• Risks Digest 32.40 (1/2)

    From RISKS List Owner@21:1/5 to Ben Kamen on Sat Dec 12 04:03:10 2020
    RISKS-LIST: Risks-Forum Digest Friday 11 December 2020 Volume 32 : Issue 40

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.40>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    GE puts default password in radiology devices, leaving healthcare networks
    exposed (Ars Technica)
    COVID data manager investigated, raided for using publicly available
    password (Ars Technica)
    Having one password makes it easier in Florida (Ars Technica)
    Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices
    (The Hacker News)
Russian SVR intel service hacks FireEye, obtaining "red team" tools (PGN)
Former Israeli space security chief says aliens exist, humanity not ready
(The Jerusalem Post)
    CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy (DNYUZ)
    How to steal photos off someone's iPhone from across the street
    (Naked Security)
    Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new
    report finds (The Washington Post)
    Digital stethoscope uses artificial intelligence for diagnosing lung
    abnormalities (medicalxpress.com)
    Police Drones Starting to Think for Themselves (Cade Metz)
    AI Can Run Your Work Meetings Now (WiReD)
    The coming war on the hidden algorithms that trap people in poverty
(Tech Review)
    HP Ends 'Free Ink for Life' Subscription Plan (Consumer Reports)
    Waymo Terms of Service (waymo.com)
    Amazon Wants to Get Even Closer. Skintight (The New York Times)
Designed A Smartwatch App To Help Stop His Dad's Nightmares (npr.org)
Differential Privacy for Ordinary Security Mavens (Rob Slade)
    Re: Looking for ways to prevent price collusion with AI systems (Wol)
    Re: How 30 Lines of Code Blew Up a 27-Ton Generator (Martin Ward)
    Re: Utah monolith: Internet sleuths got there, but its origins are still a
    mystery (Amos Shapir)
    Re: Is Alexa Becoming Anti-semitic (John Wunderlich)
    Re: Rashida Tlaib takes on stablecoins, not cryptocurrency (John Levine)
    Re: Keyhole wasps may threaten aviation safety (Richard Stein,
    Carlos Vilalpando)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 9 Dec 2020 01:21:54 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: GE puts default password in radiology devices, leaving healthcare
    networks exposed (Ars Technica)

Fixing the critical vulnerability isn't straightforward and comes with its
own risks.

    Dozens of radiology products from GE Healthcare contain a critical vulnerability that threatens the networks of hospitals and other health providers that use the devices, officials from the US government and a
    private security firm said on Tuesday.

    The devices—used for CT scans, MRIs, X-Rays, mammograms,
    ultrasounds, and positron emission tomography—use a default
    password to receive regular maintenance. The passwords are available to
    anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices.
    From there, the attackers can execute malicious code or view or modify
    patient data stored on the device or the hospital or healthcare provider servers.

    Aggravating matters, customers can’t fix the vulnerability
    themselves. Instead, they must request that the GE Healthcare support team change the credentials. Customers who don’t make such a request
    will continue to rely on the default password. Eventually, the device manufacturer will provide patches and additional information.

    https://arstechnica.com/information-technology/2020/12/default-password-in-radiology-devices-leaves-healthcare-networks-open-to-attack/

    ------------------------------

    Date: Thu, 10 Dec 2020 19:28:50 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: COVID data manager investigated, raided for using publicly
    available password (Ars Technica)

    Not only does the whole state share one password, but it's posted publicly.

    Florida police said a raid they conducted Monday <https://arstechnica.com/tech-policy/2020/12/florida-police-raid-home-of-former-state-coronavirus-data-manager/>
    on the Tallahassee home of Rebekah Jones, a data scientist the state fired
    from her job in May, was part of an investigation into an unauthorized
    access of a state emergency-responder system. It turns out, however, that
    not only do all state employees with access to that system share a single username and password, but also those credentials are publicly available on
    the Internet for anyone to read.

    https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/

    ------------------------------

    Date: Wed, 9 Dec 2020 14:35:23 -0500
    From: wb8foz <wb8foz@panix.com>
    Subject: Having one password makes it easier in Florida (Ars Technica)

    So Rebekah Jones was a state data scientist [in] Florida until she got fired from her Dept. of Health job in May for posting COVID stats that made
Governor Ronald DeSantis mad.

She had further upset DeSantis by privately continuing to post COVID stats
for FL.

    She got raided by Florida Dept of Law Enforcement agents a few days ago.
    The basis for the warrant was the allegation she had posted a message to the DOH mailing list.

    Now ARS has reported that not only does the DOH system with the list have
    only one login & password for all 1700 users, but it's also posted on-line.

So besides the question of if she did post that message, one wonders if it
is [il]legal to use a system with published login/PW data?

    <https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/>

    ------------------------------

    Date: Thu, 10 Dec 2020 09:41:03 -1000
    From: geoff goodfellow <geoff@iconia.com>
Subject: Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices
(The Hacker News)

    Cybersecurity researchers disclosed a dozen new flaws in multiple
    widely-used embedded TCP/IP stacks impacting millions of devices ranging
    from networking equipment and medical devices to industrial control systems that could be exploited by an attacker to take control of a vulnerable
    system.

    Collectively called "AMNESIA:33 <https://www.forescout.com/research-labs/amnesia33/>" by Forescout
    researchers, it is a set of 33 vulnerabilities that impact four open-source TCP/IP protocol stacks -- uIP, FNET, picoTCP, and Nut/Net -- that are
    commonly used in Internet-of-Things (IoT) and embedded devices.

As a consequence of improper memory management, successful exploitation
<https://kb.cert.org/vuls/id/815128> of these flaws could cause memory
corruption, allowing attackers to compromise devices, execute malicious
code, perform denial-of-service (DoS) attacks, steal sensitive
information, and even poison DNS cache.

    In the real world, these attacks could play out in various ways: disrupting
    the functioning of a power station to result in a blackout or taking smoke alarm and temperature monitor systems offline by using any of the DoS vulnerabilities.

    The flaws, which will be detailed today at the *Black Hat Europe Security Conference* <https://www.blackhat.com/eu-20/briefings/schedule/index.html#how-embedded-tcpip-stacks-breed-critical-vulnerabilities-21503>,
    were discovered as part of Forescout's Project Memoria initiative to study
    the security of TCP/IP stacks. [...] https://thehackernews.com/2020/12/amnesia33-critical-tcpip-flaws-affect.html

    ------------------------------

    Date: Tue, 8 Dec 2020 16:19:33 -0500
From: Peter G Neumann <neumann@CSL.SRI.COM>
    Subject: Russian SVR intel service hacks FireEye, obtaining "red team" tools
    (Sundry)

https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html
https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html

    ------------------------------

    Date: Mon, 7 Dec 2020 16:10:41 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Former Israeli space security chief says aliens exist, humanity not
    ready (The Jerusalem Post)

    *This "Galactic Federation" has supposedly been in contact with Israel and
    the US for years, but are keeping themselves a secret to prevent hysteria
    until humanity is ready.*

    Has the State of Israel made contact with aliens?

    According to retired Israeli general and current professor Haim Eshed, the answer is yes, but this has been kept a secret because "humanity isn't
    ready."

    Speaking in an interview to *Yediot Aharonot*, Eshed -- who served as the
    head of Israel's space security program for nearly 30 years and is a
    three-time recipient of the Israel Security Award -- explained that Israel
    and the US have both been dealing with aliens for years.

    And this by no means refers to immigrants, with Eshed clarifying the
    existence of a "Galactic Federation."

    The 87-year-old former space security chief gave further descriptions about exactly what sort of agreements have been made between the aliens and the
    US, which ostensibly have been made because they wish to research and understand "the fabric of the universe." This cooperation includes a secret underground base on Mars, where there are American and alien
    representatives. [...] https://www.jpost.com/omg/former-israeli-space-security-chief-says-aliens-exist-humanity-not-ready-651405

    ------------------------------

    Date: Wed, 9 Dec 2020 08:21:26 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy
    (DNYUZ)

    The Trump administration is requiring states to submit personal information
    of people vaccinated against Covid-19 -- including names, birth dates, ethnicities and addresses -- raising alarms among state officials who fear
    that a federal vaccine registry could be misused.

    The Centers for Disease Control and Prevention is instructing states to sign so-called *data use agreements* that commit them for the first time to
    sharing personal information in existing registries with the federal government. Some states, such as New York, are pushing back, either refusing
    to sign or signing while refusing to share the information. <https://www.cdc.gov/vaccines/covid-19/reporting/downloads/vaccine-administration-data-agreement.pdf>

    Gov. Andrew M. Cuomo of New York warned that the collection of personal data could dissuade undocumented people from participating in the vaccination program. He called it ``another example of them trying to extort the State
    of New York to get information that they can use at the Department of
    Homeland Security and ICE that they'll use to deport people.''

    Administration officials say that the information will not be shared with
    other federal agencies and that it is needed for several reasons: to ensure that people who move across state lines receive their follow-up doses; to
    track adverse reactions and address safety issues; and to assess the effectiveness of the vaccine among different demographic groups. [...] https://dnyuz.com/2020/12/08/c-d-c-call-for-data-on-vaccine-recipients-raises-alarm-over-privacy/

    ------------------------------

    Date: Sat, 5 Dec 2020 13:14:36 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: How to steal photos off someone's iPhone from across the street
    (Naked Security)

    For your amusement (?), from someone in our lab.

    Hollywood version:

Imagine that Ethan Hunt (or Ilsa Faust) walked up to chat with you, and the
conversation lasted for several minutes. (To satisfy covid-safety
requirements, all people involved wore a mask in this scene.) He (or she)
thanked you and walked away. You might think that this was your lucky day,
but then you remembered Ian Beer's iOS attack, and you hadn't had time to
patch your iPhone ... needless to say, the secrets stored in your phone were
now in the hands of Hunt (or Faust).

    geek version:

    https://nakedsecurity.sophos.com/2020/12/02/how-to-steal-photos-off-someones-iphone-from-across-the-street/

    if you'd like to challenge yourselves with hardcore details,
    here's Ian Beer's blog post: https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html

    ------------------------------

    Date: Tue, 8 Dec 2020 09:39:38 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Global losses from cybercrime skyrocketed to nearly $1
    trillion in 2020, new report finds (The Washington Post)

    https://www.washingtonpost.com/politics/2020/12/07/cybersecurity-202-global-losses-cybercrime-skyrocketed-nearly-1-trillion-2020/

    "Estimated global losses from cybercrime are projected to hit just under a record $1 trillion for 2020 as the coronavirus pandemic provided new opportunities for hackers to target consumers and businesses.

    "The projection of $945 billion in losses, from a new report out today from
    the Center for Strategic and International Studies and computer security company McAfee, is almost double the monetary loss from cybercrime than the $500 billion in 2018.

    "The report underscores the growing dangers that ransomware attacks by
    foreign criminal enterprises posed to American industries. Lawmakers have
    been deeply concerned about the impact of such attacks, including on the financial and health-care sectors, in the pandemic."

    https://en.wikipedia.org/wiki/World_economy#World_economy_by_country_groups (retrieved on 08DEC2020) estimates annual global economic output @ ~US$
    87.5T. US$ 0.945T/US$ 87T ~= 1.1% of output skimmed via cybertheft of
    various flavors.

    Cyberinsurance premiums will rise. Businesses that cannot afford the expense for insurance and proactive measures to secure their personnel, processes,
    and infrastructure might close or be bought out by competitors.

    "Cybercrime-whackamole-control" is impossible without coordinated
    international and transnational law enforcement agencies. Significant engagement appears missing. Some countries enable and encourage cybertheft/extortion to harass enemies and boost their own economies.

    Risk: Global economic destabilization.

    ------------------------------

    Date: Tue, 8 Dec 2020 18:20:18 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Digital stethoscope uses artificial intelligence for diagnosing
    lung abnormalities (medicalxpress.com)

    https://medicalxpress.com/news/2020-12-digital-stethoscope-artificial-intelligence-lung.html

    "'Because it can take recordings and telemeter them to physicians, clinical support can be provided for hard-to-reach areas or areas requiring increased medical support,' said West.

    "The digital stethoscope also features noise suppression to enhance the auditory signal from the lungs, simplifying the diagnosis process.

    "'The noise suppression is a critical aspect that allows it to be used in
    even challenging clinics, like we see popping up with increased COVID hospitalizations,' West said. 'No training is required. Noise suppression
    runs automatically on the device and provides clear body sounds.

    "'In tests of the device, physicians were found to favor it over 95% of the time compared to traditional techniques. Once the algorithm is further improved, the digital stethoscope can be distributed to the field.'"

    One expects an AI stethoscope to correctly distinguish and discriminate respiratory sounds from lungs afflicted by pneumonia, chronic obstructive pulmonary disorder, silicosis, emphysema, or bronchitis.

    Whatever an AI stethoscope detects and diagnoses requires additional
    clinical assessment to confirm initial diagnosis: blood chemistry, x-ray,
    lung capacity, biopsy, CAT/MRI, etc. Trust but verify.

    Noise suppression mechanisms, if not applied carefully, can erroneously
    modify (damp or amplify) respiratory harmonics which might render an
    inaccurate diagnosis. The AI stethoscope's diagnostic capabilities will
    ideally demonstrate diagnosis based on low false positive/negative outcomes with high-fidelity receiver operating characteristics.

    Risk: Inappropriately indicated treatment protocols based on AI-stethoscope diagnosis.

    ------------------------------

    Date: Mon, 7 Dec 2020 11:56:01 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Police Drones Starting to Think for Themselves (Cade Metz)

    Cade Metz, *The New York Times*, 5 Dec 2020, via ACM TechNews, 7 Dec 2020

    Police agencies in four U.S. cities are participating in the Drone as First Responder program, launching unmanned aerial vehicles in response to
emergency calls. The Chula Vista, CA, police dispatches drones, with a federally certified pilot on the roof of the Police Department to oversee launches and pilot the drones upon their return; a special drone from
    Silicon Valley's Skydio avoids obstacles on its own and can follow a
    particular person or vehicle. The latest drone technology would allow police
    to operate autonomous drones relatively inexpensively, although civil
    liberties proponents are concerned. Greater police use of drones could eliminate any expectation of privacy outside the home, as the drones collect and store more video footage. The American Civil Liberties Union's Jay
    Stanley said, "It could allow law enforcement to enforce any area of the law against anyone they want." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28602x226c2ax068361&

    ------------------------------

    Date: Mon, 7 Dec 2020 18:01:08 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: AI Can Run Your Work Meetings Now (WiReD)

    [Of special interest to organization secretaries! ;-)]

    A new wave of startups is trying to optimize meetings, from automated scheduling tools to facial recognition that measures who's paying attention.

    Headroom aims to tackle the social distance of virtual meetings in a few
    ways. First, it uses computer vision to translate approving gestures into digital icons, amplifying each thumbs up or head nod with little emojis that the speaker can see. Those emojis also get added to the official transcript, which is automatically generated by software to spare someone the task of taking notes. Green and Rabinovich say this type of monitoring is made clear
    to all participants at the start of every meeting, and teams can opt out of features if they choose.

More uniquely, Headroom's software uses emotion recognition to take the temperature of the room periodically, and to gauge how much attention participants are paying to whoever is speaking. Those metrics are displayed
    in a window on-screen, designed mostly to give the speaker real-time
    feedback that can sometimes disappear in the virtual context. ``If five minutes ago everyone was super into what I'm saying and now they're not,
    maybe I should think about shutting up,'' says Green.

    https://www.wired.com/story/ai-can-run-work-meetings-now-headroom-clockwise/

    For those of us who hate being on camera, I hope the software enjoys looking
    at my profile picture.

    More seriously, there's not a word about how this AI has been trained.
    What could go wrong?

    ------------------------------

    Date: Tue, 8 Dec 2020 20:25:32 -0700
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: The coming war on the hidden algorithms that trap people in poverty
    (Tech Review)

    A growing group of lawyers are uncovering, navigating, and fighting the automated systems that deny the poor housing, jobs, and basic services.

    https://www.technologyreview.com/2020/12/04/1013068/algorithms-create-a-poverty-trap-lawyers-fight-back/

    ------------------------------

    Date: Thu, 10 Dec 2020 20:31:20 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: HP Ends 'Free Ink for Life' Subscription Plan (Consumer Reports)

    Rescinding the lifetime deal is already sparking criticism from Instant
    Ink subscribers

``HP regularly reviews pricing and makes adjustments based on a variety of factors. Our updated Instant Ink subscription pricing plans include ending
    the free printing plan option while allowing for more roll-over flexibility, options, and benefits.''

    https://www.consumerreports.org/printers/hp-ends-free-ink-for-life/

    Just like limiting unlimited bandwidth, terminating free-for-life.

    ------------------------------

    Date: Mon, 7 Dec 2020 12:00:03 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Waymo Terms of Service (waymo.com)

    https://waymo.com/terms/ retrieved on 07DEC2020 (Pearl Harbor Day!)

    NOTE: Capitalized words used selectively for emphasis.

    "9. Indemnification

    "To the fullest extent permitted by applicable law, YOU will INDEMNIFY,
    DEFEND, and HOLD HARMLESS Waymo and its affiliates, and each of their respective officers, directors, agents, partners and employees (individually and collectively, the 'Waymo Parties') FROM AND AGAINST ANY loss, liability, claim, demand, damages, expenses or costs ('Claims') arising out of or
    related to (a) your ACCESS to or USE of our Services; (b) your User Content
    or Feedback; (c) your violation of these Terms; (d) your violation, misappropriation or infringement of any rights of another (including intellectual property rights or privacy rights); and (e) your conduct in connection with our Services. You agree to promptly notify Waymo Parties of
    any third-party Claims, cooperate with Waymo Parties in defending such
    Claims and pay all fees, costs and expenses associated with defending such Claims (including, but not limited to, attorneys' fees). You also agree
    that the Waymo Parties will have control of the defense or settlement, at Waymo's sole option, of any third-party Claims. This indemnity is in
    addition to, and not in lieu of, any other indemnities set forth in a
    written agreement between you and Waymo or the other Waymo Parties."

    Ironclad indemnification protects Waymo Parties arising from Service
    incidents, mishaps, or injuries.

    "11. Limitation of Liability

    "To the fullest extent permitted by applicable law, Waymo and the other
    Waymo Parties will not be liable to you under any theory of liability -- whether based in contract, tort, negligence, strict liability, warranty, or otherwise -- for any indirect, consequential, exemplary, incidental,
    punitive or special damages or lost profits, even if Waymo or the other
    Waymo Parties have been advised of the possibility of such damages.

    "The total liability of Waymo and the other Waymo Parties, for any claim arising out of or relating to these Terms or our Services, regardless of the form of the action, is limited to the amount paid, if any, by you to use our Services."

    If Waymo's liability is miraculously established, the cost of the Service
    will be reimbursed.

    Given these service terms, is it any wonder why the DV industry is poised
    for "blastoff"?

    The National Safety Council publishes https://injuryfacts.nsc.org/all-injuries/preventable-death-overview/odds-of-dying/
    (retrieved on 07DEC2020).

    The odds of dying in a motor vehicle accident are 1 in 106. The DV industry
    is betting that their services can beat these odds. Is their bet a
    beneficial "risk shift" (public risk for private profit) or will it become
    yet another example of "Profit Without Honor" (https://www.amazon.com/Profit-Without-Honor-Looting-Criminal/dp/0134871421)?

    ------------------------------

    Date: Mon, 7 Dec 2020 00:06:38 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Amazon Wants to Get Even Closer. Skintight (The New York Times)

    In the pursuit of surveillance as a service, Jeff Bezos is intent on
    recording even our moods. How much personal data is too much to give to
    Amazon?

    https://www.nytimes.com/2020/11/27/opinion/amazon-halo-surveillance.html

    ------------------------------

    Date: Mon, 7 Dec 2020 14:12:08 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Designed A Smartwatch App To Help Stop His Dad's Nightmares
    (npr.org)

    https://www.npr.org/2020/12/06/943647610/he-designed-a-smartwatch-app-to-help-stop-his-dads-nightmares
    retrieved on 07DEC2020.

    There is an urgent public health need to treat post traumatic stress
    disorder (PTSD) in military service veterans, especially those exposed to combat conditions. I do hope this app is effective.

    Consulting the QuickSearch option of FDA's Product Classification
    Database @ https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/pcdsimplesearch.cfm (type in "PTSD") yields:

    https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/classification.cfm?IDMZ.

    To learn a bit more, access https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=3909.

    The FDA's Total Product Lifecycle (TPLC) linkage on Product Code QMZ reveals
    no published MAUDE medical device report (MDR) submissions to date for
    injury, malfunction, death or other event types. The TPLC platform
    aggregates device problems and patient problem categories. Patient problems are traced to injury, malfunction, death or other MDR event labels. Revisit TPLC Product Code QMZ in a year or so to observe the net public health
    benefit or deployment effectiveness of the app.

    Attempting to determine benefit or harm from historical medical device use
    can be challenging. There appears to be no federal regulation requiring the device manufacturer or supplier to periodically disclose use volumes.

    Device manufacturer financial reports document revenue and percentage change
    in revenue; no tables disclose product inventory counts sold or returned for inspection/failure analysis. See "Medtronic FY20 Irish Financial Report" @ https://investorrelations.medtronic.com/static-files/5b588fc9-9447-427d-9d51-6ff7b73370aa
    table on pg. 4/pdf pg. 6, retrieved on 07DEC2020.

    The FDA's systems do not publish totalized counts of device
    implants/explants or use/disuse. MDR narratives must be searched to discover language stating 'device was returned for analysis', 'implanted',
    'explanted', 'removed', or 'replaced'.

    Further, every patient is different (pre-existing morbidities, genetics, gender, age, etc.) As a result, it is sometimes challenging to conclude if
    the device initiated the MDR event, or if the patient's underlying
    condition(s) contributed/caused the event. For this reason, focusing exclusively on MDR death events can be misleading as a predictive indicator
    of future therapeutic prescription outcome. Device malfunctions and injuries arising from their use are more tightly correlated.

    The FDA's disclaimer is VERY CLEAR about attempting to project outcomes
    based solely on the TPLC and MAUDE historical device/patient problem
    counts. See https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/TextSearch.cfm#disclaimer
    retrieved on 07DEC2020.

    The rate of device use by healthcare professionals/systems (hospitals) can
    be determined from historical procedure billing found in the United States Center for Medicare and Medicaid Services (CMS.gov). With that information,
    one can estimate probabilities for future patient or device problems based
    on historical procedure billing counts and population statistics. --

    ------------------------------

    Date: Wed, 9 Dec 2020 10:09:03 -0800
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Differential Privacy for Ordinary Security Mavens

    A friend, and NYIT, have asked me to do a CISSP review seminar. Since I've taught the seminars for two decades, first for ISC2 and then for various
    other commercial training companies, this is not hard. I'm about 70%
through my first draft. At the same time, I'm going to be giving the
differential privacy presentation on Friday.
https://infosecbc.org/2020/11/27/december-11th-2020-meeting/
https://community.isc2.org/t5/P/D/m-p/41128
So Gloria asked me if I was
    going to be putting any differential privacy content into the review
    seminar.

    I had to think about that. For one thing, knowing what I know about the
    CISSP exam question process, I very much doubt that anyone (other than
    myself) has yet created any questions about differential privacy in the
    CISSP exam question style. (There is *plenty* of trivia in regard to differential privacy that can be used to make up questions to prove how
    smart *you* are in comparison to the other guy, but that isn't the CISSP question style.)
    https://community.isc2.org/t5/Exams/CISSP-questions/m-p/18626

    But the next problem is, where would I put it within the domains? Would it
    go in Law, Investigation, and Ethics, which is where we usually talk about privacy? But differential privacy isn't really about privacy. At least not *your* privacy. It's not something you can do, but something that
    enterprises, developers, and whole infrastructures of the IT universe have
    to put in place in order to protect privacy on a much larger scale. Do I
    put it in crypto? There's lots of math involved, some of it similar to a
    lot of work in various corners of crypto (although not exactly the same).
    Or should it go into Applications Security, since most of it primarily
    applies to databases and queries and it has to be baked in to database
    design at a pretty structural level in order to actually work.

    Part of the problem is that differential privacy isn't actually a single "thing." It's an amalgam of a number of ideas and technologies, none of
    them actually new, trying to address some interesting, and long-term,
    problems of privacy and disclosure. Trying to see whether these approaches actually work has raised some new issues and concepts, and differential
    privacy probably will provide some important and interesting approaches to
    some aspects of privacy and database design in the years to come. But it's kind of like Public Key Infrastructure (PKI) in crypto: you've got a lot of moving parts, and you have to make sure they are all properly in place in
    order to have the system work properly and not be in danger of some kind of attack on your implementation. It's also kind of the quantitative risk analysis of privacy and database design: there are a lot of details, and
    it's a lot of work, and most people are going to be too lazy to try to make
    it work properly.
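As an added illustration, not part of Rob Slade's post or of the RISKS digest, here is the core mechanism his post alludes to: a differentially private count query over a database table, done in Python. It shows the Laplace mechanism with noise scaled to the query's sensitivity, a privacy budget that enforces sequential composition (the "baked into the database design" part), and, for contrast, why exact answers to two nearly identical queries are a problem. The records, epsilon values and all function and class names are constructed for this example and are not from any real registry or library.

```python
import math
import random

# Constructed sample table for this example (not data from any real
# registry): one row per person, with one sensitive attribute.
RECORDS = [
    {"id": 1, "age": 34, "has_condition": True},
    {"id": 2, "age": 51, "has_condition": False},
    {"id": 3, "age": 29, "has_condition": True},
    {"id": 4, "age": 63, "has_condition": False},
    {"id": 5, "age": 45, "has_condition": False},
    {"id": 6, "age": 38, "has_condition": True},
    {"id": 7, "age": 57, "has_condition": False},
    {"id": 8, "age": 41, "has_condition": True},
    {"id": 9, "age": 72, "has_condition": False},
    {"id": 10, "age": 26, "has_condition": False},
]


def exact_count(records, predicate):
    """Plain, non-private counting query."""
    return sum(1 for r in records if predicate(r))


def laplace_sample(scale, rng):
    """One draw from Laplace(0, scale) by inverse-CDF sampling."""
    while True:
        u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:                # avoid log(0) at the boundary
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate, epsilon, rng=None):
    """Epsilon-DP count via the Laplace mechanism.

    A counting query has L1 sensitivity 1: adding or removing one person's
    row changes the answer by at most 1. Laplace noise of scale 1/epsilon
    then bounds the change in the output distribution between neighbouring
    databases by a factor of e^epsilon, which is the DP guarantee."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = rng or random.Random()
    sensitivity = 1.0
    return exact_count(records, predicate) + laplace_sample(sensitivity / epsilon, rng)


class PrivacyBudget:
    """Sequential composition: the epsilons of all answered queries add up,
    and nothing is answered once the total is spent. The budget belongs to
    the dataset, not to any single query, so it must live in the data layer."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def count(self, records, predicate, epsilon, rng=None):
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon
        return dp_count(records, predicate, epsilon, rng)


def exact_differencing_gap(records, target_id, predicate):
    """Why exact answers are not enough: the difference between 'everyone'
    and 'everyone except one person' is exactly that person's attribute.
    With dp_count the two answers are independently noised, so the gap
    no longer identifies the individual."""
    everyone = exact_count(records, predicate)
    without = exact_count([r for r in records if r["id"] != target_id], predicate)
    return everyone - without


if __name__ == "__main__":
    rng = random.Random(2020)
    has_cond = lambda r: r["has_condition"]
    print("exact:", exact_count(RECORDS, has_cond))
    print("dp (eps=0.5):", round(dp_count(RECORDS, has_cond, 0.5, rng), 2))
    print("gap for id 1 with exact answers:", exact_differencing_gap(RECORDS, 1, has_cond))
    budget = PrivacyBudget(1.0)
    budget.count(RECORDS, has_cond, 0.6, rng)
    try:
        budget.count(RECORDS, has_cond, 0.6, rng)
    except RuntimeError as e:
        print("second query refused:", e)
```

The design point is the one the post makes about moving parts: the noise scale is only correct if the stated sensitivity is correct for the query, and the guarantee only holds if every answer is charged against one shared budget. Answering the same count twice, or answering it once without noise, quietly voids the whole thing.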

    ------------------------------

    Date: Sat, 5 Dec 2020 09:01:31 +0000
    From: Wols Lists <antlists@youngman.org.uk>
    Subject: Re: Looking for ways to prevent price collusion with AI systems
    (RISKS-32.39)

    And how is this different from what already happens today?

    It is now recognised that certain market dynamics (mainly customer inertia
    in switching suppliers) ALREADY gives rise to the appearance of collusion
    when there is none.

    This is why utility prices rise quickly when raw costs go up, but fall
    slowly when they go down.

    This is why brands invest heavily in brand loyalty.

    And the fix needs to be the same -- keep humans in the loop, looking for the opportunity to steal a march on their opponents by intervening and cutting prices to steal customers.

    ------------------------------

    Date: Sat, 5 Dec 2020 10:23:04 +0000
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: How 30 Lines of Code Blew Up a 27-Ton Generator
    (Goldberg, RISKS-32.39)

    30 lines of code = 140KB?

    On my machine a two-line "Hello world" compiles to 20kB. So with static linking of more libraries, 30 lines could easily compile to 140kB.

    But it might also mean 30 lines of code were changed in a larger file.

    ------------------------------

    Date: Sat, 5 Dec 2020 14:12:19 +0200
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Utah monolith: Internet sleuths got there, but its
    origins are still a mystery (RISKS-32.39)

    Actually, the Mystery of the Monolith had been solved.

The article "The Mystery Of The Utah Monolith May Have Been Solved By
Internet Sleuths" details how the monolith was found; the last paragraph
also details who had created it.
<https://www.iflscience.com/editors-blog/the-mystery-of-the-utah-monolith-may-have-been-solved-by-internet-sleuths/>

    ------------------------------

    Date: Sun, 6 Dec 2020 08:45:16 -0500
    From: John Wunderlich <john@wunderlich.ca>

    [continued in next message]
