• Risks Digest 31.31 (1/2)

    From RISKS List Owner@21:1/5 to All on Fri Jun 28 14:26:06 2019
    RISKS-LIST: Risks-Forum Digest Friday 28 June 2019 Volume 31 : Issue 31

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.31>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Slugfest (BBC)
    Inside the West's failed fight against China's Cloud Hopper hackers
    (Reuters)
    Iranian hackers step up cyber-efforts, impersonate email from president's
    office (The Times of Israel)
    US-Israeli cyber firm uncovers huge global telecom hack, apparently by China
    (The Times of Israel)
    China's big brother casinos can spot who's most likely to lose big
    (Bloomberg)
    Large scale government IT efforts do not have great track records (Reuters)
    AI rejects scientific article, flagging literature citations as plagiarism
    (J.F.Bonnefon)
    Cybercriminals Targeting Americans Planning Summer Vacations (McAfee)
    Riviera Beach $600k data ransom (Tony Doris)
    Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers (The Onion)
    Facebook Libra: Three things we don't know about the digital currency
    (TechReview)
    Man's $1M Life Savings Stolen as Cell Number Is Hijacked (NBC Bay Area)
    Flaws in self-encrypting SSDs let attackers bypass disk encryption
    (Gabe Goldberg)
    Here's how I survived a SIM swap attack after T-Mobile failed me -- twice
    (Matthew Miller)
    Your iPhone is not secure: Cellebrite UFED Premium is here (TechBeacon)
    New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems
    (Ars Technica)
    Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly
    grows (Ars Technica)
    Oracle issues emergency update to patch actively exploited WebLogic flaw
    (Ars Technica)
    Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks
    (Ars Technica)
    Jibo (The Verge)
    Computer problems may have led to miscarriages of justice in Denmark
    (Zap Katakonk)
    C, Fortran, and single-character strings (Thomas Koenig)
    How to: Reset C by GE Light Bulbs (YouTu)
    Too many name collisions (Jeremy Epstein)
    Re: Ross Anderson's non-visa (John Levine)
    Oh, darn, maybe cell phones don't really make you grow horns (John Levine)
    Re: Info stealing Android apps can grab one time passwords to evade 2FA
    protections (Amos Shapir)
    Re: Auto-renting bugs (Martin Ward)
    Re: In Stores, Secret Surveillance Tracks Your Every Move (Toebs Douglass)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 22 Jun 2019 16:11:53 -0700
    From: Steve Lamont <spl@tirebiter.org>
    Subject: Slugfest (BBC)

    https://www.bbc.com/news/world-asia-48729110

    Rogue slug blamed for Japanese railway chaos, BBC News, 22 June 2019

    A power cut that disrupted rail traffic on a Japanese island last month was caused by a slug, officials say. More than 12,000 people's journeys were affected when nearly 30 trains on Kyushu shuddered to a halt because of the slimy intruder's actions. Its electrocuted remains were found lodged inside equipment next to the tracks, Japan Railways says.

    The incident in Japan has echoes of a shutdown caused by a weasel at
    Europe's Large Hadron Collider in 2016. When the weasel took a fatal chew
    on wiring inside a high-voltage transformer, it caused a short circuit which temporarily stopped the work of the particle accelerator.

    In Japan, local media on the trail of the slug report that it managed to squeeze through a tiny gap to get into a load disconnector.

    A British cousin of the ill-fated mollusc achieved notoriety in 2011, *The Guardian* reports, when it crawled inside a traffic light control box in the northern town of Darlington and caused a short circuit, resulting in
    `traffic chaos'.

    ------------------------------

    Date: Wed, 26 Jun 2019 09:49:25 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Inside the West's failed fight against China's Cloud Hopper hackers
    (Reuters)

    *Eight of the world's biggest technology service providers were hacked by Chinese cyber spies in an elaborate and years-long invasion, Reuters found.
    The invasion exploited weaknesses in those companies, their customers, and
    the Western system of technological defense.*

    EXCERPT:

    Hacked by suspected Chinese cyber spies five times from 2014 to 2017,
    security staff at Swedish telecoms equipment giant Ericsson had taken to
    naming their response efforts after different types of wine.

    Pinot Noir began in September 2016. After successfully repelling a wave of earlier, Ericsson discovered the intruders were back. And
    this time, the company's cybersecurity team could see exactly how they got
    in: through a connection to information-technology services supplier
    Hewlett Packard Enterprise.

    Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE's cloud computing service and used it as a launchpad to
    attack customers, plundering reams of corporate and government secrets for years in what U.S. prosecutors say was an effort to boost Chinese economic interests.

    The hacking campaign, known as Cloud Hopper, was the subject of a U.S. indictment in December that accused two Chinese nationals of identity
    theft and fraud. Prosecutors described an elaborate operation that
    victimized multiple Western companies but stopped short of naming
    them. A Reuters report at the time identified two: Hewlett Packard
    Enterprise and IBM.

    Yet the campaign ensnared at least six more major technology firms,
    touching five of the world's 10 biggest tech service providers...

    https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/

    ------------------------------

    Date: Sat, 22 Jun 2019 22:48:03 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Iranian hackers step up cyber-efforts, impersonate email from
    president's office (The Times of Israel)

    WASHINGTON (AP) Iran has increased its offensive cyberattacks against the US government and critical infrastructure as tensions have grown between the
    two nations, cybersecurity firms say.

    In recent weeks, hackers believed to be working for the Iranian government
    have targeted US government agencies, as well as sectors of the economy, including oil and gas, sending waves of spear-phishing emails, according to representatives of cybersecurity companies CrowdStrike and FireEye, which regularly track such activity.

    It was not known if any of the hackers managed to gain access to the
    targeted networks with the emails, which typically mimic legitimate emails
    but contain malicious software.

    https://www.timesofisrael.com/iranian-hackers-step-up-cyber-campaign-amid-tensions-with-us/

    ------------------------------

    Date: Wed, 26 Jun 2019 01:02:43 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: US-Israeli cyber firm uncovers huge global telecom hack, apparently
    by China (The Times of Israel)

    A US-Israeli cybersecurity firm said Tuesday it had uncovered a massive hack
    of several global telecommunications companies involving the theft of vast amounts of personal data that was apparently carried out by state-backed
    actors in China.

    Cybereason, which is based in Boston and has offices in Tel Aviv, London,
    and Tokyo, said the hacking included the specific targeting of people
    working in government, law enforcement and politics.

    The company said in a statement it had found a “nation state-backed
    operation against multiple cellular providers that has been underway for years.”

    https://www.timesofisrael.com/us-israeli-cyber-firm-uncovers-massive-telecom-company-hack-apparently-by-china/

    ...interesting, not much reported elsewhere.

    ------------------------------

    Date: Wed, 26 Jun 2019 09:50:44 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: China's big brother casinos can spot who's most likely to
    lose big (Bloomberg)

    Some of the world's biggest casino operators in Macau, the Chinese
    territory that's the epicenter of global gaming, are starting to deploy
    hidden cameras, facial recognition technology, digitally-enabled poker
    chips and baccarat tables to track which of their millions of customers are likely to lose the most money.

    The new technology uses algorithms that process the way customers behave at
    the betting table to determine their appetite for risk. In general, the
    higher the risk appetite, the more a gambler stands to lose and the more
    profit a casino tends to make, sometimes up to 10 times more.

    This embrace of high-tech surveillance comes as casino operators
    jostle for growth in a slowing industry that's under pressure
    globally from economic headwinds and regulatory scrutiny. In the
    world's biggest gaming hub, where expansion is reaching its
    limits, two casino operators -- the Macau units of Las Vegas Sands
    Corp. and MGM Resorts International -- have already started to deploy
    some of these technologies on hundreds of their tables, according to
    people familiar with the matter. Sands plans to extend them to an
    additional more-than 1,000 tables, said the people.

    Three others, Wynn Macau Ltd., Galaxy Entertainment Group Ltd. and
    Melco Resorts & Entertainment Ltd., are in discussions with suppliers
    about also deploying the technology, according to the people, who
    asked not to be identified because they're not authorized to
    speak publicly about the plans...

    https://www.bnnbloomberg.ca/china-s-big-brother-casinos-can-spot-who-s-most-likely-to-lose-big-1.1278496

    ------------------------------

    Date: Thu, 20 Jun 2019 04:07:17 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Large scale government IT efforts do not have great track records
    (Reuters)

    Defense Department officials worry an AI-based system cannot work as well as in-person investigations, said one source involved in the transition.

    https://www.reuters.com/article/us-usa-security-clearances/top-secret-trumps-revamp-of-u-s-security-clearances-stumbling-officials-report-idUSKCN1TK127

    ------------------------------

    Date: Sun, 23 Jun 2019 09:40:53 +0200
    From: Thomas Koenig <tkoenig@netcologne.de>
    Subject: AI rejects scientific article, flagging literature citations as
    plagiarism (J.F.Bonnefon)

    An automated system apparently rejected a scientific article as plagiarized.
    It also returned a copy of the paper to the authors, flagging the
    plagiarized parts. This is where it gets hilarious.

    What was flagged were things like author's affiliation (well, obviously
    copied from earlier papers), standardized methods of describing experiments, and citations. Obviously, other authors had cited the same papers before,
    so this must be a clear case of plagiarism.

    Also interesting is that Wiley, a well-known scientific publishing house, wanted to get the name of the author. Apparently, they automatically assumed that this was one of theirs, and wanted to save some cost going through the debug logs.

    Maybe `Artificial Intelligence' is the wrong term in this context,
    `Artificial Incompetence', maybe?

    https://twitter.com/jfbonnefon/status/1140946785474633729

    ------------------------------

    From: Gabe Goldberg <gabe@gabegold.com>
    Date: Sat, 22 Jun 2019 22:32:58 -0400
    Subject: Cybercriminals Targeting Americans Planning Summer Vacations
    (McAfee)

    Santa Clara, Calif. Cybercriminals are targeting Americans planning summer vacations to places like Mexico and Europe through online booking scams, according to a new report by cybersecurity firm *McAfee*. The company said
    that cybercriminals are taking advantage of high search volumes for accommodation and deals to drive unsuspecting users to potentially malicious websites that can be used to install malware and steal personal information
    or passwords. Top destinations being targeted include Cabo San Lucas,
    Mexico; Puerto Vallarta, Mexico; Amsterdam, Netherlands; Venice, Italy; and Canmore, Canada. McAfee's survey of 1,000 Americans planning vacations found that nearly one in five either have been scammed or have come very close to being scammed. Bargain-hunters are most at risk, with nearly a third of victims being defrauded after spotting a deal that was too good to be
    true. A smaller group of victims (13%) said their identity was stolen after sharing their passport details with cybercriminals during the booking
    process. The company suggests only booking through verified websites, using trusted platforms and verified payment methods and, if conducting
    transactions on a public Wi-Fi connection, utilizing a virtual private
    network (VPN).

    https://www.mcafee.com/enterprise/en-us/about/newsroom/press-releases/press-release.html?news_id=20190612005079
    http://trk.cp20.com/click/e06u-150ky9-jykhyh-7fgw0x83/

    One in five seems high. Why would McAfee exaggerate risks? Oh, wait...

    ------------------------------

    Date: Wed, 19 Jun 2019 16:03:07 -0700
    From: Paul Saffo <paul@saffo.com>
    Subject: Riviera Beach $600k data ransom (Tony Doris)

    Riviera Beach agrees to $600,000 ransom payment to regain data access
    Tony Doris, Palm Beach Post, 19 Jun 2019

    Riviera Beach -- The Riviera Beach City Council has authorized the city's insurer to pay nearly $600,000 worth of ransom to regain access to data
    walled off through an attack on the city's computer systems.

    In a meeting Monday night announced only days before, the board voted 5-0 to authorize the city insurer to pay 65 bitcoins, a hard-to-track
    cryptocurrency valued at approximately $592,000. An additional $25,000 would come out of the city budget, to cover its policy deductible. Without
    discussion on the merits, the board tackled the agenda item in two minutes, voted and moved on.

    The dollar amount was not mentioned before or after the vote, only that the insurer would pay through bitcoins, ``whose value changes daily.''

    The city's email and computer systems, including those that control city finances and water utility pump stations and testing systems, are still only partially back online, two weeks after the ransomware attack was disclosed.
    But crucial data encrypted by the attackers remains beyond reach and there
    was no explanation of whether the city has any guarantee that the ransomers will release it if paid.

    The FBI, Secret Service and Department of Homeland Security are
    investigating the attack, which officials said began after someone in the police department opened an infected email May 29.

    More than 50 cities across the United States, large and small, have been hit
    by ransomware attacks over the past two years. Among them: Atlanta;
    Baltimore; Albany, N.Y.; Greenville, N.C.; Imperial County, Cal.; Cleveland, Ohio; Augusta, Maine; Lynn, Mass.; Cartersville, Ga.; and in April, nearby Stuart, Fla.

    The Atlanta attack alone cost that city an estimated $17 million, Vice
    News reported.

    The Palm Beach County village of Palm Springs was hit in 2018, paid an undisclosed amount to ransom but nonetheless lost two years of data,
    according to one source who asked not to be identified.

    ``This whole thing is so new to me and so foreign and it's almost where I
    can't even believe that this happens but I'm learning that it's not as
    uncommon as we would think it is,'' Riviera Beach Council Chairwoman
    KaShamba Miller-Anderson said Wednesday. ``Every day I'm learning how this
    even operates, because it just sounds so far fetched to me.''

    The ransomware attack paralyzed the computer system, sending all operations offline. Everyone from the city council on down has been left without email
    and phone service. Paychecks that were supposed to be direct-deposited to employee bank accounts instead had to be hand-printed by Finance Department staffers working overtime. Police searched their closets to find paper
    tickets for issuing traffic citations.

    Interim Information Technology Manager Justin Williams told the council
    Monday that the city website and email is back up, as are Finance Department and water utility pump stations.

    Miller-Anderson said city officials have been briefed by investigating
    agencies and asked not to discuss details. The agencies advised the city but
    it was up to the council to decide whether the information lost was so
    valuable that the city should comply with the ransom demand and hope the ransomers provide a decryption key, she said. ``It's a risk. Those were
    the two options: Either do it or don't.'' The insurance company negotiated
    on the city's behalf, she said.

    She said she did not know if police department records were compromised.
    Water quality never was in jeopardy but water quality sampling had to be
    done manually, she said.

    The attack has prompted the city to replace much of its computer system
    sooner than expected.

    The council on June 4 authorized $941,000 for 310 new desktop and 90 laptop computers and other hardware. Insurance will cover more than $300,000 of
    that total.

    The city already planned to spend $300,000 for equipment replacements in the next budget and will accelerate that expense, Councilwoman Julie Botel
    said. Much of the existing hardware was a half-dozen years old and
    vulnerable to another malware attack, so it was time to replace it anyway,
    she said.

    ------------------------------

    Date: Wed, 26 Jun 2019 01:19:07 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers
    (The Onion)

    At press time, investors in RoloBucks had already lost over $7.8 billion in
    the Rolo market.

    https://www.theonion.com/rolos-unveils-new-cryptocurrency-exclusively-for-rolos-1835695340

    ------------------------------

    Date: June 20, 2019 at 8:08:49 PM GMT+9
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Facebook Libra: Three things we don't know about the digital currency
    (TechReview)

    The launch of Facebook's new coin is certainly a big event, but so much
    about it remains unsettled.

    If it's not the most high-profile cryptocurrency-related event ever,
    Facebook's launch of a test network for its new digital currency, called
    Libra coin, has been the most hyped. It is also polarizing among
    cryptocurrency enthusiasts. Some think it's good for the crypto industry; others dislike the fact that a big tech company appears to be co-opting a technology that was supposed to help people avoid big tech companies. Still others say it's not even a real cryptocurrency.

    Peel away the hype and controversy, though, and there are at least three important questions worth asking at this point.

    Is Libra really a cryptocurrency?

    Well, that depends on how you define cryptocurrency. The Libra coin will run
    on a blockchain, but it will be a far cry from Bitcoin.

    To begin with, it will not be a purely digital asset with fluctuating value; rather, it will be designed to maintain a stable value. Taking cues from
    other so-called stablecoins, it will be ``fully backed with a basket of bank deposits and treasuries from high-quality central banks,'' according to a
    new paper (PDF) describing the project.

    Besides that, Bitcoin's network is permissionless, or public, meaning that anyone with an internet connection and the right kind of computer can run
    the network's software, help validate new transactions, and mine new coins
    by adding new transactions to the chain. Together these computers keep the network's data secure from manipulation. Libra's network won't work that
    way. Instead, running a validator node requires permission. To begin with, Facebook has signed up dozens of firms -- including Mastercard, Visa,
    PayPal, Uber, Lyft, Vodafone, Spotify, eBay, and popular Argentine
    e-commerce company MercadoLibre -- to participate in the network that will validate transactions. Each of these founding members has invested around
    $10 million in the project.

    That obviously runs counter to the pro-decentralization ideology popular
    among cryptocurrency enthusiasts. The distributed power structure of public networks like Bitcoin and Ethereum gives them a quality that many purists
    see as essential to any cryptocurrency: censorship resistance. It's
    extremely difficult and expensive to manipulate the transaction records of popular permissionless networks. Networks like the one Facebook has
    described for Libra are more vulnerable to censorship and centralization of power, since they have a relatively small, limited number of stakeholders
    that could be compromised or pool together to attack the network...

    https://www.technologyreview.com/s/613801/facebooks-libra-three-things-we-dont-know-about-the-digital-currency/

    ------------------------------

    Date: Wed, 26 Jun 2019 15:32:38 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Man's $1M Life Savings Stolen as Cell Number Is Hijacked
    (NBC Bay Area)

    Carrier workers bribed or tricked into helping hackers

    https://www.nbcbayarea.com/news/local/Mans-1M-Life-Savings-Stolen-In-Cell-Phone-Scam-509097961.html

    ------------------------------

    Date: Sat, 22 Jun 2019 22:35:12 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

    --- -- --- Forwarded Message from a friend --- -- ---

    Date: Sat, 22 Jun 2019 17:27:43 -0700
    Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

    I was wondering if hw-encrypted external SSDs were worth looking into and
    found this:

    https://www.zdnet.com/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/

    ``the SEDs they've analyzed, allowed users to set a password that
    decrypted their data, but also came with support for a so-called 'master
    password' that was set by the SED vendor. Any attacker who read an SED's
    manual can use this master password to gain access to the user's encrypted
    password, effectively bypassing the user's custom password.''

    `Flaw' seems like an understatement.

    ------------------------------

    Date: Wed, 26 Jun 2019 10:01:33 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: Here's how I survived a SIM swap attack after T-Mobile failed me --
    twice (Matthew Miller)

    1. Matthew Miller for Smartphones and Cell Phones, 17 Jun 2019

    SIM swap horror story: I've lost decades of data and Google won't lift a
    finger

    First they hijacked my T-Mobile service, then they stole my Google
    and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase.
    I'm stuck in my own personal Black Mirror episode. Why will no one help me?

    https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

    After a crazy week where T-Mobile handed over my phone number to a hacker twice, I now have my T-Mobile, Google, and Twitter accounts back under my control. However, the weak link in this situation remains and I'm wary of
    what could happen in the future.

    2. Matthew Miller for Smartphones and Cell Phones, 26 Jun 2019

    Last week, I shared a horror story: My SIM was swapped. My Google and
    Twitter accounts were also stolen, and $25,000 was withdrawn from my bank account for a Bitcoin purchase. I thought I was targeted for my online presence. Turns out, the attack was likely driven by a Coinbase account I experimented with in early 2018 that was never closed.

    While I already provided many details about my experience, I wanted to
    update you on the progress made to date -- while also offering some advice. Readers offered me fantastic advice in the comments to last week's article,
    and I sincerely appreciate all the helpful feedback, tips, and tricks.

    ------------------------------

    Date: Fri, 21 Jun 2019 00:09:34 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Your iPhone is not secure: Cellebrite UFED Premium is here
    (TechBeacon)

    *Think your iPhone or iPad is secure from prying eyes?* /Think again./

    *Companies such as Cellebrite,* with its Universal Forensic Extraction
    Device (UFED), operate lucrative businesses helping people around the world
    to unlock your devices. Of course, Cellebrite promises to only sell to legit law enforcement, but then what?

    *Once that genie is out of the bottle,* how can they contain it? In
    this week's /Security Blogwatch/, we wish for more wishes.

    https://techbeacon.com/contributors/richi-jennings

    ------------------------------

    Date: Thu, 20 Jun 2019 10:38:29 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: New vulnerabilities may let hackers remotely SACK Linux and FreeBSD
    systems (Ars Technica)

    https://arstechnica.com/information-technology/2019/06/new-vulnerabilities-may-let-hackers-remotely-sack-linux-and-freebsd-systems/

    ------------------------------

    Date: Thu, 20 Jun 2019 09:57:23 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Hackers, farmers, and doctors unite! Support for Right to Repair
    laws slowly grows (Ars Technica)

    https://arstechnica.com/gadgets/2019/06/hackers-farmers-and-doctors-unite-support-for-right-to-repair-laws-slowly-grows/

    ------------------------------

    Date: Thu, 20 Jun 2019 10:02:54 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Oracle issues emergency update to patch actively exploited WebLogic
    flaw (Ars Technica)

    https://arstechnica.com/information-technology/2019/06/oracle-issues-emergency-update-to-patch-actively-exploited-weblogic-flaw/

    ------------------------------

    Date: Thu, 20 Jun 2019 10:06:14 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Cloudflare aims to make HTTPS certificates safe from BGP hijacking
    attacks (Ars Technica)

    https://arstechnica.com/information-technology/2019/06/cloudflare-aims-to-make-https-certificates-safe-from-bgp-hijacking-attacks/

    ------------------------------

    Date: Fri, 21 Jun 2019 15:14:48 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Jibo (The Verge)

    Every aspect of Jibo was designed to make the robot as lovable to humans as possible, which is why it startled owners when Jibo presented them with an unexpected notice earlier this year: someday soon, Jibo would be shutting
    down. The company behind Jibo had been acquired, and Jibo's servers would be going dark, taking much of the device's functionality with it. ...

    For him and many other owners, Jibo has become like a dog that greets them whenever they walk into the house. It also sometimes takes on the role of an overbearing parent or kid sibling and tells owners, “don't work too hard,” or “remember to take bathroom breaks,” before they leave for work.

    But with the update and the company's silence, owners expect Jibo's time to
    be winding down, and they're thinking about Jibo's mortality and what
    they'll do when its last day arrives.

    ``People that really do love him and live with him daily,'' Nusbaum says. ``It's like having somebody very, very sick that you don't know: is this
    close to the end? Are they going to get better? Is this a false alarm?
    Yeah, it's not a great feeling right now.''

    https://www.theverge.com/2019/6/19/18682780/jibo-death-server-update-social-robot-mourning

    ------------------------------

    Date: Sat, 22 Jun 2019 12:22:43 +0200
    From: Zap Katakonk <zapkatakonk1943.6.22@gmail.com>
    Subject: Computer problems may have led to miscarriages of justice in Denmark

    In many trials, information garnered by the police from telephone companies plays an important part in determining whether a suspect has been at a
    certain place at a certain time. However, the Rigspolitiet national police force has discovered an error in the computer program that converts the information from the different telephone companies, reports DR Nyheder.

    http://cphpost.dk/news/computer-problems-may-have-led-to-miscarriages-of-justice.html

    More in Danish: https://politiken.dk/search/?ie=utf8&oe=utf8&hl=da&q=rigspolitiet%20telefon

    dr.phil. Donald B. Wagner, DK-3600 Frederikssund, Denmark

    ------------------------------

    Date: Sat, 22 Jun 2019 16:53:39 +0200
    From: Thomas Koenig <tkoenig@netcologne.de>
    Subject: C, Fortran, and single-character strings

    Recently, a decades-old bug in the way that many software packages used to
    call Fortran from C has surfaced. People apparently have been assuming that
    it was safe not to pass the length of a character argument to a Fortran
    routine when calling it from C, basically invoking undefined behavior.

    A change to gfortran exposed this, leading to crashes when calling routines from the well-known (and standard) linear algebra package LAPACK. This was first noticed by the developers of the R programming language.

    The discussion revealed positions ranging from ``people should just fix
    their code'' to ``This interface has worked for decades, this is the de facto interface, even broken code must be supported.''

    Fortran has a standard way of interfacing with C since the Fortran 2003 standard, but the old interface code often predates this standard, and
    people also appear to be quite reluctant to use standard features of newer Fortran versions. This is despite the fact that all relevant compilers today support this feature.

    As a result, gfortran now contains a workaround for this particular bug in
    user code.

    There is a nice writeup on LWN: https://lwn.net/SubscriberLink/791393/90b4a7adf99d95a8/

    Here is the gcc bug dealing with the issue: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90329

    Here is the corresponding Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1709538

    And finally a write-up by the R developer who analyzed this: https://developer.r-project.org/Blog/public/2019/05/15/gfortran-issues-with-lapack/
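
    The calling convention at issue, as an added example that is not part of the original post or of any linked project: gfortran passes the length of each character argument as an extra by-value argument at the end of the argument list (size_t in current releases, per the gfortran documentation). The routine tri_kind_ and both wrappers are hypothetical; tri_kind_ is a C stand-in for compiled Fortran so the block builds without a Fortran compiler.

```c
#include <stddef.h>
#include <stdio.h>

/* Fortran-style equality: the shorter operand is treated as blank-padded,
 * and only the stated lengths are read (Fortran strings carry no NUL). */
static int f_str_eq(const char *a, size_t a_len, const char *b, size_t b_len)
{
    size_t n = a_len > b_len ? a_len : b_len;
    for (size_t i = 0; i < n; i++) {
        char ca = i < a_len ? a[i] : ' ';
        char cb = i < b_len ? b[i] : ' ';
        if (ca != cb)
            return 0;
    }
    return 1;
}

/*
 * Hypothetical stand-in for the object code of
 *
 *     subroutine tri_kind(uplo, n, kind)
 *       character(len=*) :: uplo
 *       integer :: n, kind
 *
 * Every argument arrives by reference, and the length of uplo arrives as a
 * hidden by-value argument after the explicit ones.
 *
 * The legacy C pattern declared this as
 *     void tri_kind_(const char *uplo, const int *n, int *kind);
 * and called it with three arguments. The callee still expects four, so
 * that call has undefined behaviour even when it appears to work.
 */
void tri_kind_(const char *uplo, const int *n, int *kind, size_t uplo_len)
{
    if (*n < 0) {
        *kind = -1;                       /* invalid dimension */
    } else if (f_str_eq(uplo, uplo_len, "U", 1) ||
               f_str_eq(uplo, uplo_len, "UPPER", 5)) {
        *kind = 1;                        /* upper triangle */
    } else if (f_str_eq(uplo, uplo_len, "L", 1) ||
               f_str_eq(uplo, uplo_len, "LOWER", 5)) {
        *kind = 2;                        /* lower triangle */
    } else {
        *kind = 0;                        /* unrecognised selector */
    }
}

/* Correct wrapper for the single-character case: the length 1 is passed
 * explicitly instead of being left out. */
int tri_kind_char(char uplo, int n)
{
    int kind = 0;
    tri_kind_(&uplo, &n, &kind, (size_t)1);
    return kind;
}

/* Correct wrapper for a longer selector. The caller states how many bytes
 * belong to the string; the callee reads exactly that many. */
int tri_kind_buf(const char *buf, size_t len, int n)
{
    int kind = 0;
    tri_kind_(buf, &n, &kind, len);
    return kind;
}

int main(void)
{
    /* Constructed sample input: "UPPER" followed by unrelated bytes. */
    const char sample[] = "UPPERxyz";

    printf("'U', n=4          -> %d\n", tri_kind_char('U', 4));
    printf("'L', n=4          -> %d\n", tri_kind_char('L', 4));
    printf("sample, len=5     -> %d\n", tri_kind_buf(sample, 5, 4));
    printf("sample, len=8     -> %d\n", tri_kind_buf(sample, 8, 4));
    return 0;
}
```

    The last two calls read the same buffer and differ only in the length passed, which is why a missing or garbage length changes what the callee does.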

    ------------------------------

    Date: Thu, 20 Jun 2019 13:22:24 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: How to: Reset C by GE Light Bulbs (YouTu)

    Bulb Insanity: How to factory reset your GE C smart bulb. Legit. Really!

    https://youtu.be/1BB6wj6RyKo

    Read many brilliant comments.

    Among them: Hey GE, ``how many people does it take to change a light bulb''
    is a joke set-up, not a goal.

    (This follows conversation I had yesterday about how technology and
    interfaces are often awful if not nightmarish)

    ------------------------------

    Date: Thu, 20 Jun 2019 15:43:05 -0400
    From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
    Subject: Too many name collisions

    I learned recently from Twitter (source of all knowledge) [1] that the
    American Kennel Club allows no more than 37 dogs of any given breed with the same name [2]. The reason is amusing -- dogs with the same name are given suffixes in Roman numerals, and 37 is the largest number that can be represented in six characters (XXXVII). There's something in how programs
    are printed that limits the width of the column -- going to a wider number field would require reducing font size or reducing the width of some other field.

    This seems to date from before easy typesetting of variable-width fonts. I wonder if AKC even knows why this limit exists, or whether it's been in
    place so long that the institutional memory has been lost and recently rediscovered? Or whether they've considered relaxing the limit due to variable-width fonts?

    Of course moving from Roman numerals to Arabic numerals [*] would make the issue go away, albeit at the cost of not having the panache of something
    that takes some focus to understand.

    The Risk? The historic requirement (fixed-width typesetting) drives what is (perhaps) an obsolete feature (the number of dogs with the same name).
    There are undoubtedly plenty of other historic decisions that could be rethought today, perhaps with different results. On the other hand, AKC
    gets some value from the use of (possibly?) prestigious Roman numerals, so maybe this is a feature rather than a bug.

    [1] https://twitter.com/leftoblique/status/1139737041162272768
    [2] https://www.akc.org/register/information/naming-of-dog/

    [* Based on an item in a recent RISKS, I presume Arabic dogs would then
    have to be disallowed as well? PGN]

    ------------------------------

    Date: 21 Jun 2019 18:16:57 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: Ross Anderson's non-visa (RISKS-31.30)


    [continued in next message]
