RISKS Forum mailing list archives

Risks Digest 31.73


From: RISKS List Owner <risko () csl sri com>
Date: Sun, 26 Apr 2020 11:37:55 PDT

RISKS-LIST: Risks-Forum Digest  Sunday 26 April 2020  Volume 31 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.73>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The illusion of certainty (Spectator)
That no-click iOS Zero-day reported to be under exploit doesn't exist,
  Apple says (Ars Technica)
The Untold Story of the Birth of Social Distancing (NYTimes)
Germany changes course on contact tracing app, abandoning PEPP-PT (Politico)
Inexpensive, portable detector identifies pathogen in minutes
  (Lois Yoksoulian)
Re: Coronavirus Antibody Tests: Can You Trust the Results? (PGN)
Re: Cox email creation policy change I'd missed! (John Levine)
Re: e-postage, Internet Usage update (John Levine)
Re: Zoom 5.0 update will bring much-needed security upgrades (John Levine,
  Monty Solomon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 25 Apr 2020 15:39:34 +0900
From: Dave Farber <farber () gmail com>
Subject: The illusion of certainty (Spectator)

https://app.spectator.co.uk/2020/04/22/the-illusion-of-certainty/content.html

------------------------------

Date: Sun, 26 Apr 2020 09:18:23 -0400
From: Monty Solomon <monty () roscom com>
Subject: That no-click iOS Zero-day reported to be under exploit doesn't
  exist, Apple says (Ars Technica)

Other critics also question evidence and say 0day may have been confused with simple bug.

https://arstechnica.com/information-technology/2020/04/apple-disputes-report-of-non-click-ios-0day-under-exploit-for-two-years/

------------------------------

Date: Sat, 25 Apr 2020 14:52:57 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Untold Story of the Birth of Social Distancing (NYTimes)

The idea has been around for centuries. But it took a high school science
fair, George W. Bush, history lessons and some determined researchers to
overcome skepticism and make it federal policy.

https://www.nytimes.com/2020/04/22/us/politics/social-distancing-coronavirus.html

------------------------------

Date: Sun, 26 Apr 2020 10:17:36 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Germany changes course on contact tracing app, abandoning PEPP-PT
  (Politico)

Laura Kayali and Janosch Delcker, Politico, 26 Apr 2020

The German government announced today that Berlin would adopt a
decentralized approach to a coronavirus contact-tracing app, now backing an
approach championed by U.S. tech giants Apple and Google.

``We will promote the use of a consistently decentralized software
architecture for use in Germany,'' the country's Federal Health Minister
Jens Spahn said on Twitter, echoing an interview in "Die Welt am Sonntag".

<https://www.welt.de/wirtschaft/webwelt/article207509833/Corona-App-Bundesregierung-favorisiert-dezentralen-Ansatz.html>

Earlier this month, Google and Apple announced they would team up to unlock
their smartphones' Bluetooth capabilities to allow developers to build
interoperable contact tracing apps.  [...]

------------------------------

Date: April 27, 2020 0:38:52 JST
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Inexpensive, portable detector identifies pathogen in minutes
  (Lois Yoksoulian)

    [Note: This item comes from friend David Rosenthal.  DLH]
       [Note: The entire item comes via David Farber.  PGN]

Lois Yoksoulian,  University of Illinois at Urbana-Champaign, 23 Apr 2020

<https://phys.org/news/2020-04-inexpensive-portable-detector-pathogens-minutes.html>

Most viral test kits rely on labor- and time-intensive laboratory
preparation and analysis techniques; for example, tests for the novel
coronavirus can take days to detect the virus from nasal swabs. Now,
researchers have demonstrated an inexpensive yet sensitive smartphone-based
testing device for viral and bacterial pathogens that takes about 30 minutes
to complete. The roughly $50 smartphone accessory could reduce the pressure
on testing laboratories during a pandemic such as COVID-19.

The results of the new multi-institutional study, led by University of
Illinois at Urbana-Champaign electrical and computer engineering professor
Brian Cunningham and bioengineering professor Rashid Bashir, are reported in
the journal Lab on a Chip.

"The challenges associated with rapid pathogen testing contribute to a lot
of uncertainty regarding which individuals are quarantined and a whole host
of other health and economic issues," Cunningham said.

The study began with the goal of detecting a panel of viral and bacterial
pathogens in horses, including those that cause severe respiratory illnesses
similar to those presented in COVID-19, the researchers said.

"Horse pathogens can lead to devastating diseases in animal populations, of
course, but one reason we work with them has to do with safety. The horse
pathogens in our study are harmless to humans," Cunningham said.

The new testing device is comprised of a small cartridge containing testing
reagents and a port to insert a nasal extract or blood sample, the
researchers said. The whole unit clips to a smartphone.

Inside the cartridge, the reagents break open a pathogen's outer shell to
gain access to its RNA. A primer molecule then amplifies the genetic
material into many millions of copies in about 10 or 15 minutes, the
researchers said. A fluorescent dye stains the copies and glows green when
illuminated by blue LED light, which is then detected by the smartphone's
camera.

"This test can be performed rapidly on passengers before getting on a
flight, on people going to a theme park or before events like a conference
or concert," Cunningham said. "Cloud computing via a smartphone application
could allow a negative test result to be registered with event organizers or
as part of a boarding pass for a flight. Or, a person in quarantine could
give themselves daily tests, register the results with a doctor, and then
know when it's safe to come out and rejoin society."

------------------------------

Date: Sun, 26 Apr 2020 10:24:17 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Re: Coronavirus Antibody Tests: Can You Trust the Results?
  (RISKS-31.72)

  [Here's more on the brief item in the previous issue.  PGN]

Apoorva Mandavilli, *The New York Times*, 24 Apr 2020
https://www.nytimes.com/2020/04/24/health/coronavirus-antibody-tests.html

A team of scientists worked around the clock to evaluate 14 antibody
tests. A few worked as advertised. Most did not.

The researchers worked around the clock, in shifts of three to five hours,
hoping to stave off weariness and keep their minds sharp for the delicate
task.

They set up lines of laboratory volunteers: medical residents, postdoctoral
students, even experienced veterans of science, each handling a specific
task. They checked and rechecked their data, as if the world were depending
on it. Because in some ways, it is.

For the past few weeks, more than 50 scientists have been working diligently
to do something that the Food and Drug Administration mostly has not:
Verifying that 14 coronavirus antibody tests now on the market actually
deliver accurate results.

These tests are crucial to reopening the economy, but public health experts
have raised urgent concerns about their quality. The new research, completed
just days ago and posted online Friday, confirmed some of those fears: Of
the 14 tests, only three delivered consistently reliable results. Even the
best had some flaws.

The research has not been peer-reviewed and is subject to revision. But the
results are already raising difficult questions about the course of the
epidemic.

Surveys of residents in the Bay Area, Los Angeles and New York this week
found that substantial percentages tested positive for antibodies to
SARS-CoV-2, the official name of the new coronavirus. In New York City, the
figure was said to be as high as 21 percent. Elsewhere, it was closer to 3
percent.

The idea that many residents in some parts of the country have already been
exposed to the virus has wide implications. At the least, the finding could
greatly complicate plans to reopen the economy.

Already Americans are scrambling to take antibody tests to see if they might
escape lockdowns. Public health experts are wondering if those with positive
results might be allowed to return to work.

But these tactics mean nothing if the test results can't be trusted.

In the new research, researchers found that only one of the tests never
delivered a so-called false positive -- that is, it never mistakenly
signaled antibodies in people who did not have them.

Two other tests did not deliver false-positive results 99 percent of the time.

But the converse was not true. Even these three tests detected antibodies in
infected people only 90% of the time, at best.

The false-positive metric is particularly important. The result may lead
people to believe themselves immune to the virus when they are not, and to
put themselves in danger by abandoning social distancing and other
protective measures.

It is also the result on which scientists are most divided.  [...]
  [PGN-truncated for RISKS]
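As an added worked example (not part of the RISKS item or the NYT article it quotes), the following Python shows why the false-positive metric matters so much: it turns the figures the item quotes (best sensitivity about 90%; one test with no false positives, two others avoiding them 99% of the time) and the survey prevalences it cites (3% and 21%) into the probability that a positive result is genuine. The 10,000-person cohort is an assumed round number.

```python
"""Predictive value of an antibody test as a function of disease prevalence.

Added illustration; the sensitivity/specificity and prevalence figures are
those quoted in the RISKS item, the cohort size is an assumed round number.
"""


def predictive_values(sensitivity, specificity, prevalence):
    """Return (PPV, NPV) for one test applied to a population.

    PPV = P(infected | positive) = TP / (TP + FP)
    NPV = P(not infected | negative) = TN / (TN + FN)
    All four cells are expressed as fractions of the tested population.
    """
    tp = sensitivity * prevalence            # true positives
    fn = (1 - sensitivity) * prevalence      # infected but missed
    tn = specificity * (1 - prevalence)      # correctly negative
    fp = (1 - specificity) * (1 - prevalence)  # falsely positive
    ppv = tp / (tp + fp) if tp + fp else 0.0
    npv = tn / (tn + fn) if tn + fn else 0.0
    return ppv, npv


def expected_false_positives(specificity, prevalence, cohort):
    """People wrongly told they carry antibodies, per `cohort` tested."""
    return (1 - specificity) * (1 - prevalence) * cohort


def scenario_table(sensitivity=0.90, specificities=(1.0, 0.99),
                   prevalences=(0.03, 0.21), cohort=10_000):
    """One row per (specificity, prevalence): PPV, NPV, false positives."""
    rows = []
    for spec in specificities:
        for prev in prevalences:
            ppv, npv = predictive_values(sensitivity, spec, prev)
            rows.append((spec, prev, ppv, npv,
                         expected_false_positives(spec, prev, cohort)))
    return rows


if __name__ == "__main__":
    print(f"{'spec':>5} {'prev':>5} {'PPV':>6} {'NPV':>6} {'FP/10k':>7}")
    for spec, prev, ppv, npv, fp in scenario_table():
        print(f"{spec:5.2f} {prev:5.2f} {ppv:6.3f} {npv:6.4f} {fp:7.1f}")
```

At 3% prevalence a 99%-specific test wrongly clears about one in four of the people it flags positive, which is the point the article's sources disagree about.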

------------------------------

Date: 25 Apr 2020 17:15:59 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Cox email creation policy change I'd missed!
  (Goldberg, RISKS-31.72)

That's really pitiful.  At Comcast and Spectrum, not only do they still
provide e-mail to their customers, but if you move or switch providers, your
e-mail keeps working indefinitely, for free.

------------------------------

Date: 25 Apr 2020 17:44:20 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: e-postage, Internet Usage update (PaulE, RISKS-31.72)

E-postage is a Well Known Bad Idea that just won't go away.  Whatever
problems you think it will solve, it won't, and even if it were possible to
implement, which it isn't, the problems it would create would be worse than
the ones it didn't solve.

I wrote a white paper on the topic in 2004.  Other than perhaps adding a
zero or two to some of the numbers, nothing has changed:

https://www.taugh.com/epostage.pdf

------------------------------

Date: 25 Apr 2020 17:27:48 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Zoom 5.0 update will bring much-needed security upgrades
  (Engadget)

It's actually Zoom 4.6.12 but it has long overdue meeting management features.

The meeting host can turn the waiting room feature on and off, can control
whether participants can share their screens, and with a couple of clicks
put anyone back in the waiting room or remove them, and lock a meeting so
more people can't join.

This is not unlike the set of features that instant messaging and mailing
lists have had since approximately forever.  Whatever it is that provokes
people to be jerks in video meetings is definitely not limited to video
calls.

------------------------------

Date: Sat, 25 Apr 2020 22:11:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Re: Zoom 5.0 update will bring much-needed security upgrades (Levine)

The TBD version is scheduled for April 27.

https://support.zoom.us/hc/en-us/articles/201361953-New-updates-for-Windows
https://support.zoom.us/hc/en-us/articles/205759689-New-updates-for-Linux
https://support.zoom.us/hc/en-us/articles/201361973-New-updates-for-Android
https://support.zoom.us/hc/en-us/articles/201361943-New-updates-for-iOS
https://support.zoom.us/hc/en-us/articles/201361963-New-updates-for-macOS

  Added notes:

I have 4.6.12 installed on my Mac now and it has the features I described.
I can believe that they will add more stuff next week.

Some of the features described in the article are scheduled for the upcoming
release. The article ends with ``The company's download page still only
offers Zoom 4.6.12, but 5.0 should be out sometime this week.''

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.73
************************