    RISKS-LIST: Risks-Forum Digest Monday 1 June 2020 Volume 31 : Issue 93

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.93>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Dealing with the Internet's split personality (WashPost)
    In virus-hit South Korea, AI monitors lonely elders (WashPost)
    How to Protest Safely in the Age of Surveillance (WiReD)
    Resuscitate The Internet Fairness Doctrine (The Hill)
    An advanced and unconventional hack is targeting industrial firms
    (Ars Technica)
    Minnesota is now using contact tracing to track protestors, as
    demonstrations escalate (BGR)
    Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps
    (Lauren Weinstein)
    Critical 'Sign in with Apple' Bug Could Have Let Attackers Hijack Anyone's
    Account (The Hacker News)
    Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups (NYTimes)
    Anonymous is back (PGN)
    How To Create A Culture of Kick-Ass #DevSecOps Engineers That Advocates
    Security Automation & Monitoring Throughout the #Software Development
    Life-cycle (The Hacker News)
    Live EPIC online policy panel: Privacy and the Pandemic (Diego Latella)
    Risks to Elections in the COVID-19 Era (Diana Neuman)
    Death or Utopia in the Next Three Decades (Brian Berg)
    New Research Paper: "Privacy Threats in Intimate Relationships"
    (Bruce Schneier)
    Re: Tesla owner locked thief in car with his iPhone app (Carlos Villalpando)
    Re: The GitHub Arctic Code Vault (Amos Shapir)
    Re: Choosing 2FA authenticator apps can be hard. Ars did it so you don't
    have to (John Levine)
    Re: Vitamin C (R. G. Newbury)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 1 Jun 2020 13:17:03 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Dealing with the Internet's split personality (WashPost)

    https://www.washingtonpost.com/opinions/there-must-be-a-price-to-pay-for-misusing-the-internet/2020/05/29/fc82b08e-a1b8-11ea-81bb-c2f70f01034b_story.html

    "There must be a price to pay for misusing the Internet. New 'norms' of behavior must be nourished. Bad behavior must be punished. Up to a point, that's fine. But the commission never really explains how this is to
    work. One practical problem is the difficulty in identifying the source of a cyberattack."

    Environment drives evolution. Genomes react to environmental stimulus over generations; they adapt to enable survival. The Internet's predominant genome suggests business governance is an ideal adaptation candidate.

    Each data breach, computer malfunction, viral infection, botnet, bent or malicious insider, and DDoS incurs at least inconvenience, threatens
    business mortality, and routinely compromises personal privacy. Weak digital hygiene, inadequate training, ineffective content controls, and professional shirking contribute to these chronic conditions. Elevating and enforcing business conduct standards has never been more urgent.

    Classified data loss is vigorously prosecuted under Federal law (https://www.nytimes.com/2020/02/04/nyregion/cia-leak-wikileaks-trial-Joshua-Schulte.html,
    https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html)

    Businesses entrusted to manage customer data suffer public brand outrage
    when bulk content is lost through negligence. However, business governance teams and employees are inconstantly found liable in civil courts.

    Cyber-liability insurance compensates organizations and customers when
    justice determines necessity; usually, a settlement is reached before trial commences. Repeat incidents elevate premiums, and insurers mandate enhanced internal remediation to suppress recurrence. Despite repairs, comprehensive efforts to harden infrastructure, train employees, and build resilient processes appear ineffective given their industrial frequency.

    Governance "skin in the game" can compel organizational behavior to
    prioritize customer interests that include data protection and privacy maintenance practices.

    Privileges accompany corporate rank. Why not balance them with legally enforceable penalties? Would legislation that establishes financial
    penalties for business governance teams, including possible imprisonment, accelerate effective digital hygiene hardening and operational deployment?

    Enforcement practices can compel business compliance rigor. The financial crisis of 2007-2008 (see https://en.wikipedia.org/wiki/Financial_crisis_of_2007-2008) forced
    revisions to the Investment Advisors Act of 1940. Regulations were
    introduced that required financial advisors to put customer interests
    first. Rule violators were disciplined. However, regulations have been
    recently softened to favor business interests. (See https://www.sec.gov/news/press-release/2019-89 and https://www.consumerreports.org/financial-planning/how-to-find-reliable-financial-advice/).

    The Cyberspace Solarium Commission (https://www.solarium.gov/report) "urges Congress to give the Cybersecurity and Infrastructure Security Agency (CISA) significantly more resources and additional authorities as the agency works
    to ensure critical networks can recover quickly from cyberattacks and serves
    as the 'central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.'" This recovery
    mechanism can facilitate post-attack remediation, but does not expedite proactive and effective deterrence by Internet-based businesses.

    Establishing a fair, reliable, and vigilant Internet "cop on the beat,"
    funded in part from commercial and government data breach/malware fines,
    could motivate a fundamental change in how Internet-dependent businesses operate custodial data management practices. It is difficult to estimate business enforcement expenses. Operational expenses are usually factored
    into product prices. Consumers may experience certain pocketbook impact.

    For Internet business models that advertise application access as a quid pro quo for consumer data, there's likely very small revenue impact. Other industrial sectors: power distribution, healthcare, chemical, transportation etc. may need to proactively pool revenue (or self-insure).

    Government agency executives and employees should be subject to these regulations. They are in business to safeguard public interests, which
    includes oversight of significant personal identifying information and commercial data.

    Mandatory penalties derived from data loss or malware incidents would effectively serve as an "Internet Tax" chartered by government to offset materialized business risks that burden public confidence. A politically-independent, enforceable regulatory structure is necessary to restore the Internet's balance toward public interest.

    ------------------------------

    Date: Mon, 1 Jun 2020 14:15:52 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: In virus-hit South Korea, AI monitors lonely elders (WashPost)

    https://www.washingtonpost.com/business/technology/in-virus-hit-south-korea-ai-monitors-lonely-elders/2020/05/30/45c38370-a2ec-11ea-be06-af5514ee038story.html

    South Korea's elderly population volunteers for home digital assistant monitoring of searches and voice commands. Suicide, and unattended death generally, is a grave concern for this aging cohort.

    SK Telecom is a state-sanctioned surveillance economy titan. Weak consumer privacy protections fuel business thirst for data. Significant government
    and business embarrassments from largely unrestricted public data
    exploitation.

    ------------------------------

    Date: Mon, 1 Jun 2020 06:31:47 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: How to Protest Safely in the Age of Surveillance (WiReD)

    Law enforcement has more tools than ever to track your movements and access your communications. Here's how to protect your privacy if you plan to protest.

    https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/

    ------------------------------

    Date: Mon, 1 Jun 2020 21:56:47 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Resuscitate The Internet Fairness Doctrine (The Hill)

    https://thehill.com/policy/technology/500196-khanna-calls-for-internet-fairness-doctrine-in-response-controversial-trump

    "Let's say the President is tweeting out conspiracy theories about Joe Scarborough," Khanna said, referring to Trump's tweets earlier this week
    about an unsubstantiated conspiracy theory regarding the death of an aide
    that worked for the former Florida congressman.

    "Well why not allow the widower who doesn't want the president tweeting
    about his deceased wife, why not give him the opportunity to send a response and that response Twitter could send to every person who clicks on the President's tweets?" Khanna suggested.

    "Or why not allow someone to respond to the President's claims about ballot fraud?"

    "What I would say is, you defeat speech with speech. But you didn't give one person a huge megaphone and not allow a fair response," he added.

    In 1987, under President Reagan, the Fairness Act was abolished. An updated Fairness Act, tabled for legislative debate, appears overdue.

    If Khanna's solution is adopted, tag-tweeted publication latency accrues
    until rebuttal content materializes. A timer might be established to incentivize response. The tag-tweet process appears to be viable when
    applied to a single political office.

    The labor expense to oversee political content might become significant if
    the resuscitated Act applied to all levels of government (federal, state, local).

    Should a media company be required to sponsor this activity as a public service? Who pays for the speech/rebuttal oversight process? Who defines the rules governing the speech/rebuttal process? Who arbitrates disputes over
    what is/is-not political speech?

    ------------------------------

    Date: Mon, 1 Jun 2020 09:58:29 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: An advanced and unconventional hack is targeting industrial firms
    (Ars Technica)

    Steganography? Check. Living off the land? Yep. Triple-encoded payloads? Uh-huh.

    https://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/

    ------------------------------

    Date: Sun, 31 May 2020 14:39:10 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Minnesota is now using contact tracing to track protestors, as
    demonstrations escalate (BGR)

    https://bgr.com/2020/05/30/minnesota-protest-contact-tracing-used-to-track-demonstrators/

    In some cities like Minneapolis, though, officials are starting to turn to a familiar tool to investigate networks of protestors. The tool is contact-tracing, and it's a familiar tool in that people have been hearing about it frequently in recent weeks as an important component of a comprehensive coronavirus pandemic response. According to Minnesota Public Safety Commissioner John Harrington, officials there have been using what
    they describe, without going into much detail, as contact-tracing in order
    to build out a picture of protestor affiliations — a process that
    officials in the state say has led them to conclude that much of the protest activity there is being fueled by people from outside coming in.

    ------------------------------

    Date: Sun, 31 May 2020 12:05:06 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps

    https://lauren.vortex.com/2020/04/27/recommendation-do-not-install-or-use-centralized-server-coronavirus-covid-19-contact-tracing-apps

    ------------------------------

    Date: Sun, 31 May 2020 22:43:25 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Critical 'Sign in with Apple' Bug Could Have Let Attackers
    Hijack Anyone's Account (The Hacker News)

    The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users' accounts on third-party
    services and apps that have been registered using 'Sign in with Apple'
    option.

    https://thehackernews.com/2020/05/sign-in-with-apple-hacking.html

    ------------------------------

    Date: Mon, 1 Jun 2020 11:16:20 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups

    https://www.nytimes.com/2020/03/07/us/politics/erik-prince-project-veritas.html

    [Old news, but still timely. PGN]

    ------------------------------

    Date: Mon, 1 Jun 2020 11:56:46 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Anonymous is back

    George Floyd: Anonymous hackers re-emerge amid US unrest (BBC News) https://www.bbc.com/news/technology-52879000

    ------------------------------

    Date: Mon, 1 Jun 2020 09:10:31 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: How To Create A Culture of Kick-Ass #DevSecOps Engineers
    That Advocates Security Automation & Monitoring Throughout the
    #Software Development Life-cycle.

    https://thehackernews.com/2020/06/devsecops-engineers.html

    ------------------------------

    Date: Mon, 01 Jun 2020 22:24:28 +0200
    From: "Diego.Latella" <diego.latella@isti.cnr.it>
    Subject: Live EPIC online policy panel: Privacy and the Pandemic

    PRIVACY AND THE PANDEMIC (https://epic.org/events/June3/)
    3 JUNE 2020, 1 PM - 2 PM EDT

    The COVID-19 pandemic is a global health emergency of unprecedented scale,
    and countries are deploying a wide range of techniques to respond. EPIC is advocating for greater privacy protection to ensure that the public health response protects individuals. These systems should be lawful and
    voluntary. There should be minimal collection of personally identifiable information. The techniques should be robust, scalable, and provable. And
    they should only be used during the pandemic emergency.

    Our panelists will discuss ways in which governments can protect both public health and privacy, the technology behind digital contact tracing apps, and
    the Congressional response to privacy and the pandemic.

    PANELISTS:
    Jane Bambauer, Professor of Law at the University of Arizona
    Alan Butler, Interim Executive Director and General Counsel, EPIC
    Asad Ramzanali, Legislative Director, Representative Anna Eshoo [D-CA-18]
    Bruce Schneier, Internationally renowned security technologist

    MODERATOR:
    Anita Allen, Professor of Law and Professor of Philosophy, University of
    Pennsylvania Law School; Chair, EPIC Board of Directors

    ABOUT EPIC:
    https://epic.org/epic/about.html

    ------------------------------

    Date: Wed, 27 May 2020 08:08:29 -0700
    From: Diana Neuman <diana.neuman@bacesecurity.org>
    Subject: Risks to Elections in the COVID-19 Era

    A Fireside Chat with Peter G. Neumann and Rebecca T. Mercuri
    Wednesday 3 June 2020 11am PDT
    Hosted by the (Becky) Bace Cybersecurity Institute

    Flyer and Website
    https://www.bacesecurity.org/page/2686

    Diana Neuman, Executive Director, Bace Cybersecurity Institute diana.neuman@bacesecurity.org

    ------------------------------

    Date: Mon, 1 Jun 2020 12:09:56 PDT
    From: Brian Berg via AMW <amw@berglist.com>
    Subject: Death or Utopia in the Next Three Decades

    Special EE380/Asilomar Joint Event (Thu, June 4, 11am-1pm PDT)

    Register at http://ee380.stanford.edu/register.html to receive a URL to
    access the live virtual presentation

    *Presentation will be published to YouTube shortly after the live event.*

    Today the data suggests that we are near the beginning of a chaotic mess of global proportions. Things are fairly simple: a global pandemic with no
    tools to fight the virus, a global economy in disarray, climate change and other existential risks beginning to intrude into our daily lives, and a
    total lack of a plan as to what to do.

    On the other hand, we are at the pinnacle of human capabilities and have, if
    we so choose, the capability to create a Utopian egalitarian world without conflict or want.

    In this 2-hour program, a group of experts will explore the future, focusing
    on 2030 and 2050.

    Where are we now? What is trending? What if anything can be done about it?

    You are invited to participate in a virtual conference live using Zoom
    (version 5.0 or greater), or watch the recorded version when it is
    published on YouTube. You must REGISTER (

    http://ee380.stanford.edu/register.html) to receive a URL to access the
    live virtual presentation and find the YouTube video of the presentation

    *The Panel*

    John Markoff* Stanford Institute for Human Centered AI, ex-NY
    Times (Moderator)

    Garrett Banning* Washington-based strategic thinker and analyst

    Joy Buolamwini Algorithmic Justice League | Poet of Code ; Harvard

    Carole Dumaine Consultant, NIC, CIA; Co-founder of Futures.org.

    John Hennessy Stanford University professor, past President; Alphabet
    BoD Chair

    Michael Mann Earth System Science Center and Professor, Penn State

    Carmine Medina Former CIA Deputy Director, Author of Rebels At Work

    Paul Saffo Forecaster of technology change, Stanford Engineering Adjunct

    Megan Smith CEO shift7, MIT Board, ex-CIO of the US under Obama

    *Sponsors*

    The Asilomar Microcomputer Workshop is one of the iconic gatherings which supported the growth of computing. This is the first mini-conference which replaces the 46th Asilomar Microcomputer Workshop, which was canceled due to the COVID-19 pandemic. http://www.amw.org.

    The Stanford EE Colloquium on Computer Systems, EE380, will present the mini-conference as one of its offerings for Spring Quarter 2020. http://ee380.stanford.edu

    *Organizers*
    Dennis Allison Program conception and organization
    Robert Kennedy III Asilomar Microcomputer Workshop General Chair

    ------------------------------

    Date: Mon, 01 Jun 2020 14:32:54 -0500
    From: Bruce Schneier <schneier@schneier.com>
    Subject: New Research Paper: "Privacy Threats in Intimate Relationships"

    Just published:

    "Privacy Threats in Intimate Relationships"
    Karen Levy and Bruce Schneier
    Journal of Cybersecurity, Volume 6, Issue 1, 2020.

    Abstract: This article provides an overview of intimate threats: a class of privacy threats that can arise within our families, romantic partnerships, close friendships, and caregiving relationships. Many common assumptions
    about privacy are upended in the context of these relationships, and many otherwise effective protective measures fail when applied to intimate
    threats. Those closest to us know the answers to our secret questions, have access to our devices, and can exercise coercive power over us. We survey a range of intimate relationships and describe their common features. Based
    on these features, we explore implications for both technical privacy design and policy, and offer design recommendations for ameliorating intimate
    privacy risks.

    https://academic.oup.com/cybersecurity/article/6/1/tyaa006/5849222

    ------------------------------

    Date: Sat, 30 May 2020 18:11:52 -0700
    From: Carlos Villalpando <unbelver@gmail.com>
    Subject: Re: Tesla owner locked thief in car with his iPhone app (R 31 87)

    How long will it be before we see: "iPhone app bug allows anyone to lock Tesla owners into their cars"?

    Never, I suspect. When I saw the original report in 31.87 I was suspect in that Teslas don't have a "remote off" and there is no physical locking mechanism. All "locking" the car does is tell the car to ignore the
    exterior door handle microswitches. Attempting to duplicate this on my own Tesla Model 3, the interior driver door button always obeyed, but even if I locked it with my phone, and on top of that, there's the mechanical door release which bypasses the electronic lock. And the mechanical release is
    most like all other vehicle door releases, and is used often by passengers unfamiliar with the vehicle.

    I suspect this was a case of someone not knowing how to deal with the differences of how to operate the vehicle. The car has a non-standard way
    of shifting into drive modes, and will not shift into drive mode without detecting the phone key/keyfob inside the vehicle. I suspect the carjacker was confused enough for the owner to get out of phone Bluetooth range, and was too impaired to deal with what to do next.

    [Thanks for that. I had problems with the original story, because it
    did not make sense. PGN]

    ------------------------------

    Date: Sun, 31 May 2020 12:43:37 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: The GitHub Arctic Code Vault (RISKS-31.92)

    "Think about all of the servers that are stored around the world that
    hold repositories of this code. The only way the Arctic vault would be
    useful is if the entire human civilization was essentially wiped out"

    That's what Maersk had thought, before all their servers were hit by NotPetya
    at once; they were saved only by a server in Ghana which happened to be
    offline at the time.

    The point is, it's not unthinkable that all repositories which belong to the same owner, or relate to the same subject, or contain some specific information, are hit at the same time by a carefully directed attack.

    ------------------------------

    Date: 31 May 2020 16:17:08 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: Choosing 2FA authenticator apps can be hard. Ars did it so you
    don't have to (Ars Technica)

    Losing your 2FA codes can be bad. Having backups stolen can be worse. What
    to do?

    My, what a gratuitous mess. The TOTP codes used by 2FA apps are in fact
    base32 character strings to be hashed with a timestamp to produce the
    six-digit codes used for authentication. The QR codes also contain the name
    of the service and sometimes an image of its logo, but the base32 string is
    all that matters. Whenever something shows you the QR code, there is
    invariably a way to get it to show you the string, in case you can't scan
    the QR code, and the apps have a way to enter the string manually.

    Keeping this in mind I can suggest a variety of lowish-tech ways to avoid losing your TOTP strings:

    Scan them into more than one app when you get them.

    Scan them into apps on more than one device. I use my phone, my tablet, and
    a python script on my laptop.

    Put the strings in a file on a device you leave at home, perhaps a USB stick
    in a drawer. Print the strings out on a piece of paper and put it in your wallet, with hints that make sense to you about which string goes with which service. (The hints and the strings need not be in the same order so long as you remember the mapping.)

    It would take an extremely unusual bad guy to first steal your wallet and
    then figure out what the scribbles on the paper mean. On the other hand if
    you lose your phone, you can enter the strings into an app on your new phone
    by hand and you're ready to go.

    ------------------------------

    Date: Mon, 1 Jun 2020 00:52:59 -0400
    From: "R. G. Newbury" <newbury@mandamus.org>
    Subject: Re: Vitamin C (RISKS-31.91)

    This awesome news about Vitamin C is breaking as we .... oh, wait! 71 years old, next month. Clearly it was ignored if not anathematized as impossible
    by the medical establishment. (I am reminded of Helicobacter pylori being 'unpossible'.)

    Dr. Klenner got amazing results against all sorts of viral diseases. The results point to the importance of a healthy immune system as the first line
    of defence.

    Interesting to see that the bureaucracy was already in full force and power back in 1949:

    (3) Routine lumbar puncture would have made it obligatory to report each
    case as diagnosed to the health authorities. This would have deprived myself
    of valuable clinical material and the patients of most valuable therapy,
    since they would have been removed to a receiving center in a nearby town.

    I had to use some web-fu: 1000 mg of Vitamin C is 20,000 IU. So these
    were not small doses and delivery seemed to require injection to be useful.

    Interesting that it works on shingles.
    Thanks to Andre Carezia for finding this and passing it on.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.93
    ************************
