RISKS Forum mailing list archives

Risks Digest 32.31


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 10 Oct 2020 17:32:14 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 10 October 2020  Volume 32 : Issue 31

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.31>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Too many passengers at front of plane caused take-off issue at Luton Airport
  (BBC)
Tesla owner says he butt-dialed a $4,280 Autopilot upgrade (CNBC)
Why cars are more "fragile": more technology has reduced robustness
  (Paul Robinson)
Polestar 2 EV recalled over glitch that can cut power while driving
  (Engadget)
Space is becoming too crowded, Rocket Lab CEO warns (CNN)
Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
  (Thomas Dzubin plus others)
Psychology study indicates that narcissists are more involved in politics
  than the rest of us (SagePub)
Doctor gave an inept diagnosis for a neurological problem (WashPost)
Can AI Detect Disinformation? A New Special Operations Program May Find Out
  (Defense One)
California bar exam has facial recognition problems (SanFranChronicle)
Nuclear Waste and Nuclear Waste Management at the Hanford Site
  (ContentSharing)
Charges filed in hack that caused NFL athlete's nude pics to be posted on
  Twitter (Ars Technica)
A Literal Child and His Mom Sue Nintendo Over 'Joy-Con Drift' (WiReD)
Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs (Ars Technica)
DHS warns that Emotet malware is one of the most prevalent threats today
  (Ars Technica)
'Smart' male chastity device vulnerable to locking by hackers: researchers
  (AFP)
Hackers targeting IoT devices with a new P2P botnet malware
  (The Hacker News)
Supreme Court takes on Google vs. Oracle: The biggest software development
  case ever (ZDNet)
55 New Security Flaws Reported in Apple Software and Services
  (The Hacker News)
Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
  (The Hacker News)
Microsoft Office 365, Outlook down again (ZDNet)
CyberCommand has sought to disrupt the world's largest botnet, hoping to
  reduce its potential impact on the election (WashPost)
Pennsylvania voter services website crashes as 2020 election mail ballot
  deadlines loom (Inquirer)
Clinical Trials Hit by Ransomware Attack on Health Tech Firm
  (Nicole Perlroth)
Flawed Algorithm Used to Determine UK Welfare Payments Is 'Pushing People
  Into Poverty' (Thomas Macaulay)
'The Wire' inspired a fake turtle egg that spies on poachers (WiReD)
The robot shop worker controlled by a faraway human (bbc.com)
"A friend of a friend at Google interviewed at Facebook right as the virus
  hit (unnamed via twitter)
Documents Show How The LAPD Was Trained To Use Palantir (BuzzFeed)
Meet the Customer Service Reps for Disney and Airbnb Who Have to Pay to Talk
  to You (ProPublica)
Digital pioneer Geoff Huston apologises for bringing the Internet to
  Australia (ZDNet)
Psychographic Profiling cartoon (Tom Fishburne -- Marketoonist)
Re: Maryland's web-delivered ballots must be hand-copied to be counted
  (Amos Shapir)
Re: Apple marches to a different beat (Steve Klein, John Levine, Alan Ralph,
  Craig S. Cottingham)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 10 Oct 2020 12:30:32 -0500
From: Allen Bonneau <alnbonneau () gmail com>
Subject: Too many passengers at front of plane caused take-off issue at
  Luton Airport (BBC)

Downstream impact from an unavailable system

The automated system had a technical issue preventing a plane change from
being passed to downstream systems. Operators noticed the change and manual
updates were performed as a workaround.  Either the workaround was not
complete or did [not?] address all affected systems.

https://www.bbc.com/news/uk-england-beds-bucks-herts-54477819

------------------------------

Date: Fri, 9 Oct 2020 14:02:15 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Tesla owner says he butt-dialed a $4,280 Autopilot upgrade (CNBC)

It seems that the Tesla app on iPhone somehow makes an update purchase as
the default action, and doesn't require a confirmation password or code.

Full story at:
https://www.cnbc.com/2020/10/07/tesla-app-butt-dial-purchases-still-possible-refunds-hard-to-get.html

------------------------------

Date: Fri, 2 Oct 2020 20:37:12 +0000 (UTC)
From: Paul Robinson <rfc1394 () yahoo com>
Subject: Why cars are more "fragile": more technology has reduced robustness

Some associates of mine have noticed problems with automobiles, often with
changes they do not like or want, like forcing the use of a start button
(and stepping on the brake) instead of simply turning the key. It means
things like the passenger being able to turn on the car just by turning the
key have gone the way of the AM-only radio or the crank starter. Now,
turning the engine on, even if you're not going to drive, requires getting
out of the car, sitting in the driver's seat, stepping on the brake, then
pushing the starter. Another problem is that a relatively inexpensive device
(like keys) that even in the most expensive cases never reached US$20 is
now replaced by transponders or keyfobs costing as much as $1,000.

And the cost of repairs has gone up as the capacity of most people to do
anything beyond routine maintenance has gone down. Technology has improved
features cars have, but it has come at a cost.

Cars in the past used relays to control functions because it was the least
expensive way to provide these functions. As microprocessors became ever
cheaper and had more functionality, they became ideal for use to do multiple
things in place of relays, programmable logic controllers, and other
circuitry. All that they had to do was connect them. Previously they ran one
connection (wire) to each thing being controlled. Then they got an idea:
create a network (bus) to connect the components. If the components could
simply only listen on the bus for commands addressed to them, you only need
one wire for everything, to send messages everywhere. This provides lots
more flexibility as all you have to do is add new messages with a different
command code and you can control a new device, but it makes everything more
"fragile."

Now, when I say "fragile," I don't mean the comment of Doc Brown in "Back to
the Future" in which he says a 1954 Buick crashing into a Delorean would
tear through it like tissue paper, I mean the systems are less "robust,"
less resistant to failure.

Systems built with centralized or "concentrated" architecture are more
fragile, more subject to failure because there are more critical points that
if any one point fails, the whole thing fails. On a car from the past, short
of the engine or transmission suffering catastrophic damage, the car would
continue to operate. Today, if the computer or the bus is damaged, your car
is inoperable.

Previously, a failure of the air conditioning didn't mean the car couldn't
drive, or if there was a problem with the power steering it doesn't prevent
you from putting the car in reverse. But today, so many systems are
connected in a very centralized architecture that one system can affect
another due to side effects. It also means that where before, just about
anyone with ordinary education and skills could repair most things on an
automobile with ordinary tools, today it takes a skilled mechanic with a
master's degree and $40,000 in equipment.

Distributed architecture increases robustness. Here are two examples.

The development of Blockchain technology has caused other industries to use
it beyond cryptocurrency. An example being a bank: crack their mainframe and
you can steal just about anything. But, if instead of breaking one computer
you have to get, say, all or a majority of all 100 branches to agree, it
makes it much harder to almost impossible to create a fraudulent
transaction.

During the Gulf War, despite saturation bombing, the coalition forces were
unable to shut down Iraq's military Command & Control systems; the messages
still got through. The reason being that the systems were built using
TCP/IP, the same communications protocol used by the Internet, and was
invented specifically for the US military to be able to continue to operate
communications infrastructure capable of communicating to troops in the
event of nuclear war. We found out under actual battlefield conditions that
"the damn stuff actually works."

These and other examples show that distributed architecture makes systems
more robust, while concentrated architecture makes systems more fragile. We
have traded increased functionality and cost savings, while sacrificing
robustness and less complexity, and the trend is likely to continue, unless
people get sick of these failures and demand better, or someone comes up
with better systems that are more robust and possibly simpler.

While that would be nice, I don't see that happening any time soon.

------------------------------

Date: Sat, 3 Oct 2020 12:08:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Polestar 2 EV recalled over glitch that can cut power while driving
  (Engadget)

https://www.engadget.com/polestar-2-ev-recall-over-power-glitch-151046269.html

------------------------------

Date: Fri, 9 Oct 2020 05:07:00 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Space is becoming too crowded, Rocket Lab CEO warns (CNN)

In 1978, NASA scientist Donald Kessler warned of a potential catastrophic,
cascading chain reaction in outer space. Today known as "Kessler Syndrome,"
the theory posited that space above Earth could one day become so crowded,
so polluted with both active satellites and the detritus of space
explorations past, that it could render future space endeavors more
difficult, if not impossible.  Last week, the CEO of Rocket Lab, a launch
startup, said the company is already beginning to experience the effect of
growing congestion in outer space.  Rocket Lab CEO Peter Beck said that the
sheer number of objects in space right now -- a number that is growing
quickly thanks in part to SpaceX's satellite Internet constellation,
Starlink -- is making it more difficult to find a clear path for rockets to
launch new satellites.  "This has a massive impact on the launch side," he
told CNN Business.  Rockets "have to try and weave their way up in between
these [satellite] constellations."

Part of the problem is that outer space remains largely unregulated. The
last widely agreed upon international treaty hasn't been updated in five
decades, and that's mostly left the commercial space industry to police
itself.  Rocket Lab set out to create lightweight rockets -- far smaller
than SpaceX's 230-foot-tall Falcon rockets -- that can deliver batches of
small satellites to space on a monthly or even weekly basis. Since 2018,
Rocket Lab has launched 12 successful missions and a total of 55 satellites
to space for a variety of research and commercial purposes. Beck said the
in-orbit traffic issues took a turn for the worst over the past 12 months.
It was over that time that SpaceX has rapidly built up its Starlink
constellation, growing it to include more than 700 Internet-beaming
satellites. It's already the largest satellite constellation by far, and the
company plans to grow it to include between 12,000 and 40,000 total
satellites. That's five times the total number of satellites humans have
*launched since the dawn of spaceflight* in the late 1950s.
<https://www.cnn.com/2020/07/02/tech/spacex-starlink-planet-9-x-scn/index.html>

It's not clear if traffic from its own satellites has also caused
frustrations for SpaceX. The company did not respond to a request for
comment.  Orbital junkyards.  [...]
https://www.cnn.com/2020/10/07/business/rocket-lab-debris-launch-traffic-scn/index.html

------------------------------

Date: Mon, 5 Oct 2020 13:48:04 -0700 (PDT)
From: Thomas Dzubin <dzubint () vcn bc ca>
Subject: Botched Excel import may have caused loss of 15,841 UK COVID-19 cases

"The problem is that the PHE developers picked an old file format to do this
- known as XLS.

"As a consequence, each template could handle only about 65,000 rows of data
rather than the one million-plus rows that Excel is actually capable of."

https://arstechnica.com/tech-policy/2020/10/excel-glitch-may-have-caused-uk-to-underreport-covid-19-cases-by-15841/

"Asked if it was likely that some people will have got coronavirus due to
the IT failure, Work and Pensions Secretary Therese Coffey told Sky News:
'There may well be.'"

The error is believed to have been caused by a spreadsheet containing lab
results reaching its maximum size, and failing to update.

https://www.standard.co.uk/news/uk/covid-testing-technical-issue-excel-spreadsheet-a4563616.html

So, the problem hasn't actually been fixed... just pushed down the road a
bit for someone else to deal with in the next Pandemic

  [danny burstein noted a Twitter item from Max Roser, Univ. of Oxford
  researcher:
    https://twitter.com/MaxCRoser/status/1313046638915706880
    ah....  I had some trouble copying those URLs, but here:
    https://www.bbc.co.uk/news/uk-54412581
    https://www.dailymail.co.uk/news/article-8805697/Furious-blame-game-16-000-Covid-cases-missed-Excel-glitch.html
  PGN]

  [Regarding this item, Arthur T. noted:
    What I thought at least as interesting for RISKS readers, though, was
    that a follow-up article pointed to "The European Spreadsheet Risks
    Interest Group - EuSpRIG - ("yewsprig") for short." It's a site
    specifically for Spreadsheet Risk Management. It includes a page of
    spreadsheet errors which were egregious enough to make it into the news:
    <http://www.eusprig.org/horror-stories.htm>.  As of when I checked, this
    news item had not yet appeared.
  PGN]
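A defender's illustration of the failure mode in this item, added here and not taken from the articles or from PHE: an import that silently truncates at the XLS row limit, beside one that refuses or splits the data and a reconciliation check. The 65,536 and 1,048,576 row limits are the standard sheet limits of the two formats; the sample data is constructed.

```python
"""Added example (not from the RISKS item or from PHE): an import step that
refuses to silently drop rows when the destination format has a hard row
limit, as the digest says happened with the XLS-based templates."""

# Sheet row limits of the two Excel file formats (the header row counts).
ROW_LIMITS = {
    "xls": 65_536,      # legacy BIFF format: 2**16 rows
    "xlsx": 1_048_576,  # Office Open XML: 2**20 rows
}


class RowLimitExceeded(Exception):
    """Raised instead of silently truncating, so the loss is visible upstream."""


def rows_that_fit(fmt):
    """Data rows one sheet can hold once the header row is subtracted."""
    return ROW_LIMITS[fmt] - 1


def truncating_import(records, fmt):
    """The failure mode described in the digest: a fixed-size template quietly
    keeps only the first rows; the remainder is lost without any error."""
    return records[: rows_that_fit(fmt)]


def checked_import(records, fmt):
    """Same import, but it fails loudly when the template cannot hold the data."""
    capacity = rows_that_fit(fmt)
    if len(records) > capacity:
        raise RowLimitExceeded(
            f"{len(records)} records but a {fmt} sheet holds {capacity}; "
            f"{len(records) - capacity} would be dropped"
        )
    return list(records)


def chunked_import(records, fmt):
    """Alternative: split across as many sheets/files as needed so every
    record is written. Returns the chunks; each fits one template."""
    capacity = rows_that_fit(fmt)
    return [records[i:i + capacity] for i in range(0, len(records), capacity)]


def reconcile(source_count, loaded_count):
    """End-of-run check a reporting pipeline should make: does the number of
    records delivered equal the number received? Returns the shortfall."""
    return source_count - loaded_count


if __name__ == "__main__":
    # Constructed sample: 70,000 lab results, more than one XLS sheet holds.
    results = [{"sample_id": i} for i in range(70_000)]
    kept = truncating_import(results, "xls")
    print("silently lost:", reconcile(len(results), len(kept)))
    try:
        checked_import(results, "xls")
    except RowLimitExceeded as err:
        print("refused:", err)
    print("sheets needed:", len(chunked_import(results, "xls")))
```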

------------------------------

Date: Fri, 2 Oct 2020 09:56:38 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Psychology study indicates that narcissists are more involved in
  politics than the rest of us (SagePub)

Those higher in narcissism are disproportionately taking part in the
democratic process, according to new research published in *Personality and
Social Psychology Bulletin
<https://journals.sagepub.com/doi/10.1177/0146167220919212>*.

The study found a positive correlation between narcissism and political
participation. In other words: The more narcissistic someone is, the more
likely they are to contact politicians, sign petitions, donate money, and
vote in midterm elections.

``We have entered into an *Age of Entitlement* and a *post-truth* world
that combine to form an unprecedented cultural movement where large portions
of the public pursue self-interest and self-promotion above all things and
truth is whatever you want it to be, where alternative facts are given equal
standing with credible sources,'' said study author *Pete Hatemi*
<https://scholar.google.com/citations?hl=en&user=Ci8Ix08AAAAJ&view_op=list_works&sortby=pubdate>,
a distinguished professor at Penn State University.

``It is hard not to notice how much more of *me* is part of our world --
projecting one's status at the cost of others, whether using social media
such as Facebook or Instagram or Twitter. Gone are the days when
children's goals were to be something or do something important, replaced
by the desire to be famous. Tom Wolfe's vision seems to have come to
pass.''

``It was hard for my colleague Zoltan Fazekas and I to ignore the rampant
narcissism in our elected leaders, and the outcomes of their decisions. And
it seemed likely that higher public narcissism has some role in the growing
instability of our democracy, and in 2009 we began collecting data to see
if those higher in narcissism are taking a greater part in the political
process,'' Hatemi explained.

The researchers examined data from two nationally representative surveys in
the U.S. and in Denmark, with 500 and 2,450 participants in each,
respectively, and a web-based U.S. survey with 2,280 participants.

All of the surveys assessed narcissism and eight types of political
participation: signing a petition, boycotting or buying products for
political reasons, participating in a demonstration, attending political
meetings, contacting politicians, donating money, contacting the media, and
taking part in political forums and discussion groups.

The surveys also collect information about voting behavior and
sociodemographic variables such as gender, age, race, education, and
political ideology.  [...]
https://www.psypost.org/2020/09/psychology-study-indicates-that-narcissists-are-more-involved-in-politics-than-the-rest-of-us-58112

------------------------------

Date: Mon, 5 Oct 2020 16:51:37 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Doctor gave an inept diagnosis for a neurological problem (WashPost)

Steven H. Horowitz, *The Washington Post*

Perspective: "A doctor gave me an inept diagnosis for a neurological
problem.  I should know: I'm a neurologist."

  "I offered to teach the staff at this medical center, but I got nowhere.
  I could not have been the first patient so poorly evaluated. Without
  doubt, I won't be the last."

https://www.washingtonpost.com/health/hospital-misdiagnosis-mistakes-ignored/2020/10/02/7bac2d10-f851-11ea-be57-d00bb9bc632d_story.html

------------------------------

Date: Mon, 5 Oct 2020 08:39:26 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Can AI Detect Disinformation? A New Special Operations Program May
  Find Out (Defense One)

*Air Force, U.S. Special Operations Command fund year-long effort to train
a neural net to rank credibility and sort news from misinformation.*

For all the U.S. military's technical advantages over adversaries, it
still struggles to counter disinformation. A new software tool to be
developed for the U.S. Air Force and Special Operations Command, or SOCOM,
may help change that.

``If you don't compete in the information space, regardless of how good your
operations are, your activities are, you will probably eat a shit sandwich
of disinformation or false reporting later on,'' Raymond `Tony' Thomas, a
former SOCOM chief, said in an interview. ``We certainly experienced that
at the tactical level. That was the epiphany where we would have good raids,
good strikes, etc. and the bad guys would spin it so fast that we would be
eating collateral damage claims, etc. So the information space in that very
tactical space is key.''

It even ``stretches to the strategic space,'' said Thomas, meaning that
disinformation can spread until it affects larger geopolitical realities.

Thomas now serves as an advisory board member for Primer, a company that on
Thursday *announced* a Small Business Innovation Research contract to
develop software over the next year to help analysts better -- and much more
quickly -- survey the information landscape and hopefully detect false
narratives that show up in the public space. [...]
<https://www.prnewswire.com/news-releases/socom-and-us-air-force-enlist-primer-to-combat-disinformation-301143716.html>

https://www.defenseone.com/technology/2020/10/can-ai-detect-disinformation-new-special-operations-program-may-find-out/168972/

------------------------------

Date: Thu, 8 Oct 2020 07:24:54 -0700
From: Al Stangenberger <forags () sbcglobal net>
Subject: California bar exam has facial recognition problems
  (SanFranChronicle)

Despite the software vendor's protestations, it appears that facial
recognition software is not ready for prime time...
https://www.sfchronicle.com/business/article/California-bar-exam-takers-say-facial-recognition-15629617.php

------------------------------

Date: Tue, 6 Oct 2020 15:25:00 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Nuclear Waste and Nuclear Waste Management at the Hanford Site

History, Environmental Issues and Policies

Cited as being the most contaminated site in the Western Hemisphere, Mr.
Weil will cover the history of Hanford from its beginning as part of the
Manhattan Project in 1943.  He will discuss the construction and operation
of multiple processing facilities for the production of plutonium (for more
than 60,000 nuclear weapons).  He will also discuss waste management
activities from the 1940s to today and current activities at the Hanford
Site.  The presentation will review major activities including the
development and impact of the Hanford Federal Facility Compliance Agreement
and Consent Order, the construction and operation of the Environmental
Restoration Disposal Facility (a huge landfill on the site receiving
remediation waste), the cocooning of production reactors, and the closing
and dismantling of large numbers of production facilities on site (including
the Plutonium Finishing Plant).

http://contentsharing.net/actions/email_web_version.cfm?ep=Kj_xdJ-0JVJIqqPQAeqUL9PFzB2cyVMeq4O4KPvoOMMkk20cH7CRQUqLr9Acr_Qu67LSb73pM6fsmZenSms-I5PLieqgow6a2sNgxWm_EL4~

------------------------------

Date: Sat, 3 Oct 2020 12:19:31 -0400
From: Monty Solomon <monty () roscom com>
Subject: Charges filed in hack that caused NFL athlete's nude pics to be
  posted on Twitter (Ars Technica)

Men accused of taking part in scheme to phish credentials and sell account access.

https://arstechnica.com/information-technology/2020/09/2-men-charged-with-hacking-social-media-accounts-of-nfl-and-nba-players/

------------------------------

Date: Wed, 7 Oct 2020 18:22:30 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A Literal Child and His Mom Sue Nintendo Over 'Joy-Con Drift' (WiReD)

The class action lawsuit alleges that the video game company hasn't done
enough to address a known problem with its controllers.

https://www.wired.com/story/nintendo-joy-con-lawsuit/

The risks? Technology, lawyers, greed...

------------------------------

Date: Wed, 7 Oct 2020 18:50:15 -0400
From: Monty Solomon <monty () roscom com>
Subject: Eero for Service Providers: Eero Wi-Fi mesh targeted at ISPs
  (Ars Technica)

https://arstechnica.com/gadgets/2020/10/eero-for-service-providers-eero-wi-fi-mesh-targeted-at-isps/

------------------------------

Date: Wed, 7 Oct 2020 18:51:06 -0400
From: Monty Solomon <monty () roscom com>
Subject: DHS warns that Emotet malware is one of the most prevalent threats
  today (Ars Technica)

https://arstechnica.com/information-technology/2020/10/dhs-warns-that-emotet-malware-is-one-of-the-most-prevalent-threats-today/

------------------------------

Date: Wed, 7 Oct 2020 07:48:14 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: 'Smart' male chastity device vulnerable to locking by
 hackers: researchers (AFP)

A security flaw in an Internet-connected male chastity device could allow
hackers to remotely lock it -- leaving users trapped, researchers have
warned.

The Cellmate, produced by Chinese firm Qiui, is a cover that clamps on the
base of the male genitals with a hardened steel ring, and does not have a
physical key or manual override.

The locking mechanism is controlled with a smartphone app via Bluetooth --
marketed as both an anti-cheating and a submission sex play device -- but
security researchers have found multiple flaws that leave it vulnerable to
hacking.

"We discovered that remote attackers could prevent the Bluetooth lock from
being opened, permanently locking the user in the device. There is no
physical unlock," British security firm Pen Test Partners said Tuesday.

"An angle grinder or other suitable heavy tool would be required to cut the
wearer free."

The firm also found other security flaws in the Cellmate -- listed for $189
on Qiui's website -- that could expose sensitive user information such as
names, phone numbers, birthdays and location data.  [...]
https://sports.yahoo.com/smart-male-chastity-device-vulnerable-053135255.html

This gives new meaning to the WOPR response at the end of the movie
WarGames: The only winning strategy is not to play.

  [Richard Stein commented on
    Cellmate: Male chastity gadget hack could lock users in (bbc.com)
    https://www.bbc.com/news/technology-54436575 --
    "A bug that gives new meaning to being held by the b*lls."
  PGN]

------------------------------

Date: Wed, 7 Oct 2020 08:16:50 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Hackers targeting IoT devices with a new P2P botnet malware
  (The Hacker News)

*Cybersecurity researchers have taken the wraps off a new botnet that's
hijacking Internet-connected smart devices in the wild to perform nefarious
tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining.*

Discovered by Qihoo 360's Netlab security team, the HEH Botnet
<https://blog.netlab.360.com/heh-an-iot-p2p-botnet/> -- written in Go
and armed with a proprietary peer-to-peer (P2P) protocol -- spreads
via a brute-force attack on the Telnet service on ports 23/2323 and can
execute arbitrary shell commands.

The researchers said the HEH botnet samples discovered so far support a wide
variety of CPU architectures, including x86(32/64), ARM(32/64),
MIPS(MIPS32/MIPS-III), and PowerPC (PPC).

The botnet, despite being in its early stages of development, comes with
three functional modules: a propagation module, a local HTTP service module,
and a P2P module.

Initially downloaded and executed by a malicious Shell script named
"wpqnbw.txt," the HEH sample then uses the Shell script to download rogue
programs for all different CPU architectures from a website ("pomf.cat"),
before eventually terminating a number of service processes based on their
port numbers.  [...]
https://thehackernews.com/2020/10/p2p-iot-botnet.html

------------------------------

Date: Thu, 8 Oct 2020 00:32:27 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Supreme Court takes on Google vs. Oracle: The biggest software
  development case ever (ZDNet)

More than a decade in the making, the Supreme Court may finally decide if
application programming interfaces (APIs) can be copyrighted. If the court
decides they are, everything you know about making programs will change for
the worse.

https://www.zdnet.com/article/supreme-court-takes-on-google-vs-oracle-the-biggest-software-development-case-ever/

------------------------------

Date: Fri, 9 Oct 2020 12:20:36 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: 55 New Security Flaws Reported in Apple Software and Services
  (The Hacker News)

A team of five security researchers analyzed several Apple online services
for three months and found as many as 55 vulnerabilities, 11 of which are
critical in severity.

The flaws -- including 29 high severity, 13 medium severity, and 2 low
severity vulnerabilities -- could have allowed an attacker to "fully
compromise both customer and employee applications, launch a worm capable of
automatically taking over a victim's iCloud account, retrieve source code
for internal Apple projects, fully compromise an industrial control
warehouse software used by Apple, and take over the sessions of Apple
employees with the capability of accessing management tools and sensitive
resources."

The flaws meant a bad actor could easily hijack a user's iCloud account and
steal all the photos, calendar information, videos, and documents, in
addition to forwarding the same exploit to all of their contacts.

The findings were reported by Sam Curry, along with Brett Buerhaus, Ben
Sadeghipour, Samuel Erb, and Tanner Barnes over a three month period between
July and September.  <https://samcurry.net/hacking-apple/>

After they were responsibly disclosed to Apple, the iPhone maker took steps
to patch the flaws within 1-2 business days, with a few others fixed within
a short span of 4-6 hours.

So far, Apple has processed about 28 of the vulnerabilities with a total
payout of $288,500 as part of its bug bounty program.  [...]

https://thehackernews.com/2020/10/apple-security.html

------------------------------

Date: Thu, 8 Oct 2020 08:24:04 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
  (The Hacker News)

As businesses are increasingly migrating to the cloud, securing the
infrastructure has never been more important.

Now according to the latest research, two security flaws in Microsoft's
Azure App Services could have enabled a bad actor to carry out server-side
request forgery (SSRF <https://portswigger.net/web-security/ssrf>) attacks
or execute arbitrary code and take over the administration server.

"This enables an attacker to quietly take over the App Service's git server,
or implant malicious phishing pages accessible through Azure Portal to
target system administrators," cybersecurity firm Intezer said in a report
published today and shared with The Hacker News.
<https://www.intezer.com/blog/cloud-security/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/>

Discovered by Paul Litvak <https://twitter.com/polarply> of Intezer Labs,
the flaws were reported to Microsoft in June, after which the company
subsequently addressed them.

Azure App Service is a cloud computing-based platform
<https://azure.microsoft.com/en-us/services/app-service/> that's used as a
hosting web service for building web apps and mobile backends.

When an App Service is created via Azure, a new Docker environment is
created with two container nodes -- a manager node and the application node
-- along with registering two domains that point to the app's HTTP web
server and the app service's administration page, which in turn leverages
Kudu <https://github.com/projectkudu/kudu> for continuous deployment of the
app from source control providers such as GitHub or Bitbucket.  [...]
<https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment>

https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html

------------------------------

Date: Thu, 8 Oct 2020 00:34:22 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Microsoft Office 365, Outlook down again (ZDNet)

Yes, Office 365, Outlook, and all the rest of Microsoft's
Software-as-a-Services are down yet again.

https://www.zdnet.com/article/microsoft-office-365-outlook-down-again/

The risks? Software, Microsoft, cloud computing, software-as-a-"service"

------------------------------

Date: Fri, 9 Oct 2020 16:17:22 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: CyberCommand has sought to disrupt the world's largest botnet,
  hoping to reduce its potential impact on the election (WashPost)

*The botnet is often used to drop ransomware, which officials fear could
snarl voter registration.*

In recent weeks, the U.S. military has mounted an operation to temporarily
disrupt what is described as the world's largest botnet - one used also to
drop ransomware, which officials say is one of the top threats to the 2020
election.

U.S. CyberCommand's campaign against the Trickbot botnet, an army of at
least 1 million hijacked computers run by Russian-speaking criminals, is
not expected to permanently dismantle the network, said four U.S.
officials, who spoke on the condition of anonymity because of the matter's
sensitivity. But it is one way to distract them at least for a while as
they seek to restore operations.

The effort is part of what Gen. Paul Nakasone, the head of CyberCommand,
calls "persistent engagement," or the imposition of cumulative costs on an
adversary by keeping them constantly engaged. And that is a key feature of
CyberCom's activities to help protect the election against foreign threats,
officials said.

"Right now, my top priority is for a safe, secure, and legitimate 2020
election," Nakasone said in August in a set of written responses to
Washington Post questions. "The Department of Defense, and CyberCommand
specifically, are supporting a broader 'whole-of-government' approach to
secure our elections."

Trickbot is malware that can steal financial data and drop other malicious
software onto infected systems. Cyber-criminals have used it to install
ransomware, a particularly nasty form of malware that encrypts users' data
and for which the criminals then demand payment - usually in cryptocurrency
- to unlock.  [...]
https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html
-or-
https://www.chron.com/news/article/Cyber-Command-has-sought-to-disrupt-the-world-s-15635373.php

------------------------------

Date: Tue, 6 Oct 2020 15:33:33 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Pennsylvania voter services website crashes as 2020 election mail
  ballot deadlines loom (Inquirer)

Pennsylvania's online system for registering to vote and applying for and
tracking mail ballots crashed over the weekend, triggering an outage that
stretched for more than 40 hours and prompted frustration from voters weeks
before critical election deadlines.

State officials managed to restore the site Monday morning and blamed the
problem on an equipment failure at a data center run by an outside
contractor. They did not believe any data had been lost or that malicious
physical or cyber activity was behind the outage.

https://www.inquirer.com/politics/election/pennsylvania-voter-services-website-down-outage-mail-in-ballot-november-2020-election-20201004.html

------------------------------

Date: Mon, 5 Oct 2020 12:39:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Clinical Trials Hit by Ransomware Attack on Health Tech Firm
  (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 3 Oct 2020,
via ACM TechNews, 5 Oct 2020

Philadelphia-based software provider eResearch Technology (ERT) was hit two
weeks ago by a ransomware attack that has slowed clinical trials. The
exploit started when ERT workers learned that they were locked out of their
data, and clients said this forced researchers to move certain clinical
trials to pen and paper. ERT's Drew Bustos on Friday verified that
ransomware had hijacked company systems on Sept. 20, when the firm took its
systems offline, called in outside cybersecurity experts, and alerted the
U.S. Federal Bureau of Investigation. Affected customers included IQVIA, the
contract research organization helping manage AstraZeneca's Covid-19 vaccine
trial, and drug maker Bristol Myers Squibb, which is leading a consortium in
developing a rapid test for coronavirus.

https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html

------------------------------

Date: Mon, 5 Oct 2020 12:39:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Flawed Algorithm Used to Determine UK Welfare Payments Is 'Pushing
  People Into Poverty' (Thomas Macaulay)

Thomas Macaulay, *The Next Web*, 29 Sep 2020

Human Rights Watch warns a flawed algorithm for calculating monthly social
security benefits in Britain is causing hunger, debt, and psychological
distress. The model measures changes in their earnings to dole out payments,
but the non-governmental organization said the algorithm only analyzes wages
people receive within a calendar month, and ignores frequency of
payment. This means people who get multiple monthly paychecks can have their
earnings overestimated, with their welfare payments dramatically reduced as
a result. Human Rights Watch's Amos Toh said, "The government's bid to
automate the benefits system--no matter the human cost--is pushing people to
the brink of poverty."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27559x225466x065619&;

------------------------------

Date: Tue, 6 Oct 2020 00:51:56 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: 'The Wire' inspired a fake turtle egg that spies on poachers (WiReD)

Scientists 3D-printed sea turtle eggs and stuffed transmitters inside.  When
poachers pulled them out of nests, the devices tracked their every move.

https://www.wired.com/story/the-wire-inspired-a-fake-turtle-egg-that-spies-on-poachers/

------------------------------

Date: Tue, 6 Oct 2020 13:05:05 +0800
From: Richard Stein <rmstein () ieee org>
Subject: The robot shop worker controlled by a faraway human (bbc.com)

https://www.bbc.com/news/business-54232563

"It's true that the list of jobs that were once manual but which are now
done by machines with just a small amount of human oversight, or none at
all, grows ever longer.

"'When these robots are good enough, you don't necessarily want them to be
remote-controlled, you want them to be automatic,' he says.  'That's when
you cut out the workers.'"

Where staff shortages for certain roles are chronic and increasingly acute,
a robot substitute may be an optimal replacement choice. Robot life cycle
economics, like all machine v. human business investment decisions
(employment), augurs against people engaged to perform routine and
repetitive tasks.

I recall the *Scientific American* from Sep 1982 entitled, "The
Mechanization of Work", where robotic integration into manufacturing
processing, and other industries, was described. This issue also raised
economic dislocation prospects as a result of robotic substitution for human
participation.  https://www.scientificamerican.com/magazine/sa/1982/09-01/

Risks: Malicious tele-hack (remote or insider), computer crash, mechanical
malfunction, stock damage, economic disenfranchisement.

------------------------------

Date: Fri, 2 Oct 2020 10:03:45 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: "A friend of a friend at Google interviewed at Facebook right as
  the virus hit..."

Accepted new job in March. Didn't quit old job. Apparently does both
jobs at home in 55 hours/week. Neither company knows yet. Might have
reversed the [companies], not sure. I have so many thoughts on this.

https://twitter.com/arrington/status/1311520168200163328

  [This is certainly RISKS-worthy!  However, there might be a problem if
  both companies require 100% of your IP -- unless you are not generating
  any.  PGN]

------------------------------

Date: Sat, 3 Oct 2020 17:08:12 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Documents Show How The LAPD Was Trained To Use Palantir (BuzzFeed)

https://www.buzzfeednews.com/article/carolinehaskins1/training-documents-palantir-lapd

------------------------------

Date: Sat, 3 Oct 2020 17:08:50 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Meet the Customer Service Reps for Disney and Airbnb Who Have to
  Pay to Talk to You (ProPublica)

https://www.propublica.org/article/meet-the-customer-service-reps-for-disney-and-airbnb-who-have-to-pay-to-talk-to-you

------------------------------

Date: Sun, 4 Oct 2020 05:46:58 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Digital pioneer Geoff Huston apologises for bringing the Internet
  to Australia (ZDNet)

*Huston says the Internet is a 'gigantic vanity-reinforcing distorted TikTok
selfie' and web security is 'the punchline to some demented sick joke'. But
Australia's first Privacy Commissioner thinks he's being optimistic.* [...]

https://www.zdnet.com/article/digital-pioneer-geoff-huston-apologises-for-bringing-the-internet-to-australia/

------------------------------

Date: Mon, 5 Oct 2020 16:20:10 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Psychographic Profiling cartoon (Tom Fishburne -- Marketoonist)

Psychographics are back in the news as part of the US election cycle, four
years after the Cambridge Analytica scandal made the term mainstream.

This week, CB Insights published a useful primer on psychographics, which
they describe as one of the *dark arts* of social media and Internet
marketing.

https://marketoonist.com/2020/10/psychographic-profiling-2.html

------------------------------

Date: Sun, 4 Oct 2020 18:50:13 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Maryland's web-delivered ballots must be hand-copied to be
  counted (RISKS-32.30)

Let me get this straight: "The process takes about five minutes per ballot"
-- so it can be converted to a form that can be counted by a machine in
0.001 second?  Hasn't it occurred to anyone there that the ballots could
just be counted manually?

Someone there must be nominated for the next Ig-Nobel Prize for political
sciences...

------------------------------

Date: Thu, 8 Oct 2020 13:08:47 -0400
From: Steve Klein <steven () klein us>
Subject: Re: Apple marches to a different beat (Baker, RISKS-32.30)

Henry Baker reported that his Mac's clock was 2-3 minutes slow, and that he
couldn't see how to change the time server.

I administer a fleet of Macs, and they all use Apple time servers. Most use
time.apple.com; our Macs in China use time.asia.apple.com.

Three Macs chosen at random all have clocks matching the time displayed at
https://time.gov (to within 1 second).

That website, operated by the NIST (National Institute of Standards and
Technology), displays the official US time.  NIST also offers NTP (Network
Time Protocol) servers available at nist.time.gov.

Apple has three default time servers depending on your location:
* Apple Americas/U.S. (time.apple.com)
* Apple Asia (time.asia.apple.com)
* Apple Europe (time.euro.apple.com)

Changing the time server on a Mac is incredibly easy:
1. Open the Date & Time preference pane (in System Preferences)
2. Click the padlock icon to unlock settings
3. Delete time.apple.com, and type or paste the address of your preferred
   NTP server

Hope this helps Henry, and anyone else facing similar issues.

------------------------------

Date: 2 Oct 2020 23:09:53 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Apple marches to a different beat (Baker, RISKS-32.30)

Is it just me, or do other people find that MacOS keeps their clock 2-3
*minutes* early?

It's just you.

I'm typing this on a Macbook running MacOS Catalina, and its time agrees
with my NTP synced FreeBSD server to the second.

The MacOS date and time preferences menu has an option to NTP sync to one of
Apple's servers. It's turned on by default but you might check to see if
somehow you turned it off.

------------------------------

Date: Sat, 3 Oct 2020 15:07:47 +0100
From: Alan Ralph <alan () alanralph co uk>
Subject: Re: Apple marches to a different beat (Baker, RISKS-32.30)

I've thankfully never had this issue, which is just as well since I do two
weekly radio shows for an Internet radio station, as well as occasional
online DJ shows.

I'm based in the UK, so my iMac is set to take its time signal from Apple's
European time server. I'm also still on macOS Mojave, as I've been put off
by the reports of issues with Catalina.

As for what might be causing the issue that Henry is seeing, I can think of
a few possible causes:

1. A problem with whichever Apple time server Henry's Mac defaults to.

2. A problem in the time synchronisation code in the version of macOS that
Henry's Mac is running.

3. Henry's ISP perhaps intercepting NTP traffic and making it go to their
time server, which is running fast.

I'll admit, the last one seems unlikely, but it's not as if ISPs have much
compunction against fiddling with their customers' traffic in the past. My
gut instinct, however, is that this is more likely to be a problem at
Apple's end.

------------------------------

Date: Fri, 2 Oct 2020 16:21:25 -0500
From: "Craig S. Cottingham" <craig () cottingham net>
Subject: Re: Apple marches to a different beat (Baker, RISKS-32.30)

I didn't see any easy way to change the time server that this machine
consults, so it remains early.

System Preferences -> Date & Time -> Date & Time tab.

Unlock (using the icon in the bottom-left corner) if necessary.

The field labeled *Set date and time automatically* looks like a simple
dropdown with a set selection of options, but you can actually type in any
domain name you wish.

For what it's worth, my laptop syncs with time.apple.com and has the same
time as my cell phone (which receives its date and time from my carrier) and
the master clock time reported by the US Naval Observatory at
https://www.usno.navy.mil/USNO.
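
Steve Klein's and Craig Cottingham's replies above describe comparing a Mac's
clock against time.gov and pointing it at a chosen NTP server. As an added
example (editor's code, not from any of the posters), here is a minimal SNTP
client in Python that asks a server such as time.apple.com or nist.time.gov
for its time and computes how far the local clock is off, using the RFC 4330
offset formula; the server name, the 2-second timeout and the constructed
fake_response packet are assumptions for illustration and offline testing.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 to the Unix epoch
FMT = "!BBbbIIIQQQQ"           # 48-byte NTP header (RFC 4330 layout)

def to_ntp(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP fixed-point timestamp."""
    ntp = unix_seconds + NTP_EPOCH_DELTA
    secs = int(ntp)
    return (secs << 32) | int((ntp - secs) * (1 << 32))

def from_ntp(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)

def build_request(t1_unix):
    """Client request: LI=0, version 4, mode 3; transmit timestamp = t1."""
    return struct.pack(FMT, (4 << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))

def clock_offset(response, t1_unix, t4_unix):
    """Return (offset, delay) in seconds per RFC 4330: offset = ((t2-t1)+(t3-t4))/2,
    delay = (t4-t1)-(t3-t2).  offset > 0 means the local clock is behind the server."""
    f = struct.unpack(FMT, response[:48])
    if f[0] & 0x07 != 4 or f[1] == 0:   # need mode 4 (server) and not kiss-o'-death
        raise ValueError("not a usable server reply")
    if f[8] != to_ntp(t1_unix):         # origin field must echo our transmit stamp
        raise ValueError("origin timestamp mismatch: reply is not for our request")
    t2, t3 = from_ntp(f[9]), from_ntp(f[10])   # server receive / transmit times
    return ((t2 - t1_unix) + (t3 - t4_unix)) / 2, (t4_unix - t1_unix) - (t3 - t2)

def query(server="time.apple.com", timeout=2.0):
    """Send one SNTP request over UDP/123 and return (offset, delay)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        data, _ = s.recvfrom(48)
        t4 = time.time()
    return clock_offset(data, t1, t4)

def fake_response(t1_unix, server_skew):
    """Constructed stratum-1 reply (no network) from a server whose clock runs
    `server_skew` s ahead of ours: 20 ms in flight, 10 ms spent on the server."""
    t2 = t1_unix + 0.02 + server_skew
    t3 = t2 + 0.01
    return struct.pack(FMT, (4 << 3) | 4, 1, 0, -20, 0, 0, 0, 0,
                       to_ntp(t1_unix), to_ntp(t2), to_ntp(t3))
```

On a networked machine, query("nist.time.gov") returns the offset to add to the
local clock; a reading around +150 s would reproduce the "2-3 minutes slow"
report, and a reply that fails the origin-timestamp check is not the answer to
the request that was sent.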

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.31
************************

