• Risks Digest 32.35 (2/2)

    From RISKS List Owner@21:1/5 to All on Mon Nov 2 22:35:43 2020
    [continued from previous message]

    It's the kind of mistake that could happen to anyone -- but is especially inconvenient coming so close to the election.

    Cryptocurrency Scammers Hack Donald Trump's Campaign Website

    In other "Republicans compromised by avoidable scam" news, hackers managed
    to alter Donald Trump's campaign website, albeit for less than 30 minutes.
    The hackers made the dubious claim that they had accessed "internal and
    secret conversations" relating to Trump, along with links to send them
    Monero cryptocurrency. Defacing a website is a far cry from actually hacking
    a candidate, though, and it seems unlikely that this amounts to anything
    more than an act of digital vandalism.

    https://www.wired.com/story/wisconsin-gop-email-scam-ransomware-security-news/

    ------------------------------

    Date: Sun, 1 Nov 2020 19:54:06 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: New 'Media Manipulation Casebook' from Harvard teaches how to
    detect misinformation campaigns (WashPost)

    And other lessons on spotting fake news from the News Literacy Project.

    https://www.washingtonpost.com/education/2020/10/28/new-media-manipulation-casebook-harvard-teaches-how-detect-misinformation-campaigns/

    ------------------------------

    Date: Fri, 30 Oct 2020 08:44:07 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: How a fake persona laid the groundwork for a Hunter Biden
    conspiracy deluge (NBC News)

    https://www.nbcnews.com/tech/security/how-fake-persona-laid-groundwork-hunter-biden-conspiracy-deluge-n1245387?cid=sm_npd_nn_tw_ma

    ------------------------------

    Date: Fri, 30 Oct 2020 15:39:30 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: NSA Pot calling Chinese Kettle Black ()

    No way the NSA would do that! Huawei?
    Black ops matter!

    Do we really want unelected NSA spooks to be purposely sabotaging our
    cybersecurity? And with code that *will* be repurposed by other state
    actors and criminals into weapons and ransomware used against U.S.
    companies and citizens?

    The NSA deliberately inserting vulnerabilities into U.S. products is
    completely equivalent to the so-called "gain-of-function" virus research
    (Google it) that the U.S. accuses China of performing, because there is no
    way to control the "blowback" against both friends and enemies.

    "NSA now requires that before a back door is sought, the agency must weigh
    the potential fallout and arrange for some kind of *warning* if the back
    door gets discovered and manipulated by adversaries."

    Ha! Both the CIA and NSA have already had their "Oh Shit!" moments due to
    their cyberweapons being exposed and repurposed against the U.S.

    A mere "warning" won't be sufficient.

    https://www.reuters.com/article/uk-usa-security-congress-insight/spy-agency-ducks-questions-about-back-doors-in-tech-products-idINKBN27D1DP

    https://www.cnbc.com/2020/10/28/spy-agency-ducks-questions-about-back-doors-in-tech-products.html

    Joseph Menn, Reuters
    Spy agency ducks questions about 'back doors' in tech products

    SAN FRANCISCO (Reuters) - The U.S. National Security Agency is rebuffing
    efforts by a leading Congressional critic to determine whether it is
    continuing to place so-called back doors into commercial technology
    products, in a controversial practice that critics say damages both
    U.S. industry and national security.

    The NSA has long sought agreements with technology companies under which
    they would build special access for the spy agency into their products,
    according to disclosures by former NSA contractor Edward Snowden and
    reporting by Reuters and others.

    These so-called back doors enable the NSA and other agencies to scan large
    amounts of traffic without a warrant. Agency advocates say the practice has
    eased collection of vital intelligence in other countries, including
    interception of terrorist communications.

    The agency developed new rules for such practices after the Snowden leaks
    in order to reduce the chances of exposure and compromise, three former
    intelligence officials told Reuters. But aides to Senator Ron Wyden, a
    leading Democrat on the Senate Intelligence Committee, say the NSA has
    stonewalled on providing even the gist of the new guidelines.

    "Secret encryption back doors are a threat to national security and the
    safety of our families -- it's only a matter of time before foreign hackers
    or criminals exploit them in ways that undermine American national
    security," Wyden told Reuters. "The government shouldn't have any role in
    planting secret back doors in encryption technology used by Americans."

    The agency declined to say how it had updated its policies on obtaining
    special access to commercial products. NSA officials said the agency has
    been rebuilding trust with the private sector through such measures as
    offering warnings about software flaws.

    "At NSA, it's common practice to constantly assess processes to identify
    and determine best practices," said Anne Neuberger, who heads NSA's
    year-old Cybersecurity Directorate. "We don't share specific processes and
    procedures."

    Three former senior intelligence agency figures told Reuters that the NSA
    now requires that before a back door is sought, the agency must weigh the
    potential fallout and arrange for some kind of warning if the back door
    gets discovered and manipulated by adversaries.

    The continuing quest for hidden access comes as governments in the United
    States, the United Kingdom and elsewhere seek laws that would require tech
    companies to let governments see unencrypted traffic. Defenders of strong
    encryption say the NSA's sometimes-botched efforts to install back doors in
    commercial products show the dangers of such requirements.

    Critics of the NSA's practices say they create targets for adversaries,
    undermine trust in U.S. technology and compromise efforts to persuade
    allies to reject Chinese technology that could be used for espionage,
    since U.S. gear can also be turned to such purposes.

    In at least one instance, a foreign adversary was able to take advantage of
    a back door invented by U.S. intelligence, according to Juniper Networks
    Inc, which said in 2015 its equipment had been compromised. In a previously
    unreported statement to members of Congress in July seen by Reuters,
    Juniper said an unnamed national government had converted the mechanism
    first created by the NSA. The NSA told Wyden staffers in 2018 that there
    was a "lessons learned" report about the Juniper incident and others,
    according to Wyden spokesman Keith Chu.

    "NSA now asserts that it cannot locate this document," Chu told Reuters.
    NSA and Juniper declined to comment on the matter.

    JUNIPER'S COMPROMISE

    The NSA has pursued many means for getting inside equipment, sometimes
    striking commercial deals to induce companies to insert back doors, and in
    other cases manipulating standards - namely by setting processes so that
    companies unknowingly adopt software that NSA experts can break, according
    to reports from Reuters and other media outlets.

    The tactics drew widespread attention starting in 2013, when Snowden
    leaked documents referencing these practices.

    Tech companies that were later exposed for having cut deals that allowed
    backdoor access, including security pioneer RSA, lost credibility and
    customers. Other U.S. firms lost business overseas as customers grew wary
    of the NSA's reach.

    All of that prompted a White House policy review.

    "There were all sorts of 'lessons learned' processes," said former White
    House cybersecurity coordinator Michael Daniel, who was advising
    then-president Barack Obama when the Snowden files erupted. A special
    commission appointed by Obama said the government should never "subvert"
    or "weaken" tech products or compromise standards.

    The White House did not publicly embrace that recommendation, instead
    beefing up review procedures for whether to use newly discovered software
    flaws for offensive cyber-operations or get them fixed to improve defense,
    Daniel and others said.

    The secret government contracts for special access remained outside of the
    formal review.

    "The NSA had contracts with companies across the board to help them out,
    but that's extremely protected," said an intelligence community lawyer.

    The starkest example of the risks inherent in the NSA's approach involved
    an encryption-system component known as Dual Elliptic Curve, or Dual EC.
    The intelligence agency worked with the Commerce Department to get the
    technology accepted as a global standard, but cryptographers later showed
    that the NSA could exploit Dual EC to access encrypted data.

    RSA accepted a $10 million contract to incorporate Dual EC into a widely
    used web security system, Reuters reported in 2013. RSA said publicly that
    it would not have knowingly installed a back door, but its reputation was
    tarnished and the company was sold.

    Juniper Networks got into hot water over Dual EC two years later. At the
    end of 2015, the maker of Internet switches disclosed that it had detected
    malicious code in some firewall products. Researchers later determined
    that hackers had turned the firewalls into their own spy tool by altering
    Juniper's version of Dual EC.

    Juniper said little about the incident. But the company acknowledged to
    security researcher Andy Isaacson in 2016 that it had installed Dual EC as
    part of a "customer requirement," according to a previously undisclosed
    contemporaneous message seen by Reuters. Isaacson and other researchers
    believe that customer was a U.S. government agency, since only the U.S. is
    known to have insisted on Dual EC elsewhere.

    Juniper has never identified the customer, and declined to comment for
    this story.

    Likewise, the company never identified the hackers. But two people
    familiar with the case told Reuters that investigators concluded the
    Chinese government was behind it. They declined to detail the evidence
    they used.

    The Chinese government has long denied involvement in hacking of any
    kind. In a statement to Reuters, the Chinese foreign ministry said
    that cyberspace is "highly virtual and difficult to trace. It is
    extremely irresponsible to make accusations of hacker attacks without
    complete and conclusive evidence. At the same time, we also noticed
    that the report mentioned that it was the U.S. intelligence agency -
    the National Security Agency - that created this backdoor technology."

    NERVOUS COMPANIES

    Wyden remains determined to find out exactly what happened at Juniper and
    what has changed since as the encryption wars heat up.

    This July, in previously unreported responses to questions from Wyden and
    allies in Congress, Juniper said that an unidentified nation was believed
    to be behind the hack into its firewall code but that it had never
    investigated why it installed Dual EC in the first place.

    "We understand that there is a vigorous policy debate about whether and how
    to provide government access to encrypted content," it said in a July
    letter. "Juniper does not and will not insert back doors into its products
    and we oppose any legislation mandating back doors."

    A former senior NSA official told Reuters that many tech companies remain
    nervous about working covertly with the government. But the agencies'
    efforts continue, the person said, because special access is seen as too
    valuable to give up.

    Reporting by Joseph Menn; editing by Jonathan Weber and Edward Tobin

    ------------------------------

    Date: Wed, 28 Oct 2020 08:42:14 +0000
    From: Julian Bradfield <jcb@inf.ed.ac.uk>
    Subject: Re: How does Google's monopoly hurt you? (RISKS-32.34)

    Back in 2008, Brent Simmons published That New Sound, about The Clash's
    London Calling. Here's a challenge: Can you find either of these with
    Google? Even if you read them first and can carefully conjure up
    exact-match strings, and then use the site: prefix? I can't. [...]

    Google t bray lou reed animal
    and you are taken straight to the review.

    Google "Brent Simmons" "That New Sound"
    and you are taken straight to the review.

    There, that wasn't hard, was it?

    Whether Bray's complaint was ever true, it isn't now.

    ------------------------------

    Date: Wed, 28 Oct 2020 15:00:34 +0000 (GMT)
    From: David Alexander <davidalexander440@btinternet.com>
    Subject: Re: Air Force updates code on plane mid-flight (Baker, RISKS-32.34))

    Henry Baker wonders what code could be updated on an airframe dating back
    to the 1950s when computers wouldn't fit into an aircraft, especially one
    as small as a U2. It's quite simple, newsflash -- they updated it, and more
    than once. Aircraft receive modifications periodically, some for safety
    reasons (e.g., Boeing 737 Max) and some for performance improvement -- for
    flight, fighting, longevity, sensing or survival.

    When I signed the F700 for an RAF airframe before strapping it on back in
    the late 70s and 80s they regularly had an entry documenting an
    update/upgrade of some sort that the 'driver, airframe' needed to be aware
    of. When I got back and signed the airframe in I had to make note of
    anything I thought needed attention before anyone else took it skywards
    ("don't worry Chiefy, you can buff that out...").

    Sensor packages get better, computers get smaller and lighter and
    technology moves on. Making those changes and integrating technology
    brings benefits but also might create all sorts of risks that have been
    discussed many times before on this list. I won't repeat the list or
    approaches for treating them when you can search the archive.

    It's not just built-in computing power either. There is a (long) interview
    <https://www.youtube.com/watch?v=4o4XJystc_8> with a U2 pilot on YouTube
    where he describes the use of an iPad for navigational purposes, using
    Foreflight and checking the weather.

    [I'm sure Peter Ladkin will have much more to say on the subject.]

    ------------------------------

    Date: Wed, 28 Oct 2020 18:07:30 -0400
    From: Dick Mills <dickandlibbymills@gmail.com>
    Subject: Re: UK national police computer down for 10 hours after
    engineer pulled the plug (RISKS-32.34)

    "it is at once hard and easy to believe that such a critical system could
    be vulnerable to total failure through the action of one person "switching
    it off"."

    I can easily imagine an even bigger outcry if other certain systems were
    found to be impossible to switch off by the actions of a single person.

    ------------------------------

    Date: Wed, 28 Oct 2020 18:59:08 -0400
    From: Sam Steingold <sds@gnu.org>
    Subject: Re: Censorship or Sensibility? (Gold, RISKS-32.34)

    If a company that owns newspaper delivery trucks doesn't want to deliver
    newspapers with a story its owners don't like, that's their privilege.
    And the newspapers can decide not to use that company any more.

    Alas, today all the newspaper delivery trucks are owned by Facebook,
    Twitter and Google. In this oligopoly environment, your argument does not
    apply.

    "Freedom of the press belongs to the man who owns the press." Same
    with the delivery company.

    Precisely.

    "unique legal benefits": those same legal benefits protect Reddit and 4chan
    and Tumblr, and a BBS that I help moderate and several "furry" that I use,
    all of which include some sexually-oriented material. I think section 230
    of the Communications Decency Act is the greatest boon to free speech ever
    passed by Congress. (And to think it appeared in a law that attempted to
    impose censorship on the Internet...)

    I think the exact opposite.

    CDA230 created a 3rd option for communications providers: in addition to
    "wire providers" (think ATT: no control over content, no responsibility for
    it) and "information providers" (think CNN: full control over content, full
    responsibility), we now have FB/Twitter/Google who have full control and no
    responsibility.

    How about applying CDA230 only to _small_ players?
    If you have more than 10% of all US users, you cannot censor content.
    If you want to censor content, split up the company.

    Facebook outright ``has monopoly power in the market for social
    networking,'' and that power is ``firmly entrenched and unlikely to be
    eroded by competitive pressure'' from anyone at all due to `high entry
    barriers' including strong network effects, high switching costs, and
    Facebook's significant data advantage -- that discourage direct
    competition by other firms to offer new products and services.

    Okay, so FB has a lot of economic power. Why? Because they have been highly
    successful in satisfying consumer demand for a place to talk to each other.

    I should note that there are a lot of very rich Republicans. I would guess
    that over 75% of billionaires lean Conservative in their views. Let them
    take some of their money and start right-slanted competitors to Facebook
    and Twitter. It's not cheap, but it's well within the reach of any ten
    billionaires, and if they do it right they might get even richer in the
    process.

    Gab tried, and is being suppressed by the existing infrastructure.

    In a marketplace ruled by monopolies, the standard libertarian free
    market arguments do not apply.

    That's what the competition in the marketplace is supposed to be about. If
    the "barrier to entry" is simply that you need to invest some money, that
    is no barrier in an age when the US alone has over 500 billionaires, over
    2,000 worldwide.

    No, the barrier to entry is "preferential attachment" (as in random graph
    theory). In the computer communication space the marginal cost of an
    additional user is 0, and the benefit for a user of an existing user base
    is huge ("everyone is on twitter, so who will I talk to on gab?"). This
    leads to monopolies: Google, FB, Twitter have no competitors in their
    respective core spaces. (The only competition is in the area of AI
    personal assistants and the political message of all the offerings is
    virtually identical.)

    ------------------------------

    Date: Thu, 29 Oct 2020 02:44:14 +0800
    From: Dan Jacobson <jidanni@jidanni.org>
    Subject: Re: More on erroneous Alexa/third-party data provider
    evacuation notices in Boulder County, Colorado (RISKS-32.34)

    My case is I am at home in Firstburg, with my cellphone connected to a tower
    in Secondburg, and I am getting warnings meant for Thirdsburg.

    Because that part of Thirdsburg is too far away from Thirdsburg Town Hall,
    all those addresses have been, by the government, by "temporary
    arrangement" changed to Secondburg. Yup, within that remote part of
    Thirdsburg all the house addresses say Secondburg in their names, not
    Thirdsburg.

    However, actually changing the boundaries is too scary for the elected
    officials. So the informal arrangement persists, despite my protests to
    them that those boring boundaries stored in geographical information
    systems do affect real life.

    And there is no way to disable (Taiwan) "Presidential level" cellphone
    warnings, beyond "airplane mode".

    OK, let's say one day they fix the situation, and I start getting the
    Secondburg warnings that I deserve.

    But my house is in Firstburg in the first place.

    OK, then they should be sending me messages for where my house is
    registered, not what cell tower I am connected to.

    But wait, what if today I am at a friend's home in Secondburg, and a
    disaster is approaching?

    OK, (automatically) subscribe me to warnings for both where I am and
    where I live. And be sure to say the area name in the warning.

    ------------------------------

    Date: Thu, 29 Oct 2020 18:29:09 +0000
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: Why cars are more "fragile": more technology has reduced
    robustness (Drewe, RISKS-32.32)

    Wols Lists <antlists@youngman.org.uk>
    aiui, UK law defines a "historic vehicle" as one over 25 years old
    ... these cars are exempt from tax, they're now exempt from the MOT

    Actually it is over *40* years old, and there must have been no
    "substantial changes" made to the vehicle in the last 30 years, for
    example replacing the chassis, body, axles or engine to change the way
    the vehicle works:

    https://www.gov.uk/historic-vehicles

    ------------------------------

    Date: Wed, 28 Oct 2020 13:26:21 +1100
    From: 3daygoaty <threedaygoaty@gmail.com>
    Subject: Re: F-35s and Teslas? (Re: RISKS-32.34)

    F-35 crashes and Tesla self-drive deployed?

    It's perhaps a risk that Teslas don't have an eject feature when the CPU is overloaded?

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.35
    ************************
