RISKS Forum mailing list archives

Risks Digest 31.74


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 27 Apr 2020 16:04:51 PDT

RISKS-LIST: Risks-Forum Digest  Monday 27 April 2020  Volume 31 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.74>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Why a Data-Security Expert Fears U.S. Voting Will Be Hacked
  (Alexandra Wolfe WSJ)
Principle of the Day (Ray Dalio)
Emissions Are Way Down. No, That's Not All Good News for the Environment
  (Mother Jones)
Coronavirus detected on particles of air pollution (NIH via geoff goodfellow)
"Recommendation: Do Not Install or Use Centralized Server Coronavirus
  COVID-19 Contact Tracing Apps" (Lauren Weinstein)
'No evidence' that recovering from Covid-19 gives people immunity, WHO says
  (geoff goodfellow)
Re: Coronavirus Antibody Tests: Can You Trust the Results (Rich Kulawiec)
Re: Spam filter censoring COVID content (Henry Baker)
Re: e-postage, Internet Usage update (Paul Edwards)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 26 Apr 2020 22:38:51 +0200
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Why a Data-Security Expert Fears U.S. Voting Will Be Hacked
  (Alexandra Wolfe, The Wall Street Journal)

<https://www.wsj.com/articles/why-a-data-security-expert-fears-u-s-voting-will-be-hacked-11587747159>

In 2005, a concerned Florida election supervisor asked the Finnish
data-security expert Harri Hursti to hack into one of the state's commonly
used voting machines to test its vulnerability. The verdict wasn't
reassuring. By modifying just a few lines of code on the machine's memory
card, Mr. Hursti says, he could change the results of a mock election. That
same model, he adds, will be among those used in the 2020 elections. (A
spokesperson for the machine's vendor, Dominion Voting, says that these
weaknesses were fixed in 2012, but Mr. Hursti says that he has tested the
new version and found the updates insufficient.)

Mr. Hursti has spent the past 15 years trying to draw attention to the
weaknesses in America's voting systems. Last month, he was featured in an
HBO documentary called ``Kill Chain: The Cyber War on America's Elections,''
about far-reaching security breaches in multiple U.S. elections that he says
have gone unfixed. He warns that both the American political establishment
and the public are far too complacent. ``Once you understand how everything
works, you understand how fragile everything is and how easy it is to lose
this all,'' Mr. Hursti says in the film.

In 2017, the Department of Homeland Security notified 21 states that they
had been targeted by Russian hackers in the previous year's voting. (Russia
denies the allegations.) Mr. Hursti has worked with some of those states to
stave off future attacks, he says, but past breaches are rarely
investigated. DHS has said that it found no evidence that votes were changed
during the 2016 voting. A 2017 U.S. intelligence assessment
<https://www.dni.gov/files/documents/ICA_2017_01.pdf?mod=article_inline> --
whose findings were unanimously reaffirmed
<https://www.wsj.com/articles/senate-report-affirms-u-s-intelligence-findings-on-2016-russian-interference-11587483408?mod=article_inline>
Tuesday by the Republican-led Senate Intelligence Committee -- described a
significant 2016 Russian ``influence campaign'' to ``undermine public
faith'' in American democracy and ``help President-elect Trump's election
chances.''

Mr. Hursti focuses more on the hardware side of the voting process than
information operations from hostile powers. He doesn't offer direct evidence
of vote tampering in 2016, but he warns that, given the security flaws he
has uncovered, it was certainly possible. For years, voting rights groups
have been suing states, alleging problems with voting machines. Last August,
a judge in Georgia ruled that the state needed new voting machines to
replace unsecure, outdated ones that had malfunctioned during the 2018
governor's race. [...]

After working in computer programming for most of his life, he is amused to
hear critics calling him opposed to technology because of his calls for an
old-school paper voting system. ``I'm against the irresponsible use of
technology,'' he says, but ``I'm the last person I would ever think people
would be calling a Luddite.''

  [Excellent article.  Read it in its entirety if you are concerned.
  (You should be.)  PGN]

------------------------------

Date: Sun, 26 Apr 2020 08:45:40 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Principle of the Day (Ray Dalio)

*"Because of the different ways that our brains are wired, we all experience
reality in different ways and any single way is essentially distorted. This
is something that we need to acknowledge and deal with."*

*"So if you want to know what is true and what to do about it, you must
understand your own brain."*

https://twitter.com/RayDalio/status/1254134881472438275

  [image omitted for RISKS]

------------------------------

Date: Mon, 27 Apr 2020 15:13:35 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Emissions Are Way Down. No, That's Not All Good News for the Environment
  (Mother Jones)

Chaos in the oil sector could actually intensify climate change.

As the coronavirus cripples world economies, greenhouse gas emissions are
plummeting: This year, they could drop by as much as 5.5 percent -- the
largest decrease ever recorded. On Monday, the price of oil went negative,
meaning storing oil now costs more than the oil itself. Since we're burning
less gas and fuel, air pollution has dropped 30 percent in northeastern
cities, and Los Angeles's notorious smoggy skyline has cleared.

  [Editor's Note: The coronavirus likes to piggyback on smog (see the next
  item from NIH).  Nevertheless, at the moment, Los Angeles is far behind
  the San Francisco Bay Area in coping with COVID-19 -- although for
  unrelated reasons.  PGN]

You might be thinking all this is great news for the environment. It's a
nice idea -- but the real story is more complicated.  ``You don't want
companies collapsing like this,'' says Andrew Logan, oil and gas director of
Ceres, a think tank focused on sustainable investment.  ``Even the most
ardent climate advocate shouldn't wish for a chaotic transition in this
sector.  A chaotic transition brings all sort of pain to workers and also
the environment.''

https://www.motherjones.com/environment/2020/04/oil-prices-are-below-zero-no-thats-not-all-good-news-for-the-environment/

------------------------------

Date: Sun, 26 Apr 2020 08:47:20 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Coronavirus detected on particles of air pollution

Scientists examine whether this route enables infections at longer distances

EXCERPT:

Coronavirus has been detected on particles of air pollution by scientists
investigating whether this could enable it to be carried over longer
distances and increase the number of people infected.

The work is preliminary and it is not yet known if the virus remains viable
on pollution particles and in sufficient quantity to cause disease.

The Italian scientists used standard techniques to collect outdoor air
pollution samples at one urban and one industrial site in Bergamo province
and identified a gene highly specific to Covid-19 in multiple samples. The
detection was confirmed by blind testing at an independent laboratory.

Leonardo Setti at the University of Bologna in Italy, who led the work
<https://www.medrxiv.org/content/10.1101/2020.04.15.20065995v1>, said it was
important to investigate if the virus could be carried more widely by air
pollution.

``I am a scientist and I am worried when I don't know,'' he said. ``If we
know, we can find a solution. But if we don't know, we can only suffer the
consequences.''

Two other research groups have suggested particles could help coronavirus
travel further in the air, piggybacking on air pollution.
<https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151372/>
<https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7156797/#CR6>

A statistical analysis by Setti's team suggests higher levels of particle
pollution could explain higher rates of infection in parts of northern Italy
before a lockdown was imposed, an idea supported by another preliminary
analysis.  The region is one of the most polluted in Europe. [...]

<https://www.medrxiv.org/content/10.1101/2020.04.11.20061713v1>
<https://www.medrxiv.org/content/10.1101/2020.04.06.20055657v1>
<https://www.theguardian.com/environment/2020/apr/24/coronavirus-detected-particles-air-pollution>

------------------------------

Date: Mon, 27 Apr 2020 12:56:19 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "Recommendation: Do Not Install or Use Centralized Server
  Coronavirus COVID-19 Contact Tracing Apps"

Lauren's Blog:
https://lauren.vortex.com/2020/04/27/recommendation-do-not-install-or-use-centralized-server-coronavirus-covid-19-contact-tracing-apps

------------------------------

Date: Sun, 26 Apr 2020 08:48:14 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: 'No evidence' that recovering from Covid-19 gives people immunity,
  WHO says (

*The World Health Organization warned on Saturday that recovering from
coronavirus may not protect people from reinfection as the death toll from
the pandemic approached 200,000 around the globe.*

EXCERPT:

Governments across the world are struggling to limit the economic
devastation unleashed by the virus, which has infected nearly 2.8 million
people and left half of humanity under some form of lockdown.

The United Nations has joined world leaders in a push to speed up
development of a vaccine, but effective treatments for COVID-19 [...]  are
still far off.
<https://www.france24.com/en/tag/united-nations/>
<https://www.france24.com/en/tag/coronavirus/>

But with signs the disease is peaking in the US and Europe, governments are
starting to ease restrictions, weighing the need for economic recovery
against cautions that lifting them too soon risks a second wave of
infections.

The WHO <https://www.france24.com/en/tag/who/> warned on Saturday that
there is still no evidence that people who test positive for the new
coronavirus and recover are immunised and protected against reinfection.

Read more: 'Grave concerns' about Covid-19 immunity passports
<https://www.france24.com/en/20200416-grave-concerns-about-covid-19-immunity-passports>

The warning came as some governments study measures such as "immunity
passports" or documents for those who have recovered as one way to get
people back to work after weeks of economic shutdown.

"There is currently no evidence that people who have recovered from
#COVID19 and have antibodies are protected from a second infection," WHO
said in a statement.  [...]
https://www.france24.com/en/20200425-no-evidence-that-recovering-from-covid-19-gives-people-immunity-who-says

------------------------------

Date: April 27, 2020 2:13:50 JST
From: Rich Kulawiec <rsk () gsp org>
Subject: Re: Coronavirus Antibody Tests: Can You Trust the Results
  (RISKS-31.73)

  [via Dave Farber]

About all those tests:

``There are three major problems with testing right now. One, we do not have
the reagents. Our government is not working with private sector companies,
as all the other governments of the world are now seeking testing to
understand how to best ramp up these reagents that we do need. Number two is
we have the wild, wild west for testing right now. The FDA has all but given
up its oversight responsibility for the tests we have on the market. Many of
them are nothing short of a disaster. And we got into that place because of
the fact -- once CDC had a problem, the FDA just opened the gate. And we
have a lot of bad tests on the market right now. The third thing is these
tests just do not perform well in low prevalent populations. Meaning that
right now, if you were to test for antibody in most places in the United
States, over half of the tests would be false positives. So what we need is
a major, new initiative on testing that gets away from every day just saying
how many people got tested. We're missing the mark in a big way right now.''

Dr. Michael Osterholm, the director of the Center for Infectious Disease
Research and Policy at the University of Minnesota, 4/26/2020 on "Meet the
Press"

------------------------------

From: Henry Baker <hbaker1 () pipeline com>
Date: Mon, 27 Apr 2020 13:02:44 -0700
Subject: Re: Spam filter censoring COVID content (Levine, RISKS-31.73)

Hopefully, even bad encryption can defeat bad spam filtering.

Yes, you are correct, the spam filter almost certainly looked at the entire
message, which contained links, etc.

I didn't mention it, but it is true that the spam filter of this particular
domain operates *before* looking at the "From:" whitelist, hence my sister
can't receive this email by simply whitelisting me.

I wasn't kidding when I said *censorship* is in operation here: a number of
email providers have unilaterally taken upon themselves the task of
"protecting" their snowflakes from "bad" advice re certain pandemic viruses
(I can't use the correct term else this email itself might get censored).

This problem is another variation on the "Scunthorpe problem" (Google it)
[or dig up RISKS-18.07,08.  PGN], wherein emails were censored for nasty
words using simple character string searches which made certain perfectly
good non-nasty words unusable.
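
The two filter behaviours described in the post above (plain substring matching, and content filtering that runs before the sender allowlist), as an added example that is not part of the original message. The blocked term, the addresses and all function names are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values for illustration; not taken from any real filter.
BLOCKED_TERMS = {"cialis"}
ALLOWED_SENDERS = {"brother@example.org"}


def substring_hits(text):
    """Naive matcher: a blocked string anywhere in the text counts."""
    low = text.lower()
    return sorted(t for t in BLOCKED_TERMS if t in low)


def token_hits(text):
    """Token matcher: only whole words equal to a blocked term count."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return sorted(words & BLOCKED_TERMS)


def classify(msg, matcher, allowlist_first):
    """Return 'inbox' or 'quarantine' for one message.

    allowlist_first=False models the ordering in the post: content is
    scored before the sender allowlist is consulted, so allowlisting the
    sender cannot rescue a false positive.
    """
    sender = parseaddr(str(msg["From"]))[1].lower()
    text = f"{msg['Subject']}\n{msg.get_content()}"
    # An allowlist keyed on From: is only trustworthy once the sender has
    # been authenticated (SPF/DKIM/DMARC); that check is assumed done here.
    if allowlist_first and sender in ALLOWED_SENDERS:
        return "inbox"
    return "quarantine" if matcher(text) else "inbox"


def sample_message():
    """Constructed benign message that trips the substring matcher."""
    msg = EmailMessage()
    msg["From"] = "Brother <brother@example.org>"
    msg["To"] = "sister@example.net"
    msg["Subject"] = "What the specialist said"
    msg.set_content("Our family doctor referred us to a specialist.\n")
    return msg


if __name__ == "__main__":
    m = sample_message()
    for matcher in (substring_hits, token_hits):
        for first in (False, True):
            print(matcher.__name__, first, classify(m, matcher, first))
```

Whole-word matching removes this class of false positive but not all of them, so the allowlist ordering still matters for mail that is flagged for other reasons.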

------------------------------

Date: Mon, 27 Apr 2020 09:27:19 +1000
From: Paul Edwards <paule () cathicolla com>
Subject: Re: e-postage, Internet Usage update (Levine, RISKS-31.73)

Thanks John; that's a well-written white paper and lays out the arguments
well. I agree with your conclusion that e-postage won't work across the
board.  If this example was interpreted as advocating for e-postage more
broadly then that wasn't my intent!

For this particular company, the problem they were trying to solve was email
overload of their staff. They worked out what they *could* control: the
number of internal emails sent (especially given that a significant
proportion of addresses included on emails sent were purely for
arse-covering purposes).

I think the key differentiators between this specific example and that of
broader e-postage are: the problem statement was well-defined and
understood; the scope of the exercise was similarly well-defined and limited
solely to the one company (admittedly with 100K+ employees and contractors);
implementation was simple and capable of being rolled back quickly; and the
charging was all internal. I guess the key outcome is that they were happy
with the behavioural changes they got from the exercise.

  [TNX.  We all seem to agree here, so I think this thread may now e-vanesce
  or e-strange itself.*

    (* NOTE: Long-time RISKS readers may remember my treatise on
       hyphenation, which appeared on April Fool's Day in 1996, in
       RISKS-17.95, and very slightly updated:
       http://www.csl.sri.com/neumann/hyphen.html)  PGN]

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.74
************************

