[continued from previous message]
higher, demanding fairly stringent precautions. COVID testing, in
particular, is done regularly, and often very frequently, regardless of how many cases turn up.
Testing for the movie industry is done at private labs, so as not to affect
lab capacity for the public health system. However, even so, the testing is "reportable," and thus the numbers make their way into public figures. The demands of the movie industry are such that 4-5,000 tests may be done daily,
at a time when the public testing capacity is about 16,000 tests per day.
Since the movie industry definitely "overtests," the movie numbers
artificially depress the overall positivity rate. Our positivity rate in BC may actually be twice what the published figures show.
------------------------------
Date: Mon, 16 Nov 2020 17:01:11 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Mac certificate check stokes fears that Apple logs every app you
run (Ars Technica)
Amid concern that macOS logs app usage in real time, Apple issues assurances.
https://arstechnica.com/gadgets/2020/11/mac-certificate-check-stokes-fears-apple-logs-every-app-you-run/
------------------------------
Date: Mon, 16 Nov 2020 15:42:54 -0800
From: Kent Borg <kentborg@borg.org>
Subject: Two-Factor Eggs in One Basket
A friend of mine got the newest Iphone. Being latest and greatest he wants
it to be all 5G-est, too, and that part isn't working right. Word is he
needed a different SIM, and I don't follow all the details.
Anyway, at this point some Verizon person probably needs to walk through network settings to fix something set wrong. Okay.
But my friend takes covid-19 seriously and doesn't want to go to the
store. Okay, smart.
I'm sure he could go through the settings by phone call.
Nope: My friend hopped on the two-factor bandwagon and Verizon won't talk to him without texting him aboard their two-factor ritual, and he says that doesn't work with the new SIM. Sure, he could put in the old SIM where it
does work, but he needs to debug the 5G SIM…
I've always thought two-factor was a great idea for really high value
accounts, with lots of talented high end support at the ready, but I don't understand why people think it scales to everyone for everything.
------------------------------
Date: Wed, 18 Nov 2020 12:19:16 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: 'Most Secure' U.S. Election Not Without Problems
Lucas Ropek, *Government Technology*, 16 Nov 2020
via ACM TechNews, Wednesday, November 18, 2020
Although federal officials declared the 2020 presidential election the "most secure in American history," there were still technical problems. Alleged software glitches caused mistakes in vote tabulation for both presidential
and local races in certain counties, while some communities suffered
temporary miscounts due to clerical errors. Threats of foreign interference appear to have been countered by greater vigilance and stronger
cyberdefenses by watchdogs like the Cybersecurity and Infrastructure
Security Agency, and multi-stakeholder collaboration and information
sharing. However, disinformation and misinformation have continued to fuel polarization of the electorate. Former ACM president Barbara Simons urges greater transparency and committed investment in auditable machinery as top priorities, along with curtailing the use of paperless voting machines.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28148x226823x070792&
------------------------------
Date: Tue, 17 Nov 2020 15:43:35 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Election Security Experts Contradict Trump's Voting Claims
(Nicole Perlroth)
Nicole Perlroth, *The New York Times*, 16 Nov 2020
Election Security Experts Contradict Trump's Voting Claims
https://www.nytimes.com/2020/11/16/business/election-security-letter-trump.html
Fifty-nine of the country's top computer scientists and election security experts rebuked President Trump's baseless claims of voter fraud and hacking
on Monday, writing that such assertions are ``unsubstantiated or are technically incoherent.''
The rebuttal, in a letter to be published on various websites, did not
mention Mr. Trump by name but amounted to another forceful corrective to the torrents of disinformation that he has posted on Twitter. ``Anyone
asserting that a U.S. election was *rigged* is making an extraordinary
claim, one that must be supported by persuasive and verifiable evidence.''
In the absence of evidence, they added, it is simply `speculation'. ``To
our collective knowledge, no credible evidence has been put forth that
supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise,'' they wrote. [...]
------------------------------
Date: Mon, 16 Nov 2020 12:18:26 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Blockchain Voting Risks Undetectable Nation-Scale Failures
(Stilgherrian)
Stilgherrian, ZDNet, 16 Nov 2020
via ACM TechNews, Monday, November 16, 2020
A study by Massachusetts Institute of Technology (MIT) researchers labeled assertions that Internet- and blockchain-based voting would boost election security "misleading," adding that they would "greatly increase the risk of undetectable, nation-scale election failures." The MIT team analyzed
previous research on the security risks of online and offline voting
systems, and found blockchain solutions are vulnerable to scenarios where election results might have been erroneously or deliberately changed. The
MIT researchers proposed five minimal election security mandates: ballot secrecy to deter intimidation or vote-buying; software independence to
verify results with something like a paper trail; voter-verifiable ballots, where voters themselves witness that their vote has been correctly recorded; contestability, where someone who spots an error can persuade others that
the error is real; and an auditing process.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28090x22672ex070514&
------------------------------
Date: Tue, 17 Nov 2020 07:22:00 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Did you know that Dominion's voting software "Allows staff to
adjust tally based on review of scanned ballot images"? (Twitter)
https://twitter.com/CodeMonkeyZ/status/1328342166007992323
So there would be a record if anything was changed.
PGN Response:
If you believe audit records cannot be hacked, we are still offering the Brooklyn Bridge at a huge discount.
On the other hand, the DREs of a decade ago when we were fighting the lack
of an audit trail did not even pretend to have a meaningful audit trail.
------------------------------
Date: Fri, 13 Nov 2020 14:39:51 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: What happens when you test TCL TV's
[Henry's two contributions to this issue were longer than the rest of
the issue. I have seriously foreshortened both. If you want the full
story for the first one, please ask Henry to send it to you. The second
has a URL for the PGN-ed text. PGN]
The Chinese have us by their Ten TCL's :-)
You really have to read this TCL 'Smart' TV vulnerability report all the way through; you don't have to be a Linux wizard to start laughing, and it gets better and better as you read!
I don't know which is scarier: the vulnerabilities themselves, or the lack
of response from TCL together with a sneaky 'silent' update to 'fix' these (wink, wink) 'bugs'.
I knew there was a reason why I never enabled the Internet connection on my 'smart' TV; I allow HDMI only.
Previews:
"Port 22 open and allowing SSH access as root:root out of the box"
"When in the history of your career... Have you ever needed to serve the
entire filesystem... over http?"
TCL me, Elmo!!
https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/
Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World's 3rd Largest TV Manufacturer.
------------------------------
Date: Mon, 16 Nov 2020 09:03:04 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: 'Cheating detection' goes full Orwell during pandemic
I've heard of the 'school-to-prison pipeline', but I had no idea how short
this pipeline had become...
I think they may possibly have misspelled "proctoring" when they referred to contacting a back door into your computer. :-)
Drew Harwell, *The Washington Post*
Cheating-detection companies made millions during the pandemic. Now
students are fighting back. [...]
https://www.msn.com/en-us/news/us/cheating-detection-companies-made-millions-during-the-pandemic-now-students-are-fighting-back/ar-BB1aX8Qa
------------------------------
Date: 13 Nov 2020 20:04:19 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: How to F Up an Airport, including What It's Like to Stress-Test
Berlin's Brand New Airport (Goldberg)
The Radio Spätkauf podcast has a five part series called "How to F*
Up an Airport" on the bizarre and sad history of the new Berlin airport.
Many of the failures were due to political interference and a staggering
level of arrogance and incompetence, but a certain amount is technical, such
as the fact that physics tells us that if you increase the size of the terminal, the ventilation requirements and particularly the emergency smoke removal ventilation do not scale linearly. Or that it is not a good idea to cram power and signal wires into the same undersized pipe.
It includes a segment about the dress rehearsal described in the Atlas
Obscura page. They said it included plenty of very bad coffee.
https://player.fm/series/how-to-feuk-up-an-airport
------------------------------
Date: Fri, 13 Nov 2020 21:46:10 -0500
From: Chuck Jackson <clj@jacksons.net>
Subject: Re: Facial recognition used to identify Lafayette Square
protester accused of assault (Levine, RISKS-32.37)
Here's a quote (emphasis added) from *The Washington Post* article on this event:
After the demonstration, Park Police tracked him through Twitter and sent
the image to the Maryland-National Capital Park Police in Prince George's
County, which ran it through NCRFRILS, returning Michael Joseph Peterson
Jr. as a possible match, the court documents state. *Authorities said they
also found a backpack at the scene of the protests containing Peterson's
ID.*
Apparently, he took off leaving his driver's license behind.
------------------------------
Date: Fri, 13 Nov 2020 21:23:14 -0600
From: Charles Cazabon <charlesc-risks-digest@pyropus.ca>
Subject: Re: CPU-Heat Sink Thermal Paste Effectiveness (Stein, RISKS-32.37)
(1) No AMD Ryzen processor from the Ryzen 5, Ryzen 7, or Ryzen 9 families, whether from the 1st-gen 1000 series, 2nd-gen 2000-series, 3rd-gen 3000
series, or the new 5000 series requires liquid cooling. All are perfectly capable of working at their full specified speeds with a quality air cooler; all but the most recent top-spec versions shipped with such a cooler. They
can typically be overclocked, and they will overclock better with liquid cooling, but it is by no means necessary.
(2) Pretty much any substance with a significant amount of water in it will transfer heat effectively from a CPU to its heatsink (*); CPU cooling is
simply not a particularly demanding application. The advantages in quality heatsink thermal compounds are not in efficacy, but in other areas - less "creep" out of the joints, easier application, longer life without drying
out, etc.
(*) Dan Rutter of dansdata.com famously did a comparison in 2002 of various thermal compounds, from cheap white zinc-based thermal paste to fancy silver-loaded silicone formulations, to toothpaste (!) and vegemite (!!).
http://www.dansdata.com/goop.htm
------------------------------
Date: Mon, 16 Nov 2020 22:32:18 -0700
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Subject: Re: Whale Sculpture Stops Train From Plunge in the Netherlands
(RISKS-32.37)
It was only a fluke that the driver wasn't killed.
[But "a fluke" is also a fish, which the whale is not. PGN]
It was just a fluke it landed on a fluke, which is a tail of a whale, and nobody was killed, so it's a whale of a tale about "Whale Tails", which is named a fluke as well as called a fluke.
[Also a parasitic worm, and a barb on an anchor, arrow, harpoon, hook,
etc. Anyone care to take this any further in those directions: limerick
perhaps?
See also Whale sculpture catches crashed Dutch metro train:
https://www.bbc.com/news/world-europe-54780430
]
------------------------------
Date: Wed, 18 Nov 2020 13:43:53 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Re: "Did you know that Dominion's voting software "Allows staff to
adjust tally based on review of scanned ballot images"? (RISKS-32.38)
So there would be a record if anything was changed.
If you believe audit records cannot be hacked, we are still offering the Brooklyn Bridge at a huge discount.
On the other hand, the DREs of a decade ago when we were fighting the
lack of an audit trail did not even pretend to have a meaningful audit trail.
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume/previous directories
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 32.38
************************