Risks Digest 32.14

    From RISKS List Owner@21:1/5 to All on Sun Jul 26 23:58:16 2020
    RISKS-LIST: Risks-Forum Digest Sunday 26 July 2020 Volume 32 : Issue 14

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.14>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Anatomy of an Election `Meltdown' in Georgia (NYTimes)
    Intel's Stunning Failure Heralds End of Era for U.S. Chip Sector (Bloomberg)
    Russia's GRU hackers hit U.S. government and energy targets (Ars Technica)
    Unsolicited Chinese seeds? (Washington State Dept of Agriculture)
    Homeland in Portland? No, USAF. (The Intercept)
    Finally there's a handbook on voting (Kimberly Wehle)
    Conflict Over a Rental Car Leads to Elusive ATM Skimming Suspect (NYTimes)
    Letting Your Insurer Ride Shotgun, for a Discounted Rate (NYTimes)
    The three worst things about email, and how to fix them (WashPost)
    PDF signatures useless (ZDNet)
    Google is aware of 'w5' Wi-Fi failures on some Nest thermostats and
      providing replacements (Android Police)
    Re: Boeing's future is cloudy as it tries to restore credibility
      (Joseph Gwinn)
    Re: European Public Sphere Towards Digital Sovereignty for Europe
      (Drew Dean)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 26 Jul 2020 12:44:01 -0700
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Anatomy of an Election `Meltdown' in Georgia (NYTimes)

    ... Was the Result of a Cascade of Failures
    Danny Hakim, Reid J. Epstein, and Stephanie Saul
    *The New York Times*, 26 July 2020
    National Edition front page continued in pp.22-23.

    Struggles to get the new high-tech voting system working, failures to detect
    check marks instead of 'X', a huge management problem, a barrage of partisan
    blame-throwing, Reps blame Fulton County (Atlanta, Dems), Dems blame just
    another Rep effort to disenfranchise Dems, problems still unresolved six
    weeks later, with no signs of any improvements for November. "It has become
    increasingly clear that what happened in June was a collective collapse.''
    [Seriously PGN-ed, but the entire article is really scary and ominous.]

    ------------------------------

    Date: Sat, 25 Jul 2020 17:36:53 +0900
    From: David Farber <farber@keio.jp>
    Subject: Intel's Stunning Failure Heralds End of Era for U.S. Chip Sector
    (Bloomberg)

    https://www.bloomberg.com/news/articles/2020-07-25/intel-stunning-failure-heralds-end-of-era-for-u-s-chip-sector

    ------------------------------

    Date: Sat, 25 Jul 2020 09:59:08 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Russia's GRU hackers hit U.S. government and energy targets
    (Ars Technica)

    Russia's GRU military intelligence agency has carried out many of the most
    aggressive acts of hacking in history: destructive worms, blackouts, and --
    closest to home for Americans -- a broad hacking-and-leaking operation
    designed to influence the outcome of the 2016 U.S. presidential election.
    Now it appears the GRU has been hitting U.S. networks again, in a series of
    previously unreported intrusions that targeted organizations ranging from
    government agencies to critical infrastructure.

    https://arstechnica.com/information-technology/2020/07/russias-gru-hackers-hit-us-government-and-energy-targets/

    https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/

    ------------------------------

    Date: Sat, 25 Jul 2020 15:37:40 -0700
    From: Paul Saffo <paul@saffo.com>
    Subject: Unsolicited Chinese seeds? (Washington State Dept of Agriculture)

    This from Facebook. Anyone know the background? Any guesses what this is about? Cover for drug deals? There don't seem to be any explanations on the web.

    https://www.vvng.com/people-are-receiving-an-unsolicited-package-of-seeds-from-china-in-the-mail/
    https://www.facebook.com/WAStateDeptAg/photos/a.10151025620032906/10158360747457906/

    Washington State Department of Agriculture, with Stephanie Marshall and 14 others.

    Today we received reports of people receiving seeds in the mail from China
    that they did not order. The seeds are sent in packages usually stating
    that the contents are jewelry. Unsolicited seeds could be invasive,
    introduce diseases to local plants, or be harmful to livestock.

    Here's what to do if you receive unsolicited seeds from another country:

    1) DO NOT plant them and if they are in sealed packaging (as in the photo
    below) don't open the sealed package.

    2) This is known as agricultural smuggling. Report it to USDA and maintain
    the seeds and packaging until USDA instructs you what to do with the
    packages and seeds. They may be needed as evidence.

    https://www.aphis.usda.gov/…/impor…/sa_sitc/ct_antismuggling

    [APHIS = Animal and Plant Health Inspection Service. I don't find the
    item on the aphis site. Maybe this is the symbiosis between the Chinese
    A(u)nts and the Aphi(d)s? PGN]

    ------------------------------

    Date: Sat, 25 Jul 2020 15:36:57 -0700
    From: Paul Saffo <paul@saffo.com>
    Subject: Homeland in Portland? No, USAF. (The Intercept)

    https://theintercept.com/2020/07/23/air-force-surveillance-plane-portland-protests/

    ------------------------------

    Date: Sat, 25 Jul 2020 14:23:46 -0400
    From: David Lesher <wb8foz@8es.com>
    Subject: Finally there's a handbook on voting (Kimberly Wehle)

    [In need of VV education? DL]

    <https://www.washingtonpost.com/opinions/2020/06/19/finally-theres-handbook-voting/>

    Kim Wehle: Congress needs to appropriate money to the states every year
    exclusively for elections. The last serious influx of federal funding for
    equipment occurred in 2002. How many of us are using computers or flip
    phones from 18 years ago? I would like to see modern encryption technology
    brought to bear on voting so that, just like we conduct private and
    sensitive bank transactions on our phones, we vote on our phones safely and
    securely. This would address much of the fraud and the suppression concerns
    from both sides of the aisle.

    [Disclosure: She is not a RISKS reader. PGN]

    ------------------------------

    Date: Fri, 24 Jul 2020 23:31:37 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Conflict Over a Rental Car Leads to Elusive ATM Skimming Suspect
    (NYTimes)

    https://www.nytimes.com/2020/07/17/business/credit-card-skimmer-arrest-alaska.html

    The risks? Greed, hubris, patterns, personality...

    ------------------------------

    Date: Sat, 25 Jul 2020 19:06:43 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Letting Your Insurer Ride Shotgun, for a Discounted Rate (NYTimes)

    Most big car insurers offer apps that monitor your driving, and one start-up
    requires it. The trade-off in privacy is a premium that could be
    substantially cheaper for safe drivers.

    https://www.nytimes.com/2020/07/16/business/car-insurance-app-discounts.html

    Same old, same old: except here you're the product *and* the customer.

    ------------------------------

    Date: Sat, 25 Jul 2020 10:33:33 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: The three worst things about email, and how to fix them (WashPost)

    https://www.washingtonpost.com/technology/2020/07/21/gmail-alternative-hey

    The inconveniences of convenience.

    "Problem 1: Anybody can email you. And they do." True. Email account content
    can resemble a litter box. Delivery, while not 100%, surpasses snail mail
    speed and cost-effectiveness. Caveat emptor for anything that is free.
    Without authenticated credential provenance, via a nationalized (or global)
    identity, authorization, and maintenance mechanism, random and arbitrary
    recipient address email transmission is no-go.

    "Problem 2: Important stuff gets lost." True. Check your SPAM folder for
    important content mischaracterized by the latest attempt to automatically
    pick fly poop from a pepper pile. Filters are like rocket science: they
    intimidate the unskilled and uninitiated, discouraging use.

    "Problem 3: Your email isn't really private." True. Corporate email service
    provider terms of service (aka, privacy policies) routinely authorize
    collection, exploitation, followed by the unfortunate involuntary breach
    (via hack or negligence) of said collected or transmitted email content.

    The privacy policy entitles the service to potentially gain from the
    content (if there's anything of value or merit) in exchange for convenient
    and free public access.

    Some entities (government security agencies specifically) might find
    interest in the names/email addresses of dissidents -- see the recent
    Twitter hack of Geert Wilders. https://www.washingtonpost.com/world/middle_east/twitter-says-hackers-accessed-dutch-politicians-inbox/2020/07/23/b979af96-ccd2-11ea-99b0-8426e26d203b_story.html.

    That "Hey" may partially mitigate these foundational email features to suit
    certain clientele (or their investors) does not diminish technological risk
    exposure.

    ------------------------------

    Date: Sat, 25 Jul 2020 14:13:58 +0930
    From: William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
    Subject: PDF signatures useless (ZDNet)

    It turns out that PDF cryptographic signatures do not protect the entire
    contents or visual appearance of the file. Which makes them utterly
    pointless.

    https://www.zdnet.com/google-amp/article/new-shadow-attack-can-replace-content-in-digitally-signed-pdf-files/
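
[The mechanism behind the item above is PDF's incremental-update model: a
signature's /ByteRange covers only the bytes present when the document was
signed, and anything appended afterwards (a new object table and trailer that
override earlier objects) sits outside the signed range while most viewers
still report the signature as valid. The following check is an added example
written for this digest, not code from the ZDNet article or the Shadow Attacks
researchers. It builds a constructed, minimal PDF skeleton with a dummy
signature dictionary, computes an honest /ByteRange over it, then appends a
fake incremental update and measures how many bytes lie past the signed
range. It does not verify any cryptographic signature; it only inspects the
byte-range bookkeeping, which is the part a tampering check must get right.]

```python
import re

# Fixed-width placeholder so the final /ByteRange has the same length as the
# text it replaces (otherwise the offsets would shift after substitution).
PLACEHOLDER = b"/ByteRange [0000000000 0000000000 0000000000 0000000000]"

BYTE_RANGE_RE = re.compile(
    rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_signed_pdf() -> bytes:
    """Constructed sample: a minimal PDF with one signature dictionary whose
    /ByteRange honestly covers every byte except its own /Contents blob.
    The /Contents value is a dummy 32-byte string, not a real PKCS#7 object."""
    contents = b"<" + b"00" * 32 + b">"
    prefix = (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n"
        b"3 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
        b"/SubFilter /adbe.pkcs7.detached\n"
        + PLACEHOLDER + b" /Contents "
    )
    suffix = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Signed ranges: [a, a+b) is everything before /Contents,
    #                [c, c+d) is everything after it.
    a, b = 0, len(prefix)
    c, d = b + len(contents), len(suffix)
    byte_range = b"/ByteRange [%010d %010d %010d %010d]" % (a, b, c, d)
    assert len(byte_range) == len(PLACEHOLDER)
    return prefix.replace(PLACEHOLDER, byte_range) + contents + suffix


def signed_ranges(pdf: bytes):
    """Every (a, b, c, d) /ByteRange tuple found in the file, in file order."""
    return [tuple(int(x) for x in m.groups())
            for m in BYTE_RANGE_RE.finditer(pdf)]


def unsigned_tail_length(pdf: bytes) -> int:
    """Number of bytes after the end of the most-covering signature's range.

    0  -> the signature covers the whole file (apart from its own /Contents).
    >0 -> an incremental update was appended after signing; the viewer may
          still show a valid signature, but the rendered content can differ."""
    ranges = signed_ranges(pdf)
    if not ranges:
        raise ValueError("no /ByteRange found: file carries no signature")
    a, b, c, d = max(ranges, key=lambda r: r[2] + r[3])
    return len(pdf) - (c + d)


def append_incremental_update(pdf: bytes) -> bytes:
    """Constructed post-signing edit: a new object 2 overriding the signed one
    plus a new trailer. This is the shape of what a shadow attack (or any
    edit after signing) appends; the original signed bytes are untouched."""
    update = (
        b"2 0 obj\n<< /Type /Pages /Count 1 /Kids [4 0 R] >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
    )
    return pdf + update


if __name__ == "__main__":
    clean = build_signed_pdf()
    tampered = append_incremental_update(clean)
    print("clean file, unsigned tail bytes:   ", unsigned_tail_length(clean))
    print("tampered file, unsigned tail bytes:", unsigned_tail_length(tampered))
```

A nonzero tail is not by itself proof of malice: a second signer, a filled
form field or an added annotation also arrives as an incremental update. It
is, however, the one condition under which "signature valid" and "this is
what the signer saw" can diverge, so any signed document whose last signature
does not reach end-of-file deserves a look at what the trailing update
overrides before the signature is trusted.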

    ------------------------------

    Date: Sat, 25 Jul 2020 09:48:23 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Google is aware of 'w5' Wi-Fi failures on some Nest thermostats
    and providing replacements (Android Police)

    If troubleshooting doesn't work, it's a known issue and you can get a replacement

    https://www.androidpolice.com/2020/07/24/google-is-aware-of-w5-wi-fi-failures-on-some-nest-thermostats-and-providing-replacements/

    ------------------------------

    Date: Sat, 25 Jul 2020 16:50:15 -0400
    From: Joseph Gwinn <joegwinn@comcast.net>
    Subject: Re: Boeing's future is cloudy as it tries to restore credibility
    (Ward, RISKS-32.13)

    Probably junior programmers get this boring grunt work: senior programmers
    get to do more interesting jobs, like writing new code! [...]

    Ahh, no. This was the customer tolerance level, to which IBM managed. As I
    recall, IBM alternated fixup releases (nothing new added, so more stable)
    and improvement releases (sorta beta test).

    ------------------------------

    Date: Sat, 25 Jul 2020 20:51:10 -0700
    From: Drew Dean <drewdean@gmail.com>
    Subject: Re: European Public Sphere Towards Digital Sovereignty for Europe
    (ACATech, RISKS-32.13)

    I think there's an unmentioned risk: that of an EU boondoggle. :-)

    ------------------------------

    Date: Mon, 1 Jun 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.14
    ************************
