• Risks Digest 32.23

    From RISKS List Owner@21:1/5 to All on Wed Aug 26 00:05:41 2020
    RISKS-LIST: Risks-Forum Digest Tuesday 25 August 2020 Volume 32 : Issue 23

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.23>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Grading by algorithm results in UK debacle (Adam Satariano)
    Surge staff and electronic records (Health in AU)
    Commissioner of FDA admits he provided false information about COVID-19
    treatment (MedicalXpress)
    Profs and loss - China is killing academic freedom in Hong Kong China
    (The Economist)
    A Chrome feature is creating enormous load on global root DNS servers
    (Ars Technica)
    Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over His TikTok
    Executive Order (Reason.com)
    COVID-19 When Less is More (The Atlantic)
    Re: Fiddling with the environment (A Michael W Bacon)
    Re: Driverless cars are coming soon followup (Peter Houppermans)
    Re: Date and time synchronization (Terje Mathisen)
    Re: Washington Postal workers defy USPS orders and re-install mail,
    sorting machines (Jack Christensen)
    Re: Dicekeys (Arthur T.)
    Re: Why Does California Have So Many Wildfires? (Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 25 Aug 2020 15:55:05 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Grading by algorithm results in UK debacle (Adam Satariano)

    Adam Satariano, *The New York Times*, National Edition, 21 Aug 2020
    (60% of Page A10, PGN-ed)

    *Automation pitfalls hit poor hardest.
    Scores are thrown out, but damage is already done.*

    The British government used a computer-generated score to replace exams that were canceled due to Covid-19. This resulted in nearly 40% of students in England having their earned A-level exam grades lowered. By the time the policy was changed, many students had lost their accepted university slots.
    The new score ``included in its calculations a school's past performance on tests and a student's earlier results on `mock' exams.''

    ``Critics say the experience shows the risks ahead as more sophisticated
    tools like artificial intelligence become available and companies pitch them
    to public agencies.''

    [My own oversimplified summary is that this seems to have been another
    risk of government oversimplification, bordering on a combination of
    naivety, stupidity, and possible political motives. A colleague suggests
    that this is because the government was horribly afraid that students
    might get marks they *didn't deserve* -- preferring to throw away any
    actual data from the schools, and just manufacture a curve. Although not
    really addressed in Satariano's article, the new score seems to have been
    a reaction to the loss of international students resulting from COVID-19.
    But it is also just one more example of a short-sighted policy that
    trusted an artificially questionable algorithm to replace human
    intelligence. Furthermore, the effects on disadvantaged students have
    been very profound. PGN]

    ------------------------------

    Date: Tue, 25 Aug 2020 11:40:20 +1000
    From: James Cameron <quozl@laptop.org>
    Subject: Surge staff and electronic records (Health in AU)

    At an aged care facility in Sydney, pandemic surge staff did not know how to use the electronic resident-record system, which led to diminished care both inside the facility and by local doctors outside the facility.

    https://www.health.gov.au/sites/default/files/documents/2020/08/newmarch-house-covid-19-outbreak-independent-review-newmarch-house-covid-19-outbreak-independent-review-final-report.pdf
    (page 21)

    ------------------------------

    Date: Tue, 25 Aug 2020 09:59:02 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Commissioner of FDA admits he provided false information about
    COVID-19 treatment (MedicalXpress)

    https://medicalxpress.com/news/2020-08-health-touting-false-plasma.html

    ------------------------------

    Date: Tue, 25 Aug 2020 08:29:42 +0900
    From: farber@gmail.com
    Subject: Profs and loss - China is killing academic freedom in Hong Kong
    China (The Economist)

    https://www.economist.com/china/2020/08/23/china-is-killing-academic-freedom-in-hong-kong

    ------------------------------

    Date: Tue, 25 Aug 2020 12:33:43 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: A Chrome feature is creating enormous load on global root DNS
    servers (Ars Technica)

    A Chrome feature is creating enormous load on global root DNS servers https://arstechnica.com/gadgets/2020/08/a-chrome-feature-is-creating-enormous-load-on-global-root-dns-servers/

    Chromium's impact on root DNS traffic https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/

    ------------------------------

    Date: Tue, 25 Aug 2020 16:38:44 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over
    His TikTok Executive Order (Reason.com)

    Godwin: "I know what moral panics look like; they look kind of like this."

    https://reason.com/2020/08/24/mike-godwin-the-creator-of-godwins-law-is-suing-trump-over-his-tiktok-executive-order/

    ------------------------------

    Date: Mon, 24 Aug 2020 22:28:23 -0400
    From: Sheldon <sheldon10101@gmail.com>
    Subject: COVID-19 When Less is More (The Atlantic)

    https://www.theatlantic.com/health/archive/2020/08/how-to-test-every-american-for-covid-19-every-day/615217/

    The Plan That Could Give Us Our Lives Back

    The U.S. has never had enough coronavirus tests. Now a group of epidemiologists, economists, and dreamers is plotting a new strategy to
    defeat the virus, even before a vaccine is found.

    ... In the past several weeks, he [Michael Mina, a professor of epidemiology
    at Harvard], has become an evangelist for a total revolution in how the
    U.S. controls the pandemic. Instead of restructuring daily life around the American way of testing, he argues, the country should build testing into
    the American way of life.

    The wand that will accomplish this feat is a thin paper strip, no longer
    than a finger. It is a coronavirus test. Mina says that the U.S. should mass-produce these inexpensive and relatively insensitive tests -- unlike
    other methods, they require only a saliva sample -- in quantities of tens of millions a day. These tests, which can deliver a result in 15 minutes or
    less, should then become a ubiquitous part of daily life. Before anyone
    enters a school or an office, a movie theater or a Walmart, they must take
    one of these tests. Test negative, and you may enter the public space. Test positive, and you are sent home. In other words: Mina wants to test nearly everyone, nearly every day.

    The tests Mina describes already exist: They are sitting in the office of
    e25 Bio, a small start-up in Cambridge, Massachusetts; half a dozen other companies are working on similar products. But implementing his vision will require changing how we think about tests. These new tests are much less sensitive than the ones we run today, which means that regulations must be relaxed before they can be sold or used. Their closest analogue is rapid dengue-virus tests, used in India, which are manufactured in a quantity of
    100 million a year. Mina envisions nearly as many rapid COVID-19 tests being manufactured a day. Only the federal government, acting as customer and controller, can accomplish such a feat. [...]

    [Companies in India have developed a fancier version of a standalone
    COVID-19 test which is being sold for 450 rupees ($6). This test uses the
    swab up the nose until you sneeze and has a nice cassette and is harder to
    use than the test from e25 bio.  About half the tests in India use these $6 antigen tests. Sadly, there's a fair amount of push back on using these
    tests rather than PCR.] There is no way that school kids will tolerate a
    daily swab up your nose until you scream.

    To begin to learn more start at rapidtests.org.

    ------------------------------

    Date: Tue, 25 Aug 2020 08:37:35 +0100
    From: A Michael W Bacon <amichaelwbacon@gmail.com>
    Subject: Re: Fiddling with the environment (Stein, RISKS-32.22)

    In RISKS-32.22, Richard Stein wonders what will become of Florida's release
    of a genetically engineered mosquito intended to combat Dengue Fever.

    It's likely that the law of unintended consequences will have effect, and
    that with the clarity of hindsight many will say the effect was totally predictable.

    [With Greenland undergoing massive irreversible glacier melt, we can
    expect a corresponding effect of fiddling while Nome burned. PGN]

    ------------------------------

    Date: Tue, 25 Aug 2020 11:49:42 +0200
    From: Peter Houppermans <peter@houppermans.net>
    Subject: Re: Driverless cars are coming soon followup (RISKS-32.22)

    There's more where that came from..

    Competition between car makers to see who can provide us the most
    distraction moves the industry in exactly the wrong direction!

    In their apparent desire to attach more bells and whistles to what used to
    be eminently sane concepts, there is also this trend to make indicators more fancy (at least in Europe where they're separate from brake lights) by implementing them as an animated strip of LEDs that *grows* by lighting more and more of them.

    The problem: this delays signal awareness.

    A car's brake and turn signals are there to inform other road users that something is about to happen that may represent a risk. It is not even possible to brake without brake lights flaring, but turn indicators are
    manual, and apparently still considered optional by whole tribes of road
    users.

    In the past, LED brake lights were even sold as options on the premise that
    it gave drivers more time to react as they light quicker. However, these *swelling* indicator lights do the exact opposite: they delay the moment by which the signal imparts a warning to other road users' situational
    awareness. I deem them a triumph of fashion over safety fundamentals.

    ------------------------------

    Date: Tue, 25 Aug 2020 13:11:04 +0200
    From: Terje Mathisen <terje.mathisen@tmsw.no>
    Subject: Re: Date and time synchronization (Robinson, RISKS-32.22)

    You are going to get a *lot* of responses to this one, the idea is sound but the implemented logic is completely broken. :-(

    Here is the procedure:
    1. Get time.
    2. Get date.
    3. If the hour is not 11 (for systems that preformat time to AM/PM) or is
    not 23, exit procedure, date and time are synchronized and nothing more
    needs to be done.

    Since we read time first, then date, the date might have ticked over and now
    we have 2020-08-25T00:00:00 while the time read happened at 2020-08-24T23:59:59. Combining them results in 2020-08-24T00:00:00 which is
    of course wrong.

    The easiest fix for all such "read two counters as one atomic operation" is
    to start by reading the slow one, then the fast one and then the slow one again, i.e. the date here. If the two dates are equal then we are done, otherwise read the time again and return that value together with the second date.

    You can of course read both counters every time and then return the second
    pair only if the dates are different, this has the small but sometimes
    useful benefit of being constant time as long as the return first pair vs second pair is handled with conditional moves or other branchless code.

    4. Get the time again
    5. Get the date again.

    If we always read both variables twice, then we can even use the suggested order by returning the first pair unless the second time is less than the first, i.e. it wrapped around, and then we return the second pair.

    hms1 = gettime();
    ymd1 = getdate();
    hms2 = gettime();
    ymd2 = getdate();

    hms = (hms2 < hms1)? hms2 : hms1;
    ymd = (hms2 < hms1)? ymd2 : ymd1;
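
The read orders discussed in the message above, as an added example in C that is not part of the original post. Here getdate() and gettime() are backed by a constructed simulated clock that advances one second per read, and the names read_naive, read_slow_fast_slow, read_two_pairs and count_torn are hypothetical.

```c
#include <stdio.h>

#define DAY 86400L

/* Constructed simulated clock (not a real API): seconds since day 0.
 * Each read samples the clock, then one second passes, modelling the
 * time that elapses between two separate counter reads. */
static long sim_now;
static long getdate(void) { return sim_now++ / DAY; }  /* slow counter */
static long gettime(void) { return sim_now++ % DAY; }  /* fast counter */

/* Naive order: time, then date, with no re-check. */
static long read_naive(void)
{
    long hms = gettime();
    long ymd = getdate();
    return ymd * DAY + hms;
}

/* Slow, fast, slow: if the date changed while we were reading,
 * re-read the time and pair it with the second date. */
static long read_slow_fast_slow(void)
{
    long ymd1 = getdate();
    long hms  = gettime();
    long ymd2 = getdate();
    if (ymd1 != ymd2)
        hms = gettime();
    return ymd2 * DAY + hms;
}

/* Read both pairs every time; keep the first pair unless the time
 * wrapped around between the two time reads. */
static long read_two_pairs(void)
{
    long hms1 = gettime();
    long ymd1 = getdate();
    long hms2 = gettime();
    long ymd2 = getdate();
    long hms = (hms2 < hms1) ? hms2 : hms1;
    long ymd = (hms2 < hms1) ? ymd2 : ymd1;
    return ymd * DAY + hms;
}

/* Start the clock at each of the 10 seconds before midnight and count
 * results that fall outside the interval the call actually spanned. */
static int count_torn(long (*reader)(void))
{
    int torn = 0;
    for (long start = DAY - 10; start < DAY; start++) {
        sim_now = start;
        long got = reader();
        if (got < start || got >= sim_now)
            torn++;
    }
    return torn;
}

int main(void)
{
    printf("torn reads: naive=%d slow_fast_slow=%d two_pairs=%d\n",
           count_torn(read_naive), count_torn(read_slow_fast_slow),
           count_torn(read_two_pairs));
    return 0;
}
```

Only the naive reader returns a timestamp outside the interval its call spanned, and only when the date rolls over between its two reads.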

    ------------------------------

    Date: Mon, 24 Aug 2020 19:29:57 -0400
    From: Jack Christensen <christensen.jack.a@gmail.com>
    Subject: Re: Washington Postal workers defy USPS orders and re-install mail,
    sorting machines (RISKS-32.22)

    It would be interesting to know exactly what the "risks to the public in computers and related systems" are perceived to be in this item. One cannot help but wonder whether the item was submitted to Risks with some political motivation. Our expectation should be that submissions to Risks be held to a higher standard. Cheap political demagoguery is available anywhere.

    I propose the following test for RISKS submissions. If "risks to the public
    in computers and related systems" can be said to exist, then we should be
    able to imagine one or more solutions, *that when applied to said computers
    or related systems*, could possibly address the issue.

    In the linked article, there seems to be no hint of this sort of
    technological issue. Certainly mail sorting machines must be computerized,
    but these days most everything is, so that in itself is too low a standard
    to be useful.

    ------------------------------

    Date: Tue, 25 Aug 2020 11:42:49 -0400
    From: "Arthur T." <Risks202008.6.atsjbt@xoxy.net>
    Subject: Re: Dicekeys (RISKS-32.22)

    There is much to like about the Dicekeys concept, but there's also much to criticize. (Note: I am neither a mathematician nor a security professional.)

    For me, any inaccuracy makes everything else questionable. My calculations show 2^194 rather than 2^196 possibilities. Each die has 6 sides and 4 orientations of the top for 24 possibilities. So there are 24^25 outcomes of rolling all of them. Order counts, so multiply by 25 factorial. Log base 2
    of that number is just over 193.66. I'm not sure where he's getting the
    extra bits of randomness reported.

    For non-techies, physical randomization may seem more secure than computer-generated. But if the dice are not extremely well made, they'll be
    a bit less random than theory suggests. Techies will easily find cryptographically secure random number generators, and 59 digits yields
    about 2^196 bits (as does a 32-character string made up of upper case, lower case, numbers, and 8 symbols).

    If you want a very long-term master password, you want to be able to back up its generator. You can do that by taking a picture of the dice box, but then you're no more (or less) secure than you were with non-physical keys. If you generate a long number or symbol key, you can print a more standard bar code that doesn't require trusting someone else's special programming. And then a secure hash hides your original number. I expect that readers for
    general-use bar codes will be around for a long time, whereas I'd worry
    about the longevity of the special-use scanner developed for Dicekeys.

    So I admire the concept and the work and thought that went into making it a real product. But I won't be a customer, and I wouldn't recommend it to
    anyone I know. In addition to the above considerations, computer-generated random numbers are free.

    ------------------------------

    Date: Tue, 25 Aug 2020 07:54:29 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Re: Why Does California Have So Many Wildfires? (NYTimes)

    This NYTimes article hasn't a clue.
    The short answer is: *fire SUPPRESSION* and too few *controlled burns*.

    As a resident of Southern California for ~40 years and having lived in the vicinity of at least 40 wildfires, I've studied this issue a bit.

    The white colonists who destroyed the indigenous native American way of life were 'know-it-alls' who never comprehended the clever and quite efficient
    fire management strategies of these 'primitive' people, and the folly of our 'expert' mismanagement of the ecosystem in the past 300 years has sown the seeds of our wildfire problems today.

    Here in Southern California, you only get the following (egrep) choices
    for annual behavior for essentially all un-cultivated land:
    1. (rain/growth/){1,3}burn
    2. (rain/growth/){4,75}wildfire
    3. (rain/growth/){76,}apocalyptic firestorm

    Notice that burn|wildfire|firestorm is a necessary consequent to
    'rain/growth'.

    Of course, you can always eliminate 'rain', hence eliminating 'growth'
    and 'fire', but then you get an Atacama-like desert.

    So if we intend to continue living here in Southern California, I vote
    for option #1.

    https://www.theguardian.com/us-news/2019/nov/21/wildfire-prescribed-burns-california-native-americans

    "For more than 13,000 years, the Yurok, Karuk, Hupa, Miwok, Chumash and hundreds of other tribes across California and the world used small
    intentional burns to renew local food, medicinal and cultural resources,
    create habitat for animals, and reduce the risk of larger, more dangerous *wild* fires."

    "The Spanish were the first California colonizers to prevent the indigenous people from burning the land. In 1850, the US government passed the Act for Government and Protection of Indians, which *outlawed intentional burning*
    in California even before it was a state."

    "Early National Forest Service officials considered "the Indian way" of "light-burning" to be a *primitive*, 'essentially destructive theory'."

    "For native people, the land is a renewing resource, and they feel a responsibility to keep it healthy. Light, frequent burning of the forest understory maintains oak tree health ... Fire clears and maintains prairie landscapes as habitat for elk and deer, and visibility through the dense
    woods for hunting them."

    https://en.wikipedia.org/wiki/Native_American_use_of_fire_in_ecosystems

    "When first encountered by Europeans, many ecosystems were the result of repeated fires every *one to three years,* resulting in the replacement of forests with grassland or savanna, or opening up the forest by removing undergrowth."

    "By the time that European explorers first arrived in North America,
    millions of acres of 'natural' landscapes were already manipulated and maintained for human use. *Fires indicated the presence of humans to many European explorers and settlers arriving on ship.*"

    "By the 17th century, native populations were on the verge of collapse due
    to the introduction of European diseases (such as smallpox) and widespread epidemics (the flu) against which the indigenous peoples had no
    immunity. ... As Native people were forced off their traditional landbases
    or killed, traditional land management practices were abandoned."

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.23
    ************************
