RISKS Forum mailing list archives
Risks Digest 31.95
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 5 Jun 2020 13:06:28 PDT
RISKS-LIST: Risks-Forum Digest  Friday 5 June 2020  Volume 31 : Issue 95

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.95>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Lawsuit over online book lending could bankrupt Internet Archive (Ars Technica)
MIT Researchers: If Chips Can't Get Smaller, Programmers Must Get Smarter
  (Srividya Kalyanaraman)
Programming Languages: Rust Enters Top 20 Popularity Rankings for the First Time
  (Liam Tung)
Pressure on ZOOM Mounts to Provide End-to-End Encryption (Politico)
What does cyber-arms control look like? (Andrew Futter)
Handcrafted phish emails (Dan Jacobson)
Re: Misinformation About George Floyd Protests Surges on Social Media
  (Amos Shapir)
Re: Australian Federal Government's automated debt recovery 'Robodebt' was
  illegal (Rodney Parkin)
Re: REvil Ransomware Gang Starts Auctioning Victim Data (Paul Edwards)
Surgisphere: governments and WHO changed Covid-19 policy based on suspect data
  from tiny US company (The Guardian)
UK Failed to Conduct Data COVID Track/Trace Data Protection Impact (Politico)
Re: Just Stop the Superspreading (Peter Ladkin, Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: June 5, 2020 at 14:18:40 GMT+9
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Lawsuit over online book lending could bankrupt Internet Archive
  (Ars Technica)

Publishers call online library *willful digital piracy on an industrial scale*.
Timothy B. Lee, Ars Technica, 1 Jun 2020
<https://arstechnica.com/tech-policy/2020/06/publishers-sue-internet-archive-over-massive-digital-lending-program/>

Four of the nation's leading book publishers have sued the Internet Archive, the online library best known for maintaining the Internet Wayback Machine. The Internet Archive makes scanned copies of books -- both public domain and under copyright -- available to the public on a site called the Open Library.

"Despite the Open Library moniker, IA's actions grossly exceed legitimate library services, do violence to the Copyright Act, and constitute willful digital piracy on an industrial scale," write publishers Hachette, HarperCollins, Wiley, and Penguin Random House in their complaint. The lawsuit was filed in New York federal court on Monday.

For almost a decade, the Open Library has offered users the ability to "borrow" scans of in-copyright books via the Internet. Until recently, the service was based on a concept called "controlled digital lending" that mimicked the constraints of a conventional library. The library would only "lend" as many digital copies of a book as it had physical copies in its warehouse. If all copies of a book were "checked out" by other patrons, you'd have to join a waiting list.

In March, as the coronavirus pandemic was gaining steam, the Internet Archive announced it was dispensing with this waiting-list system. Under a program it called the National Emergency Library, IA began allowing an unlimited number of people to check out the same book at the same time -- even if IA only owned one physical copy.

Before this change, publishers largely looked the other way as IA and a few other libraries experimented with the digital lending concept. Some publishers' groups condemned the practice, but no one filed a lawsuit over it. Perhaps the publishers feared setting an adverse precedent if the courts ruled that CDL was legal. But the IA's emergency lending program was harder for publishers to ignore. So this week, as a number of states have been lifting quarantine restrictions, the publishers sued the Internet Archive.

In an email to Ars Technica, IA founder Brewster Kahle described the lawsuit as "disappointing." "As a library, the Internet Archive acquires books and lends them, as libraries have always done," he wrote. "Publishers suing libraries for lending books, in this case, protected digitized versions, and while schools and libraries are closed, is not in anyone's interest."

The publishers have a pretty strong case.

The publishers' legal argument is straightforward: the Internet Archive is making and distributing copies of books without permission from copyright holders. That's generally illegal unless a defendant can show it is authorized by one of copyright law's various exceptions.

Legal experts tell Ars that the Internet Archive's best response is to argue that its program is fair use. That's a flexible legal doctrine that has been used to justify a wide range of copying over the decades -- from recording television broadcasts for personal use to quoting a few sentences of a book in a review. Most relevant for our purposes, the courts have held that it is a fair use to scan books for limited purposes such as building a book search engine.

When considering a fair use claim, courts consider several factors, including the impact of the use on the market for the original work. A book search engine, for example, is not a substitute for reading books but, rather, helps readers find new books they might want to buy. This is one of the reasons the courts found that book scanning for a search engine was legal under fair use.

But it's harder to come up with compelling arguments that the Internet Archive's open-ended lending program is fair use. James Grimmelmann, a copyright scholar at Cornell University, told Ars that he is withholding judgment until he sees the Internet Archive's response. However, he said, "it seems like the publishers have a pretty strong case."

"I think there are arguments for fair use, but they're not terribly strong arguments," he said in a Monday phone interview.

A pandemic exception?

The Internet Archive would have had a stronger argument if it had continued to limit the number of copies that could be lent out. In that scenario, IA could argue that the program's impact on the market was little different from a conventional library. Obviously, a patron who checks out a book from a library is less likely to purchase a copy, undermining the market for the book. On the other hand, libraries themselves buy many books -- and the more popular a book is, the more copies libraries must buy. So the overall impact of libraries on demand for books is not clear.

But once the IA stopped buying a copy of a book for every copy it lent out, this argument became a lot weaker. An institution like IA can buy a single copy of a book and then "lend" it to dozens, hundreds, or thousands of people at the same time. There's little doubt that this has a negative impact on the market for new books.

Instead, the Internet Archive will likely need to make a more novel argument -- that the unique circumstances of a pandemic justify allowing types of infringement that would be clearly illegal at other times. Grimmelmann wasn't able to identify any other cases where courts have made that kind of leap.

------------------------------

Date: Fri, 5 Jun 2020 12:14:15 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: MIT Researchers: If Chips Can't Get Smaller, Programmers Must Get
  Smarter (Srividya Kalyanaraman)

Srividya Kalyanaraman, American Inno, 4 Jun 2020, via ACM TechNews, 5 Jun 2020

Researchers at the Massachusetts Institute of Technology (MIT) suggest the approaching limits of chip miniaturization require future increases in computing power to come from software, algorithms, and specialized hardware.
MIT's Neil Thompson said shrinking processors has been the standard approach to growing computer performance for decades, "but the nature of computer processing is changing." Performance extension has long relied on generic hardware and specialized software, but Thompson suggested it may prove more economical to design hardware for executing particular tasks, even if speed and other factors must be compromised. He added that such an approach initially will be applicable to specific areas like supercomputing and quantum computing.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25778x222bb6x066701&

------------------------------

Date: Fri, 5 Jun 2020 12:14:15 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Programming Languages: Rust Enters Top 20 Popularity Rankings for the
  First Time (Liam Tung)

Liam Tung, ZDNet, 2 Jun 2020, via ACM TechNews, 5 Jun 2020

The Rust programming language has cracked the top 20 rankings of the Tiobe popularity index for the first time, amid growing interest in using it for systems programming to build major platforms. Microsoft is considering Rust for Windows and Azure, aiming to eliminate memory bugs in code authored in C and C++; Amazon Web Services is using Rust for performance-sensitive elements in Lambda, EC2, and S3. Tiobe ranked Rust in 20th place this year versus 38th last year, and although this does not mean more people are using Rust, it demonstrates that more developers are searching for information about the language. Tiobe software CEO Paul Jansen credited Rust's ascension with being a systems programming language that is "done right." He said, "All the verbose programming and sharp edges of other languages are solved by Rust while being statically strongly typed," which "prevents run-time null pointer exceptions, and memory management is calculated compile-time."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25778x222bb7x066701&

------------------------------

Date: 5-Jun-2020 15:48:13-GMT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Pressure on ZOOM Mounts to Provide End-to-End Encryption (Politico)

Zoom is facing more pressure to expand its use of end-to-end encryption to free accounts, which it has said need to be accessible to law enforcement. On Thursday, Consumer Reports called on Zoom to change course. ``Privacy is a right, not a luxury. If Zoom has the technical capacity to safeguard conversations with end-to-end encryption, it should offer the same protections for all its users,'' Justin Brookman, Consumer Reports' director of privacy and technology policy, said in a statement.

Other popular conferencing platforms like Verizon's BlueJeans, Google's Meet and Cisco's Webex offer varying levels of encryption -- features that have drawn more attention since the pandemic forced millions of Americans online for work, school, socializing and medical care.

In the weeks since Zoom announced its encryption plans,
<https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering/>
security experts and consumer advocates have urged
<https://twitter.com/Riana_Crypto/status/1268624308852543488>
the videoconferencing giant to extend the new, more robust protections to free accounts, not just paid ones. Instead, the company has stood by its plan, citing the need to monitor meetings that are used to share child sexual abuse material and engage in other illegal behavior.

``Zoom is dealing with some serious safety issues,'' said Alex Stamos, a former Facebook chief information security officer who is now advising Zoom on security.
Zoom faces ``a difficult balancing act,'' Stamos added, by ``trying to both improve the privacy guarantees it can provide while reducing the human impact of the abuse of its product.''

------------------------------

Date: Thu, 04 Jun 2020 17:19:48 +0200
From: "Diego.Latella" <diego.latella () isti cnr it>
Subject: What does cyber-arms control look like? (Andrew Futter)

Four principles for managing cyber-risk, European Leadership Network [1],
4 Jun 2020
Andrew Futter [2] - Associate Professor in International Politics at the
University of Leicester
European Leadership Network [3]

  I don't quite know whether it is especially computer science or its
  subdiscipline Artificial Intelligence that has such an enormous affection
  for euphemism. We speak so spectacularly and so readily of computer systems
  that understand, that see, decide, make judgments, and so on, without
  ourselves recognizing our own superficiality and immeasurable naivete with
  respect to these concepts. And, in the process of so speaking, we
  anesthetise our ability to evaluate the quality of our work and, what is
  more important, to identify and become conscious of its end use. [...]
  One can't escape this state without asking, again and again: "What do I
  actually do? What is the final application and use of the products of my
  work?" and ultimately, "am I content or ashamed to have contributed to this
  use?"
  -- Prof. Joseph Weizenbaum ["Not without us", ACM SIGCAS 16(2-3) 2--7,
  Aug 1986]

[1] https://www.europeanleadershipnetwork.org/policy-brief/what-does-cyber-arms-control-look-like-four-principles-for-managing-cyber-risk/?mc_cid=4afb27a93d&mc_eid=3429fd5ce8
[2] https://www.europeanleadershipnetwork.org/person/dr-andrew-futter/
[3] https://www.europeanleadershipnetwork.org/
[4] http://www.isti.cnr.it

------------------------------

Date: Fri, 05 Jun 2020 00:54:06 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Handcrafted phish emails

I received one of those evil emails:

  "Your Email Account was just signed in on a new Windows device from this
  IP 114.058.33.178."

Hey wait, wouldn't that be 114.058.033.178 or 114.58.33.178?
Sounds kinda hand crafted.

------------------------------

Date: Thu, 4 Jun 2020 11:57:36 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Misinformation About George Floyd Protests Surges on Social Media
  (RISKS-31.94)

Fight back!

In the current climate of disrespect of decency and reason, it seems that too many people take an attitude of "Who cares if global warming / vaccination / moon landing is the result of hard work by tens of thousands of people over decades -- we know better because we have read an Internet post!"

Things like the Flat Earth society have been viewed as harmless weirdness, but no more; such ideas had already spilled into the real world and are causing real damage and even loss of lives.

It's time to fight back. Fighting back does not require overt actions like Buzz Aldrin's punching the face of a moon landing denier; it's as simple as clicking "reply". I have taken to replying to any conspiracy-related post sent to me on social media and mail, specifically those forwarded by friends and colleagues.
It's rather easy to find the correct information, either from sites like *Snopes*, or more often, by just clicking the links included in the message itself -- almost always, the article's contents contradict the post's headline. I always urge posters to read the articles, not the headlines. "Don't send me such posts, I actually click the links!"... A link to a scientific article posted as "Scientists Show Global Warming is a Hoax" leads to research which definitely supports the global warming idea; and an article labeled "Soros is out to Destroy America" reveals that his greatest crime is "using his money to support candidates he favors".

I might be considered a nuisance, but this method greatly reduces the volume of nonsense on my feeds, and hopefully contributes just a bit to reduce the trend.

------------------------------

Date: Thu, 4 Jun 2020 12:15:48 +1000
From: <rodney.parkin () spitbrook net>
Subject: Re: Australian Federal Government's automated debt recovery 'Robodebt'
  was illegal (RISKS-31.94)

To add some context for non-Australian readers, the scheme made 2 fundamental errors.

Firstly, it tried to automatically match income tax returns (which are assessed on an annual basis) with social security payments (which are assessed on a fortnightly basis). It was assumed that the recipient's fortnightly income was 1/26 of their annual income. But take, for example, a low income worker with casual work from time to time. In slow 2-week periods they might be entitled to social security payments, but in better 2-week periods little or no support. By assuming their fortnightly income was 1/26 of their annual income, the conclusion was often (but incorrectly) made that their social security had been overpaid in the slow times.

Secondly, it sent letters of demand putting the onus of proof onto the recipient, where the recipient had little or no ability to provide such proof.
For example, the claims often related to payments made years before - long after the recipient would have retained any records. Further, the letters offered no detail on how the "overpayment" was determined - the recipient was given almost no information about which payments were in dispute nor how the "overpayment" amounts had been calculated. The recipients often didn't even know what data was in dispute, let alone have access to the records that would allow them to prove their position.

The government embarked on a massive bluff against members of the community least able to defend themselves. It was clear at the time that it was unreasonable, and it is no surprise that it was eventually reversed.

------------------------------

Date: Thu, 4 Jun 2020 11:01:11 +1000
From: Paul Edwards <paule () cathicolla com>
Subject: Re: REvil Ransomware Gang Starts Auctioning Victim Data (RISKS-31.94)

This is fascinating. Effectively these guys are packaging up bad debt and selling it. It just happens that the collateral against that debt is data rather than a house, car, or boat. I wonder if the auction is a fraction of the extortion demanded.

Will we have a GDC (Global Data Crisis)? What next? Data futures contracts? :)

Paul (with tongue slightly in cheek)

------------------------------

Date: Fri, 5 Jun 2020 00:33:42 -0400
From: Gabe Goldberg <ggoldberg () apcug org>
Subject: Surgisphere: governments and WHO changed Covid-19 policy based on
  suspect data from tiny US company (The Guardian)

Surgisphere, whose employees appear to include a sci-fi writer and adult content model, provided database behind Lancet and New England Journal of Medicine hydroxychloroquine studies

The World Health Organization and a number of national governments have changed their Covid-19 policies and treatments on the basis of flawed data from a little-known U.S. healthcare analytics company, also calling into question the integrity of key studies published in some of the world's most prestigious medical journals.

A Guardian investigation can reveal the U.S.-based company Surgisphere, whose handful of employees appear to include a science fiction writer and an adult-content model, has provided data for multiple studies on Covid-19 co-authored by its chief executive, but has so far failed to adequately explain its data or methodology.

Data it claims to have legitimately obtained from more than a thousand hospitals worldwide formed the basis of scientific articles that have led to changes in Covid-19 treatment policies in Latin American countries. It was also behind a decision by the WHO and research institutes around the world to halt trials of the controversial drug hydroxychloroquine. On Wednesday, the WHO announced those trials would now resume.

Two of the world's leading medical journals -- the Lancet and the New England Journal of Medicine -- published studies based on Surgisphere data. The studies were co-authored by the firm's chief executive, Sapan Desai.

Late on Tuesday, after being approached by the Guardian, the Lancet released an `expression of concern' about its published study. The New England Journal of Medicine has also issued a similar notice.

An independent audit of the provenance and validity of the data has now been commissioned by the authors not affiliated with Surgisphere because of ``concerns that have been raised about the reliability of the database.''

https://www.theguardian.com/world/2020/jun/03/covid-19-surgisphere-who-world-health-organization-hydroxychloroquine

------------------------------

Date: Fri, 5 Jun 2020 11:40:30 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: UK Failed to Conduct Data COVID Track/Trace Data Protection Impact
  Assessment (Politico)

U.K. FACING COMPLAINT OVER LACK OF DATA PROTECTION SAFEGUARDS -- Privacy advocates have filed a complaint with the U.K. data protection authority for failing to conduct a data protection impact assessment for its coronavirus track-and-trace program. ``The Government is moving too fast, and breaking things as a result,'' James Killock of the Open Rights Group said. Ravi Naik, the lawyer assisting Killock with the complaint, said that deploying the tracing program without implementing the proper safeguards is a *disaster*.

<https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/>

------------------------------

Date: Thu, 4 Jun 2020 09:52:23 +0200
From: Peter Bernard Ladkin <ladkin () causalis com>
Subject: Re: Just Stop the Superspreading (Baker, Risks 31-94)

In Risks 31-94, Henry Baker says that "The NYTimes article below attributes the bulk of COVID19 spread to "superspreaders" and "superspreading events"."

Indeed so, but better to cite the source. This info is three months old already, from the London School of Hygiene and Tropical Medicine Centre for Mathematical Modelling of Infectious Diseases (LSHTM CMMID). It has recently been confirmed in two preprints from late May.

The technical expression is that the disease has an overdispersion parameter value of about 0.1, according to the CMMID estimate. (The parameter is usually denoted as "k".) Baker drew attention in Risks 31.84 to a mathematical situation with significant overdispersion even with a low basic reproduction number. He seemed to want to turn that exercise into a critique of the concept of R0 in particular and SIR models in general, which puzzled me. As far as I know, the CMMID result was obtained with an SIR model.

The published source is Endo et al., https://wellcomeopenresearch.org/articles/5-67 .
This article was available in preprint first on March 11, 2020 at https://cmmid.github.io/topics/covid19/

The k value has been recently confirmed by an Israeli preprint about a different group of cases, Miller et al, 2020-05-22, https://www.medrxiv.org/content/10.1101/2020.05.21.20104521v1 and by a preprint from Hong Kong, Adam et al, https://www.researchsquare.com/article/rs-29548/v1 from 2020-05-21 (Baker extensively quotes an NYT opinion article from Adam and co-author Cowling).

The result, that most of the infection comes from superspreading, deriving directly from the k value of around 0.1, seems now to be generally accepted. German government advisor, virologist Christian Drosten, mentioned it in his podcast last week https://www.ndr.de/nachrichten/info/podcast4684.html (in German), and Oxford epidemiologist David Hunter in a Guardian opinion piece https://www.theguardian.com/commentisfree/2020/may/28/coronavirus-infection-rate-too-high-second-wave

Prof. Peter Bernard Ladkin, Bielefeld, Germany
Styelfy Bleibgsnd
www.rvs-bi.de

------------------------------

Date: Thu, 04 Jun 2020 08:53:22 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Just Stop the Superspreading (Ladkin, RISKS-31.95)

Once again, Peter Ladkin is misinterpreting my criticism of "R0"-based models.

The problem is a fundamental *logical* problem: if one uses an English term "*THE* R0", it presumes that there is such a more-or-less well-defined "number" which is named "R0". But as I have argued, and continue to argue, there is *NO* such individual "number" in the case of superspreaders, since the *variance* associated with this "number" is so large.

Perhaps the best analogy comes from quantum physics.
Classical physics presumed the independent existence of "position" and "momentum" of a particle, but quantum physics showed that any such notions quickly lead to contradictions with actual experiments, so any attempt to utilize terms like "THE position" or "THE momentum" demonstrates conclusively the lack of understanding by the speaker of the true nature of the situation in our actual quantum world. For example, the phrase "THE position" of an electron surrounding the proton in a hydrogen atom demonstrates conclusively the ignorance of the speaker of the concepts of quantum mechanics. Ditto with "THE orbit", "THE momentum", etc.

Similarly, any use of the phrase "THE reproduction number" demonstrates conclusively the ignorance of the speaker of the concept of "superspreaders".

For fifty years after Heisenberg, logicians, reporters and popular science writers destroyed entire forests trying to describe quantum physics using *classical* physical terminology; they failed miserably and only produced more confusion. Even Einstein himself -- whose paper on the *quantum* nature of the photoelectric effect won him his Nobel Prize -- was never able to become comfortable with the 'spooky action at a distance' nature of quantum mechanics. Einstein couldn't force the reality of quantum mechanics onto the Procrustean bed of existing naive concepts and words.

Similarly the COVID19 pandemic is causing the destruction of entire virtual forests by talking fat(uous) heads, reporters and popular science writers trying to explain what "THE" reproduction number is, when the demonstrated existence of superspreaders -- e.g., the Boston hotel event, a NY bat mitzvah, or a choir practice -- proves that there is NO single reproduction number which can provide any intuition for clear thinking about what is going on with this pandemic.

If the confusion were restricted to non-scientists, such logical errors might be excused.
Unfortunately, some "scientists" were successful at convincing many politicians to panic due to fatally flawed "models" whose outputs had confidence intervals that wouldn't fit into their conference room, much less onto their slides (apologies to XKCD: https://m.xkcd.com/2311/).

U.S. President Lincoln was well aware of how improper usage of words can lead to logical errors. When Lincoln was asked "how many legs does a dog have if you call his tail a leg?", Lincoln quickly replied, "Four; saying that a tail is a leg doesn't make it a leg."

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.95
************************
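The "Handcrafted phish emails" item above turns on one detail: the IP literal 114.058.33.178 zero-pads one octet and not the others. That inconsistency is more than cosmetic. Parsers in the BSD inet_aton tradition (glibc included) read an octet with a leading 0 as octal, so "010" is 8 and "058" is not a number at all, which means the string in the phish does not even resolve to a single address. The checker below is an added example, not code from the RISKS item or its author: it finds dotted quads in message text, reports whether each is canonical decimal, what a lenient octal-aware parser would make of it, and the padding anomalies a phish triage rule could key on. The sample message is constructed from the quoted phish; the function names are this example's own.

```python
"""Flag non-canonical IPv4 literals (leading zeros, mixed padding) in message text.

Added example, not part of the RISKS digest. SAMPLE_PHISH is constructed from
the phish quoted in the "Handcrafted phish emails" item.
"""
import re

# Constructed sample, echoing the quoted phish text.
SAMPLE_PHISH = ("Your Email Account was just signed in on a new Windows "
                "device from this IP 114.058.33.178.")

# Four dot-separated runs of 1-3 digits, not glued to a longer dotted number.
DOTTED_QUAD = re.compile(
    r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\.?\d)")


def legacy_octet_value(octet):
    """Value a BSD/glibc inet_aton-style parser assigns to one octet.

    Those parsers treat a leading 0 as octal: '010' is 8, and '058' is not
    a number at all (8 is not an octal digit), so inet_aton rejects it.
    Returns None when the octet does not parse under those rules.
    """
    if len(octet) > 1 and octet[0] == "0":
        try:
            return int(octet, 8)
        except ValueError:
            return None
    return int(octet)


def analyse_ipv4_literal(literal):
    """Describe a dotted quad: canonical?, lenient-parser value, anomalies."""
    octets = literal.split(".")
    # Canonical form: exactly four plain decimal octets, no leading zeros, <= 255.
    canonical = (
        len(octets) == 4
        and all(o.isdigit() and (o == "0" or o[0] != "0") and int(o) <= 255
                for o in octets)
    )
    legacy = [legacy_octet_value(o) for o in octets]
    legacy_value = (".".join(str(v) for v in legacy)
                    if all(v is not None and v <= 255 for v in legacy)
                    else None)
    anomalies = []
    padded = [o for o in octets if len(o) > 1 and o[0] == "0"]
    if padded:
        anomalies.append("leading zeros in " + ", ".join(padded))
        # Padding every octet to width 3 is at least self-consistent; padding
        # only some of them is the hand-crafted look the post noticed.
        if any(len(o) != 3 for o in octets):
            anomalies.append("mixed zero-padding across octets")
    if any(o.isdigit() and int(o) > 255 for o in octets):
        anomalies.append("octet out of range")
    return {"literal": literal, "canonical": canonical,
            "legacy_value": legacy_value, "anomalies": anomalies}


def find_ipv4_anomalies(message):
    """Return the analysis of every non-canonical dotted quad in message."""
    return [a for a in (analyse_ipv4_literal(m.group(0))
                        for m in DOTTED_QUAD.finditer(message))
            if not a["canonical"]]


if __name__ == "__main__":
    for hit in find_ipv4_anomalies(SAMPLE_PHISH):
        print(hit)
```

Run against the sample, the one hit reports `canonical` False, `legacy_value` None (058 is not valid octal) and both padding anomalies, while 114.010.33.178 would come back as 114.8.33.178 from a lenient parser. The practical point for anyone writing mail-filter or log-parsing rules: normalise IP literals with a strict parser before comparing them to allowlists or threat intel, because a lenient one can map "010" and "8" to the same address or silently drop the string altogether (recent Python releases made `ipaddress.IPv4Address` reject leading zeros for exactly this reason).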