Risks Digest 32.38 (2/2)

    From RISKS List Owner@21:1/5 to All on Mon Nov 23 05:17:36 2020
    [continued from previous message]

    higher, demanding fairly stringent precautions. COVID testing, in
    particular, is done regularly, and often very frequently, regardless of
    how many cases turn up.

    Testing for the movie industry is done at private labs, so as not to affect
    lab capacity for the public health system. However, even so, the testing
    is "reportable," and thus the numbers make their way into public figures.
    The demands of the movie industry are such that 4-5,000 tests may be done
    daily, at a time when the public testing capacity is about 16,000 tests per
    day. Since the movie industry definitely "overtests," the movie numbers
    artificially depress the overall positivity rate. Our positivity rate in BC
    may actually be twice what the published figures show.

    ------------------------------

    Date: Mon, 16 Nov 2020 17:01:11 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Mac certificate check stokes fears that Apple logs every app you
    run (Ars Technica)

    Amid concern that macOS logs app usage in real time, Apple issues assurances.

    https://arstechnica.com/gadgets/2020/11/mac-certificate-check-stokes-fears-apple-logs-every-app-you-run/

    ------------------------------

    Date: Mon, 16 Nov 2020 15:42:54 -0800
    From: Kent Borg <kentborg@borg.org>
    Subject: Two-Factor Eggs in One Basket

    A friend of mine got the newest iPhone. Being latest and greatest he wants
    it to be all 5G-est, too, and that part isn't working right. Word is he
    needed a different SIM, and I don't follow all the details.

    Anyway, at this point some Verizon person probably needs to walk through
    network settings to fix something set wrong. Okay.

    But my friend takes covid-19 seriously and doesn't want to go to the
    store. Okay, smart.

    I'm sure he could go through the settings by phone call.

    Nope: My friend hopped on the two-factor bandwagon and Verizon won't talk
    to him without texting him aboard their two-factor ritual, and he says that
    doesn't work with the new SIM. Sure, he could put in the old SIM where it
    does work, but he needs to debug the 5G SIM…

    I've always thought two-factor was a great idea for really high value
    accounts, with lots of talented high end support at the ready, but I don't
    understand why people think it scales to everyone for everything.

    ------------------------------

    Date: Wed, 18 Nov 2020 12:19:16 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: 'Most Secure' U.S. Election Not Without Problems

    Lucas Ropek, *Government Technology*, 16 Nov 2020
    via ACM TechNews, Wednesday, November 18, 2020

    Although federal officials declared the 2020 presidential election the
    "most secure in American history," there were still technical problems.
    Alleged software glitches caused mistakes in vote tabulation for both
    presidential and local races in certain counties, while some communities
    suffered temporary miscounts due to clerical errors. Threats of foreign
    interference appear to have been countered by greater vigilance and
    stronger cyberdefenses by watchdogs like the Cybersecurity and
    Infrastructure Security Agency, and multi-stakeholder collaboration and
    information sharing. However, disinformation and misinformation have
    continued to fuel polarization of the electorate. Former ACM president
    Barbara Simons urges greater transparency and committed investment in
    auditable machinery as top priorities, along with curtailing the use of
    paperless voting machines.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28148x226823x070792&

    ------------------------------

    Date: Tue, 17 Nov 2020 15:43:35 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Election Security Experts Contradict Trump's Voting Claims
    (Nicole Perlroth)

    Nicole Perlroth, *The New York Times*, 16 Nov 2020
    Election Security Experts Contradict Trump's Voting Claims
    https://www.nytimes.com/2020/11/16/business/election-security-letter-trump.html

    Fifty-nine of the country's top computer scientists and election security
    experts rebuked President Trump's baseless claims of voter fraud and
    hacking on Monday, writing that such assertions are ``unsubstantiated or
    are technically incoherent.''

    The rebuttal, in a letter to be published on various websites, did not
    mention Mr. Trump by name but amounted to another forceful corrective to
    the torrents of disinformation that he has posted on Twitter. ``Anyone
    asserting that a U.S. election was *rigged* is making an extraordinary
    claim, one that must be supported by persuasive and verifiable evidence.''
    In the absence of evidence, they added, it is simply `speculation'. ``To
    our collective knowledge, no credible evidence has been put forth that
    supports a conclusion that the 2020 election outcome in any state has been
    altered through technical compromise,'' they wrote. [...]

    ------------------------------

    Date: Mon, 16 Nov 2020 12:18:26 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Blockchain Voting Risks Undetectable Nation-Scale Failures
    (Stilgherrian)

    Stilgherrian, ZDNet, 16 Nov 2020
    via ACM TechNews, Monday, November 16, 2020

    A study by Massachusetts Institute of Technology (MIT) researchers labeled
    assertions that Internet- and blockchain-based voting would boost election
    security "misleading," adding that they would "greatly increase the risk
    of undetectable, nation-scale election failures." The MIT team analyzed
    previous research on the security risks of online and offline voting
    systems, and found blockchain solutions are vulnerable to scenarios where
    election results might have been erroneously or deliberately changed. The
    MIT researchers proposed five minimal election security mandates: ballot
    secrecy to deter intimidation or vote-buying; software independence to
    verify results with something like a paper trail; voter-verifiable
    ballots, where voters themselves witness that their vote has been
    correctly recorded; contestability, where someone who spots an error can
    persuade others that the error is real; and an auditing process.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28090x22672ex070514&

    ------------------------------

    Date: Tue, 17 Nov 2020 07:22:00 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Did you know that Dominion's voting software "Allows staff to
    adjust tally based on review of scanned ballot images"? (Twitter)

    https://twitter.com/CodeMonkeyZ/status/1328342166007992323
    So there would be a record if anything was changed.

    PGN Response:

    If you believe audit records cannot be hacked, we are still offering the
    Brooklyn Bridge at a huge discount.

    On the other hand, the DREs of a decade ago when we were fighting the lack
    of an audit trail did not even pretend to have a meaningful audit trail.

    ------------------------------


    Date: Fri, 13 Nov 2020 14:39:51 -0800
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: What happens when you test TCL TV's

    [Henry's two contributions to this issue were longer than the rest of
    the issue. I have seriously foreshortened both. If you want the full
    story for the first one, please ask Henry to send it to you. The second
    has a URL for the PGN-ed text. PGN]

    The Chinese have us by their Ten TCL's :-)

    You really have to read this TCL 'Smart' TV vulnerability report all the
    way through; you don't have to be a Linux wizard to start laughing, and it
    gets better and better as you read!

    I don't know which is scarier: the vulnerabilities themselves, or the lack
    of response from TCL together with a sneaky 'silent' update to 'fix' these
    (wink, wink) 'bugs'.

    I knew there was a reason why I never enabled the Internet connection on my
    'smart' TV; I allow HDMI only.

    Previews:

    "Port 22 open and allowing SSH access as root:root out of the box"

    "When in the history of your career... Have you ever needed to serve the
    entire filesystem... over http?"

    TCL me, Elmo!!

    https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/

    Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World's 3rd Largest TV Manufacturer.

    ------------------------------

    Date: Mon, 16 Nov 2020 09:03:04 -0800
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: 'Cheating detection' goes full Orwell during pandemic

    I've heard of the 'school-to-prison pipeline', but I had no idea how short
    this pipeline had become...

    I think they may possibly have misspelled "proctoring" when they referred
    to contacting a back door into your computer. :-)

    Drew Harwell, *The Washington Post*
    Cheating-detection companies made millions during the pandemic. Now
    students are fighting back. [...]

    https://www.msn.com/en-us/news/us/cheating-detection-companies-made-millions-during-the-pandemic-now-students-are-fighting-back/ar-BB1aX8Qa

    ------------------------------

    Date: 13 Nov 2020 20:04:19 -0500
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: How to F Up an Airport, including What It's Like to Stress-Test
    Berlin's Brand New Airport (Goldberg)

    The Radio Spätkauf podcast has a five part series called "How to F*
    Up an Airport" on the bizarre and sad history of the new Berlin airport.

    Many of the failures were due to political interference and a staggering
    level of arrogance and incompetence, but a certain amount is technical, such
    as the fact that physics tells us that if you increase the size of the
    terminal, the ventilation requirements and particularly the emergency smoke
    removal ventilation do not scale linearly. Or that it is not a good idea to
    cram power and signal wires into the same undersized pipe.

    It includes a segment about the dress rehearsal described in the Atlas
    Obscura page. They said it included plenty of very bad coffee.

    https://player.fm/series/how-to-feuk-up-an-airport

    ------------------------------

    Date: Fri, 13 Nov 2020 21:46:10 -0500
    From: Chuck Jackson <clj@jacksons.net>
    Subject: Re: Facial recognition used to identify Lafayette Square
    protester accused of assault (Levine, RISKS-32.37)

    Here's a quote (emphasis added) from *The Washington Post* article on this
    event:

    After the demonstration, Park Police tracked him through Twitter and sent
    the image to the Maryland-National Capital Park Police in Prince George's
    County, which ran it through NCRFRILS, returning Michael Joseph Peterson
    Jr. as a possible match, the court documents state. *Authorities said they
    also found a backpack at the scene of the protests containing Peterson's
    ID.*

    Apparently, he took off leaving his driver's license behind.

    ------------------------------

    Date: Fri, 13 Nov 2020 21:23:14 -0600
    From: Charles Cazabon <charlesc-risks-digest@pyropus.ca>
    Subject: Re: CPU-Heat Sink Thermal Paste Effectiveness (Stein, RISKS-32.37)

    (1) No AMD Ryzen processor from the Ryzen 5, Ryzen 7, or Ryzen 9 families,
    whether from the 1st-gen 1000 series, 2nd-gen 2000-series, 3rd-gen 3000
    series, or the new 5000 series requires liquid cooling. All are perfectly
    capable of working at their full specified speeds with a quality air
    cooler; all but the most recent top-spec versions shipped with such a
    cooler. They can typically be overclocked, and they will overclock better
    with liquid cooling, but it is by no means necessary.

    (2) Pretty much any substance with a significant amount of water in it
    will transfer heat effectively from a CPU to its heatsink (*); CPU cooling
    is simply not a particularly demanding application. The advantages in
    quality heatsink thermal compounds are not in efficacy, but in other areas
    - less "creep" out of the joints, easier application, longer life without
    drying out, etc.

    (*) Dan Rutter of dansdata.com famously did a comparison in 2002 of various
    thermal compounds, from cheap white zinc-based thermal paste to fancy
    silver-loaded silicone formulations, to toothpaste (!) and vegemite (!!).
    http://www.dansdata.com/goop.htm

    ------------------------------

    Date: Mon, 16 Nov 2020 22:32:18 -0700
    From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
    Subject: Re: Whale Sculpture Stops Train From Plunge in the Netherlands
    (RISKS-32.37)

    It was only a fluke that the driver wasn't killed.

    [But "a fluke" is also a fish, which the whale is not. PGN]

    It was just a fluke it landed on a fluke, which is a tail of a whale, and
    nobody was killed, so it's a whale of a tale about "Whale Tails", which is
    named a fluke as well as called a fluke.

    [Also a parasitic worm, and a barb on an anchor, arrow, harpoon, hook,
    etc. Anyone care to take this any further in those directions: limerick
    perhaps?

    See also Whale sculpture catches crashed Dutch metro train:
    https://www.bbc.com/news/world-europe-54780430
    ]

    ------------------------------

    Date: Wed, 18 Nov 2020 13:43:53 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Re: "Did you know that Dominion's voting software "Allows staff to
    adjust tally based on review of scanned ballot images"? (RISKS-32.38)

    So there would be a record if anything was changed.

    If you believe audit records cannot be hacked, we are still offering the
    Brooklyn Bridge at a huge discount.

    On the other hand, the DREs of a decade ago when we were fighting the
    lack of an audit trail did not even pretend to have a meaningful audit trail.

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.38
    ************************
