[continued from previous message]

<https://twitter.com/NotableMercuri>. PGN]

------------------------------

Date: Thu, 03 Sep 2020 21:13:50 -0400
From: malcolm@carlock.com
Subject: Re: For Election Administrators, Death Threats Have Become Part
of the Job (ProPublica, RISKS-32.24)

Election officials have been dealing with death threats for a very long
time, probably (where democracy existed) for thousands of years.

Over a century ago, New York's Tammany Hall machine hired gang members to intimidate voters, political opponents and election officials. The laws
they pushed through to "inadvertently" empower the gangs are still on the
books today.

https://nypost.com/2012/01/16/the-strange-birth-of-nys-gun-laws/

If millions of voters fear or form a distaste for dealing with "correct
voting enforcement" at the polls, does that create a RISK of a candidate
being elected with only a tiny percentage of the population actually voting?

https://www.cityandstateny.com/articles/politics/campaigns-and-elections/de-blasio-voter-turnout-2017.html

------------------------------

Date: Sun, 6 Sep 2020 12:55:06 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Court Approves Warrantless Surveillance Rules While Scolding FBI

The release of a newly declassified ruling follows a separate decision by an appeals court that a defunct National Security Agency program was illegal.

https://www.nytimes.com/2020/09/05/us/politics/court-approves-warrantless-surveillance-rules-while-scolding-fbi.html

------------------------------

Date: Tue, 01 Sep 2020 01:14:43 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Blanked-Out Spots On China's Maps Helped Us Uncover Xinjiang's
Camps (Buzzfeed)

https://www.buzzfeednews.com/article/alison_killing/satellite-images-investigation-xinjiang-detention-camps

"Our breakthrough came when we noticed that there was some sort of issue
with satellite imagery tiles loading in the vicinity of one of the known
camps while using the Chinese mapping platform Baidu Maps. The satellite imagery was old, but otherwise fine when zoomed out -- but at a certain
point, plain light gray tiles would appear over the camp location. They disappeared as you zoomed in further, while the satellite imagery was
replaced by the standard gray reference tiles, which showed features such as building outlines and roads."

------------------------------

Date: Wed, 2 Sep 2020 20:55:23 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How Four Brothers Allegedly Fleeced $19 Million From Amazon (WiReD)

The scheme involved 7,000 $94 toothbrushes, according to law enforcement.

According to the indictment, the brothers swapped ASINs for items Amazon ordered to send large quantities of different goods instead. In one
instance, Amazon ordered 12 canisters of disinfectant spray costing
$94.03. The defendants allegedly shipped 7,000 toothbrushes costing $94.03 each, using the code for the disinfectant spray, and later billed Amazon for over $650,000.

In another instance, Amazon ordered a single bottle of designer perfume for $289.78. In response, according to the indictment, the defendants sent 927 plastic beard trimmers costing $289.79 each, using the ASIN for the
perfume. Prosecutors say the brothers frequently shipped and charged Amazon
for more than 10,000 units of an item when it had requested fewer than
100. Once Amazon detected the fraud and shut down their accounts, the
brothers allegedly tried to open new ones using fake names, different email addresses, and VPNs to obscure their identity. “Open account under dummy names and they can go look for no one,” Yoel allegedly wrote on WhatsApp in the fall of 2018.

https://www.wired.com/story/how-four-brothers-allegedly-fleeced-19-million-amazon/

Nobody matches what's received/billed against what's ordered?

------------------------------

Date: Thu, 3 Sep 2020 18:03:24 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A critical flaw is affecting thousands of WordPress sites (WiReD)

Hackers have been exploiting the vulnerability, which is now patched: Users should update to File Manager version 6.9 ASAP.

https://www.wired.com/story/a-critical-flaw-is-affecting-thousands-of-wordpress-sites/

------------------------------

From: the keyboard of geoff goodfellow <geoff@iconia.com>
Date: Wed, 2 Sep 2020 12:32:25 -1000
Subject: Is Your Chip Card Secure? Much Depends on Where You Bank (EPAM)

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of
malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep. [...] https://www.epam.com/about/newsroom/in-the-news/2020/is-your-chip-card-secure-much-depends-on-where-you-bank

------------------------------

Date: Mon, 31 Aug 2020 14:50:31 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: The Brain Implants That Could Change Humanity (NYTimes)

https://www.nytimes.com/2020/08/28/opinion/sunday/brain-machine-artificial-intelligence.html

Moises Velasquez-Manoff explores and discusses brain computer interface
(BCI) technology, experiments, and ethics. The essay presents a thought-provoking tour de force of active BCI research largely sponsored by corporations to augment future revenue capture. The proverbial "Google cap"
may one-day substitute for the mouse and keyboard to facilitate brain read/write operations: brain wave transliteration into digital commands and emotive/intellectual idea stimulus without lifting a finger or batting an eyelid.

Medical justification for neural stimulator implant research is established
for patients suffering from paralysis, Parkinson's or Alzheimer's Disease,
and certain severe compulsive disorders (drug, alcohol) abuse that have
limited or no effective pharmaceutical interventions. Significant risks are attributed to implanted medical devices especially neural stimulators (see https://catless.ncl.ac.uk/Risks/32/22#subj12 for instance).

BCI capabilities become spooky and privacy-invasive when reading (interpolating/extrapolating) and/or writing (injecting/compositing) human brainwaves to facilitate consumer convenience. This sentiment is especially true given myopic corporate leadership that emphasizes casual consumer "user experience" over therapeutic use.

The essay also discusses potential national security implications of this technology, and foresees an BCI-race among superpowers for strategic
advantage.

BCI ethics are discussed:

"When I asked Facebook about concerns around the ethics of big tech entering the brain-computer interface space, Mr. Chevillet, of Facebook Reality Labs, highlighted the transparency of its brain-reading project. 'This is why
we've talked openly about our B.C.I. research -- so it can be discussed throughout the neuroethics community as we collectively explore what responsible innovation looks like in this field,' he said in an email.

"Ed Cutrell, a senior principal researcher at Microsoft, which also has
a B.C.I. program, emphasized the importance of treating user data
carefully. 'There needs to be clear sense of where that information
goes,' he told me. 'As we are sensing more and more about people, to
what extent is that information I'm collecting about you yours?'

"Some find all this talk of ethics and rights, if not irrelevant, then
at least premature.

"Medical scientists working to help paralyzed patients, for example, are already governed by HIPAA laws, which protect patient privacy. Any new
medical technology has to go through the Food and Drug Administration
approval process, which includes ethical considerations."

HIPAA enforcement measures are ineffective: they neither sufficiently
penalize nor deter hyper-sensitive data-trove breach. See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/2019-december/index.html
for summary enforcement actions through DEC2019.

BCI technology constitutes interdisciplinary work: creative and
thrilling, a cutting-edge chance-of-a-lifetime to "make a difference."

Despite professional membership and allegiance to ethical codes of
conduct, scientists and engineers routinely participate on projects with
little concern about product or result end-use. Most appear content to
accept the idea that end-use decisions are "above my payscale."

Regular readers of this forum know that to maintain a secret, don't
write it down and save into a computer, especially a cloud-connected
one. BCI capabilities bypass manually-engaged interfaces, secrets can be
recorded surreptitiously, or ideas imbued without veto. Human wetware read/write occurs with false-negative/positive outcome probability of
success or failure.

Widespread introduction of BCIs into the consumer marketplace
(entertainment, education, transportation, etc.) WITHOUT regulatory
safeguards and strict enforcement of privacy and data protection
standards would represent a perfidious act against privacy rights. A BCI license, a safeguard to own/operate, should become mandatory and
required via qualifying exam or certification of purpose regardless of read-only or read/write-enabled product capability. A warning label, in
big RED text, might also state: "Product use may induce severe physical
and emotional harm including, but not limited to: trauma, anxiety,
convulsion, compulsiveness, paralysis, orgasm, constipation,
incontinence, day dream, nightmare, hunger, thirst,..."

Some earlier submissions that touch on BCI can be found by searching
comp.risks for {fMRI, brain wave ai} yields:

1) https://catless.ncl.ac.uk/Risks/14/42#subj5.1 (1993)
2) https://catless.ncl.ac.uk/Risks/17/70#subj5.1 (1996)
3) https://catless.ncl.ac.uk/Risks/29/60#subj13.1
4) https://catless.ncl.ac.uk/Risks/29/63#subj46.1
5) https://catless.ncl.ac.uk/Risks/29/64#subj12.1
6) https://catless.ncl.ac.uk/Risks/29/73#subj7.1
7) https://catless.ncl.ac.uk/Risks/30/40#subj10.1

------------------------------

From: geoff goodfellow <geoff@iconia.com>
Date: Sat, 29 Aug 2020 13:53:07 -1000
Subject: Neuralink: Elon Musk unveils pig he claims has computer implant in
brain (The Guardian)

Billionare entrepreneur presented animal during a live-stream event to
recruit workers for his neuroscience startup

The tech entrepreneur Elon Musk on Friday showed off a pig whose brain he
says has been implanted with a small computer.

``We have a healthy and happy pig, initially shy but obviously high energy
and, you know, kind of loving life, and she's had the implant for two
months,'' Musk said of Gertrude, the pig.

The billionaire entrepreneur, whose other companies include Tesla and
SpaceX, presented during a live-stream event to recruit employees for his neuroscience startup Neuralink. He described Gertrude's coin-sized implant
as *Fitbit in your skull with tiny wires*.

Musk co-founded Neuralink in 2016 with the goal of creating a wireless brain-machine interface, something scientists hope can help cure
neurological conditions and allow people with paralysis to control a
computer mouse. [...] https://www.theguardian.com/technology/2020/aug/28/neuralink-elon-musk-pig-computer-implant

------------------------------

Date: Sun, 30 Aug 2020 16:36:43 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: New parking technology aims to manage curb space virtually
(WashPost)

Washington DC is the first U.S. city to test a system that sends real-time information about curbside parking availability to delivery drivers -- a
move its developer hopes will make food deliveries more efficient and reduce driver stress.

In addition to telling drivers whether space is available, the system also sends information about the size of available spots so drivers can tell
whether their vehicles will fit.

https://www.washingtonpost.com/local/trafficandcommuting/new-parking-technology-aims-to-manage-curb-space-virtually/2020/08/29/d69275f2-e881-11ea-bc79-834454439a44_story.html

What could go wrong with this? This time it's a real question -- thinking of "No good deed goes unpunished" and the Law of Unintended Consequences. I
guess we'll find out.

------------------------------

Date: Sat, 29 Aug 2020 20:48:16 -0400
From: Gene Spafford <spaf@purdue.edu>
Subject: The Pod People Campaign: Driving User Traffic via Social Networks
(Courtney Falk)

This report may be of interest to some. It is by a former student, and provides details of a puzzling threat campaign.

Date: August 28, 2020 at 21:50:32 EDT
From: Courtney Falk <courtney.falk@infinite-machines.com>
Subject: The Pod People Campaign: Driving User Traffic via Social Networks

Today I'm releasing a report that documents independent research I've done
over the last two months. I've identified infrastructure used by threat
actors across a variety of social network. The actors insert links into legitimate user profiles with the hope of redirecting users to spam
websites. Over 70 different social networks appear to be affected to
differing degrees.

I'm releasing the report and indicators on GitHub. Hopefully this improves
the health and safety of social networks and the Internet at large. Please feel free to share and distribute as you see fit. Courtney Falk

https://github.com/podpeople/podpeople

------------------------------

Date: Sun, 30 Aug 2020 08:41:19 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Re: Humans Take a Step Closer to Flying Car

In the 1880s, the first automobile was developed and about two decades
later, the Wright brothers in North Carolina invented the first successful airplane. Today, the world is closer to combining those two concepts as a Japanese tech company said it completed a manned test flight of a *flying
car*.

The company, SkyDrive, said in a news on Friday that it had release
completed a flight test using *the world's first manned testing machine*,
its SD-03 model, an electrical vertical takeoff and landing (eVTOL)
vehicle. The flight time was four minutes, the company said. <https://skydrive2020.com/archives/3506>

The aircraft has one seat and operates with eight motors and two propellers
on each corner. It lifted about 3 meters (or about 10 feet) into the air and was operated by a pilot, the company said.

Tomohiro Fukuzawa, SkyDrive's chief executive, said on Saturday that five
years ago there were various prototypes of flying cars, usually with fixed wings. SkyDrive's product, he said, was one of the most compact in size and
was lighter compared with other designs. [...] https://dnyuz.com/2020/08/29/humans-take-a-step-closer-to-flying-cars/

------------------------------

Date: Tue, 1 Sep 2020 15:41:00 +0100
From: Martin Ward <martin@gkc.org.uk>
Subject: Re: Driverless cars are coming soon followup (Bacon, RISKS-32.24)

Much more common than applying the handbrake while moving at a substantial speed (in my personal driving style at least) is the use of engine braking: reducing speed by changing down to a lower gear. I regularly do this when approaching junctions and traffic lights to avoid wear on the brake pads.
When changing down, however, I also touch the brake pedal to cause the brake lights to illuminate and indicate to any drivers behind me that I am
reducing speed.

------------------------------

Date: Mon, 31 Aug 2020 08:16:47 -0700
From: Barry Gold <BarryDGold@ca.rr.com>
Subject: Re: Tesla with Autopilot hits cop car; driver admits he was
watching a movie (RISKS-32.24)

From the Ars Technica article: Tesla could learn from Cadillac<https://arstechnica.com/cars/2018/10/tesla-autopilot-loses-to-gms-super-cruise-in-consumer-reports-ratings/>,

whose Super Cruise technology includes an eye-tracking camera that verifies that the driver is looking at the road. An eye-tracking system like this
would likely prevent incidents like Wednesday's crash in North Carolina. If
the driver had tried to watch a movie while Autopilot was engaged, the
system would have detected that he was not watching the road, warned the driver, and eventually deactivated itself.

I wonder how well that works if the driver is wearing sunglasses.

------------------------------

Date: Sat, 29 Aug 2020 20:19:31 -0700
From: "David E. Ross" <david@rossde.com>
Subject: Re: Date and time synchronization (RISKS-32.24)

John Harper asked three questions.

All three were answered in a very large (for that era) software system developed some 50+ years ago for the U.S. Air Force for operating space satellites. That software system remained in use more than 10 years beyond
its expected life time, into the 1990s. Internally, date and time were represented as elapsed TAI (atomic) minutes -- a single floating-point value combining date and time -- from a base date, which was database settable.

In the TAI time scale, there are no leap-seconds. Neither daylight savings time nor time zones exist. For display purposes, the date-time minutes
value was converted to UTC, again without daylight savings time or time
zones. The reverse conversion was also implemented for accepting user input
of date and time.

Leap-seconds are announced about 30 days in advance. We would enter the
date of a pending leap-second into the system's database before it actually occurred so that the TAI>UTC and UTC>TAI conversions would remain correct.

(Preferably, leap-seconds occur at the end of the day on either 30 June or
31 December. The standard also allows for leap-seconds at the end of the
day on 31 March or 30 September, but I do not think those two options have
ever been used. The standard limits the occurrence of leap-seconds to those four instances.)

No one at IBM understood any of this. That was unfortunate because IBM
had the contract to replace that software system in the 1990s.

------------------------------

Date: Sun, 30 Aug 2020 15:45:50 +0200
From: Terje Mathisen <terje.mathisen@tmsw.no>
Subject: Re: Date and time synchronization (RISKS-32.24)

The 0200 -- 0300 change is pretty much standard everywhere that uses
daylight savings adjustments.

I have been a member of the NTP Hackers (Network Time Protocol) team for the last 25 years, I have probably spent more time pondering these issues than
most comp.risks regulars. :-)

First, all computers should of course maintain internal time in UTC, or even better, in TAI.

That is, daylight savings and/or time zones are irrelevant to time stamps.

However, if you do have to take time stamps in local time, then you also
need to record the current time zone, which includes (at least indirectly)
the current number of leap seconds which is a proxy for the TAI-UTC
offset. So effectively you need to convert back to either UTC or TAI at the point of measurement.

Systems that do this wrong, like the default for Windows, seem to magically change all time stamps for file modification when you change time zones
and/or enter/leave a daylight savings period.

All of these issues occur after the original post about taking a glitch-free sample of a multi-element counter.

------------------------------

Date: Sun, 30 Aug 2020 10:41:56 -0500
From: "Craig S. Cottingham" <craig@cottingham.net>
Subject: Re: Dicekeys, an additional risk (Lederman, RISKS-32.24)

There seems to be quite a bit of misinformation in play with regards to how Dicekeys work and are intended to be used. I'm not sure if that misunderstanding is on the part of previous correspondents or mine, so I welcome corrections if I'm not describing Dicekeys correctly below.

1. The dice are intended to be randomized *only once*, after which they are
placed in a box which is sealed shut and only ever *read* in the
future. I don't know that the box is tamper-proof, but I suspect it is
designed to be at least tamper-evident.

2. The software which turns the state of the randomized dice into a
cryptographic secret is open source. While it *can* use an image of the
dice in the box to generate the secret, it's not *required*. You can
supply the position, orientation, and exposed faces of the dice manually.

3. One of the advisors to the team is Bruce Schneier, who should need no
introduction to RISKS readers. I assume that he was involved in designing
Dicekeys, or at least that by being associated with Dicekeys he is
indicating his confidence in its security. I do not feel qualified to vet
the security of Dicekeys myself, but I am comfortable that *he* is.

------------------------------

Date: Sun, 30 Aug 2020 21:27:26 -0500
From: Bob Wilson <wilson@math.wisc.edu>
Subject: Re: Dicekeys, an additional risk (Lederman, RISKS-32.24)

For non-techies, physical randomization may seem more secure than computer-generated. But if the dice are not extremely well made, they'll be
a bit less random than theory suggests.

No matter how well made the dice are, as they are used they will collide
with each other and slowly (or quickly, depending upon the material) become more and more deformed. This means they will become less random, and each
set of dice will become less random in a different way.

It is not so easy as that. "Random" is a very tricky word or concept. (See
how much space the Bible according to Don Knuth devotes to it!) Unless you
can say what it means and use that to decide about what actually makes the dicekeys result random, you can't be sure the wear might not make the
results MORE random, whatever that might mean! The world seems to have
gotten away from software verification these days, but verbal claims need similar calibration.

------------------------------

Date: Mon, 31 Aug 2020 01:06:13 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Greenland glacier melt (RISKS-32.24)

(Following is my opinion as a qualified forecaster and former meteorologist.)

And recently, the Jakobshavn Glacier has been found to be growing *again. https://wattsupwiththat.com/2019/06/19/if-greenland-is-catastrophically-melting-how-do-alarmists-explain-nasas-growing-greenland-glacier/

Read articles, not headlines. This article notes "This photo of a dog sled team going through some meltwater on ice in Greenland has made headlines,
but it's just a snapshot of one place", and then brings up details of a
glacier which is recently expanding.

But the Jakobshavn glacier is also just one place, which is evident from
what the article itself lists as the main reason for its expansion:
Unusually cold water off Greenland west coast. Cold water which is the
result of all other glaciers in Greenland melting away (which the article
does not mention).

It is also true that the melting ice in Greenland is not very significant globally, as it contributes to ocean rising of less than 1mm per year; but
keep in mind that Greenland is not the problem, only its symptom.

------------------------------

Date: Tue, 01 Sep 2020 13:44:50 +0100
From: David Damerell <damerell@chiark.greenend.org.uk>
Subject: Re: Greenland glacier melt (Newbury, RISKS-32.24)

[Eschenbach, 3 Aug 2019?]

Willis Eschenbach wrote much the same article in 2010 (for the same site,
which is not remotely reliable). Why, we ask, do we look at the average from 1981 to 2010 - especially in the 2019 version?

Because it neatly elides the increase. In 2009, the figure was 286 billion tonnes, over twice the 2002 figure (itself more than this average).
Depending on whether the increase is linear or not, the blithe conclusion
that it'll last forever is distinctly dubious.

The rest of the submission is the usual dodges where we find one particular glacier that's growing and conclude there's no overall problem.

The risks of using a site whose operator is dependent on conspiracy theories for his income should be obvious.

------------------------------

Date: Mon, 31 Aug 2020 11:50:39 +0100
From: John Murrell <mail@JohnMurrell.org.uk>
Subject: Re: Grading by algorithm results in UK debacle

While the downgrading of students O-Levels got all the publicity, there were also significant upgrades.

[I had to edit this a little. I hope this is correct. PGN]

In the Italian exam in one exam centre, there were two different cohorts of students. One included those who had English as a first language and who
were learning Italian as a 2nd or 3rd foreign language. The teacher and
local moderation graded these mostly as grade 4 or 5 passes.

However, due to local demographics, a lot of students who speak Italian as their first language but are living in the part of England covered by the
exam centre also sit the Italian exams to get another GCSE of hopefully high grade. As Italian is their first language, they find the exam quite easy and
in normal years get what are now grades 8 & 9.

As a result of this, the algorithm decided that the cohort of English as a first language students had been under-graded and raised their grades by
around 4 or 5 to meet the results of the Italian students at the centre.

As the higher of the algorithm or teacher awarded grades stands, there are
now a group of students who are apparently brilliant at Italian but in
reality are weak as they did not even complete all the syllabus.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.25
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)