RISKS-LIST: Risks-Forum Digest Friday 5 June 2020 Volume 31 : Issue 95
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.95>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Lawsuit over online book lending could bankrupt Internet Archive
(Ars Technica)
MIT Researchers: If Chips Can't Get Smaller, Programmers Must Get Smarter
(Srividya Kalyanaraman)
Programming Languages: Rust Enters Top 20 Popularity Rankings for the First
Time (Liam Tung)
Pressure on ZOOM Mounts to Provide End-to-End Encryption (Politico)
What does cyber-arms control look like? (Andrew Futter)
Handcrafted phish emails (Dan Jacobson)
Re: Misinformation About George Floyd Protests Surges on Social Media
(Amos Shapir)
Re: Australian Federal Government's automated debt recovery 'Robodebt' was
illegal (Rodney Parkin)
Re: REvil Ransomware Gang Starts Auctioning Victim Data (Paul Edwards)
Surgisphere: governments and WHO changed Covid-19 policy based on suspect
data from tiny US company (The Guardian)
UK Failed to Conduct Data COVID Track/Trace Data Protection Impact
Assessment (Politico)
Re: Just Stop the Superspreading (Peter Ladkin, Henry Baker)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: June 5, 2020 at 14:18:40 GMT+9
From: Dewayne Hendricks <dewayne@warpspeed.com>
Subject: Lawsuit over online book lending could bankrupt Internet Archive
(Ars Technica)
Publishers call online library *willful digital piracy on an industrial
scale*.
Timothy B. Lee, Ars Technica, 1 Jun 2020
<https://arstechnica.com/tech-policy/2020/06/publishers-sue-internet-archive-over-massive-digital-lending-program/>
Four of the nation's leading book publishers have sued the Internet Archive, the online library best known for maintaining the Internet Wayback
Machine. The Internet Archive makes scanned copies of books -- both public domain and under copyright -- available to the public on a site called the
Open Library.
"Despite the Open Library moniker, IA's actions grossly exceed legitimate library services, do violence to the Copyright Act, and constitute willful digital piracy on an industrial scale," write publishers Hachette, HarperCollins, Wiley, and Penguin Random House in their complaint. The
lawsuit was filed in New York federal court on Monday.
For almost a decade, the Open Library has offered users the ability to
"borrow" scans of in-copyright books via the Internet. Until recently, the service was based on a concept called "controlled digital lending" that mimicked the constraints of a conventional library. The library would only "lend" as many digital copies of a book as it had physical copies in its warehouse. If all copies of a book were "checked out" by other patrons,
you'd have to join a waiting list.
In March, as the coronavirus pandemic was gaining steam, the Internet
Archive announced it was dispensing with this waiting-list system. Under a program it called the National Emergency Library, IA began allowing an unlimited number of people to check out the same book at the same time --
even if IA only owned one physical copy.
Before this change, publishers largely looked the other way as IA and a few other libraries experimented with the digital lending concept. Some
publishers' groups condemned the practice, but no one filed a lawsuit over
it. Perhaps the publishers feared setting an adverse precedent if the courts ruled that CDL was legal.
But the IA's emergency lending program was harder for publishers to
ignore. So this week, as a number of states have been lifting quarantine restrictions, the publishers sued the Internet Archive.
In an email to Ars Technica, IA founder Brewster Kahle described the lawsuit
as "disappointing."
"As a library, the Internet Archive acquires books and lends them, as
libraries have always done," he wrote. "Publishers suing libraries for
lending books, in this case, protected digitized versions, and while schools and libraries are closed, is not in anyone's interest."
The publishers have a pretty strong case.
The publishers' legal argument is straightforward: the Internet Archive is making and distributing copies of books without permission from copyright holders. That's generally illegal unless a defendant can show it is
authorized by one of copyright law's various exceptions.
Legal experts tell Ars that the Internet Archive's best response is to
argue that its program is fair use. That's a flexible legal doctrine that
has been used to justify a wide range of copying over the decades -- from recording television broadcasts for personal use to quoting a few sentences
of a book in a review. Most relevant for our purposes, the courts have held that it is a fair use to scan books for limited purposes such as building a book search engine.
When considering a fair use claim, courts consider several factors,
including the impact of the use on the market for the original work. A book search engine, for example, is not a substitute for reading books but,
rather, helps readers find new books they might want to buy. This is one of
the reasons the courts found that book scanning for a search engine was
legal under fair use.
But it's harder to come up with compelling arguments that the Internet Archive's open-ended lending program is fair use.
James Grimmelmann, a copyright scholar at Cornell University, told Ars that
he is withholding judgment until he sees the Internet Archive's
response. However, he said, "it seems like the publishers have a pretty
strong case."
"I think there are arguments for fair use, but they're not terribly strong arguments," he said in a Monday phone interview.
A pandemic exception?
The Internet Archive would have had a stronger argument if it had continued
to limit the number of copies that could be lent out. In that scenario, IA could argue that the program's impact on the market was little different
from a conventional library.
Obviously, a patron who checks out a book from a library is less likely to purchase a copy, undermining the market for the book. On the other hand, libraries themselves buy many books -- and the more popular a book is, the
more copies libraries must buy. So the overall impact of libraries on demand for books is not clear.
But once the IA stopped buying a copy of a book for every copy it lent out, this argument became a lot weaker. An institution like IA can buy a single
copy of a book and then "lend" it to dozens, hundreds, or thousands of
people at the same time. There's little doubt that this has a negative
impact on the market for new books.
Instead, the Internet Archive will likely need to make a more novel argument
-- that the unique circumstances of a pandemic justify allowing types of infringement that would be clearly illegal at other times. Grimmelmann
wasn't able to identify any other cases where courts have made that kind of leap.
------------------------------
Date: Fri, 5 Jun 2020 12:14:15 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: MIT Researchers: If Chips Can't Get Smaller, Programmers Must Get
Smarter (Srividya Kalyanaraman)
Srividya Kalyanaraman, American Inno, 4 Jun 2020,
via ACM TechNews, 5 Jun 2020
Researchers at the Massachusetts Institute of Technology (MIT) suggest the approaching limits of chip miniaturization require future increases in computing power to come from software, algorithms, and specialized
hardware. MIT's Neil Thompson said shrinking processors has been the
standard approach to growing computer performance for decades, "but the
nature of computer processing is changing." Performance extension has long relied on generic hardware and specialized software, but Thompson suggested
it may prove more economical to design hardware for executing particular
tasks, even if speed and other factors must be compromised. He added that
such an approach initially will be applicable to specific areas like supercomputing and quantum computing.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25778x222bb6x066701&
------------------------------
Date: Fri, 5 Jun 2020 12:14:15 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Programming Languages: Rust Enters Top 20 Popularity Rankings for
the First Time (Liam Tung)
Liam Tung, ZDNet, 2 Jun 2020 via ACM TechNews, 5 Jun 2020
The Rust programming language has cracked the top 20 rankings of the Tiobe popularity index for the first time, amid growing interest in using it for systems programming to build major platforms. Microsoft is considering Rust
for Windows and Azure, aiming to eliminate memory bugs in code authored in C and C++; Amazon Web Services is using Rust for performance-sensitive
elements in Lambda, EC2, and S3. Tiobe ranked Rust in 20th place this year versus 38th last year, and although this does not mean more people are using Rust, it demonstrates that more developers are searching for information
about the language. Tiobe software CEO Paul Jansen credited Rust's ascension with being a systems programming language that is "done right." He said,
"All the verbose programming and sharp edges of other languages are solved
by Rust while being statically strongly typed," which "prevents run-time
null pointer exceptions, and memory management is calculated compile-time."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-25778x222bb7x066701&
------------------------------
Date: 5-Jun-2020 15:48:13-GMT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Pressure on ZOOM Mounts to Provide End-to-End Encryption (Politico)
Zoom is facing more pressure to expand its use of end-to-end encryption to
free accounts, which it has said need to be accessible to law enforcement.
On Thursday, Consumer Reports called on Zoom to change course. ``Privacy is
a right, not a luxury. If Zoom has the technical capacity to safeguard conversations with end-to-end encryption, it should offer the same
protections for all its users,'' Justin Brookman, Consumer Reports' director
of privacy and technology policy, said in a statement. Other popular conferencing platforms like Verizon's BlueJeans, Google's Meet and Cisco's Webex offer varying levels of encryption -- features that have drawn more attention since the pandemic forced millions of Americans online for work, school, socializing and medical care.
In the weeks since Zoom announced its encryption plans
<https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering/>,
security experts and consumer advocates have urged
<https://twitter.com/Riana_Crypto/status/1268624308852543488> the
videoconferencing giant to extend the new, more robust protections to free
accounts, not just paid ones. Instead, the company has stood by its plan,
citing the need to monitor meetings that are used to share child sexual
abuse material and engage in other illegal behavior. ``Zoom is dealing with some serious safety issues,'' said Alex Stamos, a former Facebook chief information security officer who is now advising Zoom on security. Zoom
faces ``a difficult balancing act,'' Stamos added, by ``trying to both
improve the privacy guarantees it can provide while reducing the human
impact of the abuse of its product.''
------------------------------
Date: Thu, 04 Jun 2020 17:19:48 +0200
From: "Diego.Latella" <diego.latella@isti.cnr.it>
Subject: What does cyber-arms control look like? (Andrew Futter)
Four principles for managing cyber-risk, European Leadership Network [1],
4 Jun 2020
Andrew Futter [2] - Associate Professor in International Politics at
the University of Leicester
European Leadership Network [3]
I don't quite know whether it is especially computer science or its subdiscipline Artificial Intelligence that has such an enormous affection
for euphemism. We speak so spectacularly and so readily of computer systems that understand, that see, decide, make judgments, and so on, without
ourselves recognizing our own superficiality and immeasurable naivete with respect to these concepts. And, in the process of so speaking, we
anesthetise our ability to evaluate the quality of our work and, what is
more important, to identify and become conscious of its end use. [...] One can't escape this state without asking, again and again: "What do I actually do? What is the final application and use of the products of my work?" and ultimately, "am I content or ashamed to have contributed to this use?" -- Prof. Joseph Weizenbaum ["Not without us", ACM SIGCAS 16(2-3) 2--7, Aug 1986]
[1]
https://www.europeanleadershipnetwork.org/policy-brief/what-does-cyber-arms-control-look-like-four-principles-for-managing-cyber-risk/?mc_cid=4afb27a93d&mc_eid=3429fd5ce8
[2]
https://www.europeanleadershipnetwork.org/person/dr-andrew-futter/
[3]
https://www.europeanleadershipnetwork.org/
[4]
http://www.isti.cnr.it
------------------------------
Date: Fri, 05 Jun 2020 00:54:06 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Handcrafted phish emails
I received one of those evil emails:
"Your Email Account was just signed in on a new Windows device from this
IP 114.058.33.178."
Hey wait, wouldn't that be
114.058.033.178 or
114.58.33.178 ?
Sounds kinda hand crafted.
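The formatting tell in the post above can be checked mechanically. The following is an added example, not part of the original post: a small triage helper that reports whether an IPv4 string quoted in an alert email is canonical dotted decimal, whether any octet carries a leading zero, and whether the zero padding is at least consistent across octets (the poster's point is that "114.058.33.178" is neither plain decimal nor uniformly padded). The sample addresses are constructed for the demonstration.

```python
"""Format checks for an IPv4 address quoted in an alert email.

Added example, not part of the original post. The sample strings in
SAMPLES are constructed for the demonstration.
"""
import re

# Strict dotted-decimal shape: exactly four groups of one to three digits.
_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def check_ipv4_format(text: str) -> dict:
    """Classify how an IPv4 string is written, not just whether it parses.

    parseable       - four numeric octets, each in 0..255
    canonical       - parseable and written without any leading zeros
    leading_zero    - the octets written with a leading zero (e.g. "058")
    uniform_padding - every octet is zero-padded to 3 digits, or none is padded
    canonical_form  - the address rewritten as plain decimal, if parseable
    """
    unparseable = {"parseable": False, "canonical": False, "leading_zero": [],
                   "uniform_padding": False, "canonical_form": None}
    m = _DOTTED.match(text.strip())
    if not m:
        return unparseable
    octets = list(m.groups())
    values = [int(o) for o in octets]
    if any(v > 255 for v in values):
        return unparseable
    leading_zero = [o for o in octets if len(o) > 1 and o[0] == "0"]
    widths = {len(o) for o in octets}
    # Padding is uniform if every octet is 3 wide, or if nothing is padded at all.
    uniform = widths == {3} or not leading_zero
    return {
        "parseable": True,
        "canonical": not leading_zero,
        "leading_zero": leading_zero,
        "uniform_padding": uniform,
        "canonical_form": ".".join(str(v) for v in values),
    }


def phishing_format_tells(text: str) -> list:
    """Human-readable list of formatting oddities worth noting in triage."""
    r = check_ipv4_format(text)
    if not r["parseable"]:
        return ["not a valid dotted-decimal IPv4 address"]
    tells = []
    if r["leading_zero"]:
        # Modern parsers reject leading zeros (legacy inet_aton-style parsers
        # read a leading 0 as octal), so an automated notice would normally
        # print plain decimal; a human typing the address is the likelier source.
        tells.append("leading zero in octet(s): " + ", ".join(r["leading_zero"]))
    if not r["uniform_padding"]:
        tells.append("zero padding is inconsistent across octets")
    return tells


SAMPLES = {  # constructed for the demonstration
    "114.058.33.178": "the address quoted in the phish",
    "114.058.033.178": "what uniform zero padding would look like",
    "114.58.33.178": "canonical dotted decimal",
}

if __name__ == "__main__":
    for addr, note in SAMPLES.items():
        print(f"{addr:16} ({note}): {phishing_format_tells(addr) or ['no tells']}")
```

Run as a script it lists the tells for each sample; `check_ipv4_format` is the piece to reuse inside a mail-filtering rule, since it returns the canonical form alongside the flags.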
------------------------------
Date: Thu, 4 Jun 2020 11:57:36 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Misinformation About George Floyd Protests Surges on Social
Media (RISKS-31.94)
Fight back!
In the current climate of disrespect of decency and reason, it seems that
too many people take an attitude of "Who cares if global warming /
vaccination / moon landing is the result of hard work by tens of thousands
of people over decades -- we know better because we have read an Internet post!"
Things like the Flat Earth society have been viewed as harmless weirdness,
but no more; such ideas had already spilled into the real world and are
causing real damage and even loss of lives. It's time to fight back.
Fighting back does not require overt actions like Buzz Aldrin's punching
the face of a moon landing denier; it's as simple as clicking "reply". I
have taken to replying to any conspiracy-related post sent to me on social media and mail, specifically those forwarded by friends and colleagues.
It's rather easy to find the correct information, either from sites like
*Snopes*, or more often, by just clicking the links included in the message
itself -- almost always, the article's contents contradict the post's headline.
I always urge posters to read the articles, not the headlines. "Don't send
me such posts, I actually click the links!"... A link to a scientific
article posted as "Scientists Show Global Warming is a Hoax" leads to a research which definitely supports the global warming idea; and an article labeled "Soros is out to Destroy America" reveals that his greatest crime is "using his money to support candidates he favors".
I might be considered a nuisance, but this method greatly reduces the
volume of nonsense on my feeds, and hopefully contributes just a bit to
reduce the trend.
------------------------------
Date: Thu, 4 Jun 2020 12:15:48 +1000
From: <rodney.parkin@spitbrook.net>
Subject: Re: Australian Federal Government's automated debt recovery
'Robodebt' was illegal (RISKS-31.94)
To add some context for non-Australian readers, the scheme made 2
fundamental errors.
Firstly, it tried to automatically match income tax returns (which are
assessed on an annual basis), with social security payments (which are
assessed on a fortnightly basis). It was assumed that the recipient's fortnightly income was 1/26 of their annual income. But take, for example, a low income worker with casual work from time to time. In slow 2-week
periods they might be entitled to social security payments, but in better 2-week periods little or no support. By assuming their fortnightly income
was 1/26 of their annual income, the conclusion was often (but incorrectly) made that their social security had been overpaid in the slow times.
Secondly, it sent letters of demand putting the onus of proof onto the recipient, where the recipient had little or no ability to provide such
proof. For example, the claims often related to payments made years before
- long after the recipient would have retained any records. Further, the letters offered no detail on how the "overpayment" was determined - the recipient was given almost no information about which payments were in
dispute nor how the "overpayment" amounts had been calculated. The recipients often didn't even know what data was in dispute, let alone have access to
the records that would allow them to prove their position.
The government embarked on a massive bluff against members of the community least able to defend themselves. It was clear at the time that it was unreasonable, and it is no surprise that it was eventually reversed.
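The first error described above (averaging annual income over 26 fortnights) can be shown in a few lines. This is an added example, not part of the original post: the income test is a hypothetical, simplified one (a full rate up to a free area, then a taper per dollar earned above it) and the casual worker's fortnightly earnings are constructed; the real Australian rules differ in detail, but the averaging error does not depend on those details.

```python
"""Why averaging annual income over 26 fortnights manufactures an "overpayment".

Added example, not part of the original post. FULL_RATE, FREE_AREA and TAPER
are hypothetical parameters; the fortnightly incomes are constructed.
"""

FORTNIGHTS = 26
FULL_RATE = 500.0   # hypothetical full fortnightly payment
FREE_AREA = 150.0   # hypothetical income allowed before the payment is reduced
TAPER = 0.5         # hypothetical reduction per dollar earned above FREE_AREA


def entitlement(fortnight_income: float) -> float:
    """Payment owed for one fortnight under the hypothetical income test."""
    excess = max(0.0, fortnight_income - FREE_AREA)
    return max(0.0, FULL_RATE - TAPER * excess)


def constructed_casual_incomes() -> list:
    """Constructed earnings: 21 slow fortnights with no work, 5 busy ones."""
    incomes = [0.0] * FORTNIGHTS
    for busy in (3, 9, 15, 21, 24):
        incomes[busy] = 2600.0
    return incomes


def paid_fortnightly(incomes: list) -> list:
    """What the fortnightly rule actually paid, period by period."""
    return [entitlement(x) for x in incomes]


def averaged_method_debt(incomes: list, paid: list) -> dict:
    """The flawed reconstruction: assume income was annual_total / 26 every fortnight.

    Busy fortnights (no entitlement) and slow ones (full entitlement) are
    smeared into 26 identical middling fortnights, each with a reduced
    entitlement, so the recomputed annual entitlement falls below what the
    fortnightly rule correctly paid and the gap is reported as a debt.
    """
    annual_total = sum(incomes)
    assumed_fortnightly_income = annual_total / FORTNIGHTS
    reconstructed = FORTNIGHTS * entitlement(assumed_fortnightly_income)
    return {
        "actual_paid": sum(paid),
        "reconstructed_entitlement": reconstructed,
        "claimed_debt": sum(paid) - reconstructed,
    }


def fortnightly_method_debt(incomes: list, paid: list) -> float:
    """The correct reconstruction, using the real fortnightly income records."""
    return sum(paid) - sum(entitlement(x) for x in incomes)


if __name__ == "__main__":
    incomes = constructed_casual_incomes()
    paid = paid_fortnightly(incomes)
    print("averaged method:", averaged_method_debt(incomes, paid))
    print("recomputed from fortnightly records:", fortnightly_method_debt(incomes, paid))
```

With these constructed figures the averaged method claims a 2050 debt against someone who was paid exactly what the rule allowed; recomputing from the fortnightly records gives zero. Showing that, of course, requires the fortnightly records, which is where the second error in the post (putting the onus of proof on a recipient who no longer has them) bites.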
------------------------------
Date: Thu, 4 Jun 2020 11:01:11 +1000
From: Paul Edwards <paule@cathicolla.com>
Subject: Re: REvil Ransomware Gang Starts Auctioning Victim Data
(RISKS-31.94)
This is fascinating. Effectively these guys are packaging up bad debt and selling it. It just happens that the collateral against that debt is data rather than a house, car, or boat. I wonder if the auction is a fraction of
the extortion demanded. Will we have a GDC (Global Data Crisis)? What next? Data futures contracts? :)
Paul (with tongue slightly in cheek)
------------------------------
Date: Fri, 5 Jun 2020 00:33:42 -0400
From: Gabe Goldberg <ggoldberg@apcug.org>
Subject: Surgisphere: governments and WHO changed Covid-19 policy
based on suspect data from tiny US company (The Guardian)
Surgisphere, whose employees appear to include a sci-fi writer and adult content model, provided database behind Lancet and New England Journal of Medicine hydroxychloroquine studies
The World Health Organization and a number of national governments have
changed their Covid-19 policies and treatments on the basis of flawed data
from a little-known U.S. healthcare analytics company, also calling into question the integrity of key studies published in some of the world's most prestigious medical journals.
A Guardian investigation can reveal the U.S.-based company Surgisphere,
whose handful of employees appear to include a science fiction writer and an adult-content model, has provided data for multiple studies on Covid-19 co-authored by its chief executive, but has so far failed to adequately
explain its data or methodology.
Data it claims to have legitimately obtained from more than a thousand hospitals worldwide formed the basis of scientific articles that have led to changes in Covid-19 treatment policies in Latin American countries. It was
also behind a decision by the WHO and research institutes around the world
to halt trials of the controversial drug hydroxychloroquine. On Wednesday,
the WHO announced those trials would now resume.
Two of the world's leading medical journals -- the Lancet and the New
England Journal of Medicine -- published studies based on Surgisphere
data. The studies were co-authored by the firm's chief executive, Sapan
Desai.
Late on Tuesday, after being approached by the Guardian, the Lancet released
an `expression of concern' about its published study. The New England
Journal of Medicine has also issued a similar notice.
An independent audit of the provenance and validity of the data has now been commissioned by the authors not affiliated with Surgisphere because of ``concerns that have been raised about the reliability of the database.''
https://www.theguardian.com/world/2020/jun/03/covid-19-surgisphere-who-world-health-organization-hydroxychloroquine
------------------------------
Date: Fri, 5 Jun 2020 11:40:30 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: UK Failed to Conduct Data COVID Track/Trace Data Protection Impact
Assessment (Politico)
U.K. FACING COMPLAINT OVER LACK OF DATA PROTECTION SAFEGUARDS -- Privacy advocates have filed a complaint with the U.K. data protection authority for failing to conduct a data protection impact assessment for its coronavirus track-and-trace program. ``The Government is moving too fast, and breaking things as a result,'' James Killock of the Open Rights Group said. Ravi
Naik, the lawyer assisting Killock with the complaint, said that deploying
the tracing program without implementing the proper safeguards is a
*disaster*.
<https://www.politico.eu/article/uk-test-trace-privacy-data-impact-assessement/>
------------------------------
Date: Thu, 4 Jun 2020 09:52:23 +0200
From: Peter Bernard Ladkin <ladkin@causalis.com>
Subject: Re: Just Stop the Superspreading (Baker, Risks 31-94)
In Risks 31-94, Henry Baker says that "The NYTimes article below attributes
the bulk of COVID19 spread to "superspreaders" and "superspreading
events". "
Indeed so, but better to cite the source. This info is three months old already, from the London School of Hygiene and Tropical Medicine Centre for Mathematical Modelling of Infectious Diseases (LSHTM CMMID). It has recently been confirmed in two preprints from late May.
The technical expression is that the disease has an overdispersion parameter
value of about 0.1, according to the CMMID estimate. (The parameter is
usually denoted as "k".)
Baker drew attention in Risks 31.84 to a mathematical situation with significant overdispersion even with a low basic reproduction number. He
seemed to want to turn that exercise into a critique of the concept of R0 in particular and SIR models in general, which puzzled me. As far as I know,
the CMMID result was obtained with an SIR model.
The published source is Endo et al.,
https://wellcomeopenresearch.org/articles/5-67 . This article was available
in preprint first on March 11, 2020 at
https://cmmid.github.io/topics/covid19/
The k value has been recently confirmed by an Israeli preprint about a different group of cases, Miller et al, 2020-05-22
https://www.medrxiv.org/content/10.1101/2020.05.21.20104521v1 and by a
preprint from Hong Kong, Adam et al
https://www.researchsquare.com/article/rs-29548/v1 from 2020-05-21 (Baker extensively quotes an NYT opinion article from Adam and co-author Cowling).
The result, that most of the infection comes from superspreading, deriving directly from the k value of around 0.1, seems now to be generally
accepted. German government advisor, virologist Christian Drosten, mentioned
it in his podcast last week
https://www.ndr.de/nachrichten/info/podcast4684.html (in German), and Oxford epidemiologist David Hunter in a Guardian opinion piece
https://www.theguardian.com/commentisfree/2020/may/28/coronavirus-infection-rate-too-high-second-wave
Prof. Peter Bernard Ladkin, Bielefeld, Germany Styelfy Bleibgsnd
www.rvs-bi.de
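The step from "k is about 0.1" to "most of the infection comes from superspreading" is a calculation on the offspring distribution, and it is worth seeing carried out. The following is an added example, not from Ladkin's post and not the code of Endo et al.: it uses the negative-binomial offspring model (mean R0, dispersion k) that the CMMID work is based on, computes the probability mass function directly, and reports the smallest proportion of infected individuals responsible for a given share of onward transmission. R0 = 2.5 is an assumed value for the illustration; k = 0.1 is the estimate quoted in the post, and k = 1 is included for contrast.

```python
"""From an overdispersion parameter k to "a few cases cause most infections".

Added example, not from the post above or from Endo et al. Offspring model:
negative binomial with mean r0 and dispersion k (small k = high overdispersion).
r0 = 2.5 is an assumption for the illustration; k = 0.1 is the quoted estimate.
"""
import math


def negbin_pmf(x: int, r0: float, k: float) -> float:
    """P(X = x) for a negative binomial with mean r0 and dispersion k.

    Computed in log space so large x does not overflow the gamma function.
    """
    log_p = (math.lgamma(x + k) - math.lgamma(k) - math.lgamma(x + 1)
             + k * math.log(k / (r0 + k)) + x * math.log(r0 / (r0 + k)))
    return math.exp(log_p)


def share_of_cases_causing(share: float, r0: float, k: float,
                           max_x: int = 5000) -> float:
    """Smallest proportion of infected individuals producing `share` of transmissions.

    Walk the offspring distribution from the most infectious individuals
    downwards, accumulating the people and the transmissions they cause, and
    interpolate within the boundary group. max_x truncates the tail; for the
    parameters used here the mass beyond it is negligible.
    """
    pmf = [negbin_pmf(x, r0, k) for x in range(max_x + 1)]
    total_transmission = sum(x * p for x, p in enumerate(pmf))  # ~ r0
    people = 0.0
    transmissions = 0.0
    for x in range(max_x, 0, -1):
        contrib = x * pmf[x] / total_transmission
        if transmissions + contrib >= share:
            fraction_of_group = (share - transmissions) / contrib
            return people + fraction_of_group * pmf[x]
        people += pmf[x]
        transmissions += contrib
    return people


def proportion_causing_none(r0: float, k: float) -> float:
    """Share of infected individuals who infect nobody at all."""
    return negbin_pmf(0, r0, k)


if __name__ == "__main__":
    R0 = 2.5  # assumed for the illustration
    for k in (0.1, 1.0):
        top = share_of_cases_causing(0.8, R0, k)
        none = proportion_causing_none(R0, k)
        print(f"k={k}: 80% of transmission comes from the top {top:.1%} of cases;"
              f" {none:.1%} of cases infect nobody")
```

With k = 0.1 the top ten percent or so of cases account for 80% of transmission and roughly seven in ten infected people infect nobody; with k = 1 (a geometric offspring distribution, same R0) the top 80% needs about a third of cases. Note that R0 is the same mean in both runs; k changes only how that mean is distributed across individuals, which is the distinction at issue in this exchange.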
------------------------------
Date: Thu, 04 Jun 2020 08:53:22 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: Just Stop the Superspreading (Ladkin, RISKS-31.95)
Once again, Peter Ladkin is misinterpreting my criticism of "R0"-based
models.
The problem is a fundamental *logical* problem: if one uses an English term "*THE* R0", it presumes that there is such a more-or-less well-defined
"number" which is named "R0". But as I have argued, and continue to argue, there is *NO* such individual "number" in the case of superspreaders, since
the *variance* associated with this "number" is so large.
Perhaps the best analogy comes from quantum physics. Classical physics presumed the independent existence of "position" and "momentum" of a
particle, but quantum physics showed that any such notions quickly lead to contradictions with actual experiments, so any attempt to utilize terms like "THE position" or "THE momentum" demonstrates conclusively the lack of understanding by the speaker of the true nature of the situation in our
actual quantum world.
For example, the phrase "THE position" of an electron surrounding the proton
in a hydrogen atom demonstrates conclusively the ignorance of the speaker of the concepts of quantum mechanics. Ditto with "THE orbit", "THE momentum", etc.
Similarly, any use of the phrase "THE reproduction number" demonstrates conclusively the ignorance of the speaker of the concept of
"superspreaders".
For fifty years after Heisenberg, logicians, reporters and popular science writers destroyed entire forests trying to describe quantum physics using *classical* physical terminology; they failed miserably and only produced
more confusion. Even Einstein himself -- whose paper on the *quantum*
nature of the photoelectric effect won him his Nobel Prize -- was never able
to become comfortable with the 'spooky action at a distance' nature of
quantum mechanics. Einstein couldn't force the reality of quantum mechanics onto the Procrustean bed of existing naive concepts and words.
Similarly the COVID19 pandemic is causing the destruction of entire virtual forests by talking fat(uous) heads, reporters and popular science writers trying to explain what "THE" reproduction number is, when the demonstrated existence of superspreaders -- e.g., the Boston hotel event, a NY bat
mitzvah, or a choir practice -- proves that there is NO single reproduction number which can provide any intuition for clear thinking about what is
going on with this pandemic.
If the confusion were restricted to non-scientists, such logical errors
might be excused. Unfortunately, some "scientists" were successful at convincing many politicians to panic due to fatally flawed "models" whose outputs had confidence intervals that wouldn't fit into their conference
room, much less onto their slides (apologies to XKCD:
https://m.xkcd.com/2311/).
U.S. President Lincoln was well aware of how improper usage of words can
lead to logical errors. When Lincoln was asked "how many legs does a dog
have if you call his tail a leg?", Lincoln quickly replied, "Four; saying
that a tail is a leg doesn't make it a leg."
------------------------------
Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 31.95
************************