RISKS Forum mailing list archives

Risks Digest 32.45


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 25 Jan 2021 13:51:18 PST

RISKS-LIST: Risks-Forum Digest  Monday 18 January 2021  Volume 32 : Issue 45

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.45>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Bursts of acceleration in Tesla vehicles caused by drivers mistaking
  accelerators for brakes, feds conclude (Ian Duncan)
Riot in the Capitol is a nightmare scenario for cybersecurity professionals
  (Tonya Riley)
Post-Riot, the Capitol Hill IT Staff Faces a Security Mess (WiReD)
The Parler API was open without authentication. One or more third parties
  have done full downloads (Ars Technica)
ESS voting machine company sends threats (Andrew Appel)
IPhone12 will stop your implantable defibrillator (Medicalxpress.com)
IRS rushes to fix error that sent millions of stimulus payments to wrong
  bank accounts (Michelle Singletary)
Lack of Tiny Parts Disrupts Auto Factories Worldwide (NYTimes)
Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes (NYTimes)
Bug wipes UK arrest records (Tom Van Vleck)
Risks of DNS encryption: NSA warns enterprises to beware of third-party DNS
  resolvers (Ars Technica)
Company name could lead to security xss attack (IBTimes)
How Amazon Sidewalk Works -- and Why You May Want to Turn It Off (WiReD)
What to expect for the 2021 workplace (WashPost)
In-Garage Delivery: Amazon Key (Amazon.com)
AI algorithm over 70% accurate at guessing a person's political orientation
  (techxplore.com)
Detection of Hardware Trojans Using Controlled Short-Term Aging
  (NYU Tandon School of Engineering)
Unique study incorporates fluid dynamics and more to evaluate, enhance
  future implants (PHYS.ORG)
Risk Management and Two-Dose Vaccines (Rob Slade)
Different kinds of security (Rob Slade)
Hacker Locks Internet-Connected Chastity Cage (Larry Werring)
Re: Scope of Russian Hacking Far Exceeds Initial Fears (Larry Werring)
Re: Voting Systems: The Cherry and the Cream (3daygoaty)
Re: "One Minute Left": Hockey, CoVID-19 ...vs hacking (Stephen Fierbaugh,
  Chris Drew, Stephen Fierbaugh)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 9 Jan 2021 18:00:44 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bursts of acceleration in Tesla vehicles caused by drivers
  mistaking accelerators for brakes, feds conclude (Ian Duncan)

Ian Duncan, *The Washington Post*, 8 Jan 2021

Dozens of incidents involving Teslas unexpectedly accelerating and crashing
were the fault of drivers, not a defect with the electric vehicles, the
federal car safety agency concluded Friday.

https://www.washingtonpost.com/transportation/2021/01/08/tesla-brakes/

  [Doesn't speak well of Tesla owners' driving skills...]

------------------------------

Date: Tue, 12 Jan 2021 11:19:09 PST
From: Peter Neumann <neumann () csl sri com>
Subject: Riot in the Capitol is a nightmare scenario for cybersecurity
  professionals (Tonya Riley)

Tonya Riley, *The Washington Post*, 7 Jan 2021
Riot in the Capitol is a nightmare scenario for cybersecurity professionals

Lawmakers and congressional staff were ushered into secure locations as a
mob backing President Trump violently stormed the U.S. Capitol in hopes of
overturning the election he lost.

The assault -- which only temporarily delayed the certification of
president-elect Joe Biden's win -- left many unanswered questions about
security at the Capitol, including its cybersecurity.  The quick evacuation
left computers and other devices unattended as the mob ransacked offices.

------------------------------

Date: Sun, 10 Jan 2021 00:23:17 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Post-Riot, the Capitol Hill IT Staff Faces a Security Mess (WiReD)

Wednesday's insurrection could have exposed congressional data and devices
in ways that have yet to be appreciated.  [...]

Given the scope of the intrusion, Coleman and others say that it's important
to assume that any device could have been compromised and remediate the
breach with that scale and scope in mind. But he and others emphasize that
rather than replacing every device and cable in the entire congressional
orbit, constant vigilance and an “assume breach”
mentality will be the best defense going forward. The Economic Development
Administration took an ill-advised maximalist approach after a 2011
compromise, launching a massive campaign
<https://arstechnica.com/information-technology/2013/07/us-agency-baffled-by-modern-technology-destroys-mice-to-get-rid-of-viruses/>
to physically destroy all of its digital equipment, including desktop
computers, printers, cameras, mice, and keyboards -- most of which were
uninfected. The effort concluded only when the agency ran out of money for
the project.

Congress needn't take an action so dramatic as that. But it also must
acknowledge how exposed Wednesday's incident has left it.

https://www.wired.com/story/capitol-riot-security-congress-trump-mob-clean-up/

Every cable? And if they ran out of money to destroy things, what was left
to *buy* things?

------------------------------

Date: Tue, 12 Jan 2021 09:35:30 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: The Parler API was open without authentication. One or more third
  parties have done full downloads (Ars Technica)

It is important to design APIs so that they are reasonably secure. It is
reported that the Parler API was open (e.g. did not require authentication).
Furthermore, the geo-tagging inherent in JPEG was provided on public
images.  Reportedly, the entire contents of Parler's database have been
accessed by at least one third party.

I guess that the individuals who implemented Parler were not well-read on
web security issues, and were not familiar with the OWASP guidance on the
subject.

The full articles can be found at:

https://arstechnica.com/information-technology/2021/01/parlers-amateur-coding-could-come-back-to-haunt-capitol-hill-rioters/
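
An added example (not Parler's code, and not from the Ars Technica article):
a minimal check for whether an uploaded JPEG still carries a GPS sub-IFD
pointer (EXIF tag 0x8825) in its APP1/Exif segment, plus a routine that drops
the Exif segment before the image is served publicly. Standard library only.
The sample JPEGs are constructed inline (no real image data), and the parser
looks only at IFD0 of a well-formed Exif block; that narrow scope is an
assumption of the example, not a full EXIF implementation.

```python
import struct

GPS_IFD_TAG = 0x8825          # EXIF "GPS Info IFD pointer" in IFD0
EXIF_HEADER = b"Exif\x00\x00"


def _iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment before SOS.
    Assumes the segments before the scan data all carry a length field
    (APPn, DQT, SOF, DHT), which holds for well-formed files."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def _exif_has_gps(tiff: bytes) -> bool:
    """tiff = APP1 payload after the 'Exif\\0\\0' header. Walk IFD0 and look
    for the GPS sub-IFD pointer tag."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        off = ifd0 + 2 + 12 * i                 # each IFD entry is 12 bytes
        if off + 2 > len(tiff):
            break
        tag = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        if tag == GPS_IFD_TAG:
            return True
    return False


def has_gps_metadata(jpeg: bytes) -> bool:
    """True if the file's APP1/Exif segment points at a GPS IFD."""
    for marker, payload in _iter_jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return _exif_has_gps(payload[len(EXIF_HEADER):])
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every APP1/Exif segment removed, everything else
    copied byte-for-byte (pixel data is untouched)."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker == 0xDA:                      # copy SOS and the rest verbatim
            out += jpeg[pos:]
            return bytes(out)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos:pos + 2 + length]
        if not (marker == 0xE1 and segment[4:10] == EXIF_HEADER):
            out += segment
        pos += 2 + length
    out += jpeg[pos:]
    return bytes(out)


def _sample_jpeg(with_gps: bool) -> bytes:
    """Constructed test file: SOI, one APP1/Exif segment, an empty SOS, EOI.
    Little-endian TIFF with IFD0 holding a Model tag and, optionally, the
    GPS IFD pointer to an empty GPS IFD. Not a decodable image."""
    entries = [struct.pack("<HHI4s", 0x0110, 2, 4, b"ABC\x00")]   # Model="ABC"
    n = len(entries) + (1 if with_gps else 0)
    gps_ifd_off = 8 + 2 + 12 * n + 4            # right after IFD0's next-IFD field
    if with_gps:
        entries.append(struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_ifd_off))
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", n)
            + b"".join(entries) + struct.pack("<I", 0))
    if with_gps:
        tiff += struct.pack("<HI", 0, 0)        # empty GPS IFD
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff\xda" + struct.pack(">H", 2)
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"


if __name__ == "__main__":
    tagged = _sample_jpeg(with_gps=True)
    print("upload carries GPS:", has_gps_metadata(tagged))
    print("after strip_exif :", has_gps_metadata(strip_exif(tagged)))
```

On an upload path the check belongs server-side, before the object is
written to public storage; stripping the whole Exif segment is the simplest
safe default, since GPS is only one of several identifying fields it can
hold.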

------------------------------

Date: Tue, 12 Jan 2021 18:08:42 PST
From: Peter Neumann <neumann () csl sri com>
Subject: ESS voting machine company sends threats (Andrew Appel)

Andrew Appel <appel () princeton edu> has another RISKS-relevant article on
freedom-to-tinker:

https://freedom-to-tinker.com/2021/01/11/ess-voting-machine-company-sends-threats/

ESS voting machine company sends threats, 11 Jan 2021

For over 15 years, election security experts and election integrity
advocates have been communicating to their state and local election
officials the dangers of touch-screen voting machines. The danger is simple:
if fraudulent software is installed in the voting machine, it can steal
votes in a way that a recount wouldn't be able to detect or correct. That
was true of the paperless touchscreens of the 2000s, and it's still true of
the ballot-marking devices (BMDs) and *all-in-one* machines such as the ES&S
ExpressVote XL voting machine (see section 8 of this paper:
https://www.cs.princeton.edu/~appel/papers/bmd-insecure.pdf). This analysis
is based on the characteristics of the
technology itself, and doesn't require any conspiracy theories about who
owns the voting-machine company.

In contrast, if an optical-scan voting machine was suspected to be hacked,
the recount can assure an election outcome reflects the will of the voters,
because the recount examines the very sheets of paper that the voters marked
with a pen. In late 2020, many states were glad they used optical-scan
voting machines with paper ballots: the recounts could demonstrate
conclusively that the election results were legitimate, regardless of what
software might have been installed in the voting machines or who owned the
voting-machine companies. In fact, the vast majority of the states use
optical-scan voting machines with hand-marked paper ballots, and in 2020 we
saw clearly why that's a good thing.

In November and December 2020, certain conspiracy theorists made
unsupportable claims about the ownership of Dominion Voting Systems, which
manufactured the voting machines used in Georgia. Dominion has sued for
defamation:
https://www.cnn.com/2021/01/08/politics/dominion-voting-defamation-lawsuit/index.html

  [For example, PGN suggests looking at this WashPost item:
https://www.washingtonpost.com/politics/dominion-sues-pro-trump-lawyer-sidney-powell-seeking-more-than-13-billion/2021/01/08/ebe5dbe0-5106-11eb-b96e-0e54447b23a1_story.html
  ]

Dominion is the manufacturer of voting machines used in many states. Its
rival, Election Systems and Software (ES&S), has an even bigger share of the
market.

Apparently, ES&S must think that amongst all that confusion, the time is
right to send threatening Cease & Desist letters to the legitimate critics
of their ExpressVote XL voting machine. Their lawyers sent this letter
(https://freedom-to-tinker.com/2021-01-04-cease-and-desist-letter-to-smart-elections-0029787725-1/)
to the leaders of SMART Elections (https://smartelections.us/), a
journalism+advocacy organization in New York State who have
been communicating to the New York State Board of Elections, explaining to
the Board why it's a bad idea to use the ExpressVote XL in New York (or in
any state).

ES&S's lawyers claim that certain facts (which they call *accusations*) are
*false, defamatory, and disparaging*, namely: that the ``ExpressVote XL can
add, delete, or change the votes on individual ballots'', that the
ExpressVote XL will ``deteriorate our security and our ability to have
confidence in our elections,'' and that it is a ``bad voting machine.''

Well, let me explain it for you. The ExpressVote XL, if hacked, can add,
delete, or change votes on individual ballots -- and no voting machine is
immune from hacking. That's why optical-scan voting machines are the way to
go, because they can't change what's printed on the ballot. And let me
explain some more: The ExpressVote XL, if adopted, will deteriorate our
security and our ability to have confidence in our elections, and indeed it
is a bad voting machine. And expensive, too!

It's been clearly explained in the peer-reviewed literature how touch-screen
voting machines -- even the ones like the XL that print out paper ballots --
can (if hacked) alter votes; and how most voters won't notice; and how even
if some voters do notice, there's no way to correct the election result. And
it's been explained why machines like the ExpressVote XL are particularly
insecure -- as I said, see section 8 of this paper:
https://www.cs.princeton.edu/~appel/papers/bmd-insecure.pdf

And it's pretty clear that the folks at SMART Elections are aware of these
scientific studies, and are basing their journalism and advocacy on good
science.

I'll summarize here what's explained in the paper: how the ExpressVote XL,
if hacked, can change votes. If the machine is hacked, the software can do
whatever the hacker has programmed, but the hacker can't change the
hardware. The hardware includes a thermal printer that can make black marks
(i.e., print text or barcodes or whatever) on the paper, but the hardware
can't erase marks. Therefore you might think the ExpressVote XL, even if
hacked, couldn't alter votes. But consider this: suppose there are 15
contests on the ballot; suppose the voter makes choices for all 13 contests
and chooses not to vote for State Senator. Then what the legitimate software
does is, in the line for State Senator, print NO SELECTION MADE. But the
hacked software could simply leave that line blank -- then, when the voter
has reviewed the ballot (or not bothered to), the ballot card is pulled past
the printhead into the ballot box, and the printhead (under control of
hacked software) can print in a vote for Candidate Smith. Few voters will be
worried that the line is blank rather than filled in with NO SELECTION MADE.

You might think, ``OK, the ExpressVote XL can fill in undervotes, that's
bad, but it can't change votes.''  But it can! Here is the mechanism:
Suppose the voter makes choices in all 15 contests, and chooses Jones for
State Senator. The hacked software can print a ballot card with only 14
contests, and leave blank spaces for State Senator. Then, after the voter
reviews the ballot card behind glass, the card moves past the printhead into
the ballot box. At this time the hacked software can print the hacker's
choice (Smith) for State Senator. If most humans were really good at
checking their printout line-by-line with what they marked on the
touchscreen, this wouldn't succeed because the voter would notice the
missing line, but voters are only human.

More details and explanation are in
https://www.cs.princeton.edu/~appel/papers/bmd-insecure.pdf
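
An added example, not from Appel's paper or post: a small Python model of the
mechanism described above. The printer can only add marks to a line, never
erase them; the hacked firmware leaves the State Senator line blank while the
voter reviews the card and fills it in after the card has moved past the
printhead. Three contests stand in for the fifteen, and the contest and
candidate names are made up. Two review habits are compared: a lax one that
only checks that whatever was printed matches the voter's choices, and a
strict one that also insists a line is present for every contest.

```python
CONTESTS = ["President", "Governor", "State Senator"]   # constructed stand-ins


class AppendOnlyPrinter:
    """Thermal printhead: a line can be printed once and never erased."""

    def __init__(self, n_lines):
        self.lines = [""] * n_lines

    def print_line(self, idx, text):
        if self.lines[idx]:
            raise RuntimeError("hardware cannot erase or overprint a line")
        self.lines[idx] = text


def _line(contest, choice):
    return f"{contest}: {choice if choice else 'NO SELECTION MADE'}"


def legit_firmware(selections):
    """Honest BMD: prints every contest, including NO SELECTION MADE.
    Returns (what the voter reviews, what lands in the ballot box)."""
    p = AppendOnlyPrinter(len(CONTESTS))
    for i, c in enumerate(CONTESTS):
        p.print_line(i, _line(c, selections.get(c)))
    return p.lines[:], p.lines[:]


def hacked_firmware(selections, target="State Senator", favored="Smith"):
    """Malicious BMD: withholds the target line until review is over."""
    p = AppendOnlyPrinter(len(CONTESTS))
    # Phase 1: print everything except the target contest; its line stays
    # blank whether the voter undervoted it or picked someone else.
    for i, c in enumerate(CONTESTS):
        if c != target:
            p.print_line(i, _line(c, selections.get(c)))
    shown = p.lines[:]                       # what the voter sees behind glass
    # Phase 2: card moves past the printhead into the box; fill in the blank.
    p.print_line(CONTESTS.index(target), _line(target, favored))
    return shown, p.lines[:]


def lax_review(shown, selections):
    """Voter only checks that nothing printed contradicts a choice they made;
    a blank line raises no alarm."""
    for c, line in zip(CONTESTS, shown):
        if line and line != _line(c, selections.get(c)):
            return False
    return True


def strict_review(shown, selections):
    """Voter checks that every contest has a line and that it matches."""
    return all(line == _line(c, selections.get(c))
               for c, line in zip(CONTESTS, shown))


def tally(cards, contest):
    """What the tabulator reads from the cast cards for one contest."""
    idx = CONTESTS.index(contest)
    counts = {}
    for card in cards:
        choice = card[idx].split(": ", 1)[1]
        counts[choice] = counts.get(choice, 0) + 1
    return counts


if __name__ == "__main__":
    voter = {"President": "Adams", "Governor": "Baker", "State Senator": "Jones"}
    shown, cast = hacked_firmware(voter)
    print("reviewed:", shown)
    print("cast    :", cast)
    print("lax review passes   :", lax_review(shown, voter))
    print("strict review passes:", strict_review(shown, voter))
    print("tabulated           :", tally([cast], "State Senator"))
```

The model makes the detection condition explicit: the attack survives any
review that checks only the lines that were printed, and is caught only by a
review that treats a missing line as a defect. A recount of these cards
cannot help, because the card itself is the altered record.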

------------------------------

Date: Sun, 10 Jan 2021 10:04:05 +0800
From: Richard Stein <rmstein () ieee org>
Subject: IPhone12 will stop your implantable defibrillator
  (Medicalxpress.com)

https://medicalxpress.com/news/2021-01-iphone12-implantable-defibrillator.html

"In a recent paper in the journal Heart Rhythm, doctors describe how they
turned off the potentially life-saving cardiac defibrillator function of an
implanted Medtronic device simply by holding an iPhone 12 near it. The
authors had nothing personal against Medtronic, or for that matter, against
the new iPhone. The main reason they singled the phone out here was because
it is compatible with some of the most advanced new technologies available
for various magnetic-based communications and charging."

  [Monty Solomon noted another take:
   Medical study suggests iPhone 12 with MagSafe can deactivate pacemakers
   https://9to5mac.com/2021/01/11/iphone-12-magsafe-deactivates-pacemakers/
  PGN]

------------------------------

Date: Sat, 9 Jan 2021 18:02:51 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: IRS rushes to fix error that sent millions of stimulus payments to
  wrong bank accounts (Michelle Singletary)

Michelle Singletary, *The Washington Post*, 8 Jan 2021

https://www.washingtonpost.com/business/2021/01/08/irs-tax-preparer-stimulus-error/

------------------------------

Date: Thu, 14 Jan 2021 12:27:52 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Lack of Tiny Parts Disrupts Auto Factories Worldwide (NYTimes)

Carmakers can't buy the semiconductors they need because home electronics
are taking all the supply.

https://www.nytimes.com/2021/01/13/business/auto-factories-semiconductor-chips.html

  [The Internet of Things is becoming the Internet of Ca-chings?  PGN]

------------------------------

Date: Wed, 13 Jan 2021 00:12:55 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes
  (NYTimes)

https://www.nytimes.com/2021/01/12/technology/bitcoin-passwords-wallets-fortunes.html

The risk? History repeating itself.

------------------------------

Date: Sun, 17 Jan 2021 03:20:47 -0800
From: Tom Van Vleck <thvv () multicians org>
Subject: Bug wipes UK arrest records

Software bug wipes out over 150,000 UK arrest records including fingerprints
and DNA data.

------------------------------

Date: Sat, 16 Jan 2021 08:59:40 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Risks of DNS encryption: NSA warns enterprises to beware of
  third-party DNS resolvers (Ars Technica)

https://arstechnica.com/information-technology/2021/01/the-nsa-warns-enterprises-to-beware-of-third-party-dns-resolvers/

------------------------------

Date:   Sun, 17 Jan 2021 03:16:20 -0800
From:   Tom Van Vleck <thvv () multicians org>
Subject: Company name could lead to security xss attack

Someone named his company

  " " >   [or perhaps even `" " >']

https://www.ibtimes.sg/british-company-forced-change-name-it-could-be-used-cross-site-scripting-hack-53148

------------------------------

Date: Wed, 13 Jan 2021 23:44:43 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: How Amazon Sidewalk Works -- and Why You May Want to Turn It Off
  (WiReD)

The white paper points out the steps that Amazon has taken to make this as
private and secure as possible, including a variety of cryptographic
algorithms and those three levels of encryption: It shouldn't be possible
for other people to spy on your network or suddenly gain access to your
smart thermostat. Everything should happen seamlessly behind the scenes, in
theory.

All that said, it really comes down to how much you trust Amazon -- the
company that seems keen to collect as much data as possible about you,
shares Ring camera information with law enforcement agencies, and which
hasn't always protected sensitive user data quite as robustly as it might
have done. The company has also said it might share Sidewalk data with
third-party developers further down the line, and you know where that kind
of data sharing tends to lead.

If you end up deciding that Amazon Sidewalk isn't for you, you need to take
action: It's on by default, once the software update has hit your devices
(it's also on by default for users setting up an Amazon-powered smart home
for the first time.) If you want to turn it off, you need to open up the
Alexa app on your phone, and go to More, Settings, Account Settings, and
Amazon Sidewalk.

https://www.wired.com/story/how-amazon-sidewalk-works/

------------------------------

Date: Sun, 10 Jan 2021 02:13:55 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: What to expect for the 2021 workplace (WashPost)

Video chats will get smarter -- and, potentially, creepier -- thanks to
artificial intelligence.

If 2020 was the year video conferencing truly went mainstream, 2021 could be
the year it gets smarter. Some of the largest platforms will begin using
artificial intelligence to recognize and track certain gestures participants
make, automate to-do items and help manage the challenges of workers split
between work and home.

Zoom Video Communications, for instance, announced a *smart gallery* feature
it plans to roll out in June 2021 that will use cameras to make multiple
people in the same on-site conference room appear as separate, equal-sized
windows on their live-stream video. Those working from home will see the
individual faces of each colleague rather than just a view of the whole
conference room, an effort to visually shrink the differences between remote
and in-person workers.

``We want to maintain the democratization of Zoom, and have everyone on
the same level when people come back to the office,'' said Oded Gal, Zoom's
chief product officer.

Cisco Systems, meanwhile, will launch *gesture recognition* early next year
using artificial intelligence to recognize specific movements -- clapping,
raised hands, a thumbs up, or thumbs down. For large virtual meetings with
hundreds of attendees, it could help gauge reactions to an idea without
requiring attendees to answer a survey or click on-screen emoji.

Asked if recognizing facial expressions like smiles, frowns or eye rolls in
a video call might be next, Cisco Senior Vice President Jeetu Patel said
addressing privacy concerns has to come first. Even collecting anonymous
data might make people uneasy, he said.  ``This is much more of a privacy
and comfort issue than it is a technology issue.  It's just a matter of what
is going to be acceptable.''

Microsoft Teams, meanwhile, added a new feature late this year that uses AI
to recognize what tasks participants agreed to complete during a meeting and
send them reminders afterward, as well as create searchable meeting
transcripts.

``It will follow up with me with *action items* that I agreed to,'' Jared
Spataro, corporate vice president for Microsoft 365, said in an interview.
``A lot of things that people are thinking `Yeah, someday that will be
reality' are actually already in the product.'' Microsoft has also filed a
patent for a system that could use sensors, cameras and software to examine
body language, expressions and participant contributions to come up with an
*overall quality score* for how the meeting went. But Spataro said,
``Neither research nor patents is a good predictor of product pipeline.
We're always looking at all those types of things.''

https://www.washingtonpost.com/road-to-recovery/2021/01/03/rtr-officetrends/

  Potentially?

------------------------------

Date: Thu, 14 Jan 2021 23:54:05 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: In-Garage Delivery: Amazon Key (Amazon.com)

What is Key by Amazon In-Garage Delivery?

Key by Amazon In-Garage Delivery is a secure, convenient way to receive
Amazon packages inside your garage. It helps prevent package theft and
provides protection from potentially damaging weather like heat and
rain. Key by Amazon is also contactless, because there's no interaction
between you and the delivery associate, or contact between the associate and
the garage door.

Key In-Garage Delivery requires a compatible Smart Garage Hub or Wifi Garage
Door Opener to enable authorized delivery associates to leave Amazon
packages inside your garage.

https://www.amazon.com/b?node=21222091011&ref=kfg_surl_key

------------------------------

Date: Fri, 15 Jan 2021 10:53:57 +0800
From: Richard Stein <rmstein () ieee org>
Subject: AI algorithm over 70% accurate at guessing a person's political
  orientation (techxplore.com)

https://techxplore.com/news/2021-01-ai-algorithm-accurate-person-political.html

"A team of researchers at Stanford University has developed an AI algorithm
that proved to be slightly over 70% accurate at guessing a person's
political affiliation after studying a single photograph. In their paper
published in the journal Scientific Reports, the group describes building
and testing their algorithm and how well it worked."

See "Facial recognition technology can expose political orientation from
naturalistic facial images," for a detailed discussion of image
classification and algorithm operation.
https://www.nature.com/articles/s41598-020-79310-1

"The researchers were not able to pin down exactly what sorts of facial
characteristics their system correlated with political affiliation, but they
did find some trends -- head orientation and emotional expression, for
example, appeared to provide some clues."

Political profiling based on facial recognition can guide campaign
advertising, appeals for donations, personnel recruiting, etc. Given a
polarized electorate, the algorithm might assist identification of
persuadable voters to tip a close election.

Correlate this algorithm's predictive capabilities with an interpretation of
the brain's amygdala, as explored by political neuroscientists [1] using
fMRI to estimate political inclinations, to yield artificially intelligent
phrenology.

[1] "A Neurology of the Conservative-Liberal Dimension of Political
    Ideology, Part 4: Neuroimaging Studies" from
https://neuro.psychiatryonline.org/doi/full/10.1176/appi.neuropsych.16030051

------------------------------

Date: Thu, 14 Jan 2021 13:57:46 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Detection of Hardware Trojans Using Controlled Short-Term Aging
  (NYU Tandon School of Engineering)

The project builds upon on-going research, funded by a $1.3 million grant
from the Office of Naval Research, to create algorithms for detecting
Trojans -- deliberate flaws inserted into chips during fabrication -- based
on the short term aging phenomena in transistors.

It will focus on this physical phenomenon of short-term aging as a route to
detecting hardware Trojans. The efficacy of short-term aging-based hardware
Trojan detection has been demonstrated through simulations on integrated
circuits (ICs) with several types of hardware Trojans through stochastic
perturbations injected into the simulation studies. This DURIP project seeks
to demonstrate hardware Trojan detection in actual physical ICs.

https://engineering.nyu.edu/news/detection-hardware-trojans-using-controlled-short-term-aging

------------------------------

Date: Thu, 14 Jan 2021 11:15:50 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Unique study incorporates fluid dynamics and more to evaluate,
  enhance future implants (PHYS.ORG)

https://phys.org/news/2021-01-unique-incorporates-fluid-dynamics-future.html

"Rice University engineers hope to make life better for those with
replacement joints by modeling how artificial hips are likely to rub them
the wrong way."

Knee, hip, and shoulder replacements are performed routinely, especially for
an aging population. Arthroplasty is the medical procedure orthopedic
surgeons apply for joint replacement.

"Rates of Total Joint Replacement in the United States: Future Projections
to 2020--2040 Using the National Inpatient Sample"
https://www.jrheum.org/content/early/2019/04/09/jrheum.170990 estimates 498K
total hip arthroplasty and 1.06M total knee arthroplasty procedures in 2020
within the US. The essay projects a 2-3X multiplier for each by 2040.

The FDA's product classification website (type in 'knee' or 'hip' to see an
extended list)
(https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/PCDSimpleSearch.cfm)

A culled list (filtered for implants -- partial and total -- and inspected
to possess non-null TPLC medical device report records) reveals 24 separate
product codes for hip replacements and 20 for knee replacements. Each
product code represents manufactured devices consisting of various plastics,
metals, or a combination of these materials.

Given the product code count above, and the Patient Problem counts given
below, an estimate of diminished quality of life from hip arthroplasty can
be calculated assuming there's at least 1 manufactured product per product
code.

1085 * 24 = 47740 patient problems/5 years = 9548 patient problems per year
or 9,548/498,000 = ~2% of all arthroplasty procedures in 2020 are estimated
to experience post-operative negative quality of life impact: infection,
pain, dislocations, etc. A similar method can be applied to estimate knee
replacement quality of life impacts.

Given the implantation growth rate projection, this number is likely to
double or triple by 2040 without significant improvements in prosthetic
device and patient arthroplasty treatment life cycles.

For product code JDH (Device: prosthesis, hip, hemi-, trunnion-bearing,
femoral, metal/polyacetal, Regulation Description: Hip joint femoral
(hemi-hip) trunnion-bearing metal/polyacetal cemented prosthesis), the FDA's
Total Product Life Cycle tool
(https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=4638)
aggregates the following Top-10 Device Problems and Patient Problems (linked
to medical device reports) between 01JAN2016 and 31DEC2020 (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Insufficient Information,387,387
Adverse Event Without Identified Device or Use Problem,177,177
Device Dislodged or Dislocated,121,121
Break,71,71
Fracture,65,65
Loose or Intermittent Connection,36,36
Appropriate Term/Code Not Available,31,31
Unintended Movement,22,22
Unstable,14,14
Loosening of Implant Not Related to Bone-Ingrowth,12,12
Migration or Expulsion of Device,10,10

The Top-10 Patient Problems attributed to this product code in CSV format
are:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
Injury,532,532
Unspecified Infection,125,125
Pain,88,88
Joint Dislocation,78,78
No Code Available,60,60
No Information,50,50
Bone Fracture(s),50,50
No Known Impact Or Consequence To Patient,40,40
No Consequences Or Impact To Patient,32,32
Failure of Implant,30,30

------------------------------

Date: Tue, 12 Jan 2021 12:15:56 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Risk Management and Two-Dose Vaccines

Now that vaccines have started to roll out, we have a new risk management
lesson from them.  Most of the vaccines that have been approved so far are
two-dose vaccines.  With the rush to get vaccines into people in the most
expeditious manner, there is now a new controversy.  Do you give as many
people as possible one dose of the vaccine, or do you hold back doses so
that there will be a guaranteed supply for those who need a second shot?

First, let's look at the mechanics of what is going on with the two-dose
vaccines.  (There are some one dose vaccines coming, but they seem to be at
least a month away from approval, so we've got some time to discuss this.)
The first shot, in a two-dose series, is often referred to as a primer shot.
It is delivering some material to the body to alert the immune system to
something it should be paying attention to.  Most often this is some kind of
protein that is foreign to the human body.  The Pfizer and Moderna vaccines
are kind of interesting in that they contain messenger RNA (mRNA) that makes
our bodies produce the protein spikes that are on the coronavirus.  Having
produced these proteins (without ever having encountered the actual virus),
our bodies then produce antibodies that identify and attack these proteins.
The idea is that, by the time we actually encounter some coronavirus, our
bodies are primed and ready to attack the actual virus.  (Given the trials
that have gone on, and the data collected, the idea seems to be correct.)

With many two-dose vaccines, the second dose, sometimes known as a booster
shot, as opposed to the initial primer shot, is often just more of the same.
(Both the Pfizer and Moderna vaccines are of this type.)  In past studies of
vaccines, it seems to be that, in the case of many vaccines, a second shot
of the same material does two things.  The first is that it increases the
protective effectiveness of the vaccine, by boosting the immune response
that we produce.  The second is that it increases the duration over time
that the body is able to produce this response, thus conferring protection
over a longer period.  For example, after a single shot the body may produce
an effective immune response for a period of four months.  After a second
shot, that might be increased to two years.  (At this point we don't have
good data about duration in regard to the Pfizer and Moderna vaccines, since
they haven't existed for more than a few months, but we assume they will
follow a similar pattern.)

The increase in duration is, of course, a benefit.  But, in the midst of a
pandemic, and particularly in the midst of huge second and third wave
surges, it is the increase in effectiveness that sets up the possible
controversy.  Do you leave some people only partly protected, so that you
can partly protect others?

Since this is risk management, we again have to note probabilities and
uncertainties and the fact that none of this is quantum.  Protection isn't
absolute, and it doesn't turn on and off.  In particular, protection doesn't
turn on instantly, and takes time to develop.  And it also takes time to go
away again.

In a two-dose vaccine regime, you receive an initial primer shot.  That does
not mean you can now safely go to bars and insurrection mobs without being
at risk of getting CoVID-19.  It will take some time for your body to
develop any kind of immune response.  After three weeks or so, you may have
about 80% protection.  Note that this isn't 100% protection.  You can still
get infected if you encounter someone who is infectious.  But you are less
likely to become infected.

(Actually, even though it might sound low, 80% is pretty good for a vaccine.
The flu vaccines that we get every year are only about 50% effective.  That,
and the effects of herd immunity when almost everyone gets the vaccine,
means far fewer cases of the flu, and fewer deaths, and less time lost to
sickness, and less impact on the economy, and so even a 50% effective
vaccine is a very good thing.)

At this point, two things may be happening.  Your body may (and probably is)
still increasing its protection, even without any further intervention.
Some of the Pfizer and Moderna data indicates that, over a longer period of
time, even a single dose of the vaccine can confer protection over 90%.  But
you can, at this point, get the second, booster, dose of the vaccine.
Following the booster dose, after some time (possibly a week, possibly six
weeks), your protection level can rise to around 95%.

A couple more points to note.  I said "at this point."  Vaccine studies
in the past have clearly shown that, if you give the booster shot too early,
it is basically a waste of vaccine.  There is a minimum time, after the
primer shot, before a booster shot gives any booster effect.  This minimum
time seems to be three weeks, in the case of Pfizer, and four weeks, in the
case of Moderna.

Another factor to consider is that, while there is a definite minimum time
period between shots in terms of maximum effect, the maximum time between
shots is much more open ended.  If the minimum time is three weeks, then
there is no diminution of effect if you wait until four weeks to give the
booster.  In fact, many studies seem to indicate that, to a certain extent,
the longer you wait for the second, booster, shot, the stronger the
protection and the longer the duration of protection.  (Again, the
coronavirus vaccines simply haven't been in existence long enough for us to
have really good data on the timing, but studies of existing vaccines show
that this is very likely.)

Yet another consideration goes back to those numbers.  You will recall that
I said 80% was pretty good protection.  It is.  90% is better, and 95% is
better still.  But even 95% isn't that much better than 80%, and 80% is a
whole lot better than nothing.

So, back to the controversy.  When we start giving vaccines, we can stick
with the minimum time regime, and give everyone a second dose as soon as
they hit the three week mark.  That way we get more people up to 95%
protection sooner.

Or, we can delay the second dose out to five weeks.  The downside is that
those people spend an extra two weeks at 80% protection before they get the
booster dose.  But, during those two weeks, we can start bringing even more
people to 80% protection (rather than leaving them with nothing).  Which
means we start building herd immunity faster.  And the early lot are not,
after all, being left with no protection.  They are probably at 80%, and may
be building, themselves, towards 90%.  And they are still well within the
time period during which they are going to get the booster effect.  They may
even get a better booster effect for the delay.

The calculus involved here is complex.  It involves the infectiousness of
the virus, the effectiveness of the vaccine, the total numbers of cases, and
a number of other considerations.  However, in our situation, the answer
seems to fall on the *delay* side of the equation.
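A toy week-by-week dose-allocation model of the choice just described (booster at the three-week minimum versus delaying it to five weeks), added here as an illustration and not part of the original post. The protection figures follow the post; the weekly supply, population size and one-week booster onset are constructed assumptions.

```python
"""Toy week-by-week dose-allocation model for the booster-timing choice.

Constructed example for this discussion, not from the RISKS post.  Protection
figures follow the post (about 80% three weeks after the first dose, about
95% after the booster).  The weekly supply, population size and one-week
booster onset are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIRST_DOSE_ONSET_WEEKS = 3     # post: roughly 80% about three weeks after the primer
FIRST_DOSE_PROTECTION = 0.80
BOOSTER_ONSET_WEEKS = 1        # assumption: post says "possibly a week, possibly six"
BOOSTER_PROTECTION = 0.95


@dataclass
class Cohort:
    """People who received their first dose in the same week."""
    size: int
    first_week: int
    boost_week: Optional[int] = None


def protection_level(weeks_since_first: int, weeks_since_boost: Optional[int]) -> float:
    """Protection enjoyed by one person this week, given dose timing."""
    if weeks_since_boost is not None and weeks_since_boost >= BOOSTER_ONSET_WEEKS:
        return BOOSTER_PROTECTION
    if weeks_since_first >= FIRST_DOSE_ONSET_WEEKS:
        return FIRST_DOSE_PROTECTION
    return 0.0


def simulate(booster_interval: int, doses_per_week: int,
             population: int, weeks: int) -> Dict[str, float]:
    """Allocate a fixed weekly supply: boosters that are due (earliest first
    dose first) take priority, and any doses left over start new people.

    Returns person-weeks of protection accumulated over the run plus the
    number of people with one dose and with both doses at the end."""
    cohorts: List[Cohort] = []
    unvaccinated = population
    protection_weeks = 0.0
    for week in range(weeks):
        doses = doses_per_week
        due = sorted((c for c in cohorts
                      if c.boost_week is None and week - c.first_week >= booster_interval),
                     key=lambda c: c.first_week)
        for c in due:
            if doses == 0:
                break
            n = min(c.size, doses)
            if n < c.size:               # supply ran out mid-cohort: split it
                cohorts.append(Cohort(c.size - n, c.first_week))
                c.size = n
            c.boost_week = week
            doses -= n
        n = min(doses, unvaccinated)     # leftover doses start new people
        if n:
            cohorts.append(Cohort(n, week))
            unvaccinated -= n
        for c in cohorts:                # tally protection enjoyed during this week
            since_boost = None if c.boost_week is None else week - c.boost_week
            protection_weeks += c.size * protection_level(week - c.first_week, since_boost)
    return {
        "protection_person_weeks": protection_weeks,
        "first_dosed": sum(c.size for c in cohorts),
        "fully_dosed": sum(c.size for c in cohorts if c.boost_week is not None),
    }


if __name__ == "__main__":
    # Assumed supply: 100 doses a week for a population of 1,000 over ten weeks.
    for interval in (3, 5):
        print(interval, simulate(interval, 100, 1000, 10))
```

With the assumed supply, the five-week schedule accumulates more person-weeks of protection over the ten weeks because more people reach 80% sooner, which is the trade-off the post argues for.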

------------------------------

Date: Fri, 15 Jan 2021 11:35:30 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Different kinds of security

For years, no, actually decades, I have read, with pleasure and reliance, a
certain columnist's columns on politics in BC.  He has been knowledgeable,
analytical, and educational.  Due to his taking on a field outside his
expertise in 2020, that of the pandemic, I am rapidly losing any and all of
the respect that I ever had for his journalistic abilities.

https://vancouversun.com/opinion/columnists/vaughn-palmer-dix-ducks-and-covers-before-fessing-up-on-care-home-covid-outbreaks

His latest column chides Health Minister Adrian Dix for being careful in his
answer about a question involving the rise of infections in long term care
homes.  Yes, Dix might have answered earlier and more directly that staff is
responsible for most outbreaks in long term care.  But that is a loaded
question right now.  Staff are responsible for outbreaks because they are
the ones moving between the community and the homes.  What do you want to do
about that?  Ban the staff?  Leave the homes unattended, and let the
residents shift as best they can from their beds?

But the columnist isn't content to raise that nonsensical issue.  He then
goes on to blame the "second wave" surge on the election.  Anyone who takes
the time to look at the case numbers can see that the election made almost
no contribution to the surge, which clearly dates from Thanksgiving dinners
and parties.

The columnist then takes up the cudgel on behalf of the idea of "routine"
testing for staff.  As he has been told many times when he raises the (same)
question on "The Dr. Bonnie Show (co-starring Adrian Dix and Nigel Howard),"
there *is* routine testing of medical staff.  It's just that the routine
varies depending upon the level of medical and public health risk, and not
at the call of some political columnist.

Testing of every staff member twice a week would still leave at least a four
day window every week during which people could become infected and
infectious.  In fact the window would be longer, since test results take
about 24 to 48 hours to be processed.  And who is it that would do these
tests (by the way, how many LTC staff are there in the entire province of
BC?), and what work would *not* be done while they are doing them?  Risk
management is obviously not the columnist's field.

It may just be CoVID fatigue and increased irritability on my part, but I am
growing distressed with the poor quality of the Sun's coverage of the
pandemic, and its seeming pursuit of the scandalous over the informative.
And so I fired off this rant to some of my friends in security.

And got a response back:

Did you send this to the wrong mailing list?

So, I definitely did not make the point I wanted to make properly.  I
suppose a bit more detail (and a bit less rant) is in order.

Lemme start with a seminar I did some time back.  Unusually, it was actually
in Vancouver.  I had two candidates, sitting next to each other, as it
happened, who both worked for government, but came from radically divergent
security situations, as became obvious when we discussed the good old CIA
triad of Confidentiality, Integrity, and Availability.

One worked for E-Comm.  These are the people who, among other things, answer
the phones when you call 911.  The E-Comm people don't exactly broadcast
their calls, but confidentiality is not their first concern.  That's
availability.  When somebody in trouble calls 911, somebody *has* to answer
the phone.  (I had a tour through E-Comm one time, and their business
continuity and resilience planning is *really* impressive.)

Sitting beside him was a candidate from one of the business development
banks of the federal government.  These agencies provide loans to businesses
that want to expand their business.  Since the idea is expansion, most of
the loans aren't exactly secured by traditional equity.  In order to ensure
that the money (mostly) goes to actually building business, the companies
have to provide masses of information about themselves, their markets, and
their plans.  This data is *highly* confidential: if it ever got into the
hands of their competitors, the companies could be in real trouble.  So
everything is kept strictly confidential, and almost all their security is
directed that way.  But availability?  As he said himself, "Hey, we're the
federal government.  If we disappeared for a month, who would even notice?"

I guess what the columnist doesn't see (and what I didn't really allow for),
is that he has worked for decades in politics.  Politics is definitely a
long game.  It doesn't really happen all that fast.  It's important to have
a really good memory, going back decades.  You need to analyse.  And you've
got all the time in the world to analyse, because nothing is going to happen
very quickly.  You need to look, in minute detail, at what the government,
and political figures, are doing, while they are doing it, to point out
minor flaws so that, by the time an act *is* passed, it's perfect.  (It
never actually *is* perfect, but that's what you are aiming for.)

But a pandemic isn't politics, even though a lot of political work is
involved.  A pandemic is emergency management.  You have to do *something*,
because, if you don't, people will die.  And, often, anything you do is
better than doing nothing, because if you do nothing, people will die.  So,
delaying things while you look for a perfect solution is wrong, because, in
emergency management, "the best" is very definitely the enemy of the good.
Pandemics are fluid, and you make the best choice you can, at the time, with
limited information, and change plans when the information changes, and
hope, rather desperately, that the first plans you made don't run completely
counter to later information.  But you make a choice, and do it, because, if
you don't, people will die.

In emergency management, you do try to get divergent opinions, to try and
make sure that you don't make a drastic mistake.  But the very last thing
you need, in the middle of a pandemic or other disaster, is someone publicly
second-guessing what you are doing.  That can wait for the "after action"
debriefings.  During the crisis, having some political columnist (with no
training in emergency management, or even risk management) saying that you
are making a mistake is just messing with the messaging you are trying to
get out to the public.  And, if that happens, people might die.

There are different types of security.  They are useful in different types
of situations.  There is no "one size fits all."  We need to apply the right
security to the right situation.  And we definitely don't want to apply the
wrong security to the wrong situation.

------------------------------

Date: Mon, 11 Jan 2021 14:12:54 -0500
From: Larry Werring <lwerring () nrtco net>
Subject: Hacker Locks Internet-Connected Chastity Cage

    The risks seem obvious...

https://www.vice.com/en/article/m7apnn/your-cock-is-mine-now-hacker-locks-internet-connected-chastity-cage-demands-ransom

------------------------------

Date: Sun, 10 Jan 2021 21:39:04 -0500
From: Larry Werring <lwerring () nrtco net>
Subject: Re: Scope of Russian Hacking Far Exceeds Initial Fears (RISKS-32.44)

I am getting very tired of reading stories like this. I worked IT security
for many years in Government (now retired) expending much effort to stop
this kind of activity. One of the reasons I retired early was the lack of
will to really do anything about this type of activity.  If the
Russians or the Chinese or anyone else, for that matter, flew over and
dropped troops into our major centers with orders to break into key
Government and commercial buildings, sabotage critical infrastructure, and
steal sensitive information and other valuables, we would immediately
retaliate in an appropriate manner that would discourage future similar
activities.  Doing it electronically is the same as doing it the old
fashioned way (analog). Why isn't anyone dealing with it as such? As far as
I know, there has been no retaliation for the numerous intrusions that have
occurred over the years. Why are we still letting them get away with
it?  Unless we treat this like an electronic war and appropriately
defend ourselves with a good offence, they will keep doing it with
impunity.  If you are going to do nothing then you might as well
throw open the doors and let them in (i.e. surrender).  At the very least,
take control of or destroy their access to the Internet so they can't access
their targets.

Maybe it's a good thing that I am retired. My
frustration and bitterness at doing so much over the years with so little
effect is beginning to show through.  I can see from this and other
similar posts that my peers are having very little success in dealing with
the many crooks and enemies conducting these intrusions. Were I still
working, I would be even more frustrated than I am reading about
it. Continue to do nothing and they'll reap your reward.

------------------------------

Date: Sun, 10 Jan 2021 14:26:08 +1100
From: 3daygoaty <threedaygoaty () gmail com>
Subject: Re: Voting Systems: The Cherry and the Cream (RISKS-32.44)

At anytime after I'd voted, I could check my vote online by entering my
registration number.

I ran one of these pilots in 2007, the one in Swindon.

It is illegal for the voting authority to issue any kind of binding proof of
your vote that you could use to trade, sell or demonstrate your voting
choices to a third party.  The challenge is to show you something convincing
that is not your vote, but which also can be independently verified.

One of the best that has been achieved to date and not torn to shreds (so to
speak) -- for which I was the project manager -- is vVote (2014) due to
Teague, Schneider, Culnane, Hook and Ryan, and this is a supervised polling
place system based on Pret a Voter.  I am not aware of a remote voting
scheme in the world used or proposed for high stakes public elections that
has withstood even a fairly brief spotlight by the voting security
community.

------------------------------

Date: Sun, 10 Jan 2021 07:31:33 -0600
From: Stephen Fierbaugh <stephen () fierbaugh org>
Subject: Re: One Minute Left": Hockey, CoVID-19 ...vs hacking (Drewe,
  RISKS-32.43)

We "wait" until total monthly deaths from all causes decrease to <= 1
standard deviation from normal.

The benefit is this calculation is easy to make from readily available civil
data collection processes which have been in place for a long time, doesn't
require any special testing, and can't really be manipulated.

For my Smith County, Texas, USA, mortality is currently at 7.351 standard
deviations.

------------------------------

Date: Wed, 13 Jan 2021 22:24:07 +0000
From: "Chris D." <e767pmk () yahoo co uk>
Subject: Re: One Minute Left": Hockey, CoVID-19 ...vs hacking
  (Fierbaugh, RISKS-32.45)

Thanks, but I'm not sure if it's that simple.  Reportedly, what panics
politicians is people dying from Covid-19 in hospital corridors or parking
lots, so much routine health treatment has virtually stopped to leave room
for these people.  "Total monthly deaths from all causes" will include those
who may have died from delayed investigation and/or treatment but it's
difficult to say how many there were, and people who die quietly at home
aren't so conspicuous.  We are deluged with figures on daily/weekly/monthly
deaths, but often measured in different ways or time periods, and then
there's the annual panic over 'winter'.  There are constant demands over
making lockdown restrictions stricter, or if this would make things better
or worse...

  Hope that helped but it probably didn't.  CD

------------------------------

Date: Wed, 13 Jan 2021 16:46:55 -0600
From: Stephen Fierbaugh <stephen () fierbaugh org>
Subject: Re: One Minute Left": Hockey, CoVID-19 ...vs hacking
  (Drewe, RISKS-32.45)

Clarification: I didn't mean that we stay locked down until then. 
Rather, the public health emergency will be over then. That the metric
measures all deaths, not just explicitly COVID-19 is an intentional feature,
not a bug.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.45
************************
Subject: Risks Digest 32.46

RISKS-LIST: Risks-Forum Digest  Monday 25 January 2021  Volume 32 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.46>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
FAA Files Reveal a Surprising Threat to Airline Safety: the U.S. Military's
  GPS Tests (IEEE Spectrum)
Australia's proposed media code could break the world wide web, says the man
  who invented it (The Guardian)
Big Tech (Lauren Weinstein)
Home alarm tech admits he used security cameras to be a serial Peeping Tom
  (ProTip via Ars Technica)
AI-powered text from this program could fool the government (Will Knight)
No stopping AI? Scientists conclude there would be no way to control
  super-intelligent machines (Study Finds)
DNSpooq Lets Attackers Poison DNS Cache Records (Catalin Cimpanu)
1,900 doses of Moderna vaccine destroyed after cleaner accidentally unplugs
  freezer in Boston (ABC News)
COVID-19 Vaccine Reservations (RLGSC via Bob Gezelter)
Intelligence Analysts Use U.S. Smartphone Location Data Without Warrants
  (NYTimes)
A Lesson From 1930s Germany: Beware State Control of Social Media
  (Heidi Tworek via Kimi Wei)
Biden Has a Peloton Bike. That Raises Issues at the White House.
  (NYTimes)
Biden will be the first president to use the new Air Force One
  (Business Insider)
Janet Yellen suggests 'curtailing' cryptocurrency (Business Insider)
Camouflage shield known as Quantum Stealth, is light-bending material that
  could be used to obscure objects of varying sizes (Geoff Goodfellow)
Google-Linked Balloon Project to Provide Cell Service Will Close (NYTimes)
Supermarket Worker Stole $1 Million and Bought Cars and Guns, Police Say
  (NYTimes)
Forever Chemicals Are Widespread in U.S. Drinking Water
  (Scientific American)
Revving up electric car industry, Israeli firm develops 5-minute-charge
  battery (The Guardian)
Re: Bursts of acceleration in Tesla vehicles caused by drivers mistaking
  accelerators for brakes ... (Don Norman with appended excerpts from
  John Levine and Michael Bacon)
Re: Post-Riot, the Capitol Hill IT Staff Faces a Security Mess
  (Craig S. Cottingham)
Re: Bug wipes UK arrest records (Michael Bacon, John Colville)
Re: Company name could lead to security xss attack (Wol)
Re: Risk Management and Two-Dose Vaccines (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 21 Jan 2021 09:57:56 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: FAA Files Reveal a Surprising Threat to Airline Safety: the
  U.S. Military's GPS Tests (IEEE Spectrum)

*Military tests that jam and spoof GPS signals are an accident waiting to
happen*

Early one morning last May, a commercial airliner was approaching El Paso
International Airport, in West Texas, when a warning popped up in the
cockpit: *GPS Position Lost*. The pilot contacted the airline's operations
center and received a report that the U.S. Army's White Sands Missile Range
<https://www.wsmr.army.mil/Pages/home.aspx>, in South Central New Mexico,
was disrupting the GPS signal. ``We knew then that it was not an aircraft
GPS fault,'' the pilot wrote later.

The pilot missed an approach on one runway due to high winds, then came
around to try again. ``We were forced to Runway 04 with a predawn landing
with no access to [an instrument landing] with vertical guidance,'' the
pilot wrote. ``Runway 04 has a high CFIT threat due to the climbing terrain
in the local area.''

CFIT stands for ``controlled flight into terrain,'' and it is exactly as
serious as it sounds. The pilot considered diverting to Albuquerque, 370
kilometers away, but eventually bit the bullet and tackled Runway 04 using
only visual aids. The plane made it safely to the ground, but the pilot
later logged the experience on NASA's Aviation Safety Reporting System
<https://asrs.arc.nasa.gov/>, a forum where pilots can anonymously share
near misses and safety tips.

This is far from the most worrying ASRS report involving GPS jamming. In
August 2018, a passenger aircraft in Idaho, flying in smoky conditions,
reportedly suffered GPS interference from military tests and was saved from
crashing into a mountain only by the last-minute intervention of an air
traffic controller. ``Loss of life can happen because air traffic control
and a flight crew believe their equipment are working as intended, but are
in fact leading them into the side of the mountain,'' wrote the controller.
``Had [we] not noticed, that flight crew and the passengers would be dead. I
have no doubt.''  [...]

https://spectrum.ieee.org/aerospace/aviation/faa-files-reveal-a-surprising-threat-to-airline-safety-the-us-militarys-gps-tests

  [For further background on this topic, see Kate Murphy, Our GPS System Is
  Too Vulnerable, *The New York Times* Sunday Review, 24 Jan 2021.  ``We
  need a backup for a service that is essential but full of weaknesses.''
  Sounds quite consistent with other RISKS items!  PGN]

------------------------------

Date: Thu, 21 Jan 2021 20:07:09 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Australia's proposed media code could break the world wide web,
  says the man who invented it (The Guardian)

https://www.theguardian.com/media/2021/jan/20/australias-proposed-media-code-could-break-the-world-wide-web-says-the-man-who-invented-it

------------------------------

Date: Tue, 19 Jan 2021 14:23:51 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Big Tech

  [via NNSquad]

Some of my contemporaries are jumping on the "Big Tech is the Enemy"
bandwagon.  I could not disagree more. I am convinced that "Big Tech" is
ultimately our salvation -- and that does include social media. The goal
must be fixing the problems we have created, not killing Big Tech.

------------------------------

Date: Fri, 22 Jan 2021 12:57:57 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Home alarm tech admits he used security cameras to be a serial
  Peeping Tom (ProTip via Ars Technica)

No cameras in the bedroom?

https://arstechnica.com/information-technology/2021/01/home-alarm-tech-backdoored-security-cameras-to-spy-on-customers-having-sex/

------------------------------

Date: January 18, 2021 at 7:38:27 PM GMT+9
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: AI-powered text from this program could fool the government
  (Will Knight)

  [via Dave Farber]

Volunteers couldn't tell AI-generated comments from those penned by humans.
Will Knight, Ars Technica, 17 Jan 2021
https://arstechnica.com/tech-policy/2021/01/ai-powered-text-from-this-program-could-fool-the-government/

In October 2019, Idaho proposed changing its Medicaid program. The state
needed approval from the federal government, which solicited public feedback
via Medicaid.gov.

Roughly 1,000 comments arrived. But half came not from concerned citizens or
even Internet trolls. They were generated by artificial intelligence. And a
study found that people could not distinguish the real comments from the
fake ones.

The project was the work of Max Weiss, a tech-savvy medical student at
Harvard, but it received little attention at the time. Now, with AI language
systems advancing rapidly, some say the government and Internet companies
need to rethink how they solicit and screen feedback to guard against
deepfaketext manipulation and other AI-powered interference.

``The ease with which a bot can generate and submit relevant text that
impersonates human speech on government websites is surprising and really
important to know,'' says Latanya Sweeney, a professor at Harvard's Kennedy
School who advised Weiss on how to run the experiment ethically.  Sweeney
says the problems extend well beyond government services, but it is
imperative that public agencies find a solution. ``AI can drown speech from
real humans,'' she says. ``Government websites have to change.''

The Centers for Medicare and Medicaid Services says it has added new
safeguards to the public comment system in response to Weiss's study,
though it declines to discuss specifics. Weiss says he was contacted by the
US General Services Administration, which is developing a new version of the
federal government website for publishing regulations and comments, about
ways to better protect it from fake comments.

Government systems have been the target of automated influence campaigns
before. In 2017, researchers discovered that over a million comments
submitted to the Federal Communications Commission regarding plans to roll
back net neutrality rules had been auto-generated, with certain phrases
copied and pasted into different messages.

Weiss's project highlights a more serious threat. There has been remarkable
progress in applying AI to language over the past few years. When powerful
machine-learning algorithms are fed huge amounts of training data -- in the
form of books and text scraped from the Web -- they can produce programs
capable of generating convincing text. Besides myriad useful applications,
this raises the prospect that all sorts of Internet messages, comments, and
posts could be faked easily and less detectably.

``As technology gets better,'' Sweeney says, ``human speech venues become
subject to manipulation without human knowledge that it has happened.''
Weiss was working at a health care consumer-advocacy organization in the
summer of 2019 when he learned about the public feedback process required to
make Medicaid changes. Knowing that these public comments had swayed
previous efforts to change state Medicaid programs, Weiss looked for tools
that could auto-generate comments.

``I was a bit shocked when I saw nothing more than a submit button standing
in the way of your comment becoming a part of the public record,'' he says.

Weiss discovered GPT-2, a program released earlier that year by OpenAI, an
AI company in San Francisco, and realized he could generate fake comments to
simulate a groundswell of public opinion. ``I was also shocked at how easy
it was to fine tune GPT-2 to actually spit out the comments,'' Weiss
says. ``It's relatively concerning on a number of fronts.''

Besides the comment-generating tool, Weiss built software for automatically
submitting comments. He also conducted an experiment in which volunteers
were asked to distinguish between the AI-generated comments and ones written
by humans. The volunteers did no better than random guessing.

After submitting the comments, Weiss notified the Centers for Medicare and
Medicaid Services. He had added a few characters to make it easy to identify
each fake comment. Even so, he says, the AI feedback remained posted online
for several months.

GPT-3

OpenAI released a more capable version of its text-generation program,
called GPT-3, last June. So far, it has only been made available to a few AI
researchers and companies, with some people building useful applications
such as programs that generate email messages from bullet points. When GPT-3
was released, OpenAI said in a research paper that it had not seen signs of
GPT-2 being used maliciously, even though it had been aware of Weiss's
research.

OpenAI and other researchers have released a few tools capable of
identifying AI-generated text. These use similar AI algorithms to spot
telltale signs in the text. It's not clear if anyone is using these to
protect online commenting platforms. Facebook declined to say if it is using
such tools; Google and Twitter did not respond to requests for comment.

It also isn't clear if sophisticated AI tools are yet being used to create
fake content. In August, researchers at Google posted details of an
experiment that used deepfake-text-detection tools to analyze over 500
million webpages. They found that the tools could identify pages hosting
auto-generated text and spam. But it wasn't clear if any of the content was
made using an AI tool such as GPT-2.

------------------------------

Date: Mon, 18 Jan 2021 12:28:06 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: No stopping AI? Scientists conclude there would be no way to
  control super-intelligent machines (Study Finds)

From self-driving cars to computers that can win game shows, humans have a
natural curiosity and interest in artificial intelligence (AI). As
scientists continue making machines smarter and smarter however, some are
asking ``what happens when computers get too smart for their own good?''
From The Matrix to The Terminator, the entertainment industry has already
started pondering if future robots will one day threaten the human race.
Now, a new study concludes there may be no way to stop the rise of
machines. An international team says humans would not be able to prevent
super artificial intelligence from doing whatever it wanted to.

Scientists from the Center for Humans and Machines at the Max Planck
Institute have started to picture what such a machine would look like.
Imagine an AI program with an intelligence far superior to humans. So much
so that it could learn on its own without new programming. If it was
connected to the Internet, researchers say the AI would have access to all
of humanity's data and could even take control of other machines around the
globe.

Study authors ask what would such an intelligence
<https://www.studyfinds.org/human-brains-computer-see-objects/> do with all
that power? Would it work to make all of our lives better? Would it devote
its processing power to fixing issues like climate change? Or, would the
machine look to take over the lives
<https://www.studyfinds.org/majority-of-office-workers-feel-artificial-intelligence-could-replace-them-within-5-years/>
of its human neighbors?
Controlling the uncontrollable? The dangers of super artificial intelligence
[...]
https://www.studyfinds.org/no-way-to-control-super-artificial-intelligence-ai/

------------------------------

Date: Mon, 25 Jan 2021 12:18:06 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: DNSpooq Lets Attackers Poison DNS Cache Records (Catalin Cimpanu)

Catalin Cimpanu, ZDNet, 19 Jan 2021 via ACM TechNews, 25 Jan 2021

Researchers in Israeli boutique cybersecurity consultancy JSOF have
disclosed seven vulnerabilities that affect Dnsmasq, a domain name system
(DNS) forwarding client for *NIX-based operating systems. The
vulnerabilities involve DNSpooq software in millions of devices sold
worldwide, including networking gear like routers, access points, firewalls,
and VPNs from numerous companies. The researchers say the vulnerabilities
could be combined to poison DNS cache entries recorded by Dnsmasq servers,
allowing attackers to redirect users to clones of legitimate websites. Four
of the vulnerabilities are buffer overflows in the Dnsmasq code that could
result in remote code execution scenarios, and the remainder enable DNS
cache poisoning. The researchers advise users to apply security updates
released by the Dnsmasq project.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-291b8x2279e7x070793&;
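
The cache-poisoning half of this report comes down to how strictly a forwarder matches upstream replies to the queries it has outstanding. As an added illustration (this is not dnsmasq's code and does not reproduce the JSOF findings), the Python below builds a few DNS messages by hand and runs them through the checks a caching forwarder must apply before a reply may enter its cache: transaction ID, the local port the query left from, the upstream server address, and the question section. Every name, address, port and transaction ID in it is constructed for the demo.

```python
"""Illustrative response-matching check for a caching DNS forwarder.

Added example, not dnsmasq code. A forwarder must accept a reply only when
every field it controls matches an outstanding query; each field left
unchecked, or drawn from too small a range, is one fewer guess a forged
reply has to get right. All packets below are constructed for the demo.
"""
import struct

IN_CLASS = 1
A_TYPE = 1
FLAG_RESPONSE = 0x8000


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, offset: int):
    """Decode a possibly compressed name; returns (lower-cased name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_message(txid: int, flags: int, qname: str, qtype: int, answer_ip=None) -> bytes:
    """Build a minimal DNS message with one question and an optional A answer."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)
    answer = b""
    if answer_ip:
        # 0xC00C points back at the question name; TTL 300; RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4)
        answer += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + answer


def parse_message(pkt: bytes) -> dict:
    """Parse the header and the single question section needed for matching."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
    return {"txid": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "qname": qname, "qtype": qtype, "qclass": qclass}


class ForwarderState:
    """Outstanding upstream queries keyed by (transaction ID, local source port)."""

    def __init__(self):
        self.pending = {}

    def send_query(self, txid, local_port, upstream_ip, qname, qtype):
        # A real forwarder draws txid and local_port from a CSPRNG; fixed values here are demo input.
        self.pending[(txid, local_port)] = (upstream_ip, qname.lower(), qtype)

    def accept_response(self, pkt, src_ip, src_port, dst_port):
        """Return (accepted, reason); only an accepted reply may enter the cache."""
        msg = parse_message(pkt)
        if not msg["is_response"]:
            return False, "not a response"
        key = (msg["txid"], dst_port)
        if key not in self.pending:
            return False, "no pending query with this txid/port"
        upstream_ip, qname, qtype = self.pending[key]
        if src_ip != upstream_ip or src_port != 53:
            return False, "source address/port mismatch"
        if msg["qname"] != qname or msg["qtype"] != qtype or msg["qclass"] != IN_CLASS:
            return False, "question section mismatch"
        del self.pending[key]                         # one reply per query, no replays
        return True, "accepted"


def run_demo() -> dict:
    """Feed one genuine and several forged replies to the matcher (constructed sample data)."""
    fwd = ForwarderState()
    fwd.send_query(0x1A2B, 40000, "192.0.2.53", "example.com", A_TYPE)
    flags = FLAG_RESPONSE | 0x0180                    # standard response, RD and RA set
    mk = lambda txid, name, ip: build_message(txid, flags, name, A_TYPE, ip)
    results = {}
    results["wrong_txid"] = fwd.accept_response(mk(0x1A2C, "example.com", "203.0.113.9"), "192.0.2.53", 53, 40000)
    results["wrong_source"] = fwd.accept_response(mk(0x1A2B, "example.com", "203.0.113.9"), "203.0.113.9", 53, 40000)
    results["wrong_question"] = fwd.accept_response(mk(0x1A2B, "bank.example", "203.0.113.9"), "192.0.2.53", 53, 40000)
    results["legit"] = fwd.accept_response(mk(0x1A2B, "example.com", "198.51.100.7"), "192.0.2.53", 53, 40000)
    results["replay"] = fwd.accept_response(mk(0x1A2B, "example.com", "198.51.100.7"), "192.0.2.53", 53, 40000)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:15s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The defender's takeaway is that each of these comparisons is either made or it is not: a forwarder that skips the source check, reuses one local port, or matches on a weak hash of the name rather than the name itself has shrunk the space a forged reply must hit, which is why a fresh random transaction ID and source port per query, plus an exact question-section comparison, are the baseline for any resolver-side code.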

------------------------------

Date: Fri, 22 Jan 2021 14:10:41 -0600
From: "Allen M. Bonneau"
Subject: 1,900 doses of Moderna vaccine destroyed after cleaner accidentally 
  unplugs freezer in Boston (ABC News)

I have seen many stories about cleaners unplugging various systems so they
could plug in the vacuum cleaner, etc.  This is the first one I have seen
where the system was alarmed for this very scenario.

  Toto said, the freezer at the Boston pharmacy "was in a secure location
  and had an alarm system installed.  The plug was found loose after a
  contractor accidentally removed it while cleaning."

  He said they are investigating why the incident occurred and why the
  alarm system did not work as it was supposed to.

https://abcnews.go.com/Health/1900-doses-moderna-vaccine-destroyed-cleaner-accidentally-unplugs/story?id=75419665

------------------------------

Date: Mon, 25 Jan 2021 04:57:59 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: COVID-19 Vaccine Reservations (RLGSC)

Various news outlets have reported systemic problems with the COVID-19
vaccination program in the United States. The most recent installment in my
blog, Ruminations, discussed some of the major issues I encountered.

The general public is rarely impacted by poor choices in IT implementations.
Unfortunately, the COVID-19 vaccination program has become an example of how
not to implement important public-facing computer systems. ...

The full text can be found at:

http://www.rlgsc.com/blog/ruminations/public-health-endangered-by-deficient-user-models.html

------------------------------

Date: Sat, 23 Jan 2021 15:27:37 -0500
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Intelligence Analysts Use U.S. Smartphone Location Data Without
 Warrants, Memo Says

https://www.nytimes.com/2021/01/22/us/politics/dia-surveillance-data.html

------------------------------

Date: January 19, 2021 at 10:13:21 AM GMT+9
From: Kimi Wei <kimiwei88 () gmail com>
Subject: A Lesson From 1930s Germany: Beware State Control of Social Media

Heidi Tworek, *The Atlantic*,  26 May 2019   [via Dave Farber]

https://www.theatlantic.com/international/archive/2019/05/germany-war-radio-social-media/590149/?fbclid=IwAR1o7hi3wl70oEtokq9Q4ofduG45sSF-4XqAb6tXfS7lUKnPjZeglRRg0H0

Regulators should think carefully about the fallout from well-intentioned
new rules and avoid the mistakes of the past

``Our way of taking power and using it would have been inconceivable without
the radio and the airplane,'' Nazi Propaganda Minister Joseph Goebbels
claimed in August 1933.

  [Timely but very long item truncated for RISKS.  PGN]

------------------------------

Date: Wed, 20 Jan 2021 05:33:22 -0500
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Biden Has a Peloton Bike. That Raises Issues at the White House.

https://www.nytimes.com/2021/01/19/us/politics/biden-peloton.html

------------------------------

Date: Thu, 21 Jan 2021 13:38:57 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Biden will be the first president to use the new Air Force One
  (Business Insider)

Here's what we know about the $5.3-billion aircraft

https://www.businessinsider.com/what-we-know-about-the-air-force-one-replacement-project-2020-7

Favorite line:

  The Air Force announced in April that Boeing will develop the owner's
  manual for the new VC-25B aircraft and the service branch is paying $84
  million for it, DefenseOne reported. The manual will reportedly contain
  over 100,000 pages and won't even be ready at the time of the jet's
  estimated delivery to the Air Force, with DefenseOne reporting that it
  will arrive in January 2025.

That is one serious manual! And it better have a quick index for pilots...

------------------------------

Date: Thu, 21 Jan 2021 14:03:49 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Janet Yellen suggests 'curtailing' cryptocurrency

https://markets.businessinsider.com/currencies/news/bitcoin-price-cryptocurrency-should-be-curtailed-terrorism-concerns-yellen-2021-1-1029985692

On the other hand...

http://broadbandbreakfast.com/2021/01/panelists-at-ces-2021-agree-widespread-adoption-of-cryptocurrency-is-imminent/

------------------------------

Date: Thu, 21 Jan 2021 10:00:08 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Camouflage shield known as Quantum Stealth, is light-bending
  material that could be used to obscure objects of varying sizes

https://twitter.com/knowIedgehub/status/1352235869143330819

------------------------------

Date: Fri, 22 Jan 2021 13:00:14 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Google-Linked Balloon Project to Provide Cell Service Will Close
  (NYTimes)

https://www.nytimes.com/2021/01/21/technology/loon-google-balloons.html

------------------------------

Date: Fri, 22 Jan 2021 13:11:00 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Supermarket Worker Stole $1 Million and Bought Cars and Guns,
  Police Say (NYTimes)

The theft, by a 19-year-old who worked at a Kroger in Duluth, Georgia,
occurred over two weeks when a supermarket compliance officer was away, the
authorities said.

https://www.nytimes.com/2021/01/21/us/kroger-atlanta-teen-arrested.html

The risk? Let me think...

------------------------------

Date: Sat, 23 Jan 2021 13:05:06 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Forever Chemicals Are Widespread in U.S. Drinking Water
  (Scientific American)

https://www.scientificamerican.com/article/forever-chemicals-are-widespread-in-u-s-drinking-water/

"A handful of states have set about trying to address these contaminants,
which are scientifically known as perfluoroalkyl and polyfluoroalkyl
substances (PFASs). But no federal limits have been set on the concentration
of the chemicals in water, as they have for other pollutants such as
benzene, uranium and arsenic. With a new presidential administration coming
into office this week, experts say the federal government finally needs to
remedy that oversight. 'The PFAS pollution crisis is a public health
emergency,' wrote Scott Faber, EWG's senior vice president for government
affairs, in a recent public statement."

Cast iron cookware is safer than non-stick, though maintenance is
higher. Can also be used for weight training!

The movie "Dark Waters" dramatizes the protracted effort to hold industry
accountable for PFAS water pollution.

------------------------------

Date: Tue, 19 Jan 2021 12:46:52 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Revving up electric car industry, Israeli firm develops
  5-minute-charge battery

*Herzliya-based startup StoreDot unveils solution for main obstacle to
widespread use of electric vehicles, but it requires major upgrades to
charging stations*

Israeli company StoreDot announced Tuesday that in a landmark achievement in
the electric vehicle industry, it had managed to develop the world's first
car battery that can be fully charged in just five minutes.

However, the invention will take time to become commercially feasible since
the ultra-fast charge would require much higher-power chargers than are
currently available, The Guardian *reported*  [... PGN-truncated]
<https://www.theguardian.com/environment/2021/jan/19/electric-car-batteries-race-ahead-with-five-minute-charging-times>
<https://www.timesofisrael.com/israeli-startup-storedot-unveils-ultra-fast-charging-batteries-for-drones/>
https://www.timesofisrael.com/revving-up-electric-car-industry-israeli-firm-develops-5-minute-charge-battery/

------------------------------

Date: Mon, 18 Jan 2021 15:49:42 -0800
From: Don Norman <dnorman () ucsd edu>
Subject: Re: Bursts of acceleration in Tesla vehicles caused by drivers
  mistaking accelerators for brakes ... (RISKS-32.45)

Gabe Goldberg reported *The Washington Post* on an NHTSA investigation into
crashes by Teslas. The study concluded that there was no design fault, but
rather Driver Error: Mistakenly stepping on the accelerator rather than the
brake.

https://www.washingtonpost.com/transportation/2021/01/08/tesla-brakes/

Gabe then editorializes in the cute quip manner that has become all too
common on RISKS: "[Doesn't speak well of Tesla owners' driving skills...]."

I believe it is a Design Fault -- not just of Tesla, but of automobiles in
general and the standards committees.

Mistaken application of the accelerator pedal rather than the brake is a
reasonably frequent event in automobiles, so frequent that it even has an
acronym: SUA. Sudden Unintended Acceleration.

Why? Because the accelerator and brake pedals are adjacent, sometimes at
approximately the same height (especially loved by racers, so they can "heel
and toe" between the two pedals rapidly).

In modern autos, there is no clutch pedal, so there is lots of room to space
the pedals differently.  There are other solutions to the placement of the
pedals, but each change will have its own perceived risks, so rather than
make suggestions only to have people point out the flaws, I say, why not
turn it over to the Human Factors engineers. Every major car manufacturer --
and even NHTSA-- employs them. Let the studies begin!  (Caveat: I'm a Fellow
of the Human Factors society, among others, so I am biased.)

I also suspect that for many of the Tesla accidents, the driver's foot was
on the floor or otherwise resting.  Why? In the Tesla (or any auto with
adaptive cruise control), there is nothing for the right foot to do.
Acceleration and appropriate speed is automatically handled by the vehicle.
Why not rest the foot? I know I do. If there suddenly is a need to brake, a
small percentage of misses is likely.

Note too that in the case of Tesla, all the SUA events did have forces
applied to the accelerator pedal (the auto has extensive record keeping), so
these were unlikely to simply be faulty automation. Of the 217 cases
examined by NHTSA, 28% were in parking lots and 12% in driveways -- 40%!

Tesla -- and many Electric Vehicles (EVs) -- have a feature that can be
dangerous in this situation: Electric motors have high torque even at
startup, so the initial acceleration, even (especially) from a stopped
position can be unexpectedly rapid.  Notice that most of the cases were in
zero or low velocity situations. The NHTSA report states: "Eighty-six (86)
percent of these crashes occurred in parking lots, driveways or other
close-quarter *not-in-traffic* locations." Moreover, NHTSA says: "Almost all
of these crashes were of short duration, with crashes occurring within three
seconds of the alleged SUA event."

I don't have comparable statistics for the multiple crashes that Toyota had
due to SUA or for any of the other manufacturers who were also afflicted.

But Norman's Rule of Design is that when there are multiple, repeated
incidents of the same type of accident, even though the tendency is to blame
the person, invariably it is actually due to inappropriate design.  When I
see one or two cases, blaming the person might be appropriate. But when the
number of cases gets into the multiple hundreds, something else is going on.

It is cute to make fun of drivers, whether for their age, gender, or choice
of automobile. Cute statements often are false statements. And false
statements can cause damage and death. In the case of automobile accidents,
a false belief that incidents are caused by driver error prevents government
agencies and automobile manufacturers from believing they should do
something about it.

Please people, stop calling faulty design "human error."

(I couldn't find the NHTSA report on the NHTSA site, but it is available at
https://www.teslarati.com/tesla-sudden-acceleration-nhtsa-closes-review/ .)

Don Norman, Founding Director Emeritus, Design Lab,
University of California, San Diego USA.

  [John Levine noted that in the 1980s a bunch of unexpected acceleration
  events in Audi 100's were also due to pedal confusion. Audi recalled them
  to move the pedals farther apart and to add an interlock so you had to
  step on the brake before putting the car in gear.

  Michael Bacon noted that many air crashes have been attributed to "pilot
  error", but examination of later incidents found issues with design,
  materials, systems, construction, maintenance, inspection, manuals,
  training, operations, etc.  PGN]

------------------------------

Date: Tue, 19 Jan 2021 14:35:11 -0600
From: "Craig S. Cottingham" <craig () cottingham net>
Subject: Re: Post-Riot, the Capitol Hill IT Staff Faces a Security Mess
  (Goldberg, RISKS-32.45)

And if they ran out of money to destroy things, what was left
to *buy* things?

Different bucket. Congress probably allocated X dollars to destroy and Y
dollars to replace.

------------------------------

Date: Tue, 19 Jan 2021 10:58:50 +0000
From: Michael Bacon <attilathehun1900 () tiscali co uk>
Subject: Re: Bug wipes UK arrest records (RISKS-32.45)

The deleted records were linked to police investigations that were
terminated before charge (No Further Action) or to those where an individual
had been acquitted at court.  Statistically, few of them will relate to
murders, rapes or other serious crimes.

That's not to say there is little or no risk, but it's not as serious as the
opposition parties or the British Broadcasting Corporation would like to
make out.

------------------------------

Date: Mon, 18 Jan 2021 23:06:21 +0000
From: John Colville <John.Colville () uts edu au>
Subject: Re: Company name could lead to security xss attack

Not a sophisticated, modern problem but: Some years ago, in Sydney
(Australia) there was a company named Computer Accounting and Systems, or
CAS for short.  For a while people were sending cheques (checks) to pay
'CAS' until some enterprising person changed the recipient name by adding an
'H', converting it to a cash cheque.

------------------------------

Date: Mon, 18 Jan 2021 23:46:34 +0000
From: Wol <antlists () youngman org uk>
Subject: Re: Risk Management and Two-Dose Vaccines (RISKS-32.45)

The calculus involved here is complex.  [...]

The UK thinks the calculus is simple.

Firstly, it appears that 12 weeks is the optimum delay to provide the
longest protection.

Secondly, and far more importantly, while a single dose may only offer 50%
or 60% protection against infection, it DOES seem to offer *100%* protection
against hospitalisation.

No, we don't want "one shot" people getting infected and spreading it, but
the more people we can keep out of hospital, the better. (And getting
infected seems to offer 85% immunity after you've recovered.)

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.46
************************

