RISKS Forum mailing list archives

Risks Digest 31.79


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 4 May 2020 16:16:47 PDT

RISKS-LIST: Risks-Forum Digest  Monday 4 May 2020  Volume 31 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.79>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Tesla Data Leak- Old Components With Personal Info Find Their Way
  (geoff goodfellow)
Apple, Google announce new privacy protection rules for contact tracing apps
  (Steven Overly)
macOS Image Capture Bug More Pervasive Than Originally Thought (MacRumors)
Life Inside the Extinction (Scientific American)
A Prophet of Scientific Rigor -- and a Covid Contrarian (WiReD)
Quote of The Day (John Adams)
Why the Coronavirus Is So Confusing (The Atlantic)
What the Coronavirus Crisis Reveals About American Medicine (The New Yorker)
Re: Online voting is too vulnerable (Dick Mills)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 3 May 2020 15:53:07 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Tesla Data Leak- Old Components With Personal Info Find Their Way
  on eBay

Evidence emerges Tesla doesn't erase personal data from replaced
components and they're winding up for sale online

EXCERPT:

Tesla's retrofitting service for media control units (MCU) and Autopilot
hardware <https://insideevs.com/tag/tesla-mcu-emmc-issue/>
<https://insideevs.com/tag/tesla-hw-2.5-or-hw-3.0/> may not go far enough in
protecting owners' personal data. That's according to white hat hacker
GreenTheOnly <https://twitter.com/greentheonly>. He obtained four units of
these Tesla <https://insideevs.com/tesla/> computers off eBay and found the
previous owners' personal data still on them. More worrying, though, was
Tesla's response, or lack thereof, when Green confronted the company with
the data.

According to Green, he informed Tesla of his findings before coming to
*InsideEVs*. The Palo Alto, California-based company refused to notify all
of its customers that might be affected in a timely manner, although a week
before this article was published Tesla did say it would notify one of the
affected customers. As of publication, it still hasn't.

Speaking to *InsideEVs*, Green said each of the modules he bought had
owner's home and work location, all saved wi-fi passwords, calendar entries
from the phone, call lists and address books from paired phones, Netflix and
other stored session cookies.  Netflix session cookies allow hackers to take
control of these accounts.

Thus, if you own a Tesla and have had your car retrofitted with new computer
hardware, your personal information may be for sale right now on eBay or
elsewhere. [...]

https://insideevs.com/news/419525/tesla-data-leak-personal-info-ebay/

------------------------------

Date: Mon, 4 May 2020 15:11:29 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Apple, Google announce new privacy protection rules for contact
  tracing apps (Steven Overly)

Steven Overly, Politico, 4 May 2020

Apple and Google will prohibit state public health agencies that use their
coronavirus contact tracing technology from monitoring the exact location of
smartphone users or using their information for other purposes, such as
targeted advertising.

The Silicon Valley giants outlined their rules for public health officials
today as they prepare to release technology later this month that would
allow authorities to trace interactions between coronavirus patients and the
public using the Bluetooth technology built into smartphones.

Apple and Google plan to only support one contact tracing app per country in
an effort to drive people to a single app, which health experts say is
crucial for the technology to be effective. In countries like the U.S. that
have pursued a state-level approach, the companies will work with
governments to support multiple apps, representatives said.

As they have previously pledged, Apple and Google will also require users to
consent to having the app track their contacts. They must also give it
approval to notify their recent contacts if they test positive for the
coronavirus, and the app will not disclose their name or other personal
information.

The company-imposed restrictions come as Senate Commerce Republicans look to
establish rules of their own, putting forth a coronavirus-specific privacy
bill that would require user consent to collect data and require personal
information be deleted or anonymized once the pandemic ebbs.

------------------------------

Date: Sun, 3 May 2020 11:38:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: macOS Image Capture Bug More Pervasive Than Originally Thought
  (MacRumors)

Earlier this week we reported on a bug in Apple's macOS Image Capture app
that adds empty data to photos when imported from iOS devices, potentially
eating up gigabytes of disk storage needlessly. Today, we're hearing that
the bug in macOS 10.14.6 and later is a lot more extensive than was
initially believed.

https://www.macrumors.com/2020/05/01/macos-jpg-truncation-bug-widespread/
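An added check for the item above (example code, not from the MacRumors report or from Apple): it assumes the "empty data" is appended after the JPEG End-Of-Image marker, which the page does not confirm, and reports how many bytes a file wastes that way so an operator can size the problem on a photo library before deciding what to do.

```python
"""Detect JPEG files that carry trailing padding after the End-Of-Image marker.

Added example for the macOS Image Capture item. It ASSUMES the "empty data"
the report describes is appended after the JPEG EOI marker (FF D9); the page
does not confirm that. Files are only read, never modified.
"""
import os
from typing import Dict, Optional

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image


def trailing_bytes(data: bytes) -> Optional[Dict[str, int]]:
    """Return padding statistics for one JPEG byte string.

    None means the data is not a JPEG (no SOI) or has no EOI marker at all.
    Otherwise the dict reports the bytes after the last EOI and how many of
    them are zero, so a caller can tell "empty data" from a real trailer
    (an appended second image, for instance, would not be all zeros).
    """
    if not data.startswith(SOI):
        return None
    end = data.rfind(EOI)
    if end == -1:
        return None
    trailer = data[end + len(EOI):]
    return {
        "image_bytes": end + len(EOI),
        "trailing_bytes": len(trailer),
        "zero_bytes": trailer.count(0),
    }


def is_padded(data: bytes, min_trailer: int = 1024) -> bool:
    """True when a sizeable, all-zero block follows the EOI marker."""
    stats = trailing_bytes(data)
    if stats is None:
        return False
    return (stats["trailing_bytes"] >= min_trailer
            and stats["zero_bytes"] == stats["trailing_bytes"])


def scan_directory(path: str, min_trailer: int = 1024) -> Dict[str, int]:
    """Map each padded .jpg/.jpeg under path to its wasted byte count."""
    wasted = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith((".jpg", ".jpeg")):
                continue
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if is_padded(data, min_trailer):
                wasted[full] = trailing_bytes(data)["trailing_bytes"]
    return wasted


# Constructed sample: a minimal (not decodable) JPEG skeleton, once clean and
# once with 4 KiB of zero padding appended, as the bug is described.
CLEAN_JPEG = SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + EOI
PADDED_JPEG = CLEAN_JPEG + b"\x00" * 4096

if __name__ == "__main__":
    print("clean padded? ", is_padded(CLEAN_JPEG))                          # False
    print("padded wasted:", trailing_bytes(PADDED_JPEG)["trailing_bytes"])  # 4096
```

Run `scan_directory("/path/to/Pictures")` against a real import folder to get a per-file tally; the 1024-byte threshold is a constructed default, not a value from the report.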

------------------------------

Date: Mon, 4 May 2020 12:11:51 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Life Inside the Extinction (Scientific American)

https://blogs.scientificamerican.com/life-unbounded/life-inside-the-extinction/

"No other species, to our knowledge, has ever had the capacity to decode the
history of life and see the evidence of past extinctions. Nor has any other
species had the capacity to recognize that it may be living within a major
extinction event. That is a big deal. There is no rule book that says what
happens if, in the middle of global extinction, a species emerges that tries
to do something about it. In other words, there is no reason to imagine that
it can't be changed, or at very least diminished. In that sense we are
extraordinarily lucky."

In 1946, Bertrand Russell wrote, "The question is how to persuade humanity to
consent in its own survival." (see
https://quoteinvestigator.com/2018/12/15/survival/).

Caleb Scharf's Earth Day essay reaffirms the question Russell raised after
atomic-bomb deployment. Given there's only one Earth ecosystem, mitigation
plans require geo-political alignment to succeed.

Existential risk relevance grows without effective mitigation plan
implementation.

------------------------------

Date: Sun, 3 May 2020 12:41:49 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A Prophet of Scientific Rigor -- and a Covid Contrarian (WiReD)

If anyone should understand how the pressure to contribute to the science of
the crisis might lead to flawed work and exaggerated claims, it ought to be
Ioannidis, arguably the world's most famous epidemiologist. Who knows?
Perhaps like so many of us, he's just stressed out by the whole damned
thing. Maybe he's just off his game.

On the other hand, Ioannidis's track record is such that it may not be wise
to dismiss his claims too quickly. There really aren't any solid studies out
there that can help settle the question of Covid-19 fatality rates, and what
data we do have remains all over the place. Yes, Ioannidis's results look to
be an outlier -- but they may be an outlier in the right direction,
suggesting a need to revise the infection fatality rate downwards, even if
not all the way to 0.1 percent. [...]

If Ioannidis's claims even slightly alter the conversation toward a more
balanced, thoughtful view of what we really gain, and what we might lose,
from the lockdown, then maybe it's mission accomplished. If he's even partly
right that we're too biased toward staying at home, and the disease isn't as
deadly as we thought, the resulting shift could ultimately save tens of
thousands of lives. [...]

The prevailing take now is that Ioannidis has fallen prey to the very sorts
of biases and distortions that he became revered for exposing in others. If
that's what happened, it will be a twist that Ioannidis himself had
prophesied to me 10 years ago in Greece. “If I did a study and the results
showed that in fact there wasn't really much bias in research, would I be
willing to publish it?” he said then. “That would create a real
psychological conflict for me.” Ioannidis was acknowledging that he's
invested in showing that other scientists tend to get it wrong, and that he
might end up being skeptical of data suggesting they are, in fact, getting
it right.

Now Ioannidis' claims about Covid-19 may be pulled by the gravity of his
commitment to being the one who sees where everyone else went wrong.
There's a meta-meta-science lesson in there, too, and one we've sometimes
seen before.  Bias is so powerful a force in scientific research that even a
grandmaster of research into bias can eventually trip over it.
<https://slate.com/technology/2016/12/kahneman-and-tversky-researched-the-science-of-error-and-still-made-errors.html>
https://www.wired.com/story/prophet-of-scientific-rigor-and-a-covid-contrarian/

  Also, a related item:

Extremists on both sides: stay home forever, open everything NOW.
The Covid-19 Riddle: Why Does the Virus Wallop Some Places and Spare Others?

Experts are trying to figure out why the coronavirus is so capricious.  The
answers could determine how to best protect ourselves and how long we have
to.

------------------------------

Date: Sat, 2 May 2020 18:33:52 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Quote of The Day (John Adams)

"The dignity and stability of government in all its branches, the morals
of the people, and every blessing of society depend so much upon an upright
and skillful administration of justice"

https://www.foundingfatherquotes.com/quote/98

------------------------------

Date: Sun, 3 May 2020 15:51:20 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Why the Coronavirus Is So Confusing (The Atlantic)

*A guide to making sense of a problem that is now too big for any one person
to fully comprehend*

On 27 Mar, as the U.S. topped 100,000 confirmed cases of COVID-19, Donald
Trump stood at the lectern of the White House press-briefing room and was
asked what he'd say about the pandemic to a child. Amid a meandering answer,
Trump remarked
<https://www.whitehouse.gov/briefings-statements/remarks-president-trump-vice-president-pence-members-coronavirus-task-force-press-briefing-13/>,
``You can call it a germ, you can call it a flu, you can call it a virus.
You know, you can call it many different names. I'm not sure anybody even
knows what it is.''

That was neither the most consequential statement from the White House, nor
the most egregious. But it was perhaps the most ironic. In a pandemic
characterized by extreme uncertainty, one of the few things experts know for
sure is the identity of the pathogen responsible: a virus called SARS-CoV-2
that is closely related to the original SARS virus. Both are members of the
coronavirus family, which is entirely distinct from the family that includes
influenza viruses. Scientists know the shape of proteins on the new
coronavirus's surface down to the position of individual atoms. Give me two
hours, and I can do a dramatic reading of its entire genome.

But much else about the pandemic is still maddeningly unclear. Why do some
people get really sick
<https://www.theatlantic.com/health/archive/2020/04/coronavirus-immune-response/610228/>,
but others do not? Are the models
<https://www.theatlantic.com/technology/archive/2020/04/coronavirus-models-arent-supposed-be-right/609271/>
too
optimistic or too pessimistic? Exactly how transmissible
<https://www.theatlantic.com/science/archive/2020/01/how-fast-and-far-will-new-coronavirus-spread/605632/>
and
deadly is the virus? How many people have actually been infected
<https://www.theatlantic.com/health/archive/2020/03/coronavirus-testing-numbers/607714/>?
How long must social restrictions go on for
<https://www.theatlantic.com/health/archive/2020/03/how-will-coronavirus-end/608719/>?
Why are so many questions
<https://www.nytimes.com/2020/04/13/opinion/coronavirus-what-we-know.html>
still
unanswered?

The confusion partly arises from the pandemic's scale and pace. Worldwide,
at least 3.1 million people have been infected in less than four months.
Economies have nose-dived. Societies have paused. In most people's living
memory, no crisis has caused so much upheaval so broadly and so quickly.
``We've never faced a pandemic like this before, so we don't know what is
likely to happen or what would have happened,'' says Zoë McLaren, a
health-policy professor at the University of Maryland at Baltimore County.
``That makes it even more difficult in terms of the uncertainty.''

But beyond its vast scope and sui generis nature, there are other reasons
the pandemic continues to be so befuddling -- a slew of forces scientific
and societal, epidemiological and epistemological. What follows is an
analysis of those forces, and a guide to making sense of a problem that is
now too big for any one person to fully comprehend.

*I. The Virus*.  [...]

https://www.theatlantic.com/health/archive/2020/04/pandemic-confusing-uncertainty/610819/

------------------------------

Date: Sun, 3 May 2020 15:50:30 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: What the Coronavirus Crisis Reveals About American Medicine
  (The New Yorker)

Medicine is a system for delivering care and support; it's also a system of
information, quality control, and lab science. All need fixing.

At 4:18 a.m. on February 1, 1997, a fire broke out in the Aisin Seiki
company's Factory No. 1, in Kariya, a hundred and sixty miles southwest of
Tokyo. Soon, flames had engulfed the plant and incinerated the production
line that made a part called a P-valve -- a device used in vehicles to
modulate brake pressure and prevent skidding. The valve was small and cheap
-- about the size of a fist, and roughly ten dollars apiece -- but
indispensable. The Aisin factory normally produced almost thirty-three
thousand valves a day, and was, at the time, the exclusive supplier of the
part for the Toyota Motor Corporation.

Within hours, the magnitude of the loss was evident to Toyota. The company
had adopted *just in time* (J.I.T.) production: parts, such as P-valves,
were produced according to immediate needs -- to precisely match the number
of vehicles ready for assembly -- rather than sitting around in
stockpiles. But the fire had now put the whole enterprise at risk: with no
inventory in the warehouse, there were only enough valves to last a single
day. The production of all Toyota vehicles was about to grind to a
halt. ``Such is the fragility of JIT: a surprise event can paralyze entire
networks and even industries,'' the management scholars Toshihiro Nishiguchi
and Alexandre Beaudet observed the following year, in a case study of the
episode.

Toyota's response was extraordinary: by six-thirty that morning,
while the factory was still smoldering, executives huddled to organize the
production of P-valves at other factories. It was a *war room*, one official
recalled.  The next day, a Sunday, small and large factories, some with no
direct connection to Toyota, or even to the automotive industry, received
detailed instructions for manufacturing the P-valves. By February 4th, three
days after the fire, many of these factories had repurposed their machines
to make the valves. Brother Industries, a Japanese company best known for
its sewing machines and typewriters, adapted a computerized milling device
that made typewriter parts to start making P-valves. The ad-hoc work-around
was inefficient -- it took fifteen minutes to complete each valve, its
general manager admitted -- but the country's largest company was in
trouble, and so the crisis had become a test of national solidarity. All in
all, Toyota lost some seventy thousand vehicles -- an astonishingly small
number, given the millions of orders it fulfilled that year. By the end of
the week, it had increased shifts and lengthened hours. Within the month,
the company had rebounded.

Every enterprise learns its strengths and weaknesses from an Aisin-fire
moment -- from a disaster that spirals out of control. What those of us in
the medical profession have learned from the covid-19 crisis
<https://www.newyorker.com/tag/coronavirus> has been dismaying, and on
several fronts. Medicine isn't a doctor with a black bag, after all; it's a
complex web of systems and processes. It is a health-care delivery system --
providing antibiotics to a child with strep throat or a new kidney to a
patient with renal failure. It is a research program, guiding discoveries
from the lab bench to the bedside. It is a set of protocols for quality
control -- from clinical-practice guidelines to drug and device
approvals. And it is a forum for exchanging information, allowing for
continuous improvement in patient care. In each arena, the pandemic has
revealed some strengths -- including frank heroism and ingenuity -- but it
has also exposed hidden fractures, silent aneurysms, points of fragility.
Systems that we thought were homeostatic -- self-regulating,
self-correcting, like a human body in good health -- turned out to be
exquisitely sensitive to turbulence, like the body during critical
illness. Everyone now asks: When will things get back to normal?  But, as a
physician and researcher, I fear that the resumption of normality would
signal a failure to learn. We need to think not about resumption but about
revision. [...]
https://www.newyorker.com/magazine/2020/05/04/what-the-coronavirus-crisis-reveals-about-american-medicine

------------------------------

Date: Sat, 2 May 2020 20:49:11 -0400
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: Online voting is too vulnerable (RISKS-31.76-77)

Here's a scary thought offered 50% tongue in cheek.  The U.S. Constitution
requires that we have electors, not elections.  In fact, initially, state
legislatures chose the electors in many of the states. As far as the federal
constitution is concerned, we could skip the 2020 election and still elect a
President.

Given all the anxiety about conducting elections, the no election option
sounds a bit less scary in comparison.  There is no guarantee that the
outcome of who gets elected would be different if we had no election.

Then we would have another 4 years to get our house in order before holding
another Presidential election.  We would also have a powerful motivation for
everyone to rethink the whole process seriously.  We could even amend The
Constitution.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.79
************************
