RISKS Forum mailing list archives

Risks Digest 32.40


From: RISKS List Owner <risko () csl sri com>
Date: Fri, 11 Dec 2020 20:00:49 PST

RISKS-LIST: Risks-Forum Digest  Friday 11 December 2020  Volume 32 : Issue 40

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.40>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
GE puts default password in radiology devices, leaving healthcare networks
  exposed (Ars Technica)
COVID data manager investigated, raided for using publicly available
  password (Ars Technica)
Having one password makes it easier in Florida (Ars Technica)
Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices
  (The Hacker News)
Russian SVR intel service hacks FireEye, obtaining "red team" tools (PGN)
Former Israeli space security chief says aliens exist, humanity not ready
  (The Jerusalem Post)
CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy (DNYUZ)
How to steal photos off someone's iPhone from across the street
  (Naked Security)
Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new
  report finds (The Washington Post)
Digital stethoscope uses artificial intelligence for diagnosing lung
  abnormalities (medicalxpress.com)
Police Drones Starting to Think for Themselves (Cade Metz)
AI Can Run Your Work Meetings Now (WiReD)
The coming war on the hidden algorithms that trap people in poverty
  (Tech Review)
HP Ends 'Free Ink for Life' Subscription Plan (Consumer Reports)
Waymo Terms of Service (waymo.com)
Amazon Wants to Get Even Closer. Skintight (The New York Times)
Designed A Smartwatch App To Help Stop His Dad's Nightmares (npr.org)
Differential Privacy for Ordinary Security Mavens (Rob Slade)
Re: Looking for ways to prevent price collusion with AI systems (Wol)
Re: How 30 Lines of Code Blew Up a 27-Ton Generator (Martin Ward)
Re: Utah monolith: Internet sleuths got there, but its origins are still a
  mystery (Amos Shapir)
Re: Is Alexa Becoming Anti-semitic (John Wunderlich)
Re: Rashida Tlaib takes on stablecoins, not cryptocurrency (John Levine)
Re: Keyhole wasps may threaten aviation safety (Richard Stein,
  Carlos Villalpando)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 9 Dec 2020 01:21:54 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: GE puts default password in radiology devices, leaving healthcare
  networks exposed (Ars Technica)

Fixing the critical vulnerability isn't straightforward and comes with its
own risks.

Dozens of radiology products from GE Healthcare contain a critical
vulnerability that threatens the networks of hospitals and other health
providers that use the devices, officials from the US government and a
private security firm said on Tuesday.

The devices—used for CT scans, MRIs, X-Rays, mammograms,
ultrasounds, and positron emission tomography—use a default
password to receive regular maintenance. The passwords are available to
anyone who knows where on the Internet to look. A lack of proper access
restrictions allows the devices to connect to malicious servers rather than
only those designated by GE Healthcare. Attackers can exploit these
shortcomings by abusing the maintenance protocols to access the devices.
From there, the attackers can execute malicious code or view or modify
patient data stored on the device or the hospital or healthcare provider
servers.

Aggravating matters, customers can’t fix the vulnerability
themselves.  Instead, they must request that the GE Healthcare support team
change the credentials. Customers who don’t make such a request
will continue to rely on the default password. Eventually, the device
manufacturer will provide patches and additional information.

https://arstechnica.com/information-technology/2020/12/default-password-in-radiology-devices-leaves-healthcare-networks-open-to-attack/

------------------------------

Date: Thu, 10 Dec 2020 19:28:50 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: COVID data manager investigated, raided for using publicly
  available password (Ars Technica)

Not only does the whole state share one password, but it's posted publicly.

Florida police said a raid they conducted Monday
<https://arstechnica.com/tech-policy/2020/12/florida-police-raid-home-of-former-state-coronavirus-data-manager/>
on the Tallahassee home of Rebekah Jones, a data scientist the state fired
from her job in May, was part of an investigation into an unauthorized
access of a state emergency-responder system. It turns out, however, that
not only do all state employees with access to that system share a single
username and password, but also those credentials are publicly available on
the Internet for anyone to read.

https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/

------------------------------

Date: Wed, 9 Dec 2020 14:35:23 -0500
From: wb8foz <wb8foz () panix com>
Subject: Having one password makes it easier in Florida (Ars Technica)

So Rebekah Jones was a state data scientist [in] Florida until she got fired
from her Dept. of Health job in May for posting COVID stats that made
Governor Ronald DeSantis mad.

She had further upset DeSantis by privately continuing to post COVID stats
for FL.

She got raided by Florida Dept of Law Enforcement agents a few days ago.
The basis for the warrant was the allegation she had posted a message to the
DOH mailing list.

Now ARS has reported that not only does the DOH system with the list have
only one login & password for all 1700 users, but it's also posted on-line.

So besides the question of whether she did post that message, one wonders if
it is [il]legal to use a system with published login/PW data?

<https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/>

------------------------------

Date: Thu, 10 Dec 2020 09:41:03 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices
  (The Hacker News)

Cybersecurity researchers disclosed a dozen new flaws in multiple
widely-used embedded TCP/IP stacks impacting millions of devices ranging
from networking equipment and medical devices to industrial control systems
that could be exploited by an attacker to take control of a vulnerable
system.

Collectively called "AMNESIA:33
<https://www.forescout.com/research-labs/amnesia33/>" by Forescout
researchers, it is a set of 33 vulnerabilities that impact four open-source
TCP/IP protocol stacks -- uIP, FNET, picoTCP, and Nut/Net -- that are
commonly used in Internet-of-Things (IoT) and embedded devices.

As a consequence of improper memory management, successful exploitation
<https://kb.cert.org/vuls/id/815128> of these flaws could cause memory
corruption, allowing attackers to compromise devices, execute malicious
code, perform denial-of-service (DoS) attacks, steal sensitive
information, and even poison DNS caches.

In the real world, these attacks could play out in various ways: disrupting
the functioning of a power station to result in a blackout or taking smoke
alarm and temperature monitor systems offline by using any of the DoS
vulnerabilities.

The flaws, which will be detailed today at the *Black Hat Europe Security
Conference*
<https://www.blackhat.com/eu-20/briefings/schedule/index.html#how-embedded-tcpip-stacks-breed-critical-vulnerabilities-21503>,
were discovered as part of Forescout's Project Memoria initiative to study
the security of TCP/IP stacks.  [...]
https://thehackernews.com/2020/12/amnesia33-critical-tcpip-flaws-affect.html

------------------------------

Date: Tue, 8 Dec 2020 16:19:33 -0500
From: Peter G Neumann <neumann () CSL SRI COM>
Subject: Russian SVR intel service hacks FireEye, obtaining "red team" tools
  (Sundry)

https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html
https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html

------------------------------

Date: Mon, 7 Dec 2020 16:10:41 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Former Israeli space security chief says aliens exist, humanity not
  ready (The Jerusalem Post)

*This "Galactic Federation" has supposedly been in contact with Israel and
the US for years, but are keeping themselves a secret to prevent hysteria
until humanity is ready.*

Has the State of Israel made contact with aliens?

According to retired Israeli general and current professor Haim Eshed, the
answer is yes, but this has been kept a secret because "humanity isn't
ready."

Speaking in an interview to *Yediot Aharonot*, Eshed -- who served as the
head of Israel's space security program for nearly 30 years and is a
three-time recipient of the Israel Security Award -- explained that Israel
and the US have both been dealing with aliens for years.

And this by no means refers to immigrants, with Eshed clarifying the
existence of a "Galactic Federation."

The 87-year-old former space security chief gave further descriptions about
exactly what sort of agreements have been made between the aliens and the
US, which ostensibly have been made because they wish to research and
understand "the fabric of the universe." This cooperation includes a secret
underground base on Mars, where there are American and alien
representatives.  [...]
https://www.jpost.com/omg/former-israeli-space-security-chief-says-aliens-exist-humanity-not-ready-651405

------------------------------

Date: Wed, 9 Dec 2020 08:21:26 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy
  (DNYUZ)

The Trump administration is requiring states to submit personal information
of people vaccinated against Covid-19 -- including names, birth dates,
ethnicities and addresses -- raising alarms among state officials who fear
that a federal vaccine registry could be misused.

The Centers for Disease Control and Prevention is instructing states to sign
so-called *data use agreements* that commit them for the first time to
sharing personal information in existing registries with the federal
government. Some states, such as New York, are pushing back, either refusing
to sign or signing while refusing to share the information.
<https://www.cdc.gov/vaccines/covid-19/reporting/downloads/vaccine-administration-data-agreement.pdf>

Gov. Andrew M. Cuomo of New York warned that the collection of personal data
could dissuade undocumented people from participating in the vaccination
program. He called it ``another example of them trying to extort the State
of New York to get information that they can use at the Department of
Homeland Security and ICE that they'll use to deport people.''

Administration officials say that the information will not be shared with
other federal agencies and that it is needed for several reasons: to ensure
that people who move across state lines receive their follow-up doses; to
track adverse reactions and address safety issues; and to assess the
effectiveness of the vaccine among different demographic groups.  [...]
https://dnyuz.com/2020/12/08/c-d-c-call-for-data-on-vaccine-recipients-raises-alarm-over-privacy/

------------------------------

Date: Sat, 5 Dec 2020 13:14:36 PST
From: Peter Neumann <neumann () csl sri com>
Subject: How to steal photos off someone's iPhone from across the street
  (Naked Security)

For your amusement (?), from someone in our lab.

Hollywood version:

Imagine that Ethan Hunt (or Ilsa Faust) walked up to chat with you, and the
conversation lasted for several minutes.  (To satisfy covid-safety
requirements, all people involved wore masks in this scene.)  He (or she)
thanked you and walked away.  You might think that this was your lucky day,
but then you remembered Ian Beer's iOS attack, and you hadn't had time to
patch your iPhone ... needless to say, the secrets stored in your phone were
now in the hands of Hunt (or Faust).

Geek version:

https://nakedsecurity.sophos.com/2020/12/02/how-to-steal-photos-off-someones-iphone-from-across-the-street/

If you'd like to challenge yourselves with hardcore details,
here's Ian Beer's blog post:
https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html

------------------------------

Date: Tue, 8 Dec 2020 09:39:38 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Global losses from cybercrime skyrocketed to nearly $1
  trillion in 2020, new report finds (The Washington Post)

https://www.washingtonpost.com/politics/2020/12/07/cybersecurity-202-global-losses-cybercrime-skyrocketed-nearly-1-trillion-2020/

"Estimated global losses from cybercrime are projected to hit just under a
record $1 trillion for 2020 as the coronavirus pandemic provided new
opportunities for hackers to target consumers and businesses.

"The projection of $945 billion in losses, from a new report out today from
the Center for Strategic and International Studies and computer security
company McAfee, is almost double the monetary loss from cybercrime than the
$500 billion in 2018.

"The report underscores the growing dangers that ransomware attacks by
foreign criminal enterprises posed to American industries. Lawmakers have
been deeply concerned about the impact of such attacks, including on the
financial and health-care sectors, in the pandemic."

https://en.wikipedia.org/wiki/World_economy#World_economy_by_country_groups
(retrieved on 08DEC2020) estimates annual global economic output @ ~US$
87.5T. US$ 0.945T/US$ 87T ~= 1.1% of output skimmed via cybertheft of
various flavors.

Cyberinsurance premiums will rise. Businesses that cannot afford the expense
for insurance and proactive measures to secure their personnel, processes,
and infrastructure might close or be bought out by competitors.

"Cybercrime-whackamole-control" is impossible without coordinated
international and transnational law enforcement agencies. Significant
engagement appears missing. Some countries enable and encourage
cybertheft/extortion to harass enemies and boost their own economies.

Risk: Global economic destabilization.

------------------------------

Date: Tue, 8 Dec 2020 18:20:18 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Digital stethoscope uses artificial intelligence for diagnosing
  lung abnormalities (medicalxpress.com)

https://medicalxpress.com/news/2020-12-digital-stethoscope-artificial-intelligence-lung.html

"'Because it can take recordings and telemeter them to physicians, clinical
support can be provided for hard-to-reach areas or areas requiring increased
medical support,' said West.

"The digital stethoscope also features noise suppression to enhance the
auditory signal from the lungs, simplifying the diagnosis process.

"'The noise suppression is a critical aspect that allows it to be used in
even challenging clinics, like we see popping up with increased COVID
hospitalizations,' West said. 'No training is required. Noise suppression
runs automatically on the device and provides clear body sounds.

"'In tests of the device, physicians were found to favor it over 95% of the
time compared to traditional techniques. Once the algorithm is further
improved, the digital stethoscope can be distributed to the field.'"

One expects an AI stethoscope to correctly distinguish and discriminate
respiratory sounds from lungs afflicted by pneumonia, chronic obstructive
pulmonary disorder, silicosis, emphysema, or bronchitis.

Whatever an AI stethoscope detects and diagnoses requires additional
clinical assessment to confirm initial diagnosis: blood chemistry, x-ray,
lung capacity, biopsy, CAT/MRI, etc. Trust but verify.

Noise suppression mechanisms, if not applied carefully, can erroneously
modify (damp or amplify) respiratory harmonics which might render an
inaccurate diagnosis. The AI stethoscope's diagnostic capabilities will
ideally demonstrate diagnosis based on low false positive/negative outcomes
with high-fidelity receiver operating characteristics.

Risk: Inappropriately indicated treatment protocols based on AI-stethoscope
diagnosis.

------------------------------

Date: Mon, 7 Dec 2020 11:56:01 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Police Drones Starting to Think for Themselves (Cade Metz)

Cade Metz, *The New York Times*, 5 Dec 2020, via ACM TechNews, 7 Dec 2020

Police agencies in four U.S. cities are participating in the Drone as First
Responder program, launching unmanned aerial vehicles in response to
emergency calls. The Chula Vista, CA, police dispatches drones, with a
federally certified pilot on the roof of the Police Department to oversee
launches and pilot the drones upon their return; a special drone from
Silicon Valley's Skydio avoids obstacles on its own and can follow a
particular person or vehicle. The latest drone technology would allow police
to operate autonomous drones relatively inexpensively, although civil
liberties proponents are concerned. Greater police use of drones could
eliminate any expectation of privacy outside the home, as the drones collect
and store more video footage. The American Civil Liberties Union's Jay
Stanley said, "It could allow law enforcement to enforce any area of the law
against anyone they want."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28602x226c2ax068361&;

------------------------------

Date: Mon, 7 Dec 2020 18:01:08 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: AI Can Run Your Work Meetings Now (WiReD)

  [Of special interest to organization secretaries! ;-)]

A new wave of startups is trying to optimize meetings, from automated
scheduling tools to facial recognition that measures who's paying attention.

Headroom aims to tackle the social distance of virtual meetings in a few
ways. First, it uses computer vision to translate approving gestures into
digital icons, amplifying each thumbs up or head nod with little emojis that
the speaker can see. Those emojis also get added to the official transcript,
which is automatically generated by software to spare someone the task of
taking notes. Green and Rabinovich say this type of monitoring is made clear
to all participants at the start of every meeting, and teams can opt out of
features if they choose.

More uniquely, Headroom's software uses emotion recognition to take the
temperature of the room periodically, and to gauge how much attention
participants are paying to whomever is speaking. Those metrics are displayed
in a window on-screen, designed mostly to give the speaker real-time
feedback that can sometimes disappear in the virtual context.  ``If five
minutes ago everyone was super into what I'm saying and now they're not,
maybe I should think about shutting up,'' says Green.

https://www.wired.com/story/ai-can-run-work-meetings-now-headroom-clockwise/

For those of us who hate being on camera, I hope the software enjoys looking
at my profile picture.

More seriously, there's not a word about how this AI has been trained.
What could go wrong?

------------------------------

Date: Tue, 8 Dec 2020 20:25:32 -0700
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: The coming war on the hidden algorithms that trap people in poverty
  (Tech Review)

A growing group of lawyers are uncovering, navigating, and fighting the
automated systems that deny the poor housing, jobs, and basic services.

https://www.technologyreview.com/2020/12/04/1013068/algorithms-create-a-poverty-trap-lawyers-fight-back/

------------------------------

Date: Thu, 10 Dec 2020 20:31:20 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: HP Ends 'Free Ink for Life' Subscription Plan (Consumer Reports)

Rescinding the lifetime deal is already sparking criticism from Instant
Ink subscribers.

``HP Regularly reviews pricing and makes adjustments based on a variety of
factors. Our updated Instant Ink subscription pricing plans include ending
the free printing plan option while allowing for more roll-over flexibility,
options, and benefits.''

https://www.consumerreports.org/printers/hp-ends-free-ink-for-life/

Just like limiting unlimited bandwidth, terminating free-for-life.

------------------------------

Date: Mon, 7 Dec 2020 12:00:03 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Waymo Terms of Service (waymo.com)

https://waymo.com/terms/ retrieved on 07DEC2020 (Pearl Harbor Day!)

NOTE: Capitalized words used selectively for emphasis.

"9. Indemnification

"To the fullest extent permitted by applicable law, YOU will INDEMNIFY,
DEFEND, and HOLD HARMLESS Waymo and its affiliates, and each of their
respective officers, directors, agents, partners and employees (individually
and collectively, the 'Waymo Parties') FROM AND AGAINST ANY loss, liability,
claim, demand, damages, expenses or costs ('Claims') arising out of or
related to (a) your ACCESS to or USE of our Services; (b) your User Content
or Feedback; (c) your violation of these Terms; (d) your violation,
misappropriation or infringement of any rights of another (including
intellectual property rights or privacy rights); and (e) your conduct in
connection with our Services. You agree to promptly notify Waymo Parties of
any third-party Claims, cooperate with Waymo Parties in defending such
Claims and pay all fees, costs and expenses associated with defending such
Claims (including, but not limited to, attorneys' fees).  You also agree
that the Waymo Parties will have control of the defense or settlement, at
Waymo's sole option, of any third-party Claims. This indemnity is in
addition to, and not in lieu of, any other indemnities set forth in a
written agreement between you and Waymo or the other Waymo Parties."

Ironclad indemnification protects Waymo Parties arising from Service
incidents, mishaps, or injuries.

"11. Limitation of Liability

"To the fullest extent permitted by applicable law, Waymo and the other
Waymo Parties will not be liable to you under any theory of liability --
whether based in contract, tort, negligence, strict liability, warranty, or
otherwise -- for any indirect, consequential, exemplary, incidental,
punitive or special damages or lost profits, even if Waymo or the other
Waymo Parties have been advised of the possibility of such damages.

"The total liability of Waymo and the other Waymo Parties, for any claim
arising out of or relating to these Terms or our Services, regardless of the
form of the action, is limited to the amount paid, if any, by you to use our
Services."

If Waymo's liability is miraculously established, the cost of the Service
will be reimbursed.

Given these service terms, is it any wonder why the DV industry is poised
for "blastoff"?

The National Safety Council publishes
https://injuryfacts.nsc.org/all-injuries/preventable-death-overview/odds-of-dying/
(retrieved on 07DEC2020).

The odds of dying in a motor vehicle accident are 1 in 106. The DV industry
is betting that their services can beat these odds. Is their bet a
beneficial "risk shift" (public risk for private profit) or will it become
yet another example of "Profit Without Honor"
(https://www.amazon.com/Profit-Without-Honor-Looting-Criminal/dp/0134871421)?

------------------------------

Date: Mon, 7 Dec 2020 00:06:38 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Amazon Wants to Get Even Closer. Skintight (The New York Times)

In the pursuit of surveillance as a service, Jeff Bezos is intent on
recording even our moods. How much personal data is too much to give to
Amazon?

https://www.nytimes.com/2020/11/27/opinion/amazon-halo-surveillance.html

------------------------------

Date: Mon, 7 Dec 2020 14:12:08 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Designed A Smartwatch App To Help Stop His Dad's Nightmares
  (npr.org)

https://www.npr.org/2020/12/06/943647610/he-designed-a-smartwatch-app-to-help-stop-his-dads-nightmares
retrieved on 07DEC2020.

There is an urgent public health need to treat post traumatic stress
disorder (PTSD) in military service veterans, especially those exposed to
combat conditions. I do hope this app is effective.

Consulting the QuickSearch option of FDA's Product Classification
Database @
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/pcdsimplesearch.cfm
(type in "PTSD") yields:

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/classification.cfm?IDMZ.

To learn a bit more, access
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=3909.

The FDA's Total Product Lifecycle (TPLC) linkage on Product Code QMZ reveals
no published MAUDE medical device report (MDR) submissions to date for
injury, malfunction, death or other event types. The TPLC platform
aggregates device problems and patient problem categories.  Patient problems
are traced to injury, malfunction, death or other MDR event labels. Revisit
TPLC Product Code QMZ in a year or so to observe the net public health
benefit or deployment effectiveness of the app.

Attempting to determine benefit or harm from historical medical device use
can be challenging. There appears to be no federal regulation requiring the
device manufacturer or supplier to periodically disclose use volumes.

Device manufacturer financial reports document revenue and percentage change
in revenue; no tables disclose product inventory counts sold or returned for
inspection/failure analysis. See "Medtronic FY20 Irish Financial Report" @
https://investorrelations.medtronic.com/static-files/5b588fc9-9447-427d-9d51-6ff7b73370aa
table on pg. 4/pdf pg. 6, retrieved on 07DEC2020.

The FDA's systems do not publish totalized counts of device
implants/explants or use/disuse. MDR narratives must be searched to discover
language stating 'device was returned for analysis', 'implanted',
'explanted', 'removed', or 'replaced'.

Further, every patient is different (pre-existing morbidities, genetics,
gender, age, etc.) As a result, it is sometimes challenging to conclude if
the device initiated the MDR event, or if the patient's underlying
condition(s) contributed/caused the event. For this reason, focusing
exclusively on MDR death events can be misleading as a predictive indicator
of future therapeutic prescription outcome. Device malfunctions and injuries
arising from their use are more tightly correlated.

The FDA's disclaimer is VERY CLEAR about attempting to project outcomes
based solely on the TPLC and MAUDE historical device/patient problem
counts. See
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/TextSearch.cfm#disclaimer
retrieved on 07DEC2020.

The rate of device use by healthcare professionals/systems (hospitals) can
be determined from historical procedure billing found in the United States
Center for Medicare and Medicaid Services (CMS.gov). With that information,
one can estimate probabilities for future patient or device problems based
on historical procedure billing counts and population statistics.

------------------------------

Date: Wed, 9 Dec 2020 10:09:03 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Differential Privacy for Ordinary Security Mavens

A friend, and NYIT, have asked me to do a CISSP review seminar.  Since I've
taught the seminars for two decades, first for ISC2 and then for various
other commercial training companies, this is not hard.  I'm about 70%
through my first draft.  At the same time, I'm going to be giving the
differential privacy presentation on Friday.
https://infosecbc.org/2020/11/27/december-11th-2020-meeting/
https://community.isc2.org/t5/P/D/m-p/41128
So Gloria asked me if I was going to be putting any differential privacy
content into the review seminar.

I had to think about that.  For one thing, knowing what I know about the
CISSP exam question process, I very much doubt that anyone (other than
myself) has yet created any questions about differential privacy in the
CISSP exam question style.  (There is *plenty* of trivia in regard to
differential privacy that can be used to make up questions to prove how
smart *you* are in comparison to the other guy, but that isn't the CISSP
question style.)
https://community.isc2.org/t5/Exams/CISSP-questions/m-p/18626

But the next problem is, where would I put it within the domains?  Would it
go in Law, Investigation, and Ethics, which is where we usually talk about
privacy?  But differential privacy isn't really about privacy.  At least not
*your* privacy.  It's not something you can do, but something that
enterprises, developers, and whole infrastructures of the IT universe have
to put in place in order to protect privacy on a much larger scale.  Do I
put it in crypto?  There's lots of math involved, some of it similar to a
lot of work in various corners of crypto (although not exactly the same).
Or should it go into Applications Security, since most of it primarily
applies to databases and queries and it has to be baked in to database
design at a pretty structural level in order to actually work.

Part of the problem is that differential privacy isn't actually a single
"thing."  It's an amalgam of a number of ideas and technologies, none of
them actually new, trying to address some interesting, and long-term,
problems of privacy and disclosure.  Trying to see whether these approaches
actually work has raised some new issues and concepts, and differential
privacy probably will provide some important and interesting approaches to
some aspects of privacy and database design in the years to come.  But it's
kind of like Public Key Infrastructure (PKI) in crypto: you've got a lot of
moving parts, and you have to make sure they are all properly in place in
order to have the system work properly and not be in danger of some kind of
attack on your implementation.  It's also kind of the quantitative risk
analysis of privacy and database design: there are a lot of details, and
it's a lot of work, and most people are going to be too lazy to try to make
it work properly.
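One concrete piece of the "baked in to database design" point above, as an added example that is not from Rob Slade's post or his seminar: a count query over a constructed toy table, first answered exactly (where two legitimate aggregate queries can be differenced to reveal one named row, the leak differential privacy is meant to close) and then through the Laplace mechanism, the textbook mechanism for epsilon-differential privacy. The table, the predicate, the names and the epsilon values are all constructed here, and the privacy-loss check at the end verifies the bound that defines the guarantee rather than taking it on faith.

```python
# Added illustration (not from the RISKS post): exact vs. differentially
# private answers to a count query. All data below is constructed.
import math
import random
from typing import Callable, Sequence, Tuple

Record = Tuple[str, int, bool]  # (name, age, has_condition); constructed fields

# Constructed sample table: one row per person.
SAMPLE_RECORDS: Sequence[Record] = (
    ("alice", 34, True), ("bob", 51, False), ("carol", 29, True),
    ("dave", 62, True), ("erin", 45, False), ("frank", 38, False),
    ("grace", 70, True), ("heidi", 23, False), ("ivan", 57, True),
    ("judy", 41, False),
)


def has_condition(r: Record) -> bool:
    return r[2]


def count_query(records: Sequence[Record],
                predicate: Callable[[Record], bool]) -> int:
    """Exact count of rows matching predicate: what a plain database returns."""
    return sum(1 for r in records if predicate(r))


def differencing_leak(records: Sequence[Record],
                      predicate: Callable[[Record], bool], name: str) -> bool:
    """Why exact aggregates are not private: the count over everyone minus
    the count over everyone-but-`name` is exactly that person's value."""
    everyone = count_query(records, predicate)
    without = count_query([r for r in records if r[0] != name], predicate)
    return everyone - without == 1


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5  # uniform on (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records: Sequence[Record], predicate: Callable[[Record], bool],
             epsilon: float, rng: random.Random) -> float:
    """epsilon-differentially private count. A count has global sensitivity 1
    (adding or removing one person moves it by at most 1), so Laplace noise
    with scale 1/epsilon is enough; smaller epsilon = more noise = more privacy."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    sensitivity = 1.0
    return count_query(records, predicate) + laplace_noise(sensitivity / epsilon, rng)


def mean_noisy_count(records: Sequence[Record], predicate: Callable[[Record], bool],
                     epsilon: float, trials: int, seed: int) -> float:
    """Average of many noisy releases. The noise is zero-mean, so the average
    converges to the exact count; that is precisely why each release spends
    epsilon of a finite privacy budget and repeated queries must be limited."""
    rng = random.Random(seed)
    return sum(dp_count(records, predicate, epsilon, rng) for _ in range(trials)) / trials


def laplace_log_density(x: float, mean: float, scale: float) -> float:
    return -math.log(2.0 * scale) - abs(x - mean) / scale


def privacy_loss(observed: float, count_a: int, count_b: int, epsilon: float) -> float:
    """|log-likelihood ratio| of seeing `observed` when the true count is
    count_a versus count_b. For neighbouring tables (|count_a - count_b| <= 1)
    this never exceeds epsilon, whatever was observed: that bound is the
    differential-privacy guarantee."""
    scale = 1.0 / epsilon
    return abs(laplace_log_density(observed, count_a, scale)
               - laplace_log_density(observed, count_b, scale))


if __name__ == "__main__":
    rng = random.Random(2020)
    print("exact count:", count_query(SAMPLE_RECORDS, has_condition))
    print("alice's value leaked by differencing exact answers:",
          differencing_leak(SAMPLE_RECORDS, has_condition, "alice"))
    for eps in (0.1, 1.0):
        answers = [round(dp_count(SAMPLE_RECORDS, has_condition, eps, rng), 1)
                   for _ in range(5)]
        print(f"epsilon={eps}: five noisy answers {answers}")
    print("privacy loss for an extreme observation at epsilon=0.5:",
          privacy_loss(12.0, 5, 4, 0.5))
```

The two things worth taking from running it: with epsilon=0.1 the individual answers swing by tens, so no single release says anything reliable about one row, yet `mean_noisy_count` still converges to the truth, which is why the budget spent across all queries, not the noise on one, is what the database design has to track.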

------------------------------

Date: Sat, 5 Dec 2020 09:01:31 +0000
From: Wols Lists <antlists () youngman org uk>
Subject: Re: Looking for ways to prevent price collusion with AI systems
  (RISKS-32.39)

And how is this different from what already happens today?

It is now recognised that certain market dynamics (mainly customer inertia
in switching suppliers) ALREADY give rise to the appearance of collusion
when there is none.

This is why utility prices rise quickly when raw costs go up, but fall
slowly when they go down.

This is why brands invest heavily in brand loyalty.

And the fix needs to be the same -- keep humans in the loop, looking for the
opportunity to steal a march on their opponents by intervening and cutting
prices to steal customers.

------------------------------

Date: Sat, 5 Dec 2020 10:23:04 +0000
From: Martin Ward <martin () gkc org uk>
Subject: Re: How 30 Lines of Code Blew Up a 27-Ton Generator
  (Goldberg, RISKS-32.39)

30 lines of code = 140KB?

On my machine a two-line "Hello world" compiles to 20kB.  So with static
linking of more libraries, 30 lines could easily compile to 140kB.

But it might also mean 30 lines of code were changed in a larger file.

------------------------------

Date: Sat, 5 Dec 2020 14:12:19 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Utah monolith: Internet sleuths got there, but its
  origins are still a mystery (RISKS-32.39)

Actually, the Mystery of the Monolith has been solved.

The article "The Mystery Of The Utah Monolith May Have Been Solved By
Internet Sleuths" details how the monolith was found; the last paragraph also
details who had created it.
<https://www.iflscience.com/editors-blog/the-mystery-of-the-utah-monolith-may-have-been-solved-by-internet-sleuths/>

------------------------------

Date: Sun, 6 Dec 2020 08:45:16 -0500
From: John Wunderlich <john () wunderlich ca>
Subject: Re: Is Alexa Becoming Anti-semitic (RISKS-32.39)

I should note the piece on anti-semitism and AI contains assertions that
are politically contested.  I'm particularly referring to the notion that
criticisms of the state of Israel are inherently anti-Semitic.

The framing of the piece conflated anti-semitism -- a real and pernicious
type of racism -- with political criticism of Israel -- a legitimate form of
free speech.

In effect, this highlights just how wicked hard applying AI to
news/speech/politics is.

------------------------------

Date: 5 Dec 2020 17:23:44 -0500
From: "John Levine" <johnl () iecc com>
Subject: Re: Rashida Tlaib takes on stablecoins, not cryptocurrency (R-32.39)

> cosponsored a bill requiring stablecoins like Facebook's Libra to be
> issued by banks.

The important word is "stablecoins"; this is quite reasonable.

A stablecoin promises that you can redeem it for some amount of real
money. That means that each coin is in effect a demand loan of the
underlying value to whomever holds the money, and it makes sense to regulate
them like other organizations that accept demand loans and give you an
IOU. These organizations are generally called banks.

The best known stablecoin, Tether, claims you can redeem every tether for $1
but outside the crypto bubble it is widely considered to be a fraud. There
have been over 18 billion tether issued and there is no evidence that tether
has anything close to $18 billion in assets. Last year in a lawsuit their
lawyer asserted that they had 74c for each tether but there's not much
evidence of that either.

The usual risk is that as soon as someone says BLOCKCHAIN! a certain number
of people check their common sense at the door.

------------------------------

Date: Sun, 6 Dec 2020 09:36:34 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Re: Keyhole wasps may threaten aviation safety (RISKS-32.39)

Ben -- Thank you for this informed response to my post. I am forwarding
your response as follow up on this thread.

On 5/12/20 12:05 pm, Ben Kamen wrote:

As a private pilot that owns a small 2 seater (and we talk about blocked
pitot tubes a lot) - the problem isn't new as mud daubers have been doing
this for a long time. (if this is the same species)

In areas where they are prolific or to be safe, any time the plane is
parked outside, pitot covers are recommended.

The bigger problem isn't completely blocked tubes because a dead airspeed
indicator would be obvious on rollout for takeoff.

What most of us worry about more is partially blocked tubes that give
faulty readings.

Also being an EE, I could imagine some interesting tests for startup, but
the FAA does like simplicity and fiber could be a problem because pitot
tubes have heaters built into them to melt off any ice-buildup in icing
conditions. Even my 2-seater that's not certified for flying into known
icing conditions has a pitot heater. So a remote visual sensing system
would have to deal with that.

------------------------------

Date: Sat, 5 Dec 2020 13:01:34 -0800
From: Carlos Villalpando <unbelver () gmail com>
Subject: Re: Keyhole wasps may threaten aviation safety (RISKS-32.39)

> Would a power-on-self-test be able to discern if the inlet is bugged
> via fiber optic signal and sensor?

Wasps nests in pitot tubes are a long-known issue in aviation.  In North
America, at least, the offending species is the Mud Dauber Wasp.  As the
linked article points out pitot tube covers are the current method of
controlling such issues.

How is it detected? A thorough pre-flight is key, but daubers can get pretty
deep into the tube, beyond inspection ability.  So issues with the Air Speed
Indicator (ASI) are detected procedurally.  Small aircraft crews, during the
takeoff roll, are supposed to note that the ASI "comes alive" and is
behaving consistent with the expected takeoff performance roll early enough
to abort if necessary.  Professional airline crews do the same, but also
cross-check between the Captain's and First Officer's ASIs.

But as it is a human procedure, humans can fail at it.  Birgenair Flight 301
is an example of a pitot tube blocked by a wasp nest, with the pilots
noticing, but ignoring the warnings, with all occupants perishing.

https://en.wikipedia.org/wiki/Birgenair_Flight_301

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.40
************************
