RISKS-LIST: Risks-Forum Digest Tuesday 25 August 2020 Volume 32 : Issue 23
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <
http://www.risks.org> as
<
http://catless.ncl.ac.uk/Risks/32.23>
The current issue can also be found at
<
http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Grading by algorithm results in UK debacle (Adam Satariano)
Surge staff and electronic records (Health in AU)
Commissioner of FDA admits he provided false information about COVID-19
treatment (MedicalXpress)
Profs and loss - China is killing academic freedom in Hong Kong China
(The Economist)
A Chrome feature is creating enormous load on global root DNS servers
(Ars Technica)
Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over His TikTok
Executive Order (Reason.com)
COVID-19 When Less is More (The Atlantic)
Re: Fiddling with the environment (A Michael W Bacon)
Re: Driverless cars are coming soon followup (Peter Houppermans)
Re: Date and time synchronization (Terje Mathisen)
Re: Washington Postal workers defy USPS orders and re-install mail,
sorting machines (Jack Christensen)
Re: Dicekeys (Arthur T.)
Re: Why Does California Have So Many Wildfires? (Henry Baker)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 25 Aug 2020 15:55:05 PDT
From: "Peter G. Neumann" <
neumann@csl.sri.com>
Subject: Grading by algorithm results in UK debacle (Adam Satariano)
Adam Satariano, *The New York Times*, National Edition, 21 Aug 2020
(60% of Page A10, PGN-ed)
*Automation pitfalls hit poor hardest.
Scores are thrown out, but damage is already done.*
The British government used a computer-generated score to replace exams that were canceled due to Covid-19. This resulted in nearly 40% of students in England having their earned A-level exam grades lowered. By the time the policy was changed, many students had lost their accepted university slots.
The new score ``included in its calculations a school's past performance on tests and a student's earlier results on `mock' exams.''
``Critics say the experience shows the risks ahead as more sophisticated
tools like artificial intelligence become available and companies pitch them
to public agencies.''
[My own oversimplified summary is that this seems to have been another
risk of government oversimplification, bordering on a combination of
naivety, stupidity, and possible political motives. A colleague suggests
that this is because the government was horribly afraid that students
might get marks they *didn't deserve* -- preferring to throw away any
actual data from the schools, and just manufacture a curve. Although not
really addressed in Satariano's article, the new score seems to have been
a reaction to the loss of international students resulting from COVID-19.
But it is also just one more example of a short-sighted policy that
trusted an artificially questionable algorithm to replace human
intelligence. Furthermore, The effects on disadvantaged students have
been very profound. PGN]
------------------------------
Date: Tue, 25 Aug 2020 11:40:20 +1000
From: James Cameron <
quozl@laptop.org>
Subject: Surge staff and electronic records (Health in AU)
At an aged care facility in Sydney, pandemic surge staff did not know how to use the electronic resident-record system, which led to diminished care both inside the facility and by local doctors outside the facility.
https://www.health.gov.au/sites/default/files/documents/2020/08/newmarch-house-covid-19-outbreak-independent-review-newmarch-house-covid-19-outbreak-independent-review-final-report.pdf
(page 21)
------------------------------
Date: Tue, 25 Aug 2020 09:59:02 -0700
From: Lauren Weinstein <
lauren@vortex.com>
Subject: Commissioner of FDA admits he provided false information about
COVID-19 treatment (MedicalXpress)
https://medicalxpress.com/news/2020-08-health-touting-false-plasma.html
------------------------------
Date: Tue, 25 Aug 2020 08:29:42 +0900
From:
farber@gmail.com
Subject: Profs and loss - China is killing academic freedom in Hong Kong
China (The Economist)
https://www.economist.com/china/2020/08/23/china-is-killing-academic-freedom-in-hong-kong
------------------------------
Date: Tue, 25 Aug 2020 12:33:43 -0400
From: Monty Solomon <
monty@roscom.com>
Subject: A Chrome feature is creating enormous load on global root DNS
servers (Ars Technica)
A Chrome feature is creating enormous load on global root DNS servers
https://arstechnica.com/gadgets/2020/08/a-chrome-feature-is-creating-enormous-load-on-global-root-dns-servers/
Chromium's impact on root DNS traffic
https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/
------------------------------
Date: Tue, 25 Aug 2020 16:38:44 -0400
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: Mike Godwin, the Creator of Godwin's Law, Is Suing Trump Over
His TikTok Executive Order (Reason.com)
Godwin: "I know what moral panics look like; they look kind of like this."
https://reason.com/2020/08/24/mike-godwin-the-creator-of-godwins-law-is-suing-trump-over-his-tiktok-executive-order/
------------------------------
Date: Mon, 24 Aug 2020 22:28:23 -0400
From: Sheldon <
sheldon10101@gmail.com>
Subject: COVID-19 When Less is More (The Atlantic)
https://www.theatlantic.com/health/archive/2020/08/how-to-test-every-american-for-covid-19-every-day/615217/
The Plan That Could Give Us Our Lives Back
The U.S. has never had enough coronavirus tests. Now a group of epidemiologists, economists, and dreamers is plotting a new strategy to
defeat the virus, even before a vaccine is found.
... In the past several weeks, he [Michael Mina, a professor of epidemiology
at Harvard], has become an evangelist for a total revolution in how the
U.S. controls the pandemic. Instead of restructuring daily life around the American way of testing, he argues, the country should build testing into
the American way of life.
The wand that will accomplish this feat is a thin paper strip, no longer
than a finger. It is a coronavirus test. Mina says that the U.S. should mass-produce these inexpensive and relatively insensitive tests -- unlike
other methods, they require only a saliva sample -- in quantities of tens of millions a day. These tests, which can deliver a result in 15 minutes or
less, should then become a ubiquitous part of daily life. Before anyone
enters a school or an office, a movie theater or a Walmart, they must take
one of these tests. Test negative, and you may enter the public space. Test positive, and you are sent home. In other words: Mina wants to test nearly everyone, nearly every day.
The tests Mina describes already exist: They are sitting in the office of
e25 Bio, a small start-up in Cambridge, Massachusetts; half a dozen other companies are working on similar products. But implementing his vision will require changing how we think about tests. These new tests are much less sensitive than the ones we run today, which means that regulations must be relaxed before they can be sold or used. Their closest analogue is rapid dengue-virus tests, used in India, which are manufactured in a quantity of
100 million a year. Mina envisions nearly as many rapid COVID-19 tests being manufactured a day. Only the federal government, acting as customer and controller, can accomplish such a feat. [...]
[Companies in India have developed a fancier version of a standalone
COVID-19 test which is being sold for 450 rupees ($6). This test uses the
swab up the nose until you sneeze and has a nice cassette and is harder to
use than the test from e25 bio. About half the tests in India use these $6 antigen tests. Sadly, there's a fair amount of push back on using these
tests rather than PCR.] There is no way that school kids will tolerate a
daily swab up your nose until you scream.
To begin to learn more start at rapidtests.org.
------------------------------
Date: Tue, 25 Aug 2020 08:37:35 +0100
From: A Michael W Bacon <
amichaelwbacon@gmail.com>
Subject: Re: Fiddling with the environment (Stein, RISKS-32.22)
In RISKS-32.22, Richard Stein wonders what will become of Florida's release
of a genetically engineered mosquito intended to combat Dengue Fever.
It's likely that the law of unintended consequences will have effect, and
that with the clarity of hindsight many will say the effect was totally predictable.
[With Greenland undergoing massive irreversible glacier melt, we can
expect a corresponding effect of fiddling while Nome burned. PGN]
------------------------------
Date: Tue, 25 Aug 2020 11:49:42 +0200
From: Peter Houppermans <
peter@houppermans.net>
Subject: Re: Driverless cars are coming soon followup (RISKS-32.22)
There's more where that came from..
Competition between car makers to see who can provide us the most
distraction moves the industry in exactly the wrong direction!
In their apparent desire to attach more bells and whistles to what used to
be eminently sane concepts, there is also this trend to make indicators more fancy (at least in Europe where they're separate from brake lights) by implementing them as an animated strip of LEDs that *grows* by lighting more and more of them.
The problem: this delays signal awareness.
A car's brake and turn signals are there to inform other road users that something is about to happen that may represent a risk. It is not even possible to brake without brake lights flaring, but turn indicators are
manual, and apparently still considered optional by whole tribes of road
users.
In the past, LED brake lights were even sold as options on the premise that
it gave drivers more time to react as they light quicker. However, these *swelling* indicator lights do the exact opposite: they delay the moment by which the signal imparts a warning to other road users' situational
awareness. I deem them a triumph of fashion over safety fundamentals.
------------------------------
Date: Tue, 25 Aug 2020 13:11:04 +0200
From: Terje Mathisen <
terje.mathisen@tmsw.no>
Subject: Re: Date and time synchronization (Robinson, RISKS-32.22)
You are going to get a *lot* of responses to this one, the idea is sound but the implemented logic is completely broken. :-(
Here is the procedure:
1. Get time.
2. Get date.
3. If the hour is not 11 (for systems that preformat time to AM/PM) or is
not 23, exit procedure, date and time are synchronized and nothing more
needs to be done.
Since we read time first, then date, the date might have ticked over and now
we have 2020-08-25T00:00:00 while the time read happened at 2020-08-24T23:59:59. Combining them results in 2020-08-24T00:00:00 which is
of course wrong.
The easiest fix for all such "read two counters as one atomic operation" is
to start by reading the slow one, then the fast one and then the slow one again, i.e. the date here. If the two dates are equal then we are done, otherwise read the time again and return that value together with the second date.
You can of course read both counters every time and then return the second
pair only if the dates are different, this has the small but sometimes
useful benefit of being constant time as long as the return first pair vs second pair is handled with conditional moves or other branchless code.
4. Get the time again
5. Get the date again.
If we always read both variables twice, then we can even use the suggested order by returning the first pair unless the second time is less than the first, i.e. it wrapped around, and then we return the second pair.
hms1 = gettime();
ymd1 = getdate();
hms2 = gettime();
ymd2 = getdate();
hms = (hms2 < hms1)? hms2 : hms1;
ymd = (hms2 < hms1)? ymd2 : ymd1;
------------------------------
Date: Mon, 24 Aug 2020 19:29:57 -0400
From: Jack Christensen <
christensen.jack.a@gmail.com>
Subject: Re: Washington Postal workers defy USPS orders and re-install mail,
sorting machines (RISKS-32.22)
It would be interesting to know exactly what the "risks to the public in computers and related systems" are perceived to be in this item. One cannot help but wonder whether the item was submitted to Risks with some political motivation. Our expectation should be that submissions to Risks be held to a higher standard. Cheap political demagoguery is available anywhere.
I propose the following test for RISKS submissions. If "risks to the public
in computers and related systems" can be said to exist, then we should be
able to imagine one or more solutions, *that when applied to said computers
or related systems*, could possibly address the issue.
In the linked article, there seems to be no hint of this sort of
technological issue. Certainly mail sorting machines must be computerized,
but these days most everything is, so that in itself is too low a standard
to be useful.
------------------------------
Date: Tue, 25 Aug 2020 11:42:49 -0400
From: "Arthur T." <
Risks202008.6.atsjbt@xoxy.net>
Subject: Re: Dicekeys (RISKS-32.22)
There is much to like about the Dicekeys concept, but there's also much to criticize. (Note: I am neither a mathematician nor a security professional.)
For me, any inaccuracy makes everything else questionable. My calculations show 2^194 rather than 2^196 possibilities. Each die has 6 sides and 4 orientations of the top for 24 possibilities. So there are 24^25 outcomes of rolling all of them. Order counts, so multiply by 25 factorial. Log base 2
of that number is just over 193.66. I'm not sure where he's getting the
extra bits of randomness reported.
For non-techies, physical randomization may seem more secure than computer-generated. But if the dice are not extremely well made, they'll be
a bit less random than theory suggests. Techies will easily find cryptographically secure random number generators, and 59 digits yields
about 2^196 bits (as does a 32-character string made up of upper case, lower case, numbers, and 8 symbols).
If you want a very long-term master password, you want to be able to back up its generator. You can do that by taking a picture of the dice box, but then you're no more (or less) secure than you were with non-physical keys. If you generate a long number or symbol key, you can print a more standard bar code that doesn't require trusting someone else's special programming. And then a secure hash hides your original number. I expect that readers for
general-use bar codes will be around for a long time, whereas I'd worry
about the longevity of the special-use scanner developed for Dicekeys.
So I admire the concept and the work and thought that went into making it a real product. But I won't be a customer, and I wouldn't recommend it to
anyone I know. In addition to the above considerations, computer-generated random numbers are free.
------------------------------
Date: Tue, 25 Aug 2020 07:54:29 -0700
From: Henry Baker <
hbaker1@pipeline.com>
Subject: Re: Why Does California Have So Many Wildfires? (NYTimes)
This NYTimes article hasn't a clue.
The short answer is: *fire SUPPRESSION* and too few *controlled burns*.
As a resident of Southern California for ~40 years and having lived in the vicinity of at least 40 wildfires, I've studied this issue a bit.
The white colonists who destroyed the indigenous native American way of life were 'know-it-alls' who never comprehended the clever and quite efficient
fire management strategies of these 'primitive' people, and the folly of our 'expert' mismanagement of the ecosystem in the past 300 years has sown the seeds of our wildfire problems today.
Here in Southern California, you only get the following (egrep) choices
for annual behavior for essentially all un-cultivated land:
1. (rain/growth/){1,3}burn
2. (rain/growth/){4,75}wildfire
3. (rain/growth/){76,}apocalyptic firestorm
Notice that burn|wildfire|firestorm is a necessary consequent to
'rain/growth'.
Of course, you can always eliminate 'rain', hence eliminating 'growth'
and 'fire', but then you get an Atacama-like desert.
So if we intend to continue living here in Southern California, I vote
for option #1.
https://www.theguardian.com/us-news/2019/nov/21/wildfire-prescribed-burns-california-native-americans
"For more than 13,000 years, the Yurek, Karuk, Hupa, Miwok, Chumash and hundreds of other tribes across California and the world used small
intentional burns to renew local food, medicinal and cultural resources,
create habitat for animals, and reduce the risk of larger, more dangerous *wild* fires."
"The Spanish were the first California colonizers to prevent the indigenous people from burning the land. In 1850, the US government passed the Act for Government and Protection of Indians, which *outlawed intentional burning*
in California even before it was a state."
"Early National Forest Service officials considered "the Indian way" of "light-burning" to be a *primitive*, 'essentially destructive theory'."
"For native people, the land is a renewing resource, and they feel a responsibility to keep it healthy. Light, frequent burning of the forest understory maintains oak tree health ... Fire clears and maintains prairie landscapes as habitat for elk and deer, and visibility through the dense
woods for hunting them."
https://en.wikipedia.org/wiki/Native_American_use_of_fire_in_ecosystems
"When first encountered by Europeans, many ecosystems were the result of repeated fires every *one to three years,* resulting in the replacement of forests with grassland or savanna, or opening up the forest by removing undergrowth."
"By the time that European explorers first arrived in North America,
millions of acres of 'natural' landscapes were already manipulated and maintained for human use. *Fires indicated the presence of humans to many European explorers and settlers arriving on ship.*"
"By the 17th century, native populations were on the verge of collapse due
to the introduction of European diseases (such as smallpox) and widespread epidemics (the flu) against which the indigenous peoples had no
immunity. ... As Native people were forced off their traditional landbases
or killed, traditional land management practices were abandoned."
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From:
RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<
http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume/previous directories
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<
http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 32.23
************************
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)