• Risks Digest 32.50 (1/2)

    From RISKS List Owner@21:1/5 to All on Sat Feb 20 00:03:06 2021
    RISKS-LIST: Risks-Forum Digest Friday 19 February 2021 Volume 32 : Issue 50

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.50>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Texas vs FERC's "best practices" for anticipating disasters (PGN)
    U.S. Water Supply Has Few Protections Against Hacking (WSJ)
    Python wheel-jacking in supply chain attacks (VDOO)
    A Windows Defender Vulnerability Lurked Undetected for 12 Years (WiReD)
    Mercedes-Benz cars giving out *wrong* location info
      (Car and Driver Magazine)
    Growing size of vehicle screens sparks safety concerns
      (The Center for Auto Safety)
    Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships, Choppers, and
      Jets (WSJ)
    California DMV suffers massive third-party data breach (TechCrunch)
    Researcher hacks over 35 tech firms in novel supply chain attack (Ax Sharma)
    How faster Internet is being blocked by politics and poverty throughout the
      eastern U.S. (CNET)
    'Spy pixels in emails have become endemic' (BBC News)
    Google has bowed to pressure and will make 'significant' payments to Rupert
      Murdoch's News Corp (Business Insider)
    The losers in the news battle (Lauren Weinstein)
    Fixing Chrome 88's suddenly broken custom search-engine behavior
      (Lauren Weinstein)
    Facebook blocks news in Australia over government's payment rules
      (Dylan Byers)
    Woke teachers want Shakespeare cut from curriculum: 'This is about White
      supremacy' (Washington Times)
    Facebook to Label Climate Change Posts Like Covid, Vote Content (Yahoo!)
    France Ties Russia's Sandworm to a Multiyear Hacking Spree (WiReD)
    Citibank can't get back $900 million it wired by mistake (CNN)
    Incredibly poor software design costs Citigroup $500M (Matt Levine)
    Climate Change Could Shred Guitars Known for Shredding (Scientific American)
    Data breach warning after California DMV contractor hit by file-stealing
      ransomware (TechCrunch)
    Entitled People Are More Likely To Be Angry at Bad Luck
      (Scientific American)
    Who Should Stop Unethical A.I.? (Matthew Hutson)
    AI may mistake chess discussions as racist talk (Techxplore)
    "Holy cow. Bitcoin is using half a percent of all the world's electricity?"
      (geoff goodfellow)
    Nvidia limits crypto-mining on new graphics card (msn.com)
    The IRS Cashed Her Check, Then the Late Notice Started Coming (ProPublica)
    Authorities have taken down the dark web's largest illegal marketplace
      vendor (The Verge)
    U.S. election cybersecurity (CDT)
    People answer scientists' queries in real time while dreaming
      (Scientific American)
    How Oracle Sells Repression in China (The Intercept)
    The Untold History of America's Zero-Day Market (WiReD)
    "Vaccine" passport? (Rob Slade)
    Man offered vaccine after error lists him as 6.2cm tall (BBC)
    Gorilla COVID risks (CNN)
    Japanese contact tracing software of Covid-19 patient on Android did not
      work for four months (Kyodo News)
    Bruce Schneier's CRYPTO-GRAM, 15 Feb 2021 (PGN)
    Re: Calling All Ham Radio Operators (Bob Wilson)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 19 Feb 2021 10:49:28 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Texas vs FERC's "best practices" for anticipating disasters

    Richard Parker,
    Texas Could Have Kept the Lights On:
    The state's powerful [sic] utilities failed to prepare for the worst
    Editorial, *The New York Times*, 18 Feb 2021
    https://www.nytimes.com/2021/02/17/opinion/texas-blackout-energy-abbott.html

    Paul Krugman,
    Texas, Land of Wind and Lies:
    When post-truth politics meets energy policy, the outlook is bleak
    Editorial, *The New York Times*, 19 Feb 2021

    PGN's mini-editorial for RISKS:

    Many of the lessons from 35 years of the ACM Risks Forum have been massively
    ignored in Texas, in this case resulting in massive power outages with no
    potable water, and added difficulties for COVID-19 vaccines that needed deep
    refrigeration. The lessons from dozens of previous propagating outages have
    been partially addressed in other states, with considerable diminution in
    massively cascading multi-state fiascoes over time. However, the earlier
    notion of having spare electricity to share with other regions has been
    deprecated, which could otherwise help out in emergencies. Furthermore,
    Texas's desire to go it alone has seriously backfired, especially in that
    there were explicit warnings from the Federal Emergency Regulatory
    Commission that extensive cold-hardening was needed after a serious cold
    snap in 2011 that affected millions with no power -- evidently ignored
    without any sensible system engineering for resilience. The Texas disaster
    clearly violates the Albert Einstein principle: Everything should be made as
    simple as possible but no simpler. This is a horrible example of "much too
    simple". As usual, the blame can be widely distributed, but in this case
    most of it is mercilessly self-inflicted. Furthermore, the incredible
    fantasy of the Governor and others in blaming this disaster on alternative
    energy sources such as wind power borders on insanity.

    In this case, even the "best practices" recommended by FERC a decade ago may not have been good enough, but could have avoided much of the effects of
    this disaster.

    The loss of the Challenger shuttle was another example of a lesson to be learned in anticipating cold weather (e.g., RISKS-5.78 and 5.80). What made that particularly unfortunate was that Roger Boisjoly had explicitly warned
    not to launch in freezing weather because it was known that the O-rings
    might not hold. Thus, in that case the risks were known in advance, but not adequately considered. (See RISKS-12.40 for more on that.)

    In our RISKS-related archives is also a major six-week complete power-outage disaster in Quebec in the winter of 1996-1997 when transmission towers froze and collapsed from the weight of ice under the prolonged hard freeze, and
    the outage lasted for months. Water was also a relevant issue there as in Texas, because there were no available public water sources during the
    entire outage. (Surely, cold weather was not a surprise there.)

    ------------------------------

    Date: Thu, 18 Feb 2021 10:26:45 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Python wheel-jacking in supply chain attacks (VDOO)

    Recently, a novel supply-chain attack was published by security researcher
    Alex Birsan, detailing how dependency confusion (or "name-squatting") in package managers can be misused in order to execute malicious code on production and development systems.

    In short, most package managers such as pip and npm do not distinguish
    between internal packages (hosted on internal company servers) and external ones (hosted on public servers). [...] https://www.vdoo.com/blog/python-wheel-jacking-supply-chain-attacks

    ------------------------------

    Date: Sat, 13 Feb 2021 09:25:54 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: U.S. Water Supply Has Few Protections Against Hacking (WSJ)

    Vulnerabilities highlighted after cyber intruder tampered with treatment
    plant in Florida

    A Florida city whose water system was hacked last week said Friday that it completed a federally mandated security-risk assessment three months ago,
    but hadn't yet integrated the findings into its emergency plans.

    The hacking incident -- occurring after a security review -- has thrown into stark relief a vulnerability of the more than 50,000 community water systems that supply most Americans with their drinking water: they don't have to
    meet any national standard for cybersecurity.

    That is in contrast to electric utilities, which have had to meet
    increasingly stringent rules since 2008 for the physical and cybersecurity
    of key assets and, more recently, for parts of their supply chains. Rules
    for the electric industry are reinforced by monetary penalties for
    violations.

    On Feb. 5, an engineer at a water treatment plant in Oldsmar, Fla., in
    Pinellas County, detected that a hacker had accessed the facility's control system and attempted to increase the amount of lye used to treat the water
    to a potentially dangerous level. The control engineer witnessed the
    tampering, as a ghostly hand moved a cursor over his screen, and he reversed
    it immediately, officials said. But the episode highlighted how few
    protections are mandated to defend the U.S. water supply.

    The incident comes as officials warn about the growing sophistication and brazenness of attacks on critical infrastructure. Many attacks are never publicly revealed, but The Wall Street Journal identified targets in a
    Russian campaign in 2017 to pierce electric-utility defenses, by first penetrating trusted suppliers, and another effort in 2019 by unidentified hackers who targeted electric utilities in at least 18 states.

    More recently, the government has said the sprawling SolarWinds hack,
    disclosed in December, compromised more than half a dozen federal agencies including the State, Commerce and Treasury departments, and critical infrastructure organizations -- whose names, as yet, haven't been revealed.

    The federal government took a small step toward addressing the problem of insufficient cyber-defenses in the water industry in 2018 with passage of
    the America's Water Infrastructure Act. The law requires water providers serving about 80% of the U.S. population to do security-risk reviews and integrate findings into their emergency plans.

    The biggest water providers were required to complete that work last year,
    and all but 10 of 542 organizations complied, according to the Environmental Protection Agency. But nearly 9,000 smaller suppliers -- including the water department in Oldsmar -- have until the end of this year to complete their reviews and implement findings.

    The smallest of suppliers -- the 40,000 organizations with fewer than 3,300 customers, each -- are exempt.

    Even though water systems must certify completion of their work to the EPA, they aren't required to share copies of their work product with the agency.
    As a result, the EPA doesn't actually assess the quality of their action. Because the agency doesn't possess the documents, they are effectively
    beyond the reach of federal public-records law. [...]

    Federal officials advised water utilities this week to take a hard look at remote access tools, which have been especially popular during the
    pandemic. Industry experts said many improvements can be made at little or
    no expense -- such as enforcing password protection and utilizing encryption and firewalls -- but that small utilities struggle with things as simple as cyber training.

    The Federal Bureau of Investigation, which is investigating the intrusion,
    said it has probed other incidents in which desktop sharing software was
    used as an attack vector against critical infrastructure providers.

    Cybersecurity experts said preliminary information about the Oldsmar water department -- such as that employees shared a single password on TeamViewer
    -- suggested broader security problems.

    The Water Information Sharing and Analysis Center, a nonprofit clearinghouse for threat information geared to water suppliers, said the incident appeared
    to be ``more opportunistic than sophisticated,'' partly because the intruder didn't attempt to hide the fact he was messing with the chemical delivery system.

    Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency, said in congressional testimony Wednesday that it is
    possible the intruder was a disgruntled employee or a foreign actor.
    ``That's why we do investigations,'' he said, adding that the municipal utility's defenses were ``not where anybody, any operational security professional would like for that security posture to be.''

    Unfortunately, he added, ``Oldsmar is probably the rule rather than the exception.''

    He urged Congress to consider offering the industry more financial
    assistance to make cyber upgrades.

    An EPA official said the agency estimates that $750 billion is needed to
    replace pipes, upgrade water treatment facilities and improve
    cyber-preparedness at water utilities -- a big lift.

    Kevin Morley, manager of federal relations for the American Water Works Association, an industry group, said that $10 million was authorized in 2018
    to help small utilities pay for security upgrades but Congress never appropriated the money. There are other federal programs that provide grants and low-interest loans.

    https://www.wsj.com/articles/u-s-water-supply-has-few-protections-against-hacking-11613154238

    ------------------------------

    Date: Sat, 13 Feb 2021 13:58:07 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: A Windows Defender Vulnerability Lurked Undetected for 12 Years
    (WiReD)

    Microsoft has finally patched the bug in its antivirus program after researchers spotted it last fall.

    Just because a vulnerability is old doesn't mean it's not useful. Whether
    it's Adobe Flash hacking or the EternalBlue exploit for Windows, some
    methods are just too good for attackers to abandon, even if they're years
    past their prime. But a critical 12-year-old bug in Microsoft's ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and
    defenders alike until recently. Now that Microsoft has finally patched it,
    the key is to make sure hackers don't try to make up for lost time.

    https://www.wired.com/story/windows-defender-vulnerability-twelve-years/

    ------------------------------

    Date: Mon, 15 Feb 2021 17:56:45 +0000
    From: danny burstein <dannyb@panix.com>
    Subject: Mercedes-Benz cars giving out *wrong* location info
    (Car and Driver Magazine)

    Mercedes-Benz is recalling almost 1.3 million vehicles from the 2016 through
    2021 model years to fix a problem with the communication module for the
    eCall emergency call system. Affected vehicles could indicate the wrong
    location to emergency services when used in case of an incident on the
    road. [...]

    The National Highway Traffic Safety Administration (NHTSA), in its recall
    notice, says the problem is expected to affect 100 percent of the 1,292,258
    Mercedes-Benz and Mercedes-AMG vehicles subject to the recall by
    Mercedes-Benz USA.

    https://www.caranddriver.com/news/a35498170/mercedes-benz-emergency-call-system-recall/

    ------------------------------

    Date: Sun, 14 Feb 2021 21:18:13 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Growing size of vehicle screens sparks safety concerns
    (The Center for Auto Safety)

    Mercedes is unveiling a 56-inch smart screen in one of its cars later this year, part of a new trend safety groups say could pose real dangers on the road.

    https://www.autosafety.org/growing-size-of-vehicle-screens-sparks-safety-concerns/

    ------------------------------

    Date: Wed, 17 Feb 2021 13:05:51 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Forget Self-Driving Cars: the Pentagon Wants Autonomous Ships,
    Choppers, and Jets (WSJ)

    Andy Pasztor, *The Wall Street Journal*, 13 Feb 2021
    via ACM TECHNEWS, Wednesday, February 17, 2021

    The Pentagon is pushing for increased use of automation in the
    U.S. military, outpacing efforts in commercial automation as officials aim
    to counter technological advances among adversaries. These autonomous
    technologies are expected to emerge in future civilian aircraft, air traffic
    control systems, and drone applications, but unlike commercial automation,
    there are concerns about the lack of regulation over the Pentagon's
    initiatives. While these advanced systems will not be deployed immediately,
    the recent $740 billion defense authorization bill includes provisions to
    expand and promote automation across the military. Military projects in the
    works include pairing an autonomous jet fighter with a traditional one in
    mock dogfights and using autonomous helicopters to deliver supplies to
    remote outposts, an autonomous vehicle for transporting ground troops,
    undersea vehicles to carry cargo and gather intelligence, and artificial
    intelligence to assume the role of a U-2 reconnaissance plane pilot for
    navigation.
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-297d5x228694x070110&

    ------------------------------

    Date: Thu, 18 Feb 2021 07:53:51 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: California DMV suffers massive third-party data breach (TechCrunch)

    https://techcrunch.com/2021/02/18/california-motor-vehicles-afts-ransomware/

    ------------------------------

    Date: Wed, 17 Feb 2021 13:05:51 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Researcher hacks over 35 tech firms in novel supply chain attack
    (Ax Sharma)

    Ax Sharma, BleepingComputer, 9 Feb 2021
    via ACM TECHNEWS, Wednesday, February 17, 2021

    Security researcher Alex Birsan launched a novel software supply chain
    attack that breached the internal systems of more than 35 major companies,
    including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and
    Uber. The attack involved uploading malware to open source repositories like
    PyPI, npm, and RubyGems, which then was distributed downstream automatically
    into the company's internal applications. The attack did not need action by
    the victim, unlike traditional typo-squatting or brandjacking attacks,
    instead taking advantage of dependency confusion, a unique design flaw of
    open-source ecosystems. Birsan explained that "vulnerabilities or design
    flaws in automated build or installation tools may cause public dependencies
    to be mistaken for internal dependencies with the exact same name." Birsan
    has earned more than $130,000 from bug bounty programs and pre-approved
    penetration testing arrangements for his research.
    https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
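    Both the VDOO item and this one describe the same mechanism: a build tool
    that pools an internal index with a public one and takes the highest
    version of a name, so a public upload with the same name as an internal
    package can win. The script below is an added illustration, not code from
    VDOO, BleepingComputer or Birsan; it models that resolution rule over
    constructed index listings (the package names, versions and the
    tie-breaking rule are all assumptions) and reports which internal names a
    pooled resolution would pull from the public index.

```python
"""Dependency confusion across pip indexes: a model of the resolution rule.

Added example with constructed data; not code from VDOO or Alex Birsan.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple[int, ...]
    index: str  # "internal" or "public": which index offered this release


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a plain dotted release such as '1.4.2' into a comparable tuple.

    Pre-release and local segments are not handled; the constructed data
    below only uses plain releases.
    """
    return tuple(int(part) for part in text.split("."))


# Constructed sample listings, {package name: [available versions]}.
INTERNAL_INDEX = {
    "acme-billing-core": ["1.4.2", "1.5.0"],
    "acme-auth-client": ["0.9.1"],
    "acme-ledger": ["2.0.0"],
    "requests": ["2.25.1"],  # a public package mirrored internally
}
PUBLIC_INDEX = {
    "requests": ["2.25.1"],
    "acme-billing-core": ["99.0.0"],  # same name as an internal package, higher version
    "acme-auth-client": ["0.9.0"],    # same name, but lower than the internal release
}
# Names the company treats as internal, including one nobody has published yet.
INTERNAL_NAMES = ["acme-billing-core", "acme-auth-client", "acme-ledger", "acme-reports"]


def candidates(name: str, listing: dict[str, list[str]], index: str) -> list[Candidate]:
    """All releases of `name` that one index offers."""
    return [Candidate(name, parse_version(v), index) for v in listing.get(name, [])]


def resolve_extra_index(name: str) -> Candidate | None:
    """Model pip with the internal index as --index-url and the public one as
    --extra-index-url: both listings are pooled and the highest version wins,
    whichever index offered it. Ties go to the internal index here; that is a
    simplifying assumption, not a statement about pip's own tie-breaking."""
    pool = candidates(name, INTERNAL_INDEX, "internal") + candidates(name, PUBLIC_INDEX, "public")
    if not pool:
        return None
    return max(pool, key=lambda c: (c.version, c.index == "internal"))


def resolve_single_index(name: str) -> Candidate | None:
    """Model the safer configuration: only the internal index (or a proxy that
    answers for internal names itself) is consulted, so the public listing
    never competes for an internal name."""
    pool = candidates(name, INTERNAL_INDEX, "internal")
    return max(pool, key=lambda c: c.version) if pool else None


def audit(names: list[str]) -> dict[str, str]:
    """Classify each internal name under the pooled rule: 'hijacked' if a
    public release would be chosen, 'safe' if the internal release still wins,
    'unregistered' if the internal index has no release at all (a name that is
    free for anyone to claim on the public index)."""
    report: dict[str, str] = {}
    for name in names:
        chosen = resolve_extra_index(name)
        if resolve_single_index(name) is None:
            report[name] = "unregistered"
        elif chosen is not None and chosen.index == "public":
            report[name] = "hijacked"
        else:
            report[name] = "safe"
    return report


if __name__ == "__main__":
    for name, status in audit(INTERNAL_NAMES).items():
        chosen = resolve_extra_index(name)
        where = f"{chosen.index} {'.'.join(map(str, chosen.version))}" if chosen else "nothing"
        print(f"{name:<20} {status:<12} pooled resolution picks {where}")
```

    The "unregistered" row is the case worth acting on first: an internal name
    with no release on the internal index is exactly the name a public upload
    can claim, so reserving such names (or routing all installs through one
    index) closes the gap before any version comparison happens.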

    ------------------------------

    Date: Thu, 18 Feb 2021 12:10:41 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: How faster Internet is being blocked by politics and poverty
    throughout the eastern U.S. (CNET)

    *Biden's broadband plan faces a serious test case in Appalachia's digital divide, where a potent mix of extreme poverty, lack of infrastructure and
    poor data present tremendous hurdles to the president's dream of closing the broadband gap.*

    For one public school teacher in Laurel County, Kentucky, proper education means making a painful and difficult decision. While her home is connected
    to AT&T's U-Verse Internet service, it's only fast enough to support one
    person at a time. So in the midst of a pandemic-driven mandate for remote learning, she often has to choose between teaching her students and ensuring her own school-age kids are able to log on.

    "We have really done a horrible job making sure they have the means," said
    the teacher, who requested we withhold her name out of fear of losing her
    job.

    One pandemic-driven solution in Kentucky has been to put mobile hotspots in
    public school parking lots so kids without internet at home can keep up with
    schoolwork, but that isn't without its own flaws.
    "If they don't have gas money to come and get their child at the school
    when they're sick, they're sure not going to have gas money to drive to the
    school every day to download their assignments," she said. [...]
    https://www.cnet.com/features/biden-broadband-plan-digital-divide-appalachia-rural-test-case/

    ------------------------------

    Date: Wed, 17 Feb 2021 12:36:06 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: 'Spy pixels in emails have become endemic' (BBC News)

    The use of "invisible" tracking tech in emails is now "endemic", according
    to a messaging service that analysed its traffic at the BBC's request.

    Hey's review indicated that two-thirds of emails sent to its users' personal accounts contained a "spy pixel", even after excluding for spam.

    Its makers said that many of the largest brands used email pixels, with the exception of the "big tech" firms.

    Defenders of the trackers say they are a commonplace marketing tactic.

    And several of the companies involved noted their use of such tech was mentioned within their wider privacy policies.

    https://www.bbc.com/news/technology-56071437

    Hardly news, just a reminder...

    ------------------------------

    Date: Wed, 17 Feb 2021 13:55:02 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Google has bowed to pressure and will make 'significant' payments
    to Rupert Murdoch's News Corp (Business Insider)

    It's difficult to disagree with Jeff Jarvis' view as described in this
    article. This is a slippery slope that goes a significant way toward
    breaking the fundamental principles of the Web, toward a "pay to link" model that would destroy competition and could leave the big boys the only ones standing. And this could make disinformation/misinformation problems worse
    as well. -L

    https://www.businessinsider.com/google-news-payments-deal-rupert-murdoch-wall-street-journal-australia-2021-2

    ------------------------------

    Date: Wed, 17 Feb 2021 21:18:24 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: The losers in the news battle

    The ultimate losers in the battle between news organizations, Facebook, and
    Google aren't any of those. It's ordinary users, who will be impotent
    observers as the Internet they've come to know collapses around them in a
    sea of pay-to-link sites that will bleed the Web dry.

    ------------------------------

    Date: Sat, 13 Feb 2021 21:29:15 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Fixing Chrome 88's suddenly broken custom search-engine behavior

    [C'mon Google!] In the last 24 hours or so, the standard Chrome
    "custom search engines" shortcut behavior (e.g. yt<space> to search on YouTube), that I've depended on for many years, stopped working in
    Chrome 88.

    To fix it: Go to: chrome://flags/#omnibox-keyword-search-button
    DISABLE. Then RELAUNCH.

    Please don't suddenly change stuff like this, Google, without any warning or explanation! And please don't deprecate this fix!

    ------------------------------

    Date: Wed, 17 Feb 2021 12:34:11 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Facebook blocks news in Australia over government's payment rules
    (Dylan Byers)

    https://www.nbcnews.com/tech/tech-news/facebook-blocks-news-australia-governments-payment-rules-rcna292

    Facebook said Wednesday that Australian users and publishers will not be
    able to post news content to its social network after the country's
    government threatened to force it to pay publishers.

    The announcement is the most significant and severe split between Facebook
    and a foreign government over growing calls for big tech companies to pay publishers to feature their content. [...]

    ------------------------------

    Date: Thu, 18 Feb 2021 12:13:55 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Woke teachers want Shakespeare cut from curriculum:
    'This is about White supremacy' (Washington Times)

    The crown teachers once put on William Shakespeare now lies uneasy upon his head as the English playwright comes under assault from teachers who fault
    his unwoke attitudes regarding race, sexuality, gender and class.

    For the new breed of teachers, Shakespeare is seen less as an icon of literature and more as a tool of imperial oppression, an author who should
    be dissected in class or banished from the curriculum entirely.

    ``This is about white supremacy and colonization,'' declared the teachers who founded #DisruptTexts, a group that wants staples of Western literature
    removed or subjected to withering criticism.

    The anti-Shakespeare teachers say fans of the plays ignore the author's problematic worldview. They say readers of Shakespeare should be required to address the ``whiteness'' of their thinking.

    If Shakespeare must be taught, these educators say, then it should be
    presented with watered-down versions of the original or supplemental texts
    focused on equality issues. [...]
    https://www.washingtontimes.com/news/2021/feb/15/woke-teachers-want-shakespeare-cut-curriculum-abou/

    ------------------------------

    Date: Thu, 18 Feb 2021 14:24:16 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Facebook to Label Climate Change Posts Like Covid, Vote Content
    (Yahoo!)

    Facebook Inc. will begin labeling some user posts that mention climate
    change in the same way it has annotated posts discussing elections and Covid-19, a sign the social network is taking climate-related
    misinformation more seriously.

    The labels will direct users to Facebook's Climate Science Information
    Center -- an existing hub that includes related news articles, climate
    change data and recommendations for Pages to follow. The new labels will be added to some posts about climate change, regardless of their accuracy, a strategy Facebook has used with other widely discussed topics as a way to
    fight falsehoods.

    Chief Executive Officer Mark Zuckerberg has argued that the best way to
    keep misinformation from spreading on its networks is not just to remove misleading posts, but to offer people accurate information from
    authoritative sources. The labels are rolling out first to users in the
    U.K., though the plan is to bring them to more countries soon, according to
    a Facebook blog post.

    Facebook has been used to spread climate misinformation in much the same way
    the service is used for sharing all kinds of misleading posts. False
    statements about climate change reviewed by Facebook's fact-checkers are
    flagged, but unlike Covid-19 misinformation, climate posts are not typically
    removed. That's because Facebook doesn't consider most climate
    misinformation to pose an imminent threat of harm, which is the bar for
    removing false information from the service. [...]
    https://finance.yahoo.com/news/facebook-label-climate-change-posts-110000858.html

    ------------------------------

    Date: Wed, 17 Feb 2021 19:14:58 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: France Ties Russia's Sandworm to a Multiyear Hacking Spree
    (WiReD)

    A French security agency warns that the destructively minded group has exploited an IT monitoring tool from Centreon.

    https://www.wired.com/story/sandworm-centreon-russia-hack/

    ------------------------------

    Date: Wed, 17 Feb 2021 11:37:13 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Citibank can't get back $900 million it wired by mistake

    New York (CNN Business) After committing one of the "biggest blunders in
    banking history," Citibank won't be allowed to recover the almost half a
    billion dollars it accidentally wired to Revlon's lenders, a US District
    Court judge ruled.

    Citibank, which was acting as Revlon's loan agent, meant to send about $8
    million in interest payments to the cosmetic company's lenders. Instead,
    Citibank accidentally wired almost 100 times that amount, including $175
    million to a hedge fund. In all, Citi (C) accidentally sent $900 million to
    Revlon's lenders.

    https://www.cnn.com/2021/02/16/business/citibank-revlon-lawsuit-ruling/index.html

    ------------------------------

    Date: Wed, 17 Feb 2021 13:34:31 -0500
    From: George Mannes <gmannes@gmail.com>
    Subject: Incredibly poor software design costs Citigroup $500M
    (Matt Levine)

    From the incomparable Bloomberg columnist Matt Levine
    (Relevant excerpts from paywalled item):

    ... The ``easiest (or perhaps only)'' way to pay off some lenders but not others was to instruct the software to pay off all the lenders! But tell it only to *pretend* to pay them! Just send that money to a wash account! This
    is all fine! Let's read another horrifying paragraph!

    Because the vast majority of wire transactions processed by Citibank using Flexcube involve the payment of funds to third parties, any payment entered into the system is released as a wire payment unless the maker suppresses
    the default option. Citibank's internal Fund Sighting Manual provides instructions for suppressing Flexcube's default. When entering a payment,
    the employee is presented with a menu with several *boxes* that can be *checked* along with an associated field in which an account number can be input. The Fund Sighting Manual explains that, in order to suppress payment
    of a principal amount, ``ALL of the below field[s] must be set to the wash account: FRONT[;] FUND[; and] PRINCIPAL'' -- meaning that the employee had
    to check all three of those boxes and input the wash account number into the relevant fields.

    This is just demented stuff. If you want to send out interest payments in
    cash, but send the principal payment to the wash account, you have to check
    the box next to PRINCIPAL and also the boxes next to FRONT and FUND.
    PRINCIPAL sounds like principal: You are sending the principal to the wash account, sure, right, yes, check that box. FRONT and FUND sound like
    nothing. So the Citi operations people messed it up:

    Notwithstanding these instructions, Ravi, Raj, and Fratta all believed -- incorrectly -- that the principal could be properly suppressed solely by setting the PRINCIPAL field to the wash account. Accordingly, as Ravi built
    out the transaction between 5:15 and 5:45 p.m. in his role as maker, he
    checked off only the PRINCIPAL field, neglecting the FRONT and FUND
    fields. Figure 1, below, ``is an accurate image of the Flexcube screen after [Ravi] input the data.''

    At 5:45 p.m., Ravi emailed Raj for approval of the transaction, explaining
    that ``Princip[al] to Wash A[ccount] & Interest to DDA A[ccount].'' The
    ``DDA Account'' referenced the Demand Deposit Account, which is an
    operational, external-facing account used by Citibank to collect payments
    from customers and make transfers to lenders. After reviewing the
    transaction, Raj believed -- incorrectly -- that the principal would be sent
    to the wash account and only the interest payments would be sent out to the Lenders. Raj then emailed Fratta, seeking final approval under the six-eye review process, explaining ``NOTE: Principal set to Wash and Interest Notice released to Investors.'' Fratta, also believing incorrectly that the default instructions were being properly overridden and the principal payment would
    be directed to the wash account, not to the Lenders, responded to Raj via email, noting, ``Looks good, please proceed. Principal is going to wash.''

    The software gave him a warning, but not a very good one:

    Raj then proceeded with the final steps to approve the transfers, which
    prompted a warning on his computer screen -- referred to as a ``stop sign''
    -- stating: ``Account used is Wire Account and Funds will be sent out of the
    bank. Do you want to continue?'' But ``[t]he stop sign `did not indicate the
    amount that would be sent out of the bank,' or whether it constituted an
    amount equal to the intended interest payment, an amount equal to the
    outstanding principal on the loan, or a total of both.'' Because Raj
    intended to release ``the interim interest payment to [the] [L]enders,'' he
    therefore clicked ``YES.''

    Here's Figure 1; it does not particularly explain itself:

    See, the ``don't actually send the money'' box next to ``PRINCIPAL'' is checked, but that doesn't do anything, you have to check two other boxes to make it not actually send the money.

    When they discovered the error the next day, their first reaction was not
    to email the lenders asking for the money back (that was their second
    reaction); their *first* reaction was to email tech support to say the
    software was broken:

    At 10:26 a.m., Fratta emailed Citibank's technology support group:
    ``Yesterday we processed a payment with Principal to the wash and Interest
    to be sent to lenders. All details in the front end screens yesterday le[d]
    us to believe that the payment would be handled in that manner. . . .

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)