support is a cause for concern for anyone running the fading operating system. However, it isn't the end of Windows 7 if you have enough money. Windows 7 Pro and Enterprise have the option to pay $350 to keep Windows 7 alive for three years. The *Microsoft Extended Security Updates program* will run until 2023. The program isn't for everyone, though. Only businesses, professional organizations, and mission-critical computers can apply for the Extended Security Updates program. When that period ends, those companies must have made provisions to upgrade to Windows 10 (or otherwise). And this misstatement presumably means Microsoft programs, not all software: The programs you use on Windows 7 will also stop receiving updates to fix bugs and security holes. ------------------------------ Date: Wed, 20 Nov 2019 12:05:25 -0500 From: Monty Solomon <monty () roscom com> Subject: Microsoft restores services after it experienced a large global outage across numerous platforms (Business Insider) https://www.businessinsider.com/microsoft-outage-us-japan-and-australia-2019-11 ------------------------------ Date: Sun, 24 Nov 2019 22:28:29 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Someone Got Access to Their Secret Consumer Score. Now You Can Get Yours, Too. (NYTimes) Little-known companies are amassing your data -- like food orders and Airbnb messages -- and selling the analysis to clients. Here's how to get a copy of what they have on you. I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too. https://www.nytimes.com/2019/11/04/business/secret-consumer-score-access.html Sigh, a while ago I requested my files from various government agencies mentioned in a surveillance article. Nothing much found. Now there's more work learning what these people have on me. ------------------------------ Date: Sun, 24 Nov 2019 22:13:27 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Could Salesforce Blockchain Cut Cancer Drug Development Costs in https://fortune.com/2019/11/21/ucsf-salesforce-blockchain-breast-cancer/ I was just screened, at a specialist's office, for a clinical trial. The process was straightforward and rigorous, driven by an automated online questionnaire a nurse completed with my answers. It included criteria for inclusion/exclusion, and branched through questions based on my answers. So I'm not sure what this from article all means or how (apparently) magic blockchain solves all problems: Just how would that work out in practicality? Esserman explains that the current clinical trial and drug development process is riddled with uncertainty, especially when it comes to data collection and integrity. For instance: The baseline for what qualifies as an acceptable liver function level for a potential clinical trial participant can vary wildly based on who did the test, where it came from, and what criteria were used to assess the numbers. Blockchain could simultaneously universalize and democratize that process, according to Esserman. That's because this system could automate a process that is still, in this digital age, reliant on flesh-and-blood humans to assess, record, and analyze something as basic as lab reading. ``I can see, with blockchain, what the normalized numbers are for someone enrolling in an iSPY trial,'' she says, adding that data re-entry and redundant practices can drive up the cost of a clinical trial 30% to 60%. Blockchain could potentially provide both accountability and efficiency on this front since everything is linked together in a documented chain-of-custody -- a practice that is surprisingly foreign to American health care. ------------------------------ Date: Fri, 15 Nov 2019 15:39:45 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: China is Pushing Toward Global Blockchain Dominance (WiReD) As US leaders dither, President Xi Jinping vies for the technological future of finance. https://www.wired.com/story/opinion-china-is-pushing-toward-global-blockchain-dominance/ The risk? Blockchain? Not blockchain? ------------------------------ Date: Tue, 19 Nov 2019 16:28:24 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Burglars Really Do Use Bluetooth Scanners to Find Laptops Phones (WiReD) Bluetooth scanners are readily available and easy to use -- which means that smash-and-grab car break-in might not have been pure chance. https://www.wired.com/story/bluetooth-scanner-car-thefts/ ------------------------------ Date: Sun, 17 Nov 2019 14:42:12 +0800 From: Richard Stein <rmstein () ieee org> Subject: Disruption Mitigation Systems for Fusion Demonstration at ITER I looked up progress on the ITER (International Thermonuclear Experimental Reactor) program, a multi-billion dollar effort that plans to demonstrate viable and sustained fusion energy before the permanent shift to fusion powered reactors. See ITER.org for the full story and interim progress reports. I happened on this summary article: "Addressing the challenge of plasma disruptions" System (DMS). https://www.iter.org/newsline/-/2678&sa=U&ved=2ahUKEwj_7LnzzPDlAhV-7nMBHU0VCGQQFjAAegQIBRAC&usg=AOvVaw3NsHxU8Qu30UmW_uvj4Mrf A portentous name. Airlines and other industries rely on disruption MANAGEMENT systems to assist their operations during crises. For logistics-based businesses, the scale of invocation is usually a few minutes before emergency governance kicks in and commences protocols to sustain or recover business continuity. In the case of a fusion reactor, the Disruption MITIGATION System needs to respond within ~10-20 msec according to this paper: "Requirements for Triggering the ITER Disruption Mitigation System." https://www.researchgate.net/publication/295829604_Requirements_for_Triggering_the_ITER_Disruption_Mitigation_System/link/56ec5fee08ae59dd41c4fc4f/download DMS will require a hard real-time platform to successfully interact with and monitor the plasma fusion reactor parameters that can compromise electricity generation. Plasmas that operate at a Q-value greater than 1 (self-sustaining nuclear fusion reactions) generate ~15-25 million amps of electron flow, neatly trapped by intense magnetic fields to prevent runaway electrons (RE) from damping out the reaction. But when the REs start to negatively influence fusion, the DMS must engage to sustain fusion or the reactor parts can meltdown into a diverter. My short investigation on the whole DMS issue found a few more interesting tidbits: 1) https://www.euro-fusion.org/fusion/fusion-conditions/ hosts a video of controllable fusion parameters, made from a fusion simulation that operators can control for practice. Homer Simpson has it easy at the Springfield Nuclear Plant compared to this simulation video. 2) "Plasma Disruption Management in ITER," via https://nucleus.iaea.org/sites/fusionportal/Shared%20Documents/FEC%202016/fec2016-preprints/preprint0314.pdf shows estimated DMS invocation parameters based on a simulation using the Joint European Torus as a baseline model. ------------------------------ Date: Wed, 20 Nov 2019 09:37:46 -0800 From: Gene Wirchenko <gene () shaw ca> Subject: Law enforcement can plunder DNA profile database, judge rules (ZDNet) Charlie Osborne for Zero Day, 7 Nov 2019 DNA data is available even if users opt-out in a landmark ruling that could have serious privacy implications. https://www.zdnet.com/article/law-enforcement-can-plunder-dna-profile-database-judge-rules/ A judge has approved a warrant for law enforcement to access the database of DNA profiler GEDmatch, a landmark ruling which may have serious privacy implications. Fields, however, would like to see these databases become common repositories of information for investigators. "You would see hundreds and hundreds of unsolved crimes solved overnight," the detective told the publication. "I hope I get a case where I get to try." ------------------------------ Date: Fri, 15 Nov 2019 16:32:49 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: How to Opt Out of the Sites That Sell Your Personal Data (WiReD) It's much harder than it should be to get your name off of data broker and people-search sites, but it's possible. https://www.wired.com/story/opt-out-data-broker-sites-privacy/ ------------------------------ Date: Sat, 16 Nov 2019 09:56:41 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Privacy not included (Mozilla) Be Smart. Shop Safe. How creepy is that smart speaker, that fitness tracker, those wireless headphones? We created this guide to help you shop for safe, secure connected products. This URL shows how creepy users find these products: https://foundation.mozilla.org/en/privacynotincluded/ Ho ho ... uh oh. ------------------------------ Date: Fri, 15 Nov 2019 17:20:24 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: 146 New Vulnerabilities All Come Preinstalled on Android Phones (WiReD) The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new. https://www.wired.com/story/146-bugs-preinstalled-android-phones/ ------------------------------ Date: Wed, 20 Nov 2019 13:44:22 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Uber safety push includes plans to start audio recording rides in the U.S. (WashPost) https://www.washingtonpost.com/technology/2019/11/20/uber-plans-start-audio-recording-rides-us-safety/ The risk? No good deed (recording for safety) goes unpunished (violating laws and privacy). ------------------------------ Date: Wed, 20 Nov 2019 14:21:02 -0700 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Nikki Haley Used System for Unclassified Material to Send `Confidential' Information (The Daily Beast) Newly released emails suggest that in 2017 the then-ambassador lost her password for classified communication, and so she used a different system. Christopher Dickey World News Editor Updated Nov. 20, 2019 8:46AM ET / Published Nov. 20, 2019 5:01AM ET Excerpt: North Korea had just tested an intercontinental ballistic missile capable of hitting Alaska, and the Trump administration was scrambling to react. But it seems Nikki Haley, Trump's ambassador to the United Nations, had lost her password for classified communications. That's why on that fraught July 4, 2017, she was typing away on her BlackBerry 10 smartphone, sending 'confidential' information over a system meant only for unclassified material. Haley was in a rush as she headed to her office "On my way in" shooting emails back and forth with top aides who'd been with her since she was governor of South Carolina. She needed to make a statement, and they were drafting it for her. 'Let's clean this up,' she writes after looking at some of the copy. 'Pretty this up for me,' she says. The next day we discover what the problem is with her communications. 'Can't find my password for the high side,' she writes. The stylistic suggestions and the apparent explanation for using less secure messages was in a trove of emails recently obtained under the Freedom of Information Act by the watchdog organization American Oversight. https://www.thedailybeast.com/nikki-haley-used-system-for-unclassified-material-to-send-confidential-information Also https://arstechnica.com/information-technology/2019/11/nikki-haley-lost-her-password-so-she-sent-sensitive-info-over-unclassified-system/ ------------------------------ Date: Wed, 20 Nov 2019 21:00:41 -0500 From: Monty Solomon <monty () roscom com> Subject: Official Monero website is hacked to deliver currency-stealing malware (Ars Technica) https://arstechnica.com/information-technology/2019/11/official-monero-website-is-hacked-to-deliver-currency-stealing-malware/ ------------------------------ Date: Thu, 21 Nov 2019 11:14:22 -0500 From: Monty Solomon <monty () roscom com> Subject: UK Conservative Party Scolded for Rebranding Twitter Account (NYTimes) https://www.nytimes.com/2019/11/20/world/europe/factcheck-uk-conservative-party.html The temporary name change, to *factcheckUK*, was an effort to *mislead people* during an election debate between Prime Minister Boris Johnson and Jeremy Corbyn of Labour, Twitter said. ------------------------------ Date: Sat, 16 Nov 2019 22:55:13 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: AI future or follies? (Fortune magazine email) *OpenAI Releases Full-Scale Version of Its "Too Dangerous to Release" Language Model. *The San Francisco-based AI research shop has released the full-size version of its language modeling algorithm <https://click.newsletters.fortune.com/?qs=304881d1f47022db4f760185645ac2ac31d0d56b4c65014094846471e16c4081a577163efe8dd6ddb221b3736f452cdb2721d903d584bd5e>, GPT-2, which can compose whole paragraphs of fairly-coherent text from just a few seed words or sentences. When it unveiled the model in February, the company said it was declining to make the most powerful version of the software -- which has 1.5 billion parameters -- available to the public out of fear it could be abused to create fake news. At the time, many in the AI research community criticized that decision as a publicity stunt. OpenAI says it has reversed course now because, since February, it has released gradually more powerful versions of GPT-2 and seen little evidence of misuse. 1.5 billion parameters -- one hopes they're not using that word for its common definition in programming. And what could go wrong with this? Speaking of GPT-2: At Microsoft's Ignite developer conference last week, the company showcased *how OpenAI's language model could be used to create an auto-complete feature for lines of software code. <https://click.newsletters.fortune.com/?qs=304881d1f47022db4dbaf7299aa4046ce631a1f8631c155c7c536ccab15fec10a3b423e23d79653c1795c5b1141d8b0740595bfbe6029e5f> Microsoft's team took the language model and trained it on the 3,000 top-rated open-source code repositories on Github. The result is a system that suggests, as a coder types, the most likely completion of a line of code. Microsoft says the system can be fine-tuned for a specific team of coders by training it on their particular code base. This is just one of several examples of AI simplifying -- or sometimes even automating (see Google's AutoML, <https://click.newsletters.fortune.com/?qs=304881d1f47022db5155acde02b6e6b27ff76b1140e84eaa051d56bebbcbca9cd6067ca8f4653df4171128073d96c9cc1bbce1aed87f040d> for example) -- the act of writing software. So if you thought learning to code was a guarantee of employment in the face of relentless AI-driven automation, think again. ------------------------------ Date: Fri, 22 Nov 2019 10:36:16 +0800 From: Richard Stein <rmstein () ieee org> Subject: The Downside of Tech Hype (Scientific American) https://blogs.scientificamerican.com/observations/the-downside-of-tech-hype/ "What can be done about rising hype? Although scientists and engineers can have little impact on the media, those at universities can promote better measures of success and more accuracy in their announcements, courses and curricula. Measuring university programs by amounts of venture capital funding attracted or numbers of start-ups created makes it easy for programs to game the system. "Better accuracy requires acknowledging the long development times, explaining the reasons for them, and illuminating the process by which new technologies became economically feasible, going beyond simplistic distinctions between basic and applied research. The reality is that few technologies experience the types of improvements necessary for commercialization and excessive hype distracts decision makers from the challenges of achieving the necessary pre-commercialization improvements." Academic offices exaggerate technology benefits to lure funding from commercial and government sources. Absent long-term measurements of success for a given R&D dollar, there's no quantitative predictor of failure or success for scientific of engineering research payoff. No risk, no reward, like betting a few bucks at the roulette table. In a casino, the odds of a return are fixed. In biotechnology, the odds of a candidate substance becoming a blockbuster drug are estimated at 1000 to 1 (see http://blogs.einstein.yu.edu/the-high-cost-of-and-uncertain-path-to-a-blockbuster-drug/). Regarding AI hype, see the companion piece "The Media's Coverage of AI is Bogus" https://blogs.scientificamerican.com/observations/the-medias-coverage-of-ai-is-bogus/. ------------------------------ Date: Fri, 15 Nov 2019 11:16:24 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Best Buy Made These Smart Home Gadgets Dumb Again (WiReD) Last week, a series of smart home gadgets became dumb again. On November 6, Best Buy pulled the plug on its line of Insignia Connect products, including a convertible freezer/fridge, two kinds of smart plugs, a smart light switch, and a Wi-Fi-connected camera. Best Buy offered people who purchased the gadgets partial gift cards, not full refunds. Most of the items still have some functionality, but are no longer equipped with the smart features that led people to choose them in the first place. The Wi-Fi camera, however, ceased to function altogether. The incident is a salient reminder that when you buy an Internet-connected device, you're betting the company behind it will continue supporting its corresponding software in the future. That means regularly updating apps to ensure compatibility with the latest smartphones, patching bugs, and more. But it's impossible to tell ahead of time what brands will outlast their competitors and which will shutter, get acquired, or pivot. One day you wake up and your smart freezer is suddenly stupid. https://www.wired.com/story/best-buy-smart-home-dumb/ ------------------------------ Date: Fri, 22 Nov 2019 16:26:30 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Officials Warn of "Juice Jacking" Scams at USB Charging Stations Los Angeles -- Law enforcement officials in Los Angeles County are warning cell phone users about a new scam that could infect their devices with malware when they plug into USB charging stations at airports, hotels and other public locations. In a scam called "juice jacking," criminals load malware onto charging stations or cables they leave plugged in at the stations, infecting the phones and other electronic devices of unsuspecting users. The malware may lock a user's device or export data and passwords directly to the scammer. "A free charge could end up draining your bank account," said Luke Sisak, a deputy district attorney in Los Angeles County. "Within minutes of being plugged in, the malware could lock the device or send private information, like passwords, addresses or even a full backup of the phone directly to the criminal." Officials are urging people to use AC power outlets instead of USB charging stations, as well as to take AC and car chargers when traveling and consider buying a portable charger for emergencies. http://da.lacounty.gov/about/inside-LADA/juice-jacking-criminals-use-public-usb-chargers-steal-data-ff ------------------------------ Date: Fri, 22 Nov 2019 20:11:44 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Artificial Intelligence Discovers Tool Use in Hide-and-Seek Games (Quanta Magazine) After millions of games, machine learning algorithms found creative solutions and unexpected new strategies that could transfer to the real world. https://www.quantamagazine.org/artificial-intelligence-discovers-tool-use-in-hide-and-seek-games-20191118/ The risk? That bots dominate world Hide-and-Seek tournaments... ------------------------------ Date: Fri, 22 Nov 2019 20:16:49 -0500 From: Monty Solomon <monty () roscom com> Subject: After False Drug Test, He Was in Solitary Confinement for 120 Days (NYTimes) https://www.nytimes.com/2019/11/20/nyregion/prison-inmate-drug-testing-lawsuit.html Hundreds of New York State prisoners were locked in cells, denied release or removed from programs when tests erroneously showed they had used narcotics, according to a lawsuit. ------------------------------ Date: Sat, 23 Nov 2019 07:15:14 -0500 From: Jeremy Epstein <jeremy.j.epstein () gmail com> Subject: NoiseAware - proprietary algorithm for noise detection in rental properties (The Verge) [Should this be called "Noiseware?" PGN] I'm staying in an Airbnb for Thanksgiving, and noticed this in the fine print: "We are dedicated to protecting our guests and neighbors from bothersome levels of noise. In an effort to do so, this property is equipped with NoiseAware technology. NoiseAware is a smart home device that measures volume levels throughout the property and allows us to respond to noise nuisances without disrupting your stay. NoiseAware is privacy compliant and is required on this property." So I naturally had to learn what this "privacy compliant" system is. It purports to be a device that will plug in and inform the property owner if it gets too noisy, but using a proprietary algorithm that's more sophisticated than just measuring dB level. Of course it's proprietary, so no one can tell how it comes to a conclusion, but if it reacts, I presume there would be a call from the property owner - and perhaps impact my ability to get future rentals. There's some hint of the algorithm ("Our Noise Risk Score goes beyond the sporadic and instantaneous measurement of a decibel, to bring you context and deeper insight. We track not only how loud it is, but how long it is loud for. We combine this with a number of other factors to bring you the contextual noise risk score. Nobody wants a text every time your guest sneezes."). But there's no explanation of why they say it's "privacy compliant" - is it a microphone that sends what it hears to the cloud, or just a loudness sensor that's sending a dB score (which would be less intrusive)? I found one article in Verge that indicates it's truly a simple sensor, not a microphone, so perhaps this is one of the rare cases of an IoT vendor getting it right! (Having said that, I'd be more comfortable if someone did a teardown of one of the devices and verified that indeed it is just a noise sensor, and that the lack of a microphone isn't a false claim.) https://www.theverge.com/circuitbreaker/2018/10/29/18037604/noiseaware-gen-3-indoor-outdoor-security-microphone ------------------------------ Date: Sun, 24 Nov 2019 11:41:14 -0500 From: José María Mateos <chema () rinzewind org> Subject: A hypothesis on the immediate future of audio scams (CBC) My landlady send me the other day this news article: https://www.cbc.ca/news/canada/edmonton/can-you-hear-me-phone-scam-warning-bbb-1.3970312 Excerpt: From encrypted passwords to padlocked doors, Canadians will go to extreme lengths to avoid scammers. Now it may not be safe to pick up the phone. A new scam relies on your voice to answer a simple question: "Can you hear me now"? The scammers try to bait callers into answering "yes." Anti-fraud agencies say that simple acknowledgment can be used to make it sound as if you signed on for a purchase or service. ``They're trying to get a recording of you saying *yes*,'' said Ron Mycholuk, a spokesman with the Better Business Bureau of Central and Northern Alberta. ``They're going to take that recorded *yes*, play around with that audio and make it seem to you, or a representative of a business, that you have paid for some advertising, a cruise or a big ticket item, and send you the bill.'' At this point I don't pick up the phone if I don't recognize the number. Voicemail is quite useful and I can always call back if the message is not spam, which rarely happens. However, I then remembered this other piece of news (which, incidentally, I haven't been able to find on the RISKS archive, but I'd be surprised if it hasn't been sent before): https://www.zdnet.com/article/forget-email-scammers-use-ceo-voice-deepfakes-to-con-workers-into-wiring-cash/ Excerpt: Criminals are using AI-generated audio to impersonate a CEO's voice and con subordinates into transferring funds to a scammer's account. So-called deepfake voice attacks could be the next frontier in a scam that's cost US businesses almost $2bn over the past two years using fraudulent email. *The Wall Street Journal* reports that the CEO of an unnamed UK-based energy company thought he was talking on the phone with his boss, the CEO of the German parent company, who'd asked him to urgently transfer [the equivalent of] $243,000 to a Hungarian supplier. However, the UK CEO was in fact taking instructions from a scammer who'd used AI-powered voice technology to impersonate the German CEO. It's the voice equivalent of deepfake videos that are causing alarm for their potential to manipulate public opinion and cause social discord. So of course at this point one would expect that the first scam (the method) and the second one (the technology) are a match made in heaven. Let's see if that starts happening. I'm betting on "sure, what else is to expect". ------------------------------ Date: Sun, 24 Nov 2019 22:03:05 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: How to prevent a data breach, lessons learned from the infosec vendors themselves (Web Informant) https://blog.strom.com/wp/?p=7456 ------------------------------ Date: Sun, 24 Nov 2019 22:28:29 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Someone Got Access to Their Secret Consumer Score. Now You Can Get Yours, Too. (NYTimes) Little-known companies are amassing your data -- like food orders and Airbnb messages -- and selling the analysis to clients. Here's how to get a copy of what they have on you. I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too. https://www.nytimes.com/2019/11/04/business/secret-consumer-score-access.html Sigh, a while ago I requested my files from various government agencies mentioned in a surveillance article. Nothing much found. Now there's more work learning what these people have on me. ------------------------------ Date: Wed, 13 Nov 2019 11:20:00 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Iowa hired cyberhackers, then arrested them (TechSpot) https://www.techspot.com/news/82740-iowa-hired-cybersecurity-firm-do-penetration-testing-arrested.html ------------------------------ Date: Sat, 16 Nov 2019 23:02:06 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Mastercard vs. mistakes and fraud (Fortune) The AI profiles of lots of other companies are starting to look more like Amazon's. Case in point: Mastercard. Ajay Bhalla, who heads cyber and intelligence solutions for the payments company, told me it has used AI to cut in half the number of times a customer has their credit card transaction erroneously declined, while at the same time reducing fraudulent transactions by about 40%. Mastercard has also used predictive analytics to spot cyberattacks <https://click.newsletters.fortune.com/?qs=dbd9314600a712630e23a5418eacc48e1536514d7dbfffe4f219611063d6d67fb034c62e813981dd59682d0fb76c03606d9ed2e8b28103db> and waves of fraudulent activity by organized crime groups. Bhalla says this has helped its customers avoid some $7.5 billion worth of damage from cyber attacks in just the past 10 months. And, he says, Mastercard is now using AI-based software across every section of the company, from human resources to finance to marketing. ------------------------------ Date: Sat, 16 Nov 2019 23:02:46 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: As 5G Rolls Out, Troubling New Security Flaws Emerge (WiReD) https://www.wired.com/story/5g-vulnerabilities-downgrade-attacks/ ------------------------------ Date: Wed, 13 Nov 2019 16:52:12 +0200 From: Amos Shapir <amos083 () gmail com> Subject: Re: The rise of microchipping: are we ready for technology to get under the skin? (RISKS-31.47) Technically, the machines which read the ID chips do not care whether the chip is embedded in a card or implanted under the customer's skin. The difference is that implantation is like branding: The decision whether to carry an ID chip is transferred from the people themselves to their owner ^H^H^H^H employer. ------------------------------ Date: 13 Nov 2019 11:16:22 -0500 From: "John R. Levine" <johnl () iecc com> Subject: Re: What happens if your mind lives for ever on the Internet? (RISKS-31.47)
It may be some way off, but mind uploading, the digital duplication of your mental essence, could expand human experience into a virtual afterlife.
For another take on this very topic from June of this year, see: http://wondermark.com/c1485/ It's five pages, click the Next arrow at the right. ------------------------------ Date: Mon, 14 Jan 2019 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 31.48 ************************
Current thread:
- Risks Digest 31.48 RISKS List Owner (Nov 25)