Risks Digest 32.08

    From RISKS List Owner@21:1/5 to All on Wed Jul 8 01:14:54 2020
    RISKS-LIST: Risks-Forum Digest Tuesday 7 July 2020 Volume 32 : Issue 08

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.08>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    No Injuries In Red Line Metro Derailment Outside Silver Spring (DCist)
    In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)
    Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)
    Supreme Court bans debt collection robocalling to cellphones (TypePad)
    Goodbye to the Wild Wild Web (NYTimes)
    Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)
    Risks of Editing Wikipedia (Aida Chavez)
    Not so random acts: Science finds that being kind pays off (APNews)
    How my dad got scammed for $3,000 worth of gift cards (Zachary Crockett)
    Japanese startup creates 'connected' face mask for coronavirus new normal
    (Reuters)
    What we need is social-media distancing (Spectator)
    Early Covid-19 tracking apps easy prey for hackers, and it might get worse
    before it gets better (Jumbo Privacy)
    Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse (Keith Medcalf)
    Re: Jane Goodall on conservation, climate change and COVID-19 (CBS News,
    Dennis Allison)
    Re: A Doctor Confronts Medical Errors (Amos Shapir)
    Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water
    System (Bill Matthews)
    Quote of The Day (Calvin Coolidge)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 7 Jul 2020 17:49:41 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: No Injuries In Red Line Metro Derailment Outside Silver Spring
    (DCist)

    The Washington Metrorail Safety Commission, the independent body overseeing Metro safety, says its preliminary investigation found the operator ran a
    red signal, which has been a fireable offense in previous instances.

    How can modern trains run red signals? Even without Positive Train Control, automatic stop-on-red has been around for a long time. That seems better
    than firing after offenses.

    https://dcist.com/story/20/07/07/first-two-cars-of-wmata-train-comes-off-tracks-outside-silver-spring-no-serious-injuries/

    ------------------------------

    Date: Tue, 7 Jul 2020 12:11:49 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)

    As the city grapples with new restrictions on online speech, American tech giants are on the front line of a clash between China and the United States over the Internet's future.

    https://www.nytimes.com/2020/07/07/business/hong-kong-security-law-tech.html

    ------------------------------

    Date: Tue, 7 Jul 2020 17:26:21 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)

    A group dubbed Cosmic Lynx uses surprisingly sophisticated methods -- and targets big game.

    For years, costly email grifts have largely been the provenance of West
    African scammers, particularly those based in Nigeria <https://www.wired.com/story/feds-bust-nigerian-email-scammers/>. A newly discovered "business email compromise" campaign, though, appears to come
    from a criminal group in a part of the world better known for a different
    brand of online mayhem: Russia.

    Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns
    since July 2019, according to researchers from the email security firm
    Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles.
    The researchers, who have worked extensively on tracking Nigerian BEC
    scammers, say they don't have a clear sense of how often Cosmic Lynx
    actually succeeds at obtaining a payout. Given that the group hasn't lowered its asks in a year, though, and has been prolific about developing new campaigns -- including some compelling Covid-19–related scams -- Agari reasons that Cosmic Lynx must be raking in a fair amount of money.

    https://www.wired.com/story/russian-hackers-email-scams/

    ------------------------------

    Date: Tue, 7 Jul 2020 10:23:14 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Supreme Court bans debt collection robocalling to cellphones
    (TypePad)

    https://pubcit.typepad.com/clpblog/2020/07/supreme-court-bans-debt-collection-robocalling-to-cellphones.html
    https://pubcit.typepad.com/clpblog/2020/07/severability-to-the-rescue-again-a-further-note-on-todays-supreme-court-robocalling-decision.html
    https://www.supremecourt.gov/opinions/19pdf/19-631_2d93.pdf

    ------------------------------

    Date: Fri, 3 Jul 2020 15:58:26 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Goodbye to the Wild Wild Web (NYTimes)

    The Internet is changing, and the freewheeling, anything-goes culture of
    social media is being replaced by something more accountable.

    https://www.nytimes.com/2020/07/02/technology/goodbye-to-the-wild-wild-web.html

    ------------------------------

    Date: Sat, 4 Jul 2020 17:18:04 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)

    Adam Nossiter, *The New York Times*, 3 July 2020

    Paris -- The police in Europe arrested hundreds of people on suspicion of
    drug trafficking and other crimes, after successfully hacking into an
    encrypted phone network being used by organized criminals around the world. Millions of messages were read in real time. PGN-ed

    ------------------------------

    Date: Sat, 04 Jul 2020 06:56:17 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Risks of Editing Wikipedia (Aida Chavez)

    [Right on cue re: Orwell, from the Ministry of Truth (Minitrue).. HB]

    Aida Chavez, The Intercept, 2 Jul 2020 https://theintercept.com/2020/07/02/kamala-harris-wikipedia/

    There's a War Going On Over Kamala Harris's Wikipedia Page, with
    Unflattering Elements Vanishing

    California Democratic Sen. Kamala Harris is widely seen as a frontrunner for
    a spot on the ticket with presumptive nominee Joe Biden, with vetting well underway.

    Presidential vetting operations have entire teams of investigators, but for
    the public, when the pick is announced, the most common source for
    information about the person chosen is Wikipedia. And there, a war has
    broken out over how to talk about Harris's career.

    [Long item pruned for RISKS by your moderator, who notes that what was on
    wikipedia for me for many years was way out of date. I just checked for
    the first time in several years and see that the earlier version has been
    considerably updated! Many thanks to whomever had the patience to do
    that. PGN]

    ------------------------------

    Date: Sun, 5 Jul 2020 01:16:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Not so random acts: Science finds that being kind pays off

    Acts of kindness may not be that random after all. Science says being kind
    pays off.

    Research shows that acts of kindness make us feel better and healthier. Kindness is also key to how we evolved and survived as a species, scientists say. We are hard-wired to be kind.

    [But apparently not for all values of "we". PGN]

    Kindness ``is as bred in our bones as our anger or our lust or our grief or
    as our desire for revenge,'' said University of California San Diego psychologist Michael McCullough, author of the forthcoming book, *Kindness
    of Strangers*. It's also, he said, ``the main feature we take for
    granted.''

    Scientific research is booming into human kindness and what scientists have found so far speaks well of us.

    ``Kindness is much older than religion. It does seem to be universal,'' said University of Oxford anthropologist Oliver Curry, research director at
    Kindlab. ``The basic reason why people are kind is that we are social animals.''

    We prize kindness over any other value. When psychologists lumped values
    into ten categories and asked people what was more important, benevolence or kindness, comes out on top, beating hedonism, having an exciting life, creativity, ambition, tradition, security, obedience, seeking social justice and seeking power, said University of London psychologist Anat Bardi, who studies value systems.

    ``We're kind because under the right circumstances we all benefit from kindness,'' Oxford's Curry said.

    When it comes to a species' survival, ``kindness pays, friendliness pays,'' said Duke University evolutionary anthropologist Brian Hare, author of the
    new book *Survival of the Friendliest* <https://amzn.to/2NS4JDs>

    Kindness and cooperation work for many species, whether it's bacteria,
    flowers or our fellow primate bonobos. The more friends you have, the more individuals you help, the more successful you are, Hare said.

    For example, Hare, who studies bonobos and other primates, compares
    aggressive chimpanzees, which attack outsiders, to bonobos where the animals don't kill but help out strangers. Male bonobos are far more successful at mating than their male chimp counterparts, Hare said.

    McCullough sees bonobos as more the exceptions. Most animals aren't kind or helpful to strangers, just close relatives so in that way it is one of the traits that separate us from other species, he said. And that, he said, is because of the human ability to reason.

    Humans realize that there's not much difference between our close relatives
    and strangers and that someday strangers can help us if we are kind to them, McCullough said. [...]
    https://apnews.com/f487b63befb2f4c3181404bcc87be1c1

    ------------------------------

    Date: Sun, 5 Jul 2020 09:27:01 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: How my dad got scammed for $3,000 worth of gift cards
    (Zachary Crockett)

    At 2:30 pm on a recent Monday, my dad received a jarring phone call.

    A man claiming to be a federal agent (David White, ID #US2607-12) told him there was an abandoned car in El Paso, Texas, rented in his name. Inside
    the car, they'd found a pile of cash, blood, and drugs. His Social Security number had been linked to 7 different bank accounts, $230k in wired funds,
    and a rental unit stocked with 22 lbs. of cocaine.

    If my dad -- a 66-year-old retiree with cancer -- didn't cooperate, Agent White would freeze his bank account and pursue criminal charges. ...

    https://thehustle.co/phone-scam-gift-cards/

    ------------------------------

    Date: Sun, 5 Jul 2020 01:14:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Japanese startup creates 'connected' face mask for coronavirus new
    normal (Reuters)

    As face coverings become the norm amid the coronavirus pandemic, Japanese startup Donut Robotics has developed an Internet-connected `smart mask' that can transmit messages and translate from Japanese into eight other
    languages.

    The white plastic `c-mask' fits over standard face masks and connects via Bluetooth to a smartphone and tablet application that can transcribe speech into text messages, make calls, or amplify the mask wearer's voice.

    ``We worked hard for years to develop a robot and we have used that
    technology to create a product that responds to how the coronavirus has reshaped society,'' said Taisuke Ono, the chief executive of Donut
    Robotics. [...]

    https://www.reuters.com/article/us-health-coronavirus-japan-mask-technol/japanese-startup-creates-connected-face-mask-for-coronavirus-new-normal-idUSKBN23X190

    ------------------------------

    Date: Sun, 5 Jul 2020 01:15:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: What we need is social-media distancing (Spectator)

    Social media brings out the worst in us because the algorithm rewards us
    for being tribal, divisive and emotional

    Nearly three months into lockdown, 40 million Americans were unemployed.
    Kids lost out on three months of schooling. Businesses shuttered, many never
    to open again. Mental health suffered. People lost their homes. Tens of thousands died alone in hospitals, family members were prevented from
    holding the hands of their loved ones in their final days, and in many cases they weren't allowed to bury them or hold a funeral.

    Parents struggled to balance distance learning and work. Teachers worried
    that their most vulnerable students weren't logging in to class. People couldn't receive medical treatment or attend birthdays and graduations.

    But humans are creative, resilient creatures, and it didn't take long before
    we adjusted to living online. Necessity forced ingenuity. AA meetings,
    fitness classes, happy hours and business meetings all pivoted to Zoom. We started group chats with family members and college friends to stay
    connected. Mostly, we shared memes.

    We posted pictures of the dog we adopted, or the sourdough we attempted to make, or the projects in our houses we'd been putting off forever that we finally got to finish, just to try to stay optimistic. There were silver linings, too. Much ink was spilled about learning to slow down, finding joy
    in being home with the family. All that time commuting -- was it worth it?
    Who did we value -- and why? Instead of honoring celebrities, athletes and musicians, we applauded nurses, doctors, truck drivers and grocery-store cashiers. We smiled at each other with our eyes as we stood six feet apart
    in lines. A feeling of solidarity and grit in the face of a common hardship pervaded, for a brief moment.

    Pundits wondered, naively, Did COVID-19 kill the culture wars? [...]
    https://spectator.us/need-social-media-distancing-protest-internet/

    ------------------------------

    Date: Tue, 7 Jul 2020 01:15:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Early Covid-19 tracking apps easy prey for hackers, and it might
    get worse before it gets better (Jumbo Privacy)

    The apps could prove vital to curtailing the virus's spread as states
    reopen, but security fears may make them unpopular with users.

    The push to use smartphone apps to track the spread of coronavirus is
    creating a potential jackpot for hackers worldwide -- and the U.S. offers a fat loosely defended target.

    In the Qatar Covid-19 app, researchers found a vulnerability that would've
    let hackers obtain more than a million people's national ID numbers and
    health status. In India's app, a researcher discovered a security gap that allowed him to determine who was sick in individual homes. And researchers uncovered seven security flaws in a pilot app in the U.K.

    The U.S. is just starting to use these contact tracing apps -- which track
    who an infected person may have had contact with -- but at least one app has already experienced a data leak. North Dakota conceded in May that its smartphone app, Care19, had been sending users' location data to the
    digital marketing service Foursquare. The issue has since been fixed, *according to the privacy app developer* that discovered the leak.

    <https://blog.jumboprivacy.com/care19-update-foursquare-allows-developers-to-disable-idfa-collection.html>

    To date, the public debate about whether to use contact tracing apps -- a potentially crucial strategy for reopening economies during the pandemic -- *has centered mostly on* what data to collect and who should have access to
    it, but cybersecurity insiders say the apps are also highly vulnerable to attacks that could expose data ranging from user names to location data.
    <https://www.politico.com/news/2020/06/10/google-and-apples-rules-for-virus-tracking-apps-sow-division-among-states-312199>

    And the U.S. has its own unique vulnerabilities: a fragmented collection of apps, tiny state cybersecurity budgets and stalled legislation in Congress
    that makes federal government rules unlikely anytime soon. [...]
    https://www.politico.com/news/2020/07/06/coronavirus-tracking-app-hacking-348601

    ------------------------------

    Date: Sun, 05 Jul 2020 07:56:52 -0600
    From: "Keith Medcalf" <kmedcalf@dessus.com>
    Subject: Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse
    Engineers (RISKS-32.07)

    For instance, the use of insecure communications (e.g., unencrypted HTTP),
    is now only found in a minority of Bishop Fox client product assessments, which gives a somewhat positive (and admittedly biased) picture of IoT security trends.

    HTTPS is *not* a security protocol. It is a *privacy* protocol. It has absolutely ZERO impact on security, which is quite a different thing
    entirely than privacy. Simply wrapping a security vulnerability inside *private* transport does absolutely nothing for security.
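
    [As an added illustration of the point above, not part of Medcalf's message
    and not code from Bishop Fox or any real product: a hypothetical IoT device
    API handled by the same function whether the request arrived over plaintext
    HTTP or over TLS. The device, its /api/set_dns endpoint, the header name and
    the provisioning secret are all assumed for the example. The vulnerable
    handler lets any client that can reach the port repoint the device's DNS
    resolver; the transport cannot change that outcome because the attacker is
    the client, not an eavesdropper. The hardened handler puts the
    authorization decision where it has to live, in the application layer.]

```python
"""Added example (not from the RISKS post or Bishop Fox): an IoT-style device
API reached identically over plaintext and TLS transports, showing that a
missing authorization check is untouched by transport encryption.
Every name here (device, endpoint, header, secret) is hypothetical."""

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Assumed per-device provisioning secret (hypothetical; a real device would
# derive this from a secure element or a pairing step).
DEVICE_SECRET = b"hypothetical-device-secret"


@dataclass
class Request:
    transport: str                  # "http" or "https", decided by the listening socket
    path: str
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    dns_server: str = "192.0.2.53"  # RFC 5737 documentation address


Handler = Callable[[Device, Request], Tuple[int, str]]


def handle_vulnerable(dev: Device, req: Request) -> Tuple[int, str]:
    """No authorization at all: whoever can reach the port owns the resolver.
    Note that req.transport is never consulted; encryption of the channel
    is irrelevant to what this function decides."""
    if req.path == "/api/set_dns":
        dev.dns_server = req.params["server"]
        return 200, "ok"
    return 404, "not found"


def _token_for(path: str) -> str:
    """Per-endpoint HMAC token a legitimately paired client would present."""
    return hmac.new(DEVICE_SECRET, path.encode(), hashlib.sha256).hexdigest()


def handle_hardened(dev: Device, req: Request) -> Tuple[int, str]:
    """Same endpoint, with the check in the application layer: the caller must
    present the expected token, compared in constant time."""
    if req.path == "/api/set_dns":
        presented = req.headers.get("X-Device-Token", "")
        if not hmac.compare_digest(presented, _token_for(req.path)):
            return 403, "forbidden"
        dev.dns_server = req.params["server"]
        return 200, "ok"
    return 404, "not found"


def attacker_hijacks_dns(handler: Handler, transport: str) -> bool:
    """Unauthenticated attacker tries to redirect the device's resolver over
    the given transport; True if the hijack succeeded."""
    dev = Device()
    req = Request(transport=transport, path="/api/set_dns",
                  params={"server": "198.51.100.66"})  # attacker's resolver (RFC 5737)
    status, _ = handler(dev, req)
    return status == 200 and dev.dns_server == "198.51.100.66"


def compare_transports(handler: Handler) -> Dict[str, bool]:
    """Run the same handler behind both transports. The outcome is a property
    of the handler, not of the channel the request travelled over."""
    return {t: attacker_hijacks_dns(handler, t) for t in ("http", "https")}


if __name__ == "__main__":
    print("vulnerable handler, hijack succeeded:", compare_transports(handle_vulnerable))
    print("hardened handler,   hijack succeeded:", compare_transports(handle_hardened))
```

    Running it prints {'http': True, 'https': True} for the vulnerable handler
    and {'http': False, 'https': False} for the hardened one: the transport
    column never changes the answer, only the presence of the check does.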

    ------------------------------

    Date: Sat, 4 Jul 2020 01:13:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Re: Jane Goodall on conservation, climate change and COVID-19

    "If we carry on with business as usual, we're going to destroy ourselves"

    While COVID-19 and protests for racial justice dominate the world's collective attention, ecological destruction, species extinction and climate change continue unabated. While the world's been focused on other crises, an
    alarming study was released warning that species extinction is now
    progressing so fast that the consequences of "biological annihilation" may
    soon be "unimaginable." <https://www.cbsnews.com/news/species-extinction-risk-biological-annihilation-study/>

    Dr. Jane Goodall <https://www.janegoodall.org/>, the world-renowned conservationist, desperately wants the world to pay attention to what she
    sees as the greatest threat to humanity's existence.

    CBS News recently spoke to Goodall over a video conference call and asked
    her questions about the state of our planet. Her soft-spoken grace somehow helped cushion what was otherwise extremely sobering news: "I just know that
    if we carry on with business as usual, we're going to destroy ourselves. It would be the end of us, as well as life on Earth as we know it," warned Goodall. [...]

    https://www.cbsnews.com/news/jane-goodall-climate-change-coronavirus-environment-interview/

    ------------------------------

    Date: Sat, Jul 4, 2020 at 6:27 AM
    From: Dennis Allison <dennis.allison@gmail.com>
    Subject: Re: Jane Goodall on conservation, climate change and COVID-19
    (RISKS-32.07)

    "If we carry on with business as usual, we're going to destroy ourselves"

    Geoff, anyone tracking the posts you've made knows that Jane Goodall has
    gotten her tense wrong; we are already extinct. We might be able to save ourselves from extinction were we to mount a cooperative global effort to mitigate the impacts that are going to occur no matter what we do. The likelihood of that is about the same as a snowball's chance of survival in
    the antarctic where temperatures reached 65 degrees Fahrenheit.

    ------------------------------

    Date: Sat, 4 Jul 2020 12:03:03 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: A Doctor Confronts Medical Errors (RISKS-32.07)

    Every documentary I've ever watched about a rare disease or medical
    condition, always repeats the same story: A patient develops some symptoms, doctors diagnose it as some common condition, treatment is not effective.
    It might take a long time -- sometimes years -- for one curious doctor to realize it's a rare condition, and try to analyze it correctly.

    It seems that doctors use analysis algorithms that always come up pointing
    to a common condition -- which may be correct in a large majority of cases,
    but is never "this may be a rare case, further investigation is needed".

    Such methods may be understandable when working under constant pressure and diminishing budgets, but doctors now employ computerized systems, which can present them with a greater variety of options -- but do not. It seems that the same old algorithms had just been computerized with no added sophistication. AI systems wouldn't help either, if they are trained using data which is generated by the old methods.

    ------------------------------

    Date: Sat, 4 Jul 2020 21:30:21 -0400
    From: Bill Matthews <yellow.tropicana@gmail.com>
    Subject: Re: Smells Fishy? The Fish That Prevent Iran From Hacking
    Israel's Water System (RISKS-32.06)

    What kind of fish is it that can live in chlorinated water?

    When our local potable water supplier intends to change the level of chlorination or the kind of chlorinating-chemical in our water, it's
    advertised in the local paper prior to their making the change. It's advertised prior to the event so that aquarists can appropriately adapt to
    the change in chlorination.

    ------------------------------

    Date: Sat, 4 Jul 2020 01:10:00 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Quote of The Day

    Calvin Coolidge, 150th Anniversary of the Declaration of Independence:

    "We live in an age of science and of abounding accumulation of material
    things. These did not create our Declaration. Our Declaration created
    them."

    https://nsjonline.com/article/2020/06/hill-president-calvin-coolidge-on-the-150th-anniversary-of-the-declaration-of-independence-july-5-1926/

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.08
    ************************
