• Risks Digest 32.19 (2/2)

    From RISKS List Owner@21:1/5 to All on Sat Aug 15 01:21:42 2020
    [continued from previous message]

    In short, although you may not be required to create online accounts to
    manage your affairs at your ISP, the U.S. Postal Service, the credit
    bureaus or the Social Security Administration, it's a good idea to do so
    for several reasons.

    Most importantly, the majority of the entities I'll discuss here allow just
    one registrant per person/customer. Thus, even if you have no intention of
    using that account, establishing one will be far easier than trying to
    dislodge an impostor who gets there first using your identity data and an
    email address they control.

    Also, the cost of planting your flag is virtually nil apart from your
    investment of time. In contrast, failing to plant one's flag can allow
    ne'er-do-wells to create a great deal of mischief for you, whether it be
    misdirecting your service or benefits elsewhere, or canceling them
    altogether.

    Before we dive into the list, a couple of important caveats. Adding
    multi-factor authentication (MFA) at these various providers (where
    available) and/or establishing a customer-specific personal identification
    number (PIN) also can help secure online access. For those who can't be
    convinced to use a password manager, even writing down all of the account
    details and passwords on a slip of paper can be helpful, provided the
    document is secured in a safe place. [...]

    https://krebsonsecurity.com/2020/08/why-where-you-should-you-plant-your-flag/

    ------------------------------

    Date: Fri, 14 Aug 2020 12:11:57 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Postal Service warns 46 states their voters could be
    disenfranchised by delayed mail-in ballots [as desired by Trump]

    https://www.washingtonpost.com/local/md-politics/usps-states-delayed-mail-in-ballots/2020/08/14/64bf3c3c-dcc7-11ea-8051-d5f887d73381_story.html?utm_campaign=wp_main&utm_source=twitter&utm_medium=social

    ------------------------------

    Date: Thu, 13 Aug 2020 19:36:49 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Mailer To DC Voters Prompts Widespread Confusion (DCist)

    A mailer from the DC Board of Elections was supposed to help registered
    voters confirm that their address was correct. Instead, it has prompted
    confusion over how exactly voters can notify the board that their address
    has changed or that a person listed at their address no longer lives there.

    And that could raise additional concerns ahead of the city's plan to mail
    every registered voter -- there are more than 460,000 of them on file -- a
    ballot ahead of November's election.

    The mailer started hitting mailboxes across D.C. in recent days, and seemed
    straightforward enough. People who received it at the address where they
    live did not need to take further action -- that's where the ballot will be
    sent in the coming weeks. But it was flummoxing for people who need to
    update their address (if, for instance, they want the ballot forwarded
    elsewhere, or would be moving in the coming weeks) or want to let the
    elections board know the mailer was sent to someone who once lived at the
    address but is no longer there.

    The instructions prompt voters to fill out one half of the mailer, detach it
    from the other half, and send it back to the elections board. But some
    voters started noticing that in so doing, they'd be sending the board the
    part of the mailer that has no information identifying who it was sent to
    to begin with. That's because that information -- the recipient's name,
    address and a unique barcode -- is on the half of the mailer that isn't
    supposed to be sent back in. ...

    ``Terrible design by [the D.C. Board of Elections] that is going to cause a
    lot of problems. Do they not test/review these?'' tweeted Southwest D.C.
    resident Stacy Cloyd.

    Rachel Coll, a spokeswoman for the elections board, said in an email that
    the problem was a ``design flaw'' from an outside vendor that produced the
    mailers. She said the board had already gotten at least 100 of the mailers
    back from voters with no issues, but the board was forced to tweet out new
    instructions on Wednesday. ...

    This isn't the first time the elections board has had issues with official
    documents it has mailed to voters. Earlier this year, the board sent new
    voter registration cards to more than 25,000 voters with the wrong primary
    date listed on them. In 2018, it failed to notify absentee voters that they
    had to include postage on their envelopes to send ballots back in. And in a
    particularly infamous error in 2014, the board sent out hundreds of
    thousands of official voter guides with an upside-down D.C. flag --
    commonly known as a sign of distress -- on the cover.

    https://dcist.com/story/20/08/13/dc-elections-board-mailer-confusion/

    ------------------------------

    Date: Sat, 8 Aug 2020 10:00:38 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Trump's lapdog Postmaster General wants to more than double costs
    for states to mail ballots to voters! Crooked through and through.

    https://lawandcrime.com/opinion/if-trumps-postmaster-general-raises-mail-in-ballot-stamp-price-that-could-be-an-unconstitutional-poll-tax/

    ------------------------------

    Date: Sat, 8 Aug 2020 23:24:37 -0600
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: Unwanted Truths: Inside Trump's Battles With U.S. Intelligence
    Agencies (NYTimes)

    Last year, intelligence officials gathered to write a classified report on
    Russia's interest in the 2020 election. An investigation from the magazine
    uncovered what happened next.

    https://www.nytimes.com/2020/08/08/magazine/us-russia-intelligence.html?action=click&module=Top%20Stories&pgtype=Homepage

    ------------------------------

    Date: Sun, 9 Aug 2020 19:00:12 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The quest to liberate $300,000 of bitcoin from an old ZIP file
    (Ars Technica)

    A few quintillion possible decryption keys stand between a man and his cryptocurrency.

    In October, Michael Stay got a weird message on LinkedIn. A total stranger
    had lost access to his bitcoin private keys -- and wanted Stay's help
    getting his $300,000 back.

    https://arstechnica.com/information-technology/2020/08/the-quest-to-liberate-300000-of-bitcoin-from-an-old-zip-file/

    https://www.wired.com/story/quest-to-liberate-bitcoin-from-old-zip-file/

    ------------------------------

    Date: Sun, 9 Aug 2020 10:50:07 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Risk of driving while Black in conjunction with computer risks

    [This was submitted by someone who did not want to be identified. PGN]

    An automated scanner recorded a vehicle's plate number but the scanner
    determines neither the issuing state nor the type of vehicle. The plate
    number was flagged because just the number matched a USA national list of
    stolen vehicles. Computer risk 1 is a device by design gathering less than
    the full set of data needed. In this case the police user of scanner data
    is allocated the task of checking the further details of the plate, i.e.,
    comparing the state on the theft report *Montana* with the state on the
    plate of the scanned vehicle *Colorado* and comparing the sort of vehicle
    on the report *motorcycle* with the vehicle observed *passenger car*. This
    design assumption is computer risk 2. The manual comparison reportedly did
    not occur. The driver said she asked the police to compare her name on her
    driver licence to her name on the car registration but the police continued
    to assume that the car was stolen. Perhaps the usual blind faith in the
    computer (risk 3).

    The woman's children, as young as six years, were in the car and were
    ordered to lie on the street facedown. Two were handcuffed. The family is
    black. The risk here is not a computer risk but rather being black while
    driving.

    https://www.denverpost.com/2020/08/04/aurora-police-handcuff-children-video/

    Note that the Denver Post newspaper's site does not allow using a private
    or incognito mode of a browser. It litters the browser with cookies, a file
    system, database storage, local storage, service workers. It will attempt
    to sign up the browser for notification spam.
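
    [Added illustration, not part of the submitted item and not code from any
    real plate-scanner or stolen-vehicle system: the three risks above, in
    Python. The stolen-vehicle records, the PlateRecord field names and the
    status labels are constructed for the example. A number-only match (risk 1)
    is shown beside a match on the full key; a scan that lacks state or vehicle
    type is reported as 'unverified' and routed to the manual comparison that
    the design assumed (risk 2) and that reportedly never happened (risk 3),
    rather than being treated as a confirmed stolen vehicle.]

```python
"""Plate-number hit handling: number-only match vs. full-key verification.

Added example; not from the RISKS item or from a real ALPR system.  The
records, field names and status labels below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PlateRecord:
    """One plate observation or one theft report. None means 'not captured'."""
    number: str
    state: Optional[str] = None
    vehicle_type: Optional[str] = None


# Constructed stand-in for a national stolen-vehicle list.  The first entry
# mirrors the post: a Montana motorcycle whose plate number collides with the
# number on a Colorado passenger car.
STOLEN_LIST: List[PlateRecord] = [
    PlateRecord("ABC123", "MT", "motorcycle"),
    PlateRecord("XYZ789", "CA", "passenger car"),
]


def naive_match(scan: PlateRecord,
                records: List[PlateRecord] = STOLEN_LIST) -> List[PlateRecord]:
    """Risk 1 in code: the device captured only a number, so a number is all it
    can compare.  Any cross-state number collision becomes a 'hit'."""
    return [r for r in records if r.number == scan.number]


def classify_hit(scan: PlateRecord,
                 records: List[PlateRecord] = STOLEN_LIST) -> str:
    """Compare every field the theft report carries with what the scan captured.

    Returns one of:
      'no_match'   - number not on the list
      'cleared'    - number matches, but a captured field contradicts the report
      'unverified' - number matches and the scan lacks state or vehicle type,
                     so a person must compare plate and vehicle before acting
      'confirmed'  - number, state and vehicle type all agree
    When several reports share the number, the most cautious status wins.
    """
    rank = {"no_match": 0, "cleared": 1, "unverified": 2, "confirmed": 3}
    best = "no_match"
    for rec in naive_match(scan, records):
        pairs = [(scan.state, rec.state), (scan.vehicle_type, rec.vehicle_type)]
        if any(s is not None and s != r for s, r in pairs):
            status = "cleared"
        elif any(s is None for s, _ in pairs):
            status = "unverified"
        else:
            status = "confirmed"
        if rank[status] > rank[best]:
            best = status
    return best


def recommended_action(status: str) -> str:
    """Operator step for each status; the 'unverified' branch is the manual
    comparison the post says the design relied on."""
    return {
        "no_match": "none",
        "cleared": "none: a captured field contradicts the theft report",
        "unverified": "manual check: compare plate state and vehicle type "
                      "against the report before acting on the hit",
        "confirmed": "proceed per policy",
    }[status]


if __name__ == "__main__":
    number_only = PlateRecord("ABC123")                       # what the scanner got
    full_scan = PlateRecord("ABC123", "CO", "passenger car")  # what an officer sees
    print(len(naive_match(number_only)), "hit(s) on plate number alone")
    for scan in (number_only, full_scan):
        status = classify_hit(scan)
        print(scan, "->", status, "/", recommended_action(status))
```

    Run stand-alone, the script shows the number-only scan producing one hit
    but classifying as 'unverified', while the same plate with state and
    vehicle type filled in is 'cleared' by the contradicting fields.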

    ------------------------------

    Date: Sun, 9 Aug 2020 15:24:20 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Why climate change is about to make your bad commute worse
    (WashPost)

    ``Everything that is built around you is built with some consideration for
    how much environmental exposure it's going to be able to tolerate,'' Chester
    explained. ``When it comes to roads, for example, the American Association
    of State Highway and Transportation Officials has guidelines that say
    asphalt should be engineered to withstand the hottest week on record during
    a certain historical period -- say, 1970 and 2000. In Arizona,
    that might be 115 degrees, and in Chicago, it might be 105 degrees.''

    The problem is, thanks to climate change, past is no longer prologue.
    ``We're not going to shut off CO2 emissions overnight, so the climate is
    going to continue changing. The question is, by how much and in which
    direction?'' Chester said.

    ``Let's say you design a road in Chicago for the hottest week on record,
    which might be 105 degrees. Well, the hottest week going forward might be
    108 degrees, or it could be 120 degrees,'' he said.

    Faced with uncertainty, civil engineers can do little but guess. And the
    wrong guess could be costly.

    https://www.washingtonpost.com/local/trafficandcommuting/why-climate-change-is-about-to-make-your-bad-commute-worse/2020/08/08/7ad97ba8-d5b6-11ea-aff6-220dd3a14741_story.html

    ------------------------------

    Date: Fri, 14 Aug 2020 09:35:20 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Chrome will start hiding most of URLs, but you can opt-out -- AND
    YOU SHOULD!

    Google is moving ahead with what I've long considered to be a
    poorly-conceived plan to hide most of Chrome browser URLs by default. My
    original blog posts regarding this issue began two years ago, at:

    https://lauren.vortex.com/2018/07/10/chrome-is-hiding-url-details-and-its-confusing-people-already

    and you can read those posts to see my discussion of the problems involved
    with this move.

    The current situation is summarized in:

    Google resumes its attack on the URL bar, hides full addresses on Chrome 86

    https://www.androidpolice.com/2020/08/13/google-resumes-its-senseless-attack-on-the-url-bar-hides-full-addresses-on-chrome-canary/#2

    The one saving grace is that reportedly (at least for now) a right click
    menu item will provide an opt-out for this behavior, and I'd urge you to
    take advantage of that opt-out when these versions of the browser reach
    you. Unfortunately, the users most at risk from this new default behavior
    are also probably the most unlikely to ever hear about this opt-out or use
    it.

    ------------------------------

    Date: Fri, 14 Aug 2020 16:09:31 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: How romance scams are thriving during quarantine

    https://www.theverge.com/21366576/dating-app-scams-romance-women-quarantine-coronavirus-scheme

    ------------------------------

    Date: Sun, 9 Aug 2020 20:27:17 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: No to Blockchain Credentials of COVID-19 Test Results for Entry to
    Public Spaces (EFF)

    An ill-conceived California bill endorses a blockchain-based system that
    would turn COVID-19 test results into permanent records that could be used
    to grant access to public places.

    https://www.eff.org/deeplinks/2020/08/no-blockchain-credentials-covid-19-test-results-entry-public-spaces

    ------------------------------

    Date: Sun, 9 Aug 2020 15:21:22 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Virginia launches contact-tracing app COVIDWISE using Apple, Google
    technology (WashPost)

    ``If enough Virginians use this app, we can identify cases early and slow
    the spread of this virus. We have to continue to fight #COVID19 from every
    possible angle -- COVIDWISE is another tool we have to protect ourselves,
    our families, and our communities during this pandemic.''

    The reaction:

    ``Not falling for this one? keep your tracker!'' read one response.

    ``Why would I willingly give the VDH permission to track who I have spent
    15 minutes with?'' read another, using the initials for the Virginia
    Department of Health. ``No thanks, Hard pass. I value both my privacy and
    liberty.''

    ``This is ridiculous,'' read yet another. ``Never gonna happen here.'' ...

    And yet, people are still refusing to put a slip of cloth over their faces
    because they'd rather make a political statement than protect the most
    vulnerable around them.

    They'd rather immediately dismiss an app as an invasion of their privacy
    than take a moment to consider that maybe it will help keep some people
    around them from getting sick or worse.

    https://www.washingtonpost.com/local/a-new-app-offers-virginians-the-chance-to-show-the-country-how-to-contain-coronavirus-cases-will-they-blow-it/

    ------------------------------

    Date: Mon, 10 Aug 2020 09:27:06 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: The nuclear mistakes that could have ended civilisation (bbc.com)

    https://www.bbc.com/future/article/20200807-the-nuclear-mistakes-that-could-have-ended-civilisation

    "From invading animals to a faulty computer chip worth less than a dollar,
    the alarmingly long list of close calls shows just how easily nuclear war
    could happen by mistake."

    ------------------------------

    Date: Mon, 10 Aug 2020 18:02:11 -0400
    From: Eric Sosman <esosman@comcast.net>
    Subject: Re: Omniviolence Is Coming and the World Isn't Ready (Nautilus)

    In RISKS 32.18, Richard Stein quotes Nautilus concerning the possibility
    of using bomb-carrying drones against populations: "A [mini-quadcopter]
    can carry a one-or two-gram shaped charge [...] You can drive up I-95
    with three trucks and have 10 million weapons attacking New York City."

    How much does it cost to acquire, program, and arm ten million drones?
    Perhaps the RISK here is not so much the damage New York might suffer,
    but the attackers' likely bankruptcy, plus the dangers inherent in
    fitting ten million bombs to ten million drones ...

    Maybe the lure of technological overkill (sorry) is not really a RISK, but
    a mitigation? Probably not: Attackers aren't *that* stupid, and will likely
    seek cheaper and deadlier weapons.

    ------------------------------

    Date: Sun, 9 Aug 2020 13:29:22 +0100
    From: A Michael W Bacon <amichaelwbacon@gmail.com>
    Subject: Re: Blackbaud breach (RISKS-32.18)

    Writing about the Blackbaud breach, Gabe Goldberg cites a notification
    email from "the Freedom Forum and our affiliates, the Newseum and the
    Freedom Forum Institute". I was amused by this part: 'Blackbaud is the
    global market leader in not-for-profit software, and their products are
    commonly used to manage relationships and communications with constituents
    and donors'; the style of which is (rather predictably) emerging as the
    excuse: "Don't blame us; they are the 'global market leader' so we didn't
    bother validating their security."

    ------------------------------

    Date: Sun, 9 Aug 2020 13:30:24 +0100
    From: A Michael W Bacon <amichaelwbacon@gmail.com>
    Subject: Re: City outage (RISKS-32.18)

    In 'Cyberattack causes Lafayette, CO city computer outage', Jim Reisert
    AD1C asks, "Does this mean that the attackers requested too little ransom
    for the key to unlock the data?"

    Maybe one should wonder whether the "kidnappers" are estimating the cost of
    the disruption and rebuilding, and asking below that figure to encourage
    payment.

    ------------------------------

    Date: Sun, 9 Aug 2020 13:31:32 +0100
    From: A Michael W Bacon <amichaelwbacon@gmail.com>
    Subject: Re: Beirut explosion (RISKS-32.18)

    Although details of the immediate events leading to the detonation of some
    2,750 tons of Ammonium Nitrate (AN) are unclear, and might remain so, some
    facts are established.

    The AN was unloaded from a Russian-owned ship, the MV Rhosus, following the
    owner's inability to pay mooring and other fees. Out of Batumi, Georgia, in
    late September 2013 the Rhosus was loaded with AN and reportedly bound for
    Beira, Mozambique. The vessel stopped in Athens for some four weeks while
    the owner sought additional cargo to pay the fee for the Suez Canal. It
    then detoured to Beirut to pick up one such new cargo, road-making
    equipment. However, the 27-year-old ship was poorly maintained and the
    rusting deck hatches began to buckle under the weight of a road-roller.
    That cargo was then refused loading by the worried captain.

    Captain Prokoshev decided to head for Cyprus to sort things out with the
    owner, Cyprus-based Russian businessman, Igor Grechushkin. But before the
    MV Rhosus could set sail, the Lebanese authorities intervened and seized it
    on 4 February 2014, with unpaid bills reportedly totaling 100,000 USD.

    The aging Rhosus was by now taking on water that had to be bailed out every
    day. After a lengthy court process, the remaining crew closed all the
    compartments, locked them and handed the keys to immigration at the port,
    and Prokoshev and his colleagues left Beirut in September 2014, one year
    after the ship's arrival.

    Some [as yet unclear] time afterward, with the Rhosus deteriorating further
    and taking on more water, the authorities unloaded the cargo into a
    dockside warehouse; the port authorities of Beirut forbid the unloading or
    reloading of cargo from one vessel to another. Reportedly, the vessel
    subsequently sank, but its resting-place is unclear.

    Fast forward to 4 August 2020 and the currently revealed facts are that a
    fire was burning for some time near, on or in the warehouse, some flashes
    were observed, then there was the detonation. What started the fire
    remains speculation.

    The Lebanese government moved quickly to announce they would find whoever
    was responsible, but later began to raise the spectre of a deliberate attack
    by rocket or bomb ... possibly once they realised they were responsible for
    the AN being stored there.

    The ensuing denials of responsibility reminded me inversely (and perversely)
    of British Nuclear Fuel's claim following the 'Act of God' explosion in the
    late, great Douglas Adams's book, The Long Dark Teatime of the Soul.

    ------------------------------

    Date: Sat, 8 Aug 2020 13:58:23 +1000
    From: 3daygoaty <threedaygoaty@gmail.com>
    Subject: Re: Beirut Blast (RISKS-32.18)

    Nice back story covering a range of processes and risks that led to the
    blast.

    To me it looks like the judiciary failing to grant permission to move the
    chemical in a timely manner greatly increased the risk.

    https://www.bbc.com/news/extra/x2iutcqf1g/beirut-blast

    ------------------------------

    Date: Fri, 7 Aug 2020 21:01:04 -0400
    From: Steve Singer <sws@dedicatedresponse.com>
    Subject: Re: Tom's Hardware goes dark/side/ (RISKS-32.18)

    If one follows Forno's / Farber's link with NoScript enabled on Firefox,
    the following message appears:

    AD BLOCKER INTERFERENCE DETECTED

    Thank you for visiting this site. Unfortunately we have detected that you
    might be running custom adblocking scripts or installations that might
    interfere with the running of the site.

    We don't mind you running adblocker, but could you please either disable
    these scripts or alternatively whitelist the site, in order to continue.
    Thanks for your support!

    It's possible to work around this, but not worth the risk or bother to me.
    My Tom's Hardware bookmark: poof!

    ------------------------------

    Date: Mon, 10 Aug 2020 12:14:46 +0100
    From: David Damerell <damerell@chiark.greenend.org.uk>
    Subject: Re: When tax prep is free, you may be paying with your privacy.
    (Drewe, RISKS-32.18)

    He omits mentioning that around 2/3 of UK taxpayers never interact with the
    complications. Of the UK's circa 32 million taxpayers, only around 10
    million fill out tax returns. An ordinary employee has tax deducted and sent
    to HMRC by their employer, and has nothing to do save read their payslips.

    Furthermore, those 10 million are disproportionately likely to be wealthy
    (the criteria for self-assessment include earning over £100,000 per
    annum); and while legend may say the system here is the most complicated,
    I'm told by friends fortunate enough to be in that group that they do not
    find it difficult to fill out their own forms, whereas I understand the
    process is nightmarish in the US.

    Hence I think essentially no-one is being put in the position of being
    snooped on by "free" tax preparation services because they need a service
    but cannot afford it.

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.19
    ************************

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)