Risks Digest 32.34


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 27 Oct 2020 17:49:26 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 27 October 2020  Volume 32 : Issue 34

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.34>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Airport Hackings by Russian Group Raise Election Alarm (Nicole Perlroth)
F-35 'Overwhelmed' By Pilot Attempts To Save It /Corrected/ (AVweb)
Tesla Putting 'Self-Driving' in the Hands of Drivers, Amid Criticism the
  Tech Is Not Ready (Faiz Siddiqui)
14 minutes in a "Full Self Driving" #Tesla beta test results in *6*
  different problems (Twitter)
UK national police computer down for 10 hours after engineer pulled the plug
  (Attila the Hun)
State inspection report sheds additional light on deadly Allston elevator
  accident (The Boston Globe)
More on erroneous Alexa/third-party data provider evacuation notices in
  Boulder County, Colorado (William Kucharski)
Surveillance Startup Used Own Cameras to Harass Coworkers (Vice)
Security Researchers Warn of Security and Privacy Risks Caused by Link
  Preview Feature in Popular Messaging Apps (The Hacker News)
A nonprofit with ties to Democrats is sending out millions of ballot
  applications. Election officials wish it would stop. (ProPublica)
Here's why residents of Boston just received a COVID-19 emergency alert
  (The Boston Globe)
Re: How does Google's monopoly hurt you? (Jose Mateos)
Re: Air Force updates code on plane mid-flight (Henry Baker)
Re: POTUS Twitter account reportedly hacked by Dutch whitehat (Rob Slade)
Re: Censorship or Sensibility? (Barry Gold)
Re: Why cars are more "fragile" (Chris Drew)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 24 Oct 2020 11:12:23 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Airport Hackings by Russian Group Raise Election Alarm
  (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 24 Oct 2020

The group known as Dragonfly and Energetic Bear has breached the power grid,
water-treatment facilities, and nuclear power plants.  In recent years they
have also breached WiFi systems at several airports -- including SFO and two
other U.S. west-coast airports (apparently attempting to find an
unidentified traveler).   [PGN-ed]

  [As usual we note that all sorts of systems that should be isolated from
  The Internet are not, and that almost all supposedly trustworthy systems
  are not.  Groan.  PGN]

------------------------------

Date: Mon, 26 Oct 2020 18:30:43 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: F-35 'Overwhelmed' By Pilot Attempts To Save It /Corrected/ (AVweb)

An unstable approach, a misaligned helmet and an ``overwhelmed'' flight
control system led to the crash of an Air Force F-35 at Eglin Air Force Base
in Florida last May. An Air Force accident report
<https://www.afjag.af.mil/Portals/77/AIB-Reports/2020/May/Eglin%20AFB%20F35A%20AIB%20Report_Signed.pdf>
released a few weeks ago found plenty of fault with the pilot's
actions but it was ultimately the airplane that wouldn't allow
itself to be saved. The plane's overworked processor set the
horizontal stabilizers to the ``default'' position of trailing edge down
just as the pilot initiated a go-around to try his landing again. When the
aircraft didn't respond to firewalled throttle and full back
pressure on the stick, the pilot ejected and the plane rolled, caught fire
and disintegrated. The pilot suffered minor injuries and the aircraft, worth
$175,983,949, became a debris field.

https://www.avweb.com/aviation-news/f-35-overwhelmed-by-pilot-attempts-to-save-it/

Gotta love quoting nine-digit airplane cost down to the dollar. I guess it
includes fuel in the tank.

------------------------------

Date: Fri, 23 Oct 2020 12:25:19 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Tesla Putting 'Self-Driving' in the Hands of Drivers, Amid
  Criticism the Tech Is Not Ready (Faiz Siddiqui)

Faiz Siddiqui, *The Washington Post*, 21 Oct 2020
  via ACM TechNews, Friday, October 23, 2020

Electric automaker Tesla has selected a number of owners of its vehicles to
have a software update download automatically into those vehicles to enable
the cars to steer better and accelerate without human control. Critics are
troubled by the absence of LiDAR sensors, a safety feature used by most
self-driving car makers, from Tesla's system, which instead uses a suite of
cameras and radar linked to an advanced neural network. Tesla CEO Elon Musk
said the new software will better capture the exterior view of the vehicle
and more seamlessly integrate collected footage to create a multidimensional
perspective; safety experts disagree, warning the system cannot always
perceive the true shape or depth of obstacles. The Partners for Automated
Vehicle Education campaign said, "Public road testing is a serious
responsibility and using untrained consumers to validate beta-level software
on public roads is dangerous and inconsistent with existing guidance and
industry norms."

https://orange.hosting.lsoft.com/trk/click?ref=Dznwrbbrs9_6-27a57x225cdfx066958&;

  [The subject line does not seem to consistently reflect the text.  PGN]

------------------------------

Date: Sun, 25 Oct 2020 16:12:22 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: 14 minutes in a "Full Self Driving" #Tesla beta test results in
  *6* different problems (Twitter)

https://twitter.com/GretaMusk/status/1320499722788999169

------------------------------

Date: Mon, 26 Oct 2020 04:54:35 +0000
From: Attila the Hun <attilathehun1900 () tiscali co uk>
Subject: UK national police computer down for 10 hours after engineer pulled
  the plug

British police forces were plunged into chaos when the Police National
Computer (PNC) went down for more than 10 hours on 21 October 2020;
reportedly after an engineer unplugged it.

The system enables real-time checks on people and vehicles, and is the
backbone of the country's policing system.

It stores and shares criminal records information across the UK and is used
by law enforcement agencies and criminal justice agencies to access
information to support national, regional and local investigations.  It also
links with the Europe-wide Schengen information system, which shares
real-time information on persons and objects of interest.

The outage affected every aspect of policing, a police source said, adding:
``Without the PNC, you cannot police.  It is the backbone of intelligence
for everyday policing; so when it went down on Wednesday, it caused absolute
chaos.''

The glitch, which has been attributed to *human error*, left the National
Police Chiefs' Council scrambling to convene two emergency Gold Command
meetings of very senior police officers to address the problem.  Deputy
Chief Constable Naveed Malik, the National Police Chiefs Council lead for
the PNC, said: ``The PNC was temporarily affected by an electricity power
outage.  There is nothing to suggest it was related to malicious
activity. The police and Home Office worked closely together to restore the
system the same day, and are now reviewing the causes of this issue.  Police
forces were kept up to date and continued to deliver essential services to
protect our communities from harm.''

Whilst detail is not (yet) available, it is at once hard and easy to believe
that such a critical system could be vulnerable to total failure through the
action of one person "switching it off".

------------------------------

Date: Tue, 27 Oct 2020 09:49:08 -0400
From: Monty Solomon <monty () roscom com>
Subject: State inspection report sheds additional light on deadly Allston
  elevator accident (The Boston Globe)

https://www.boston.com/news/local-news/2020/10/26/allston-elevator-accident-report

------------------------------

Date: Mon, 26 Oct 2020 10:50:58 -0600
From: William Kucharski <kucharsk () mac com>
Subject: More on erroneous Alexa/third-party data provider evacuation notices
  in Boulder County, Colorado

I previously wrote that third-party services like Amazon's Alexa sent push
notifications informing owners located within an entire county of a
mandatory wildfire evacuation order, based upon a much narrower evacuation
notice sent out via NOAA All Hazards Radio (the precise area covered by the
order was delineated in the accompanying audio announcement.)

However, in talking to people familiar with the situation, the failure was
even worse than that:

Not only was the evacuation order disseminated, the third-party services
helpfully hyper-localized the message.

Rather than being told an evacuation order had been issued for a portion of
or all of Boulder County, you were informed an evacuation order had
specifically been issued for your precise location.

For example, if you live in Longmont, you were informed an evacuation order
had been issued for Longmont; if you live in Lafayette, you were informed an
evacuation order had been issued for Lafayette, and so on.

This deprived recipients of knowing the warning had been county-based to
begin with, let alone the context provided by the original accompanying
audio message.

These notifications were based solely upon assumptions made by the
third-party data service, not upon information created by or disseminated
via official sources of civil information.

This resulted in some panic as well as clogged incoming phone lines to
emergency services at a time when those phone lines needed to be kept clear.

It also forced harried emergency service organizations to have to issue
press releases letting people know they were not under an evacuation order.

https://www.9news.com/article/news/local/wildfire/longmont-not-under-evacuation-orders-sunday-false-wrong-incorrect-push-alerts/73-630a2dde-fbfa-4cb8-a987-a46a900f7f91

------------------------------

Date: Mon, 26 Oct 2020 15:57:28 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Surveillance Startup Used Own Cameras to Harass Coworkers (Vice)

Employees at Verkada accessed the company's facial recognition system to
take photos of women colleagues and make sexually explicit jokes.

Four employees who worked in different teams throughout Verkada said that
the culture of sexism at the company largely emanated from a cliquey group
of high-ranking white men on the sales team, many of them who grew up and
played high school football in the same wealthy enclave, Danville, California,
some of whom went on to play for the NFL.

"If you're not invited into that core group of guys, you have a hard time
moving your career forward or getting promoted," a former sales employee
told Motherboard. "The word frat is thrown around at Verkada a lot because
there are guys that protect each other at the company.  That's this crew
from Danville. They're like a frat."

https://www.vice.com/en/article/pkdyqm/surveillance-startup-used-own-cameras-to-harass-coworkers

------------------------------

Date: Mon, 26 Oct 2020 08:27:19 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Security Researchers Warn of Security and Privacy Risks Caused by
  Link Preview Feature in Popular Messaging Apps (The Hacker News)

Cybersecurity researchers over the weekend disclosed new security risks
associated with link previews in popular messaging apps that cause the
services to leak IP addresses, expose links sent via end-to-end encrypted
chats, and even unnecessarily download gigabytes of data stealthily in the
background.

"Links shared in chats may contain private information intended only for the
recipients," researchers Talal Haj Bakry and Tommy Mysk said
<https://www.mysk.blog/2020/10/25/link-previews/>.

"This could be bills, contracts, medical records, or anything that may be
confidential."

"Apps that rely on servers to generate link previews may be violating the
privacy of their users by sending links shared in a private chat to their
servers."

Generating Link Previews at the Sender/Receiver Side [...]
https://thehackernews.com/2020/10/mobile-messaging-apps.html

------------------------------

Date: Mon, 26 Oct 2020 18:21:17 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A nonprofit with ties to Democrats is sending out millions of
  ballot applications. Election officials wish it would stop. (ProPublica)

CVI argues that the vast majority of its mailers are accurate, and while a
small percentage of people receive one with a mistake, they otherwise reach
voters who would be overlooked. But for years, CVI has been criticized for
the inaccuracy of its mailers and has faced reports that it has sent voter
registration forms to the deceased, to longtime voters who are already
registered and even to pets with human-sounding names.  Several state and
local election officials said that they have asked CVI to use more
up-to-date voter lists and make it clearer that its letters do not come from
the government. CVI said its mailers include disclaimers that it is not a
government organization.

https://www.propublica.org/article/a-nonprofit-with-ties-to-democrats-is-sending-out-millions-of-ballot-applications-election-officials-wish-it-would-stop

Idiots confused Fairfax County and Fairfax City (VA), misdirected each
area's return envelopes to the other jurisdiction.

Risk? Incompetent do-gooders.

------------------------------

Date: Tue, 27 Oct 2020 09:51:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: Here's why residents of Boston just received a COVID-19 emergency
  alert (The Boston Globe)

https://www.boston.com/news/coronavirus/2020/10/20/coronavirus-cell-phone-alerts-massachusetts

------------------------------

Date: Sun, 25 Oct 2020 10:19:24 -0400
From: José María Mateos <chema () rinzewind org>
Subject: Re: How does Google's monopoly hurt you? (RISKS-32.33)

Another interesting feature of Google's recent searches is that the results
are not always what one is looking for. For instance, DuckDuckGo is much
better at finding material that infringes copyright. I found that the other
day while "researching" something.

Also, I had this link saved in my personal bookmarks, and looks like it's
very relevant for the present discussion and it links very well with the
main topic discussed on the WP video:

https://www.tbray.org/ongoing/When/201x/2018/01/15/Google-is-losing-its-memory

From the article:

Evidence · This isn't just a proof, it's a rock-n-roll proof. Back in 2006,
I published a review of Lou Reed's Rock n Roll Animal album.  Back in
2008, Brent Simmons published That New Sound, about The Clash's London
Calling. Here's a challenge: Can you find either of these with Google?
Even if you read them first and can carefully conjure up exact-match
strings, and then use the site: prefix? I can't.  [...]

Why? · Obviously, indexing the whole Web is crushingly expensive,
and getting more so every day. Things like 10+-year-old music reviews that
are never updated, no longer accept comments, are lightly if at all
linked-to outside their own site, and rarely if ever visited -- well,
let's face it, Google's not going to be selling many ads next to search
results that turn them up. So from a business point of view, it's hard to
make a case for Google indexing everything, no matter how old and how
obscure.

------------------------------

Date: Sat, 24 Oct 2020 19:51:49 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Air Force updates code on plane mid-flight (The Aviationist)

What code?  The U-2 is basically an F-104 with glider training wings -- the
only flying computers back in the early 1950's were slide rules!

The Skunk Works was able to deliver a U-2 prototype in 9 months because they
started with an existing airplane -- presumably including the entire cockpit
& controls.

So the pilot was updating his Android phone from 'Quince Tart' (10) to 'Red
Velvet Cake' (11) in mid-flight? :-) Pretty risky, considering how difficult
this plane is to fly.

Apparently, the U-2 is even harder to fly than the F-104, which is a pretty
high bar (NATO allies crashed F-104's in alarming numbers).

PS: The F-104 was my favorite plastic model airplane when I was a kid, and I
got to see a real one up close as a Cub Scout; I couldn't believe how small
it was (wingspan would fit in my current 2-car garage; length is about 3
parking spaces long).  Sadly, the first U-2 plastic model wasn't available
until 1962 -- long after I graduated from Cub Scouts!

------------------------------

Date: Mon, 26 Oct 2020 11:44:00 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Re: POTUS Twitter account reportedly hacked by Dutch whitehat
  (RISKS-32.33)

  [This item needs some verification.]

Simple testing seems to indicate that this information is correct, and that
a lot of people have tried it.

------------------------------

Date: Sun, 25 Oct 2020 07:07:59 -0700
From: Barry Gold <BarryDGold () ca rr com>
Subject: Re: Censorship or Sensibility? (RISKS-32.33)

On 10/24/2020 5:57 PM, RISKS List Owner wrote:
Just weeks before the election, the tech giants unite to block access to
incriminating reporting about their preferred candidate.  [...]

https://theintercept.com/2020/10/15/facebook-and-twitter-cross-a-line-far-more-dangerous-than-what-they-censor/

I want to note the use of slanted language in their discussion of Facebook
and Twitter:

``Facebook limiting distribution is a bit like if a company that owned
newspaper delivery trucks decided not to drive because it didn't like a
story. Does a truck company edit the newspaper? It does now, apparently.''

If a company that owns newspaper delivery trucks doesn't want to deliver
newspapers with a story its owners don't like, that's their privilege.  And
the newspapers can decide not to use that company any more.

"Freedom of the press belongs to the man who owns the press." Same with the
delivery company.

Would anyone encounter difficulty understanding why such a decree would
constitute dangerous corporate censorship?  Would Democrats respond to
such a policy by simply shrugging it off on the radical libertarian ground
that private corporations have the right to do whatever they want?  To ask
that question is to answer it.

Maybe not, but they should. That is what free speech is about: my right to
say what I want (within some very broad limits) and, equally important, not
to say what I don't want to.

Not even radical free-market libertarians espouse such a pro-corporate view.

I do, and I'm not a "radical free-market libertarian". To be fair, I used to
be, but I think that the theoretical grounding of libertarianism has some
significant holes in it.

Beyond that, both Facebook and Twitter receive substantial, unique legal
benefits from federal law, further negating the claim that they are
free to do whatever they want as private companies. ... these social media
companies receive a very valuable and particularized legal benefit in the
form of Section 230 of the Communications Decency Act, which shields them
<https://www.eff.org/issues/cda230> from any liability for content
published on their platforms, including defamatory material or
other legally proscribed communications.

"unique legal benefits": those same legal benefits protect Reddit and 4chan
and Tumblr, and a BBS that I help moderate and several "furry" that I use,
all of which include some sexually-oriented material. I think section 230 of
the Communications Decency Act is the greatest boon to free speech ever
passed by Congress. (And to think it appeared in a law that attempted to
impose censorship on the Internet...)

That said, I must note that any large social-media company intentionally
biasing the material they distribute is a bad idea, because it endangers
Section 230, which also protects smaller "Web 2.0" organizations.  Including
any startups that might eventually challenge Facebook and Twitter. In fact,
I might wonder if they did this intentionally to push Congress to make more
exceptions to Section 230.

As always, regulation protects the existing providers (who can hire people
to help comply with the regulations and lawyers to defend them against
accusations of breaking them) against competition from smaller
providers. This is as true of Facebook and Twitter as it is of taxi
companies (until Uber and Lyft found a way around the regulation) and
AirBnB.

Facebook outright ``has monopoly power in the market for social
networking,'' and that power is ``firmly entrenched and unlikely to be
eroded by competitive pressure'' from anyone at all due to `high entry
barriers' including strong network effects, high switching costs, and
Facebook's significant data advantage -- that discourage direct
competition by other firms to offer new products and services.

Okay, so FB has a lot of economic power. Why? Because they have been highly
successful in satisfying consumer demand for a place to talk to each other.

I should note that there are a lot of very rich Republicans. I would guess
that over 75% of billionaires lean Conservative in their views.  Let them
take some of their money and start right-slanted competitors to Facebook and
Twitter. It's not cheap, but it's well within the reach of any ten
billionaires, and if they do it right they might get even richer in the
process.

That's what the competition in the marketplace is supposed to be about.  If
the "barrier to entry" is simply that you need to invest some money, that is
no barrier in an age when the US alone has over 500 billionaires, over
2,000 worldwide.

------------------------------

Date: Tue, 27 Oct 2020 22:04:50 +0000
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: Why cars are more "fragile" (RISKS-32.33)

Just a cotton-pickin' moment there, please!  The UK gov't department of
motor vehicles (DVLA) web site (https://www.gov.uk/historic-vehicles) says:

Historic (classic) vehicles: MOT and vehicle tax

You do not need to get an MOT if:

the vehicle was built or first registered more than 40 years ago

no *substantial changes* have been made to the vehicle in the last 30 years,
for example replacing the chassis, body, axles or engine to change the way
the vehicle works

Vehicles exempt from vehicle tax [VED]

If your vehicle was built before 1 January 1980, you can stop paying
vehicle tax from 1 April 2020.

You do not have to apply to stop getting an MOT for your vehicle each
year. However, you must still keep it in a roadworthy condition.

You can be fined up to GBP2,500 and get 3 penalty points for using a
vehicle in a dangerous condition.

Old-car enthusiasts usually agree that it's a good idea to have an MoT
(annual vehicle inspection) even if it's not mandatory, if only to avoid any
insurance and liability awkwardness ("these dangerous old clunkers!").
There is a caveat, in the sense that regular MoTs aren't subject to VAT
(goods and services tax) whereas voluntary ones are, so this means some
extra paperwork for the garage, which may not welcome your business.

The London low-emission charge web site says:
(https://tfl.gov.uk/modes/driving/ultra-low-emission-zone/ways-to-meet-the-standard)

Vehicles need to meet the different emission standards for the Ultra Low
Emission Zone (ULEZ) based on their vehicle type, and the type of
emission.

To see if your vehicle meets the standard, use our vehicle checker.
Or see which locations fall within the ULEZ zone with our postcode checker.

If you drive a vehicle that doesn't meet the ULEZ standards within the
central London area and the daily charge is not paid, a Penalty Charge
Notice (PCN) will be issued to the registered keeper. This penalty is in
addition to any Congestion Charge or Low Emission Zone penalties received.

From 25 October 2021, ULEZ is expanding from central London to create a
single, larger zone up to the North Circular Road (A406) and South Circular
Road (A205). The North and South Circular roads themselves are not in the
zone. Find out how to prepare for the ULEZ expansion.

What are the standards?

We would prefer that you use a vehicle that meets the emissions standards
rather than pay a daily charge.

Euro standards - which first appeared in 1992 - are a range of emissions
controls that set limits for air polluting nitrogen oxides (NOx) and
particulate matter (PM) from engines. New vehicles and road vehicle engines
must show that they meet these limits to be approved for sale.

The ULEZ standards for existing central London ULEZ and when the zone
expands are:

 Euro 3 for motorcycles, mopeds, motorised tricycles and quadricycles
 (L category)
 Euro 4 (NOx) for petrol cars, vans, minibuses and other specialist vehicles
 Euro 6 (NOx and PM) for diesel cars, vans and minibuses and other
 specialist vehicles
 Euro VI (NOx and PM) for lorries, buses and coaches and other specialist
 heavy vehicles (NOx and PM)

Euro 3 became mandatory for all new motorcycles in 2007

Euro 4 became mandatory for all new cars in 2005 and light vans in 2006

Euro 6 became mandatory for all new heavy duty engines for goods vehicles
 and buses from January 2014, September 2015 for cars and light vans, and
 September 2016 for larger vans up to and including 3.5 tonnes gross
 vehicle weight.

Hence older vehicles are particularly badly hit as it's only ones meeting
very recent standards that are permitted.  There are congestion charge
exemptions for some specific vehicle types, e.g. those for disabled people
or recovery vehicles -- loads of paperwork needed to verify.
(https://tfl.gov.uk/modes/driving/congestion-charge/discounts-and-exemptions?intcmp=2133)

I couldn't see anything for historic vehicles, so it looks like drivers on
the annual London-to-Brighton antiques run will have to pay up.  This all
applies to London, with other cities having their own schemes.

As readers will have gathered, the official line is that people shouldn't
really use cars, to save the planet and avoid suffocating residents; the
authorities are spending loads of taxpayers' money on a walking and cycling
revolution -- who wants to drive anyway?  :o)

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.34
************************

