• Risks Digest 32.38 (1/2)

    From RISKS List Owner@21:1/5 to All on Mon Nov 23 05:17:36 2020
    RISKS-LIST: Risks-Forum Digest Sunday 22 November 2020 Volume 32 : Issue 38

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.38>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    State-sponsored actors 'very likely' looking to attack electricity supply,
    says intelligence agency (CBC)
    An Engineer Gets 9 Years for Stealing $10M From Microsoft (WiReD)
    Shoppers warned against buying cheap electronics online (BBC News)
    Technology To Catch HOV Lane Violators Is Coming To Virginia (DCist)
    Migration to new CMS can go embarrassingly wrong (BBC)
    Researchers hacked a robotic vacuum cleaner to record speech and music
    remotely (Techxplore.com)
    Microsoft Is Making a Secure PC Chip with Intel and AMD's Help (WiReD)
    Internet censorship report (Rob Slade)
    Online password '123456' more popular than ever and easy to crack (CBC)
    Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs
    (The Hacker News)
    Apple to pay $113M to settle state investigation into iPhone *Batterygate*
    (WashPost)
    Privacy labeling for Apple apps (Rob Slade)
    Indistinguishability Obfuscation (WiReD)
    Why experts urge caution in using covid risk and tracking tools (WashPost)
    Functional and assurance requirements and CoVID (Rob Slade)
    Wrong GPS usual suspects First Responder avoidance (Dan Jacobson)
    Letter to Consumer Reports magazine (Gabe Goldberg)
    How the U.S. Military Buys Location Data from Ordinary Apps (Vice)
    'Bot Battle' Shows What Happens When Two AI Programs Go On a Date (Vice)
    AI is wrestling with a replication crisis (MIT Tech Review)
    The iOS Covid App Ecosystem Has Become a Privacy Minefield (WiReD)
    Metrics and CoVID (Rob Slade)
    Mac certificate check stokes fears that Apple logs every app you run
    (Ars Technica)
    Two-Factor Eggs in One Basket (Kent Borg)
    'Most Secure' U.S. Election Not Without Problems (Lukas Ropek)
    Election Security Experts Contradict Trump's Voting Claims (Nicole Perlroth)
    Blockchain Voting Risks Undetectable Nation-Scale Failures (Stilgherrian)
    Did you know that Dominion's voting software "Allows staff to adjust tally
    based on review of scanned ballot images? (Twitter)
    What happens when you test TCL TV's (Henry Baker)
    'Cheating detection' goes full Orwell during pandemic (Henry Baker)
    Re: How to F Up an Airport, including What It's Like to Stress-Test Berlin's
    Brand New Airport (John Levine)
    Re: Facial recognition used to identify Lafayette Square protester accused
    of assault (Chuck Jackson)
    Re: CPU-Heat Sink Thermal Paste Effectiveness (Charles Cazabon)
    Re: Whale Sculpture Stops Train From Plunge in the Netherlands
    (Brian Inglis)
    Re: "Did you know that Dominion's voting software "Allows staff to adjust
    tally based on review of scanned ballot images"? (PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 18 Nov 2020 19:51:24 -0700
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: State-sponsored actors 'very likely' looking to attack electricity
    supply, says intelligence agency (CBC)

    https://www.cbc.ca/news/politics/cse-threat-assesment-1.5806213

    State-sponsored actors are "very likely" trying to shore up their cyber
    capabilities to attack Canada's critical infrastructure - such as the
    electricity supply - to intimidate or to prepare for future online assaults,
    a new intelligence assessment warns.

    "As physical infrastructure and processes continue to be connected to the
    Internet, cyber threat activity has followed, leading to increasing risk to
    the functioning of machinery and the safety of Canadians," says a new
    national cyber threat assessment drafted by the Communications Security
    Establishment.

    "We judge that state-sponsored actors are very likely attempting to develop
    the additional cyber capabilities required to disrupt the supply of
    electricity in Canada."

    ------------------------------

    Date: Sun, 15 Nov 2020 23:15:45 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: An Engineer Gets 9 Years for Stealing $10M From Microsoft (WiReD)

    A former Microsoft software engineer from Ukraine has been sentenced
    <https://www.justice.gov/usao-wdwa/pr/former-microsoft-software-engineer-sentenced-nine-years-prison-stealing-more-10-million>
    to nine years in prison for stealing more than $10 million in store credit
    from Microsoft's <https://www.wired.com/tag/microsoft/> online store. From
    2016 to 2018, Volodymyr Kvashuk worked for Microsoft as a tester, placing
    mock online orders to make sure everything was working smoothly.

    The software automatically prevented shipment of physical products to
    testers like Kvashuk. But in a crucial oversight, it didn't block the
    purchase of virtual gift cards. So the 26-year-old Kvashuk discovered that
    he could use his test account to buy real store credit and then use the
    credit to buy real products. [...]

    Kvashuk has been ordered to pay $8.3 million in restitution, though it seems
    unlikely he'll ever be able to do that. The government says he may be
    deported after serving his time in prison.

    https://www.wired.com/story/an-engineer-gets-9-years-for-stealing-dollar10m-from-microsoft/
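
    The design lesson in this item is that the store's test-account control was
    a blocklist (no physical shipment) rather than deny-by-default, so a SKU
    that mints real stored value slipped through. The following is an added
    illustration, not Microsoft's store code or anything from the article; the
    catalogue, account records, SKU names and order log are constructed for the
    example. It shows the blocklist rule beside a deny-by-default rule, and an
    audit query over an order log that would have surfaced the abuse.

```python
"""Authorising purchases from test accounts: blocklist vs. deny-by-default.

Constructed illustration added to this digest item; it is not Microsoft's
store code. The catalogue, accounts and order log below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Item:
    sku: str
    kind: str          # "physical", "digital" or "gift_card" (stored value)
    price_cents: int


@dataclass(frozen=True)
class Account:
    user_id: str
    is_tester: bool


@dataclass(frozen=True)
class Order:
    order_id: str
    account: Account
    item: Item


# Constructed catalogue: one of each kind plus a zero-value SKU meant for tests.
CATALOGUE: Dict[str, Item] = {
    "CTRL-01":   Item("CTRL-01", "physical", 5999),
    "GAME-DL":   Item("GAME-DL", "digital", 2999),
    "GIFT-100":  Item("GIFT-100", "gift_card", 10000),
    "TEST-ZERO": Item("TEST-ZERO", "digital", 0),
}

TESTER = Account("tester-42", is_tester=True)
CUSTOMER = Account("cust-7", is_tester=False)


def authorize_blocklist(account: Account, item: Item) -> bool:
    """The oversight the article describes: only physical shipment is
    blocked for testers, so a gift card (real store credit) goes through."""
    if account.is_tester and item.kind == "physical":
        return False
    return True


def authorize_deny_by_default(account: Account, item: Item) -> bool:
    """Hardened rule: a tester may order only zero-priced SKUs explicitly
    marked for testing; anything that mints stored value is always refused."""
    if not account.is_tester:
        return True
    if item.kind == "gift_card":
        return False
    return item.price_cents == 0 and item.sku.startswith("TEST-")


def suspicious_tester_orders(orders: List[Order]) -> List[str]:
    """Retrospective audit over an order log: any tester order for an item
    that carries real value should never have been produced by a mock-order
    pipeline and deserves a look."""
    return [
        o.order_id
        for o in orders
        if o.account.is_tester
        and (o.item.kind == "gift_card" or o.item.price_cents > 0)
    ]


# Constructed order log for the audit function.
SAMPLE_ORDERS: List[Order] = [
    Order("o-1001", TESTER, CATALOGUE["TEST-ZERO"]),
    Order("o-1002", TESTER, CATALOGUE["GIFT-100"]),
    Order("o-1003", CUSTOMER, CATALOGUE["GIFT-100"]),
    Order("o-1004", TESTER, CATALOGUE["GAME-DL"]),
]


if __name__ == "__main__":
    gift = CATALOGUE["GIFT-100"]
    print("blocklist lets tester buy gift card:",
          authorize_blocklist(TESTER, gift))
    print("deny-by-default lets tester buy gift card:",
          authorize_deny_by_default(TESTER, gift))
    print("orders to investigate:", suspicious_tester_orders(SAMPLE_ORDERS))
```

    The point of the hardened rule is that the list of things a test account
    may do is short and explicit, so a new item kind added later (a subscription
    code, a voucher) is refused until someone consciously allows it, instead of
    being allowed until someone notices. The audit function is the compensating
    detective control: it flags tester orders that carry value whichever
    authorisation rule was in force when they were placed.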

    ------------------------------

    Date: Tue, 17 Nov 2020 16:19:38 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Shoppers warned against buying cheap electronics online (BBC News)

    A laptop that caught fire after being fitted with a battery bought on Amazon
    has prompted safety charity Electrical Safety First to warn of the dangers
    of buying cheap electronics online.

    It said that it had found "some extremely dangerous items" for sale on
    Amazon, eBay and Wish.

    The warnings were echoed by watchdog Which? and the Trading Standards
    Institute.

    The charity wants to see government legislation on the issue.

    https://www.bbc.com/news/technology-54973538

    ------------------------------

    Date: Tue, 17 Nov 2020 17:00:09 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Technology To Catch HOV Lane Violators Is Coming To Virginia
    (DCist)

    https://dcist.com/story/20/11/17/technology-hov-lane-violators-cameras-virginia/

    New Technology Allows Virginia To Verify That HOV Drivers Have The Right
    Number Of Passengers

    [Comment already there: Nowadays dolls can be so convincing. The good news
    is, you only need the top half to simulate a passenger; the bottom half
    can be reserved for other uses.]

    I hope cameras can detect objects as large as trucks which don't belong in
    Express Lanes! They're frequently there cheating and only rarely do I see
    one stopped by police.

    ------------------------------

    Date: Wed, 18 Nov 2020 07:54:52 +0100
    From: Anthony Thorn <anthony.thorn@atss.ch>
    Subject: Migration to new CMS can go embarrassingly wrong (BBC)

    On 15 Nov 2020, Radio France International (RFI) published the obituaries
    of "about 100" personages who were (are) still alive.

    Including: the Queen, Clint Eastwood, Pele, Brigitte Bardot, Ayatollah Ali
    Khamenei, Jimmy Carter, Raul Castro, Bernard Tapie...

    https://www.bbc.com/news/world-europe-54965098
    https://nypost.com/2020/11/17/french-radio-accidentally-publishes-obits-for-still-alive-celebs/

    (I hope the Queen was amused ;-)

    [Also noted by Gabe Goldberg. PGN]
    https://www.nytimes.com/2020/11/17/world/europe/france-website-obituaries.html

    ------------------------------

    Date: Wed, 18 Nov 2020 16:42:27 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Researchers hacked a robotic vacuum cleaner to record speech and
    music remotely (Techxplore.com)

    https://techxplore.com/news/2020-11-hacked-robotic-vacuum-cleaner-speech.html

    "We welcome these devices into our homes, and we don't think anything about
    it," said Roy, who holds a joint appointment in the University of Maryland
    Institute for Advanced Computer Studies (UMIACS). "But we have shown that
    even though these devices don't have microphones, we can repurpose the
    systems they use for navigation to spy on conversations and potentially
    reveal private information."

    What could be the next household device hack target for surveillance?
    Perhaps that IoT-enabled dental floss dispenser?

    ------------------------------

    Date: Thu, 19 Nov 2020 02:04:05 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Microsoft Is Making a Secure PC Chip with Intel and AMD's Help
    (WiReD)

    The Pluton security processor will give the software giant an even more
    prominent role in locking down Windows hardware.

    https://www.wired.com/story/microsoft-pluton-secure-processor/

    ------------------------------

    Date: Thu, 19 Nov 2020 09:10:55 -0800
    From: Rob Slade <rslade@gmail.com>
    Subject: Internet censorship report

    The University of Michigan has created an automated censorship measuring
    tool, Censored Planet, and has now released a report from the collected
    data.
    https://news.umich.edu/extremely-aggressive-internet-censorship-spreads-in-the-worlds-democracies/

    The tool uses public Internet servers, and measures, and reports, when
    access to Websites is blocked. Billions of measurements are taken
    automatically, and further filters analyze the data.

    The findings, presented at the 2020 ACM Conference on Computer and
    Communications Security, demonstrate that even democracies are doing
    considerable censorship, and that tools are in place for much more.

    ------------------------------

    Date: Wed, 18 Nov 2020 19:48:15 -0700
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: Online password '123456' more popular than ever and easy to crack
    (CBC)

    Maker of password manager app details worst passwords of 2020

    https://www.cbc.ca/news/business/nordpass-list-of-most-common-and-worst-passwords-1.5807089

    People are still using the most basic of Internet passwords that can be
    easily cracked, according to a database analysis by password manager
    NordPass.

    Its list of the 200 most common passwords for online accounts in 2020 was
    released after a review of nearly 275.7 million passwords.

    Coming in first was "123456," used by 2.5 million people, after landing in
    second place last year. NordPass said it has been breached more than 23.5
    million times.

    The data shows many people stubbornly cling to using weak passwords, even
    though they're the worst in terms of security.

    ------------------------------

    Date: Wed, 18 Nov 2020 12:36:23 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs

    [via Geoff Goodfellow]

    Apple is facing the heat for a new feature in macOS Big Sur that allows many
    of its own apps to bypass firewalls and VPNs, thereby potentially allowing
    malware to exploit the same shortcoming to access sensitive data stored on
    users' systems and transmit them to remote servers.

    The issue was first spotted last month by a Twitter user named Maxwell in a
    beta version of the operating system.

    "Some Apple apps bypass some network extensions and VPN Apps," Maxwell
    *tweeted* <https://twitter.com/mxswd/status/1318305284524183552>. "Maps for
    example can directly access the Internet bypassing any NEFilterDataProvider
    or NEAppProxyProviders you have running."

    But now that the iPhone maker has released the latest version of macOS to
    the public on November 12, the behavior has been left unchanged, prompting
    concerns from security researchers, who say the change is ripe for abuse.

    Of particular note is the possibility that the bypass can leave macOS
    systems open to attack, not to mention the inability to limit or block
    network traffic at users' discretion.

    According to Jamf security researcher *Patrick Wardle*
    <https://twitter.com/patrickwardle/status/1327726496203476992>, the
    company's 50 Apple-specific apps and processes have been exempted from
    firewalls like Little Snitch and Lulu.

    The change in behavior comes as Apple *deprecated support*
    <https://developer.apple.com/support/kernel-extensions/> for Network Kernel
    Extensions last year in favor of Network Extensions Framework [...]
    https://thehackernews.com/2020/11/apple-lets-some-of-its-big-sur-macos.html

    ------------------------------

    Date: Thu, 19 Nov 2020 02:13:10 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Apple to pay $113M to settle state investigation into iPhone
    *Batterygate* (WashPost)

    Apple will pay $113 million to settle an investigation by nearly three dozen
    states into the tech giant's past practice of slowing customers'
    old iPhones in an attempt to preserve their batteries.

    https://www.washingtonpost.com/technology/2020/11/18/apple-fine-battery/

    I think I filed claims for two affected phones; I also had batteries
    replaced in them for $29/each when Apple was doing that for penance.

    I have to say that this...

    That December, Apple acknowledged the practice, explaining that it had
    tweaked its technology starting a year earlier so that some older models,
    including the iPhone 6S, did not shut down unexpectedly or experience other
    malfunctions due to excessive demands on their dated batteries. The
    widespread blowback also prompted Apple to issue a public apology -- a
    rarity for the image-conscious tech giant -- and to begin offering
    battery-replacement discounts for consumers.

    ...doesn't sound entirely malign -- would shutdowns or other malfunctions
    really have been better than slowdowns? -- except it was done secretly. And
    given the huge set of Settings options, adding battery controls wouldn't
    have been burdensome. Now, at least, battery health can be user-determined
    (though apparently there are more comprehensive battery tests only Apple
    can run). And, weirdly, iPadOS doesn't display iPad battery health; you
    need the nifty/free PC/Mac utility iMazing for that.

    ------------------------------

    Date: Mon, 16 Nov 2020 11:30:07 -0800
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Privacy labeling for Apple apps

    Apple will, as of December 8th, start requiring standardized summaries of
    information gathering and privacy behaviour for new and updated apps in the
    app store. https://www.theregister.com/2020/11/06/apple_privacy_advice/ In
    the announcement, Apple referred to the summaries as being like nutritional
    labels on food, which phrase seems to have caught the media's imagination.

    Details of the requirements are given at
    https://developer.apple.com/app-store/app-privacy-details/ The "labels"
    don't seem to be that far removed from the "permissions" that Android apps
    list, and don't give that much more information about collection.

    Having recently created a presentation on differential privacy, it strikes
    me that this is one of the first outcomes of Apple's grand announcement of
    its commitment to the technology in 2016. Differential privacy does allow
    for some version of metrics for privacy, but so far it has been a rather
    academic exercise.

    This announcement doesn't push it much further.

    ------------------------------

    Date: Mon, 16 Nov 2020 11:47:19 -0800
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Indistinguishability Obfuscation (WiReD)

    https://www.wired.com/story/computer-scientists-achieve-the-crown-jewel-of-cryptography/

    First reaction: this sounds very much like trying to build a Bell and
    LaPadula [Multilevel-secure] computer. It sounds like the type of formal
    and theoretical abstraction that is useful as an exercise, but seldom
    results in an actual, useful, working device. I am, again, reminded of
    differential privacy: some great ideas, but the outcomes that people tend
    to actually present are less than earth-shattering, in reality.

    Second reaction: although the article seems to be reasonably detailed,
    there simply isn't enough information on iO in there to make any real
    assessment.

    ------------------------------

    Date: Tue, 17 Nov 2020 11:28:09 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Why experts urge caution in using covid risk and tracking tools
    (WashPost)

    https://www.washingtonpost.com/lifestyle/wellness/understanding-risk-covid-tracker-tools/2020/11/13/95adb654-2504-11eb-952e-0c475972cfc0_story.html

    "Instead of relying on any one tool, Landon recommended people use multiple
    data sources to help with decisions and reference community and federal
    resources. The CDC recently updated its guidance for Thanksgiving
    gatherings, suggesting many ways for people to celebrate the holiday
    without putting themselves or their loved ones at increased risk.

    "'If you unknowingly spread covid to higher-risk individuals in your
    family, there's no do-over for that,' Landon said."

    Confronting a go/no-go choice based on imperfect information is an age-old
    problem.

    Second opinions can be helpful, but if their recommendations differ? Choose
    a 3rd, and accept a "best two-out-of-three" result?

    A deficit of civil forbearance appears to sustain COVID-19 pandemic waves in
    the US. A commonsense vaccine to replenish diminished public trust is
    urgently needed.

    ------------------------------

    Date: Tue, 17 Nov 2020 08:12:18 -0800
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Functional and assurance requirements and CoVID

    With the recent surges in CoVID-19 cases (pretty much everywhere), parents
    have become (understandably) concerned about the welfare and safety of their
    children, particularly at school. There have been widespread calls for
    school closures, or, at the very least, mandatory mask wearing for all staff
    and students. However, looking at the situation in terms of both functional
    and assurance requirements demonstrates that these concerns are
    unnecessary, or, at least, misplaced.

    First let's look at the functional requirements. For the most part,
    controls against the pandemic are still basic and widely known. But they
    are problematic in regard to schools. Isolation is the most effective.
    However, classrooms are too few, and too small, for completely effective
    isolation. Desktop and other barrier systems are possibly expensive and
    time-consuming to construct and install in many places, and, in any case,
    are limited at best. Distance learning carries its own set of problems.
    Handwashing is good, and, particularly in the younger grades, you can really
    get students to buy into it. But it's not complete. (And forget trying to
    get teenagers to do it regularly.) And any teacher knows that telling kids,
    especially in the primary grades, to keep physically distant from each other
    is just not going to work. (Actually, if you tell students in the primary
    grades that it's a game, that their friends are radioactive, and that if
    they get close enough for their outstretched hand to touch their friends'
    outstretched hands they'll both explode, it'd probably work. It's the
    teenagers who seem to think that social distancing means six inches.) And
    I've written elsewhere about masks, but it is difficult to get kids,
    particularly younger kids, to wear them consistently and properly.

    However, when we look at assurance requirements, we find a much different
    picture. One of the assurance requirements is detailed contact tracing,
    looking at where, how, and in what situations the infection actually (as
    opposed to theoretically) does spread. Part of this, of course, gives us
    information about which controls actually do work. But often it just gives
    us information about risk levels. And, even in these "resurgent" times,
    schools are not dangerous places.

    Detailed contact tracing has demonstrated that the number of actual
    transmissions of the infection in schools is startlingly small, given the
    problems we have just looked at with functional requirements and controls.
    In British Columbia, while general case numbers jumped from 5,000 to over
    20,000, there were only three outbreaks in schools, and, in those outbreaks,
    it seems to be impossible to prove that any infections actually took place
    *at* school. Schools do seem to reflect the prevalence of the case numbers,
    and, during this surge, exposure events at schools have increased, but cases
    of actual transmission seem to be vanishingly small.

    Unfortunately, we do not yet have enough data to know exactly why this is
    the case. It may be that children, particularly young children, have
    differences in their immune systems that make them less susceptible to the
    coronavirus, but that would not explain why there are almost no cases of
    student to teacher transmission. It may be that, despite the problematic
    nature of the functional controls, the fact that children are better at
    "sticking to the rules" means that the layered defence works better than in
    adults (who often seem to think that wearing a mask means you can neglect
    all the other safeguards). At this point we still don't know enough to
    explain it.

    There are other things that the assurance requirement of detailed contact
    tracing can demonstrate, but not explain. We have seen that transmission in
    restaurants is low, but transmission in bars is very much higher. Why is
    that the case? The two situations are very similar. Bars do the same level
    of cleaning as restaurants, and often have the same capacity limitations.
    Alcohol is served at restaurants as well as bars. But bars have higher
    transmission rates. In fact, the data even shows that transmission rates,
    in both bars *and* restaurants, are higher after 10 pm than before. Why? Is
    it just because patrons are drunker (and drunk people make worse decisions
    about sticking to the rules)? We can't yet explain why, but we do know that
    it is the case.

    In security, we often pursue functional requirements and neglect assurance.
    After all, it is functional requirements that direct us to technologies and
    systems and processes that keep us safe. But it is assurance requirements
    that tell us whether the technologies and systems and processes actually
    *do* keep us safe, or whether we are wasting resources on controls that
    don't actually do anything for us. We need that assurance.

    ------------------------------

    Date: Mon, 16 Nov 2020 23:15:43 +0800
    From: Dan Jacobson <jidanni@jidanni.org>
    Subject: Wrong GPS usual suspects First Responder avoidance

    Today I noticed that my friends' cell phones' GPS all show the same wrong
    place when not fully warmed up. Year in and year out.

    So that got me thinking, there must be about one of these points every few
    kilometers.

    So all rescue departments need to do is keep a list of them. Then, say,
    someone calls in "Help me, I'm at xxx.xxx,yyy.yyy," the First Responders
    could reply, "Give your GPS a few more minutes to warm up, then call us
    back."

    Actually they don't need a full list. All they need is the algorithms of
    how those points are arrived at. Yes, they are like 12.000 for 12.345, but
    "binary". Sure, different chips have different algorithms. And maybe AGPS
    is involved, etc. OK, now generate a list for your local area.

    So next time somebody calls in with one of those suspect coordinate pairs,
    right down to the millimeter, just tell them to take a deep breath...

    ------------------------------

    Date: Sun, 15 Nov 2020 15:28:06 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Letter to Consumer Reports magazine

    Your December TV ratings data includes "Data privacy" and "Data security"
    columns not mentioned in text. Those deserve explanation, along with advice
    for enhancing privacy/security. Such as not connecting "smart" TVs to the
    Internet. I don't, and my large-screen TV works just fine, handling cable,
    DVD, and Roku content. I avoid the TV snooping or compromising anything and
    don't miss the TV's remote voice control feature since I use a universal
    remote to control ALL devices. The TV whines occasionally that it longs to
    go online but I don't let it -- thus also avoiding problems with unneeded
    software updates. TVs should be TVs, not computers.

    ------------------------------

    Date: Mon, 16 Nov 2020 12:44:23 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: How the U.S. Military Buys Location Data from Ordinary Apps

    *A Muslim prayer app with over 98 million downloads is one of the apps
    connected to a wide-ranging supply chain that sends ordinary people's
    personal data to brokers, contractors, and the military.* [...]
    https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x

    ------------------------------

    Date: Mon, 16 Nov 2020 12:55:11 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: 'Bot Battle' Shows What Happens When Two AI Programs Go On a Date
    (Vice)

    To test its superiority, one AI company put out a call for tech firms to
    challenge their AI bot head-to-head.

    What happens when two AI programs go on a date? Well, apparently, a few
    stumbles, a lot of flattery, and one, ``It is exciting that I get to kill
    people'' comment.

    AI company Pandorabots, Inc. and Facebook AI have gone head-to-head in a
    ``Bot Battle'' for the ages. Streamed on Twitch, the two programs
    interacted with each other for three weeks straight. Viewers were able to
    vote on which company's mascot they believe held conversation the best.
    Pandorabot's Kuki, a female embodied agent sporting a neon bob haircut, won
    in a landslide victory picking up 78 percent of the vote. Her opponent was
    Facebook's Blenderbot, who sports a ``Make Facebook Great Again'' hat in
    true Zucker-bro style.

    Pandorabots created the competition to put their program on display, a
    Medium post by Kuki's creator, Steve Worswick, explains. ``We are planning
    to get more bots -- and some humans! -- into the arena to hang with
    Kuki. We will also continue to iterate and update the avatars," he wrote.

    During the battle, which drew more than 400,000 views during the three-week
    stream, the bots talked about everything from the election to an in-depth
    history of Pac-Man. The two even gave an attempt at making jokes. Remember,
    the conversation was completely autonomous from human involvement and the
    bots are running day and night. Still, at best the conversation was
    followable and somewhat complex. At times it turned into a staring contest
    where nothing was said. Many of the silences were awkward. And other times
    the conversation completely derailed into a splurge of courteous
    compliments. [...]

    https://www.vice.com/en/article/5dpbaz/bot-battle-shows-what-happens-when-two-ai-programs-go-on-a-date

    ------------------------------

    Date: Sun, 15 Nov 2020 11:00:02 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: AI is wrestling with a replication crisis (MIT Tech Review)

    *Tech giants dominate research but the line between real breakthrough and
    product showcase can be fuzzy. Some scientists have had enough.*

    Last month Nature published a damning response
    <https://www.nature.com/articles/s41586-020-2766-y> written by 31 scientists
    to a study from Google Health
    <https://www.nature.com/articles/s41586-019-1799-6> that had appeared in
    the journal earlier this year. Google was describing successful trials of
    an AI that looked for signs of breast cancer in medical images. But
    according to its critics, the Google team provided so little information
    about its code and how it was tested that the study amounted to nothing
    more than a promotion of proprietary tech.

    ``We couldn't take it anymore,'' says Benjamin Haibe-Kains, the lead author
    of the response, who studies computational genomics at the University of
    Toronto. ``It's not about this study in particular -- it's a trend we've
    been witnessing for multiple years now that has started to really bother
    us.''

    Haibe-Kains and his colleagues are among a growing number of scientists
    pushing back against a perceived lack of transparency in AI research.
    ``When we saw that paper from Google, we realized that it was yet another
    example of a very high-profile journal publishing a very exciting study
    that has nothing to do with science,'' he says. ``It's more an
    advertisement for cool technology. We can't really do anything with it.''

    Science is built on a bedrock of trust, which typically involves sharing
    enough details about how research is carried out to enable others to
    replicate it, verifying results for themselves. This is how science
    self-corrects and weeds out results that don't stand up. Replication also
    allows others to build on those results, helping to advance the field.
    Science that can't be replicated falls by the wayside.

    At least, that's the idea. In practice, few studies are fully replicated
    because most researchers are more interested in producing new results than
    reproducing old ones. But in fields like biology and physics--and computer
    science overall--researchers are typically expected to provide the
    information needed to rerun experiments, even if those reruns are rare.

    Ambitious noob...

    [...] https://www.technologyreview.com/2020/11/12/1011944/artificial-intelligence-replication-crisis-science-big-tech-google-deepmind-facebook-openai/

    ------------------------------

    Date: Fri, 13 Nov 2020 18:29:40 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The iOS Covid App Ecosystem Has Become a Privacy Minefield (WiReD)

    An analysis of nearly 500 Covid-related apps worldwide shows major
    differences in how much data they expect you to give up.

    The results show that only 47 of that subset of 359 apps use Google and
    Apple's more privacy-friendly exposure-notification system, which restricts
    apps to only Bluetooth data collection. More than six out of seven
    Covid-focused iOS apps worldwide are free to request whatever privacy
    permissions they want, with 59 percent asking for a user's location when in
    use and 43 percent tracking location at all times. Albright found that 44
    percent of Covid apps on iOS asked for access to the phone's camera, 22
    percent of apps asked for access to the user's microphone, 32 percent asked
    for access to their photos, and 11 percent asked for access to their
    contacts.

    https://www.wired.com/story/covid-19-ios-apps-privacy/

    I guess it wants to check whether your photo has been near a photo of
    someone with Covid.

    ------------------------------

    Date: Tue, 17 Nov 2020 06:01:53 -0800
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Metrics and CoVID

    Another security lesson from CoVID is in regard to metrics. Those who have
    tried to create security metrics will know, all too well, how difficult it
    is to choose those that are actually useful, rather than just being
    collections of numbers. (Brotby and Hinson's PRAGMATIC acronym is very
    helpful in providing guidance.)

    Among the various statistics that CoVID has generated, such as case rates,
    new cases, doubling time of cases, hospitalization rates, et cetera, one
    single number that has been consistently useful is the positivity rate.
    This is the number of cases confirmed, divided by the total tests done.
    Donald Trump to the contrary, while there are a number of additional factors
    to consider, it seems to be generally felt that a positivity rate of about
    two percent is probably reasonable. Any lower, and it is likely that you
    are testing too many people too indiscriminately, and wasting money and
    resources. Any higher, and it is likely that you aren't testing enough, and
    that cases are, or shortly will be, increasing. Positivity has proven
    itself "Relevant" from the PRAGMATIC list.

    Recently, in British Columbia, we have seen how difficult it may be to keep
    such metrics "Meaningful" and "Accurate."
    BC, often known as "Hollywood North," is home to a thriving and active film
    industry. If you are a fan of Hallmark romances and mysteries, and other
    such "made for TV" fare, chances are very good that they were shot here.
    (When Gloria and I watch them, it is often as much to play "spot the
    location" as to follow the plots.) This is especially true now during the
    pandemic, when BC has been a relatively safe place to do film shoots. There
    are, of course, a number of restrictions to keep filmmaking safe, some
    imposed by local health authorities, and some required by unions,
    particularly from the US and places where the case rates have been much

    [continued in next message]
