RISKS Forum mailing list archives
Risks Digest 31.56
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 4 Feb 2020 15:44:39 PST
RISKS-LIST: Risks-Forum Digest Tuesday 4 February 2020 Volume 31 : Issue 56 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/31.56> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Iowa's Tally-by-App Experiment Fails (WSJ) Risks in the Iowa Tally fiasco (Sundry) Live frogs (Flyer Talk) Computers threaten saffron harvest (Eric Sosman) No smoke, no water, no waste. VR could train the next generation of firefighters (cnn.com) Artificial intelligence-created medicine to be used on humans for first time (bbc.com) Why asking an AI to explain itself can make things worse (MIT Tech Review) AI License Plate Readers Are Cheaper: Drive Carefully (WiReD) No more Punxsutawney Phil: It's long overdue for an AI groundhog instead, PETA says. (The Washington Post) Android Users Beware: this dangerous menace is already hiding on 43 million phones (Forbes) Why Google Backtracked on Its New Search Results Look (NYTimes) Regis University's cyberattack was ``a crisis of the highest order, But investigators couldn't trace its origin (Denver Post) An artist wheeled 99 smartphones around in a wagon to create fake traffic jams on Google Maps (Business Insider) Very strange, still receiving security patches/updates for Windows 7 systems (Gabe Goldberg) Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable (Security Ledger) The Fractured Future of Browser Privacy (WiReD) NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk (NYTimes) IKEA Promises New Data Controls for Consumers (WSJ) Facebook shows you how it stalks you. Here are the privacy settings to change. (WashPost) Re: Boeing 737s can't land facing west (R. G. Newbury) Re: Should Automakers Be Responsible for Accidents? (John Levine) Re: Election Security At The Chip Level (John Levine, Gabe Goldberg) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 4 Feb 2020 12:27:23 -0500 From: Monty Solomon <monty () roscom com> Subject: Iowa's Tally-by-App Experiment Fails (WSJ) https://www.wsj.com/articles/iowa-caucus-results-delayed-by-apparent-app-issue-11580801699 ------------------------------ Date: Tue, 4 Feb 2020 13:38:15 -0800 From: "Peter G. Neumann" <peter.neumann () sri com> Subject: Risks in the Iowa Tally fiasco (Sundry) https://go.ind.media/webmail/546932/550762215/0ed6efde19172f984587fb6624e= 4e481dc208bc0a3090465ab7fedfcc3c2b280=20 Shadow Inc reportedly sent out the caucus reporting app via TestFairy, which seemingly could enable lots of intruders to interpose themselves. https://docs.testfairy.com/Testers/How_to_test_Android_apps.html https://www.vice.com/en_us/article/y3m33x/heres-the-shadow-inc-app-that-failed-in-iowa-last-night [However, officials were quick to state that this was a "code error", not a hacking episode. Nevertheless, the entire system seems rather flaky, as do most of the other approaches to ensuring voting integrity. PGN] ------------------------------ Date: Sat, 1 Feb 2020 12:38:47 +0000 From: "Wendy M. Grossman" <wendyg () pelicancrossing net> Subject: Live frogs (Flyer Talk) Here's a risk you won't have solved in the 1960s on Multics. From the FlyerTalk American Airlines forum: https://www.flyertalk.com/forum/american-airlines-aadvantage/2006995-delayed-due-live-frogs.html
Delayed due to... live frogs
Yep you read that correctly, live frogs. On 2559 yesterday from DFW>DTW, we were delayed a few minutes at the gate in DFW due to a load of live frogs. According to the captain (who made two very nice, detailed announcements about it), there was a load of live frogs in the aft cargo hold and the computer just didn't like it and either wouldn't allow them there or it couldn't compute them being there. So thankfully instead of keeping us delayed, they offloaded them for a later flight. The funniest part was that after we landed, and on the looooong taxi at DTW to the gate, I heard what sounded like frogs. It was probably just somebody still asleep and snoring intermittently, but part of me wonders if there was a load in the forward hold that did get to travel. Just might be the funniest delay I've encountered.>> ------------------------------ Date: Tue, 4 Feb 2020 13:55:29 -0500 From: Eric Sosman <esosman () comcast net> Subject: Computers threaten saffron harvest Over-reliance on technology may doom the United States' latest attempt to produce saffron in commercially significant quantities. The spice comes from the /crocus sativus/ flower, grown primarily in a region stretching from Spain to Kashmir. From (admittedly fragmentary) reports it appears American farmers and entrepreneurs have been using computer- aided methods to attempt to grow this crocus in the American Midwest, perhaps for fear of (or in hopes of) higher tariffs against the import of foreign saffron. Unfortunately, the effort has run into a snag: computer malfunctions are said to have messed up the Iowa crocuses. ------------------------------ Date: Wed, 29 Jan 2020 16:02:10 -0800 From: Richard Stein <rmstein () ieee org> Subject: No smoke, no water, no waste. VR could train the next generation of firefighters (cnn.com) https://www.cnn.com/2020/01/29/tech/virtual-reality-firefighter-training/index.html Conserving material resources during training, via computer simulation, is an environmental gain, but can a simulator prepare superior fire-fighter capability for deployment during a city-wide conflagration, or during a catastrophic forest fire? The essay describes mechanical fire-hose force feedback as a simulator feature. The simulation effectively renders smoke, flame, foam application, and other combustion effects. A thermal suit heats up the trainee when approaching a simulated flame wall. Is the simulation fidelity sufficiently meritorious to fully abandon hands-on training and fire suppression equipment deployment? I wonder if the simulator can train a firefighter how to use a PyroLance (http://money.cnn.com/2018/02/05/technology/business/pyrolance-firefighting-gun/index.html)? Risk: VR training supplement versus traditional hands-on person-in-the-loop firefighter qualification effectiveness. ------------------------------ Date: Thu, 30 Jan 2020 20:10:57 -0800 From: Richard Stein <rmstein () ieee org> Subject: Artificial intelligence-created medicine to be used on humans for first time (bbc.com) https://www.bbc.com/news/technology-51315462 Historically, there's 1000 to 1 odds against a candidate drug succeeding in the marketplace. See http://blogs.einstein.yu.edu/the-high-cost-of-and-uncertain-path-to-a-blockbuster-drug/. "Typically, drug development takes about five years to get to trial, but the AI drug took just 12 months. "Exscienta chief executive Prof Andrew Hopkins described it as a 'key milestone in drug discovery.'" That AI drug design is applied to accelerate synthesis may improve these odds. It would appear to reduce the human effort expended for development. Whether or not patient outcome benefit materializes is to be shown (or not) by clinical studies, and hopefully, a double-blind clinical study BEFORE final regulatory approval is granted. ------------------------------ Date: February 3, 2020 4:06:02 JST From: geoff goodfellow <geoff () iconia com> Subject: Why asking an AI to explain itself can make things worse (MIT Tech Review) Creating neural networks that are more transparent can lead us to over-trust them. The solution might be to change how they explain themselves. Upol Ehsan once took a test ride in an Uber self-driving car <https://www.technologyreview.com/smart-cities/self-driving-cars/>. Instead of fretting about the empty driver's seat, anxious passengers were encouraged to watch a *pacifier* screen that showed a car's-eye view of the road: hazards picked out in orange and red, safe zones in cool blue. For Ehsan, who studies the way humans interact with AI at the Georgia Institute of Technology in Atlanta, the intended message was clear: ``Don't get freaked out -- this is why the car is doing what it's doing.'' But something about the alien-looking street scene highlighted the strangeness of the experience rather than reassuring. It got Ehsan thinking: what if the self-driving car could really explain itself? The success of deep learning <https://www.technologyreview.com/g/deep-learning/> is due to tinkering: the best neural networks are tweaked and adapted to make better ones, and practical results have outpaced theoretical understanding. As a result, the details of how a trained model works are typically unknown. We have come to think of them as black boxes <https://www.technologyreview.com/s/613440/ai-researchers-want-to-study-ai-the-same-way-social-scientists-study-humans/> . A lot of the time we're okay with that when it comes to things like playing Go or translating text or picking the next Netflix show to binge on. But if AI is to be used to help make decisions in law enforcement, medical diagnosis, and driverless cars, then we need to understand how it reaches those decisions -- and know when they are wrong. People need the power to disagree with or reject an automated decision, says Iris Howley <http://www.cs.williams.edu/~iris/>, a computer scientist at Williams College in Williamstown, Massachusetts. Without this, people will push back against the technology. ``You can see this playing out right now with the public response to facial recognition systems,'' she says. Ehsan is part of a small but growing group of researchers trying to make AIs better at explaining themselves, to help us look inside the black box. The aim of so-called interpretable or explainable AI (XAI) is to help people understand what features in the data a neural network is actually learning -- and thus whether the resulting model is accurate and unbiased. [...] https://www.techtelegraph.co.uk/why-asking-an-ai-to-explain-itself-can-make-things-worse/ https://www.technologyreview.com/s/615110/why-asking-an-ai-to-explain-itself-can-make-things-worse/ ------------------------------ Date: Sat, 1 Feb 2020 00:43:26 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: AI License Plate Readers Are Cheaper: Drive Carefully (WiReD) https://www.wired.com/story/ai-license-plate-readers-cheaper-drive-carefully/ ------------------------------ Date: Thu, 30 Jan 2020 09:08:25 -0800 From: Richard Stein <rmstein () ieee org> Subject: No more Punxsutawney Phil: It's long overdue for an AI groundhog instead, PETA says. (The Washington Post) https://www.washingtonpost.com/nation/2020/01/29/groundhog-peta-punxsutawney/ PETA has a point: Groundhogs hibernate during Winter; that's what ectotherms do. But Phil's celebrity status commands performance: he must also visit school children during the Winter, pose for magazine covers (Rat Mag, Rodent of The Year). He's part of a mandatory PR campaign that sustains Punxsutawney, PA tourism foot traffic. But simulate Punxsutawney Phil with artificial intelligence to determine if Winter will extend by another 6 week? AI is overkill for this purpose. Why not employ a Magic 8-ball or a coin-toss to prognosticate an extended winter? Granted, these choices lack glamor; they are not newsworthy, but they are likely as accurate as the appearance (or not) of Phil's shadow. ------------------------------ Date: Wed, 29 Jan 2020 13:06:10 -1000 From: the keyboard of geoff goodfellow <geoff () iconia com> Subject: Android Users Beware: this dangerous menace is already hiding on 43 million phones (Forbes) ``This shows how hard it is for users to stay safe'', the CEO of mobile security firm Upstream warns. The company is about to publish a report into the Android threat landscape. The data is staggering. The company has unearthed 98,000 malicious apps, which have infected 43 million devices. The worst five apps, Dimitris Maniatis tells me, have been downloaded 700 million times, ``this shows the scale of the issue.'' <https://www.secure-d.io/mobileadfraud2019report/> *And that risk is accelerating. That number of malicious apps is up 50% in the last year, and shows every sign of spiraling out of control.* This can now be viewed as an endemic problem with mobile apps downloaded from Google's Play Store -- despite Google Protect and the App Defense Alliance, Some 50% of the bad apps exposed by Upstream *were or are*, in the official Play Store. Countless stories have been written about the hundreds of malicious apps with hundreds of millions of installs. The key question is what is the scale of the issue? <https://www.forbes.com/sites/zakdoffman/2019/11/10/google-confirms-play-store-security-threat-heres-the-fixbut-does-it-make-you-safer/#7557b2514337>. Upstream has collated the data from its Secure-D security platform, data collected by 31 different network operators across 20 different countries, data representing the devices 0f almost 700 million different users. In its report <https://www.secure-d.io/mobileadfraud2019report/>, Upstream explains the methods by which users are enticed to install malicious malware and then grant a raft of permissions that goes way beyond what is required for the app's claimed purpose. That malware then communicates with its controllers, seeking instructions and content to operate. The apps are designed to remain hidden, not arousing suspicion, avoiding an uninstall. The primary issue with mobile malware is advertising or click fraud. Trivial apps that pull unwanted ads onto devices to run in the background or as a foreground nuisance. For advertisers, this results in millions of dollars of fraudulent charges. For users, the issue is degraded performance, drained batteries and huge data bills. There is also the issue that such apps can lead to devices being infected with more dangerous malware. [...] https://www.forbes.com/sites/zakdoffman/2020/01/29/android-users-beware-this-dangerous-menace-is-already-hiding-on-43-million-phones/ ------------------------------ Date: Sat, 1 Feb 2020 19:52:51 -0500 From: Monty Solomon <monty () roscom com> Subject: Why Google Backtracked on Its New Search Results Look (NYTimes) The Internet giant, which some lawmakers and regulators say has grown too powerful, tweaked the way it displayed ads on search results. It did not go over well. https://www.nytimes.com/2020/01/31/technology/google-search-results.html ------------------------------ Date: Tue, 28 Jan 2020 19:39:45 -0700 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Regis University's cyberattack was ``a crisis of the highest order, But investigators couldn't trace its origin (Denver Post) [Follow-up to RISKS-31.39 (29 August 2019)] Elizabeth Hernandez, *The Denver Post*, 28 Jan 2020 Information-technology experts from across Colorado convened at Regis University on Tuesday to learn never-before-shared details about last year's crippling cyberattack -- an experience the private Jesuit college's chief information officer called "a crisis of the highest order." A few new details revealed during the presentation: * Federal and third-party investigators were unable to determine a root cause of the attack, meaning it's unclear how the attack originated * The hacker -- determined to be from outside the country -- attacked Regis's backups first * When faced with the decision to rebuild the IT system or repair it, officials decided to rebuild and update https://www.denverpost.com/2020/01/28/regis-university-cyberattack-ransomware/ ------------------------------ Date: Mon, 3 Feb 2020 16:44:05 -0500 From: Monty Solomon <monty () roscom com> Subject: An artist wheeled 99 smartphones around in a wagon to create fake traffic jams on Google Maps (Business Insider) https://www.businessinsider.com/google-maps-traffic-jam-99-smartphones-wagon-2020-2 [Also noted: "Performance artist generates virtual traffic jams in Google Maps by pulling a wagon full of smartphones" "99 second hand smartphones are transported in a handcart to generate virtual traffic jam in Google Maps. Through this activity, it is possible to turn a green street red which has an impact in the physical world by navigating cars on another route to avoid being stuck in traffic. " [...] #googlemapshacks http://www.simonweckert.com/googlemapshacks.html via https://twitter.com/StevenJCrowley/status/1223977380794064897 PGN] ------------------------------ Date: Wed, 29 Jan 2020 15:57:14 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Very strange, still receiving security patches/updates for Windows 7 systems One Windows 7 Ultimate system, one Windows Professional, have Windows Security Essentials being updated daily. Was Microsoft kidding about no updates after January 14? Or did I get the year wrong? (No, I didn't). Plus, the Win 7 Ultimate system got Pop-Up of Doom on January 14. But updates keep rolling along. No, I didn't jump through the hoops to purchase extended support and I didn't get a gift card saying that someone bought it for me. It'll be interesting seeing what happens next Patch Tuesday, but still this is already puzzling. ------------------------------ From: Shawn Merdinger <shawnmer () gmail com> Date: Tue, 28 Jan 2020 19:38:30 -0500 Subject: Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable (Security Ledger) https://securityledger.com/2020/01/seven-years-later-scores-of-eas-systems-sit-un-patched-vulnerable/ ------------------------------ Date: Sat, 1 Feb 2020 00:24:11 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: The Fractured Future of Browser Privacy (WiReD) https://www.wired.com/story/chrome-firefox-edge-browser-privacy/ ------------------------------ Date: Sat, 1 Feb 2020 16:32:03 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk (NYTimes) https://www.nytimes.com/2020/01/31/health/pharmacists-medication-errors.html ------------------------------ Date: Mon, 3 Feb 2020 09:52:36 -0500 From: Monty Solomon <monty () roscom com> Subject: IKEA Promises New Data Controls for Consumers (WSJ) https://www.wsj.com/articles/ikea-promises-new-data-controls-for-consumers-11580383800 ------------------------------ Date: Sat, 1 Feb 2020 11:28:10 -0500 From: Monty Solomon <monty () roscom com> Subject: Facebook shows you how it stalks you. Here are the privacy settings to change. (WashPost) The new ’Off-Facebook Activity' tool, available around the world Tuesday, reminds us we're living in a reality TV program where we forget the cameras are always on. Here are the privacy settings to change right now. https://www.washingtonpost.com/technology/2020/01/28/off-facebook-activity-page/ ------------------------------ Date: Mon, 3 Feb 2020 22:29:39 -0500 From: "R. G. Newbury" <newbury () mandamus org> Subject: Re: Boeing 737s can't land facing west (RISKS-31.54) As a first guess, I would suspect that somewhere in the code, there is a conversion from polar to rectangular reference frames (or vice versa) and X=r * cos(theta) with theta=270 give zero and either a 'NAN' or divide by zero error crashes the program. You would need that sort of calculation to find the rhumb and distance, knowing the lat/long of the present and destination positions. 'X' is the Difference of Latitude in miles (Y is the Departure). Using GPS you know the present and destination positions, but the pilot wants to know 'how far' and 'what direction'. The calculations will be done using true and then, if desired, corrected to magnetic bearings. [John Stockton noted: Tangent of 270 degrees (and of 90 degrees) is numerically dangerous, each being, so to speak, +- infinity. Perhaps, to the accuracy of the arithmetic, those 7 runways are EXACTLY 270 degrees true, and others are only *nearly* 270 degrees true.] [PGN noted that this should remind some of us old-timers of the joke about the plane that crashed because all the Poles in the Left Half (of the) Plane. PGN] ------------------------------ Date: 4 Feb 2020 17:07:51 -0500 From: "John Levine" <johnl () iecc com> Subject: Re: Should Automakers Be Responsible for Accidents?
Automaker enterprise liability would have useful incentives that driver liability law misses. https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf
I can hardly wait: "Sorry, sir, you've had three moving violations so we'll have to ask you to leave the showroom now." ------------------------------ Date: 4 Feb 2020 17:15:43 -0500 From: "John Levine" <johnl () iecc com> Subject: Re: Election Security At The Chip Level (SemiEngineering via Goldberg, RISKS-31.54) The comments on this article are much better than the article. They say that voting electronically is a well known bad idea, so stop. Elections have a unique security model: You need a reliable list of who voted, you need a reliable list of who or what they voted for, and you need to be confident there's no way to link those two lists. Nothing else works that way. That's why even though voting machines may look like ATMs, an ATM is a dreadful model to use since with ATMs, the bank has full knowledge of all of the details of every transaction, e.g., when you were there, who you are, what you did, how much money it dispensed, all linked together. As has been pointed out too many times, paper ballots dropped into a box, along with observers to ensure that only people on the voter list got to vote, satisfy the model quite well. If you want to have machines scan and count the ballots, that's fine, but the paper ballots are the actual record. ------------------------------ Date: Tue, 4 Feb 2020 17:27:21 -0500 From: Gabe Goldberg <gabe () gabegold com> Subject: Re: Election Security At The Chip Level (RISKS-31.54) ATMs -- maybe only one "advantage": they have your PICTURE, proving identity, thanks to ubiquitous security camera. Of course, voter ID laws head in that direction introducing another gaggle of problems while solving a non-problem. ------------------------------ Date: Mon, 14 Jan 2019 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 31.56 ************************
Current thread:
- Risks Digest 31.56 RISKS List Owner (Feb 04)