• Risks Digest 32.52 (2/2)

    From RISKS List Owner@21:1/5 to All on Sun Mar 7 01:16:20 2021
    [continued from previous message]

    ------------------------------

    Date: Mon, 1 Mar 2021 11:21:05 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Is Your Browser Extension a Botnet Backdoor? (Krebs on Security)

    A company that rents out access to more than 10 million Web browsers so
    that clients can hide their true Internet addresses has built its network
    by paying browser extension makers to quietly include its code in their
    creations. This story examines the lopsided economics of extension
    development, and why installing an extension can be such a risky
    proposition.

    Singapore-based *Infatica[.]io* is part of a growing industry of shadowy
    firms trying to woo developers who maintain popular browser extensions --
    desktop and mobile device software add-ons available for download from
    *Apple*, *Google*, *Microsoft* and *Mozilla* designed to add functionality
    or customization to one's browsing experience.

    Some of these extensions have garnered hundreds of thousands or even
    millions of users. But here's the rub: As an extension's user base grows,
    maintaining them with software updates and responding to user support
    requests tends to take up an inordinate amount of the author's time. Yet
    extension authors have few options for earning financial compensation for
    their work.

    So when a company comes along and offers to buy the extension -- or pay the
    author to silently include some extra code -- that proposal is frequently
    too good to pass up.

    For its part, Infatica seeks out authors with extensions that have at least
    50,000 users. An extension maker who agrees to incorporate Infatica's
    computer code can earn anywhere from $15 to $45 each month for every 1,000
    active users. [...]
    https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/

    ------------------------------

    Date: Thu, 25 Feb 2021 15:16:49 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: When Companies Skimp on Cybersecurity (Bruce Schneier)

    Why was SolarWinds so vulnerable to hackers?
    Bruce Schneier, *The New York Times*, Op-Ed, 24 Feb 2021

    Worth reading! Last paragraph:

    In today's unregulated markets, it's just too easy for software companies
    like SolarWinds to save money by skimping on security and to hope for the
    best[*]. That's a rational decision in our free-market world, and the
    only way to change that is to change the economic incentives.

    [* Note: "Hoping for the *best*" is totally unrealistic. It's really more
    like hoping that they get away with it even if there are failures that are
    not too serious! However, RISKS readers know that everything can
    potentially be compromised (at least by insiders, if not from outsiders).
    I keep harping on the underlying problem that even if the software is not
    flawed, total-system compromises may result from exploitation of hardware
    vulnerabilities or errors. Thus the total-system supply chain is
    particularly critical. PGN]

    ------------------------------

    Date: Sun, 28 Feb 2021 13:06:56 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Former SolarWinds CEO blames intern for "solarwinds123" password
    leak (CNNPolitics)

    Washington (CNN) Current and former top executives at SolarWinds are blaming
    a company intern for a critical lapse in password security that apparently
    went undiagnosed for years.

    The password in question, "solarwinds123," was discovered in 2019 on the
    public Internet by an independent security researcher who warned the
    company that the leak had exposed a SolarWinds file server.

    https://www.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html

    A system so insecure that an intern can compromise it.

    ------------------------------

    Date: Mon, 1 Mar 2021 09:56:06 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Post Office scandal: Postmasters have convictions quashed

    [Re: Error-prone software that reportedly ruined lives] https://www.bbc.com/news/business-55271193

    ------------------------------

    Date: Sat, 27 Feb 2021 20:30:15 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Objective or Biased

    Less prejudice, more objectivity: An application process that is not
    influenced by the personal preferences of a recruiter. That is the promise
    of many AI companies entering the market worldwide, including a start-up
    based in Munich.

    According to the software developer, the artificial intelligence analyzes
    tone of voice, language, gestures and facial expressions and creates a
    behavioural personality profile. The application process will not only be
    ``faster, but also more objective and fair'', according to the start-up.

    Apparently that sounds promising: the company has just received a
    seven-digit funding from investors. The start-up states that it cooperates
    with DAX-listed companies, the brand logos of Lufthansa, BMW Group and ADAC
    can be found on the website.

    Similar products are already in use in the US. Hirevue, a company from the
    US state of Utah, claims to have 700 companies as customers. Hirevue
    products have drawn criticism from AI experts, the software's results were
    considered to be opaque.

    And yet, AI is considered a key technology and already now it's hard to
    imagine a future without it -- also in recruiting.

    For this reason, a team of reporters from Bayerischer Rundfunk (German
    Public Broadcasting), performed several experiments with such a product in
    taking a closer look at the software of a Munich-based start-up. [...]
    https://web.br.de/interaktiv/ki-bewerbung/en/

    ------------------------------

    Date: Sun, 28 Feb 2021 17:09:42 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Amazon's new rotating, follow-you camera is useful -- and invasive
    (WashPost)

    The Echo Show 10 tracks your movement to make sure you're always in the
    frame on video calls. But it also doubles as a surveillance camera inside
    your home.

    https://www.washingtonpost.com/technology/2021/02/26/amazon-echo-show-10/

    ------------------------------

    Date: Wed, 24 Feb 2021 10:50:58 +0000
    From: Clive Page <clivegpage@gmail.com>
    Subject: Vaccine passport certificates already exist (Re: Slade, RISKS-32.50)

    I'd like to point out vaccine certificates have existed for many years, and
    I've just dug mine out of the filing cabinet to look at it carefully. It is
    a bright yellow booklet about the size of a passport but much thinner. It
    is labeled in English and French "International Certificate of Vaccination
    In accordance with the International Health Regulations of the World Health
    Organisation". It is primarily for Yellow Fever, of course, but has pages
    dedicated for Typhoid, Cholera, and "Other" which could surely cover
    Covid-19. Mine has stamps on several pages, and I've carried it a few times
    when visiting countries where Yellow Fever vaccination might be required.
    My certificate reminds me to get another Yellow Fever vaccination by the end
    of November 2021.

    So the format exists, is WHO approved, and internationally recognised. It
    is very easy to carry and read, does not require data connectivity, has no
    battery to run down, and will never prompt me to update its software. No
    doubt the current document format is easy to forge but that could easily be
    improved as we know from modern plastic banknotes bearing holograms that
    many countries now use (but perhaps not the USA yet?). Is it really
    necessary to adopt a brand-new digital format that would require lengthy
    negotiations to achieve international recognition when we already have
    something in printed form that appears to work well?

    [Clive, I was waiting for someone to post what you did since I ran Rob's
    item. I did not have time to dig into the predecessors the way you have.
    Thanks. PGN]

    ------------------------------

    Date: Mon, 1 Mar 2021 15:51:48 +0000 (UTC)
    From: Joe Weiss <joe.weiss@realtimeacs.com>
    Subject: Texas power outages demonstrate grid cyber-vulnerability and
    inadequacy of existing regulations (Control Global)

    Following severe man-made or natural disasters, the grid and other critical
    infrastructure are subject to cyberthreats but with much less
    cyberprotection than normal. The recent Texas outages that were caused by
    severe storms could have had the outages and recovery significantly
    impacted by cyberthreats. The existing regulations and standards such as
    the NERC CIPs were shown to be dangerously lacking. These gaps apply to all
    US utilities and have been exploited resulting in widespread outages and
    equipment damage. There is an opportunity to use the Texas experience to
    make needed changes to regulations and guidance on cybersecurity of
    critical infrastructures. It is evident that our adversaries are watching
    what happened, how we are responding, and what is being done to prevent
    future grid impacts. As such, resilience means addressing what could
    possibly be expected. The solution to building and operating a more
    resilient grid and other critical infrastructures lies with leadership in
    industry, government, Congress, and stakeholders such as credit rating
    agencies and insurance companies.

    https://www.controlglobal.com/blogs/unfettered/texas-power-outages-demonstrate-grid-cyber-vulnerability-and-inadequacy-of-existing-regulations/
    Respectfully, Joe

    ------------------------------

    Date: Fri, 26 Feb 2021 08:16:15 -0700
    From: "Keith Medcalf" <kmedcalf@dessus.com>
    Subject: Re: His Lights Stayed on During Texas's Storm. Now He Owes $16,752
    (RISKS-32.51)

    > Under some of the plans, when demand increases, prices rise. The goal,
    > architects of the system say, is to balance the market by encouraging
    > consumers to reduce their usage and power suppliers to create more
    > electricity.

    This is the simplified view for the proletariat.

    The market clearing price represents the marginal cost to "generate" one
    additional MWh of power in the current clearing period for the current
    supply and demand.

    When fully operational this marginal price system (which is used in the
    pricing of all demand-produced commodities ranging from Natural Gas, Oil
    and Gasoline, to Electricity) is used to balance a more-or-less theoretical
    price sensitive demand above baseload against the cost of production of
    that commodity.

    > But when last week's crisis hit and power systems faltered, the state's
    > Public Utilities Commission ordered that the price cap be raised to its
    > maximum limit of $9 per kilowatt-hour, easily pushing many customers' daily
    > electric costs above $100. And in some cases, like Mr. Willoughby's bills
    > rose by more than 50 times the normal cost.

    And this is the root of the problem -- political interference in the
    operation of a perfectly good system by artificial setting of the marginal
    price such that it did not represent current operational conditions.

    It is entirely possible to have low demand and rolling blackouts and
    at the same time a low (or negative) marginal price. Just because large
    segments of the grid are offline does not affect the marginal price
    of the supply/demand balance for the parts that are working.

    > Many of the people who have reported extremely high charges, including
    > Mr. Willoughby, are customers of Griddy, a small company in Houston that
    > provides electricity at wholesale prices, which can quickly change based
    > on supply and demand.

    This is because it is obvious to anyone with even half a working brain-cell
    that in the long run paying the marginal price is more cost effective than
    paying a fixed price. If this were not the case, then all the offerers of
    fixed pricing would be bankrupt because they would not be charging their
    markup.

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.52
    ************************
