• Risks Digest 32.53 (1/3)

    From RISKS List Owner@21:1/5 to All on Sat Mar 13 01:03:00 2021
    RISKS-LIST: Risks-Forum Digest Friday 12 February 2021 Volume 32 : Issue 53

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.53>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Confusing computer-interface complexity causes train crash (Mark Brader)
    Expectations of GPS accuracy contribute to train derailment (Mark Brader)
    Boeing calls for global grounding of 777s with Pratt&Whitney engines
    (NYTimes)
    NOAA begins transition exclusively to electronic navigation charts
    (Gabe Goldberg)
    Weather Service set to discontinue `advisories' for hazardous weather in
    2024 (WashPost)
    'Never seen anything like this': Chaos strikes global shipping (NYTimes)
    New Browser Attack Allows Tracking Users Online With JavaScript Disabled
    (The Hacker News)
    Calling All Ham Radio Operators (Rebecca Mercuri)
    Kentucky mom alleges hospital workers missed her cancer, then
    covered up their mistake (NBC News)
    Microsoft's dream of decentralized IDs enters the real world (WiReD)
    What the worldwide shortage of semiconductor chips is *really*
    teaching us (guardknox.com)
    Why a YouTube chat about chess got flagged for hate speech (WiReD)
    Farms are going to need different kinds of robots (bbc.com)
    The robots are coming for Phil in accounting (NYTimes)
    Spy agencies have big hopes for AI (The Economist via Ross Anderson)
    A new type of supply-chain attack with serious consequences is flourishing
    (Ars Technica)
    Google will remove *facts* if they think they're harmful (geoff goodfellow)
    Thousands of Android and iOS Apps Leak Data From the Cloud (WiReD)
    Hackers are finding ways to hide inside Apple's walled garden
    (Technology Review)
    ICE investigators used a private utility database covering millions to
    pursue immigration violations (WashPost)
    L.A. sheriff's office gets warrant for 'black box' in Tiger Woods' crashed
    SUV. (NBC News)
    Amazon has become a prime revolving-door destination in Washington
    (Mother Jones)
    Too much choice is hurting America (Paul Krugman via Richard Stein)
    CDC Links Restaurant Dining with Spread of Covid-19 in U.S. (Jonathan Spira)
    Those fever scanners that everyone is using to fight covid can be wildly
    inaccurate, researchers find (WashPost)
    The problems with anti-vaccers' precautionary principle arguments
    (The Logic of Science)
    You got a vaccine. Walgreens got your data. (Vox)
    Research highlights impact of Digital Divide (University of Houston)
    ES&S hashcode testing is wrong in 3 ways (Andrew Appel)
    At least 30,000 U.S. organizations newly hacked via holes in Microsoft's
    email software (geoff goodfellow)
    Texas PUC to electricity users who received outrageous bills from grid
    mismanagement during winter storm: SCREW YOU! (NPR via Lauren Weinstein)
    Rookie coding mistake prior to Gab hack came from site's CTO (Ars Technica)
    What lies beneath... on disaster response (NYU Tandon)
    Re: Post Office scandal (Peter Bernard Ladkin)
    Re: Fed outage shuts down U.S. payment system (John Levine)
    Re: his lights stayed on during Texas's storm. Now he owes $16,752
    (John Levine)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 4 Mar 2021 19:19:11 -0500 (EST)
    From: Mark Brader <msb@Vex.Net>
    Subject: Confusing computer-interface complexity causes train crash

    In November 2019, the driver of an "Intercity Express" class 800 train was heading into the maintenance depot at Neville Hill, near Leeds, England. Another empty train was in front of him on the same track into the depot, so
    he waited for it to start moving, then put on power at the lowest setting.

    About 30 seconds later the two trains collided. (There were no injuries,
    but his train was derailed and both trains needed repairs.)

    Although an experienced driver, the man was relatively unfamiliar with the class 800, and didn't realize that even the lowest power setting would accelerate this train so fast. So he'd assumed it was safe to look down at
    the computerized controls for a little while.

    The reason he needed to do this was that, partly for political reasons, the class 800 is equipped both with on-board diesel engines and with a
    pantograph for overhead electric power. So the pantograph should be raised, and the diesels turned off, if and only if there *is* an overhead wire.
    Rather than leave the control of this to fallible humans, it is implemented
    by computer ("Automatic Power Changeover" or APCO).

    Trackside beacons mark the key positions where things have to be done, and
    the specific train service must be identified to the computer by the driver typing its 4-character code into the control console touchscreen.

    The train's previous code of 5D29 had expired when it got to Leeds, and the driver should have changed it to 1D29 to go into the depot, but the system would not accept it. This was because, after typing the 4 characters, he
    was supposed to touch a "Check Stops" button, which would cause the computer
    to display a list of the stops for this train service, and then a "Home"
    button to return the console to the home screen. Well, the driver knew
    there weren't any stops before getting to the depot, so he skipped Check
    Stops and just touched "Home". But what his training on the controls had
    *not* mentioned was that this canceled the change of code.

    Seeing that this hadn't worked, and not wanting the diesels to come on unnecessarily, he used the controls to disable the APCO, and then when he passed the last beacon before the depot, re-enabled it -- as he had been trained to, so that the next driver wouldn't be confused. And it was the re-enabling step that distracted him from avoiding the crash.

    More detail in "Modern Railways" magazine, January 2021, pages 30-32. Full report, raising a number of points I haven't mentioned here, at: https://assets.publishing.service.gov.uk/media/5fb3c146d3bf7f63e1b6f55a/R132020_201118_Neville_Hill.pdf

    ------------------------------

    Date: Thu, 4 Mar 2021 20:26:16 -0500 (EST)
    From: Mark Brader <msb@Vex.Net>
    Subject: Expectations of GPS accuracy contribute to train derailment

    In January 2020 a freight train derailed on an overpass over a road in north London, England. There were no injuries, but the train was damaged as well
    as a considerable length of track.

    The track on the bridge was supported on wooden beams running lengthwise
    under the rails (like on the old Great Western Railway) and connected by
    steel cross-members. This design is lighter than conventional track and therefore allowed the bridge to be more lightly built, but the long-term
    plan is to eliminate it from use.

    In this case the configuration did not allow the wood to be easily
    inspected, and it had deteriorated, but this was not known. What could
    readily be done, and was done regularly, was to check the position of the
    rails by running a track-recording train over the line, and repair any
    problems seen.

    On several occasions in the preceding months, this train had reported a
    problem in the area of this bridge: the rails were wide to gauge, i.e. too
    far apart. Crews were sent out to the location it reported, repaired some faults they saw in the track, and then checked that the rails were within
    the allowed tolerance of the correct gauge.

    But the train had reported its position using GPS, and while this was
    claimed to be accurate to 1 meter, it wasn't. Crews were expected to use handheld GPS devices to locate the same position within 3 meters, but the
    work they did was a few meters west of the bridge, not where they might have seen the actual problem.

    This wasn't the only cause of the accident, but it is the one I'm mentioning here. Full report at: https://assets.publishing.service.gov.uk/media/5faea3a68fa8f55de55af7c9/R122020_201116_Wanstead_Park.pdf

    ------------------------------

    Date: Sat, 6 Mar 2021 23:32:14 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Boeing calls for global grounding of 777s with Pratt&Whitney engines
    (NYTimes)

    https://www.nytimes.com/2021/02/21/business/faa-boeing-777-engines.html

    "Boeing said on Sunday that all 128 of its 777 jetliners powered by a particular Pratt & Whitney engine model should be grounded worldwide until
    the Federal Aviation Administration determines the best way to inspect the engines."

    Several hundred passengers experienced "the flight of their lives" in two incidents, apparently due to engine blade fracture from metal fatigue.

    Curiously, CNN discloses that the FAA met a few days before the UAL 328 incident on 20FEB2021 to discuss airline engine inspection frequency. https://edition.cnn.com/2021/02/24/politics/faa-meeting-engine-inspections/index.html

    The investigatory dust will eventually settle. A revised Pratt & Whitney jet engine inspection protocol will become regulation standard operating
    procedure.

    The flying public relies on trained and qualified professionals to certify
    an aircraft as safe-to-fly. Their ethics, competence, and professional
    judgment are key to sustaining the aircraft maintenance life cycle and the air transportation industry's reliability. Public safety depends on inspection to determine essential aircraft maintenance actions.

    Aircraft maintenance is an example of the "expert service problem." It is a well-known subject in economics. See "When Trust in an Expert Is Unwise,"
    via https://www.nytimes.com/2007/11/07/business/07leonhardt.html
    "...the same expert who is diagnosing the flaw is the one who will be paid
    to fix it. In most of these cases, consumers aren’t sophisticated
    enough to make an independent judgment. That’s why they went to the
    expert."

    Jet engine blade fracture from metal fatigue exemplifies the expert service problem. Jet mechanics and engineers apply procedures and tools to diagnose engine problems and recommend maintenance. They are paid to repair engines
    to achieve safety compliance.

    Consumers rely on jet engine maintenance experts to sustain safe-to-fly readiness. Faulty, or compromised, expertise can intensify consumer air transportation risks. These incidents are notable, and sometimes
    spectacular.

    Aircraft maintenance records are apparently analogous to personal medical records: they constitute confidential information requiring protections
    against disclosure. Devastating economic consequences would materialize if aircraft maintenance records were stolen, manipulated or falsified, and
    leaked.

    Hypotheticals:

    How many passengers involved in these two incidents would have chosen to book a different flight if they knew the engine blades on their flights were identified as vulnerable to fracture from metal fatigue? How many passengers would be deterred from booking the flight given the chance to examine the engine inspection records at the point-of-sale?

    Risk: Aircraft maintenance record disclosure.

    ------------------------------

    Date: Thu, 4 Mar 2021 15:23:34 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: NOAA begins transition exclusively to electronic navigation charts
    (NOAA)

    As Lauren Weinstein says: [What could go wrong?] NOAA begins transition exclusively to electronic navigation charts

    Well, let's see. How about, if your device battery goes dead or the device dies in other ways. Or gets wet maybe and shorts out? You don't have a
    chart any more. Yeah. Great thinking, NOAA! -L

    And keep in mind, to be useful, printed charts need to be larger than letter-size paper. So now NOAA expects people to print their own pages and
    tape them together? Wow.

    https://www.noaa.gov/media-release/noaa-begins-transition-exclusively-to-electronic-navigation-charts

    ------------------------------

    Date: Thu, 4 Mar 2021 22:41:32 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Weather Service set to discontinue `advisories' for hazardous
    weather in 2024 (WashPost)

    It's part of a larger hazard simplification effort; watches and warnings
    will remain.

    https://www.washingtonpost.com/weather/2021/03/04/national-weather-service-advisories/

    ------------------------------

    Date: Sat, 6 Mar 2021 23:15:53 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: 'Never seen anything like this': Chaos strikes global shipping
    (NYTimes)

    The pandemic has disrupted international trade, driving up the cost of
    shipping goods and adding a fresh challenge to the global economic recovery.

    https://www.nytimes.com/2021/03/06/business/global-shipping.html

    The risk? Everything is connected...

    ------------------------------

    Date: Fri, 12 Mar 2021 11:19:07 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: New Browser Attack Allows Tracking Users Online With JavaScript
    Disabled (The Hacker News)

    Researchers have discovered a new side-channel that they say can be
    reliably exploited to leak information from web browsers that could then be leveraged to track users even when JavaScript is completely disabled.

    "This is a side-channel attack which doesn't require any JavaScript to run," the researchers said. "This means script blockers cannot stop it. The
    attacks work even if you strip out all of the fun parts of the web browsing experience. This makes it very difficult to prevent without modifying deep parts of the operating system."

    In avoiding JavaScript, the side-channel attacks are also architecturally agnostic, resulting in microarchitectural website fingerprinting attacks
    that work across hardware platforms, including Intel Core, AMD Ryzen,
    Samsung Exynos 2100, and Apple M1 CPUs -- making it the first known side-channel attack on the iPhone maker's new ARM-based chipsets.

    The *findings* <https://arxiv.org/abs/2103.04952>, which come from a group
    of academics from the Ben-Gurion Univ. of the Negev, the University of Michigan, and the University of Adelaide, will be presented at the USENIX Security Symposium in August 2020.

    Side-channel attacks typically rely on indirect data such as timing, sound, power consumption, electromagnetic emissions, vibrations, and cache behavior
    in an effort to infer secret data on a system. Specifically,
    microarchitectural side-channels exploit the shared use of a processor's components across code executing in different protection domains to leak
    secret information like cryptographic keys.

    Additionally, studies have also previously demonstrated fully automated
    attacks such as Rowhammer <https://arxiv.org/pdf/1507.06955v1.pdf> that rely
    on nothing but a website with malicious JavaScript to trigger faults on
    remote hardware, thereby gaining unrestricted access to systems of website visitors. [...] https://thehackernews.com/2021/03/new-browser-attack-allows-tracking.html

    ------------------------------

    Date: Mon, 8 Feb 2021 11:30:40 -0500
    From: Rebecca Mercuri <notable@mindspring.com>
    Subject: Calling All Ham Radio Operators

    I'd have thought if they were smarter they'd have used a more obscure code,
    but this was readily available and reasonably ubiquitous.

    https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/

    Writer Lawrence Abrams describes the attack as follows:

    An email includes an HTML attachment named in such a way as to appear to
    be an Excel invoice for the company. These attachments are named in the
    format '[company_name]_invoice_[number]._xlsx.hTML.' The attachment
    includes JavaScript that maps letters and numbers to Morse code. For
    example, the letter '*a*' is mapped to '*.-*' and the letter '*b*' is
    mapped to '*-...*', etc.

    The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string. This hexadecimal string is further decoded
    into JavaScript tags that are injected into the HTML page. These injected scripts combined with the HTML attachment contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again.

    Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials.

    This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert logos for the recipient's companies into
    the login form to make it more convincing. If a logo is not available, it
    uses the generic Office 365 logo.

    ------------------------------

    Date: Wed, 3 Mar 2021 20:09:16 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Kentucky mom alleges hospital workers missed her cancer, then
    covered up their mistake (NBC News)

    https://www.nbcnews.com/news/us-news/kentucky-mom-alleges-hospital-workers-missed-her-cancer-then-covered-n1258533

    ------------------------------

    Date: Wed, 3 Mar 2021 20:23:10 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Microsoft's dream of decentralized IDs enters the real world (WiReD)

    The company will launch a public preview of its identification platform this spring -- and has already tested it at the UK's National Health Service.

    For years, tech companies have touted blockchain technology as a means to develop identity systems that are secure and decentralized. The goal is to build a platform that could store information about official data without holding the actual documents or details themselves. Instead of just storing
    a scan of your birth certificate, for example, a decentralized ID platform might store a validated token that confirms the information in it. Then when you get carded at a bar or need proof of citizenship, you could share those pre-verified credentials instead of the actual document or data. Microsoft
    has been one of the leaders of this pack -- and is now detailing tangible progress toward its vision of a decentralized digital ID.

    https://www.wired.com/story/microsoft-decentralized-id-blockchain/

    ------------------------------

    Date: Sat, 6 Mar 2021 11:18:36 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: What the worldwide shortage of semiconductor chips is *really*
    teaching us (guardknox.com)

    https://blog.guardknox.com/what-the-worldwide-shortage-of-semiconductor-chips-is-really-teaching-us

    "After the start of development, every change request requires a lengthy process to approve, as suppliers are attempting to increase the impact of
    the change (due to financial and risk considerations) and the OEMs are
    trying to downplay the change (to reduce costs). This leads to a very inflexible process. This is made worse by the fact that introducing
    additional suppliers or specialized suppliers to solve a particular issue,
    is almost impossible. This is true for software level changes, and even more
    so for hardware level changes."

    "The Resilient Enterprise: Overcoming Vulnerability for Competitive
    Advantage," by Yossi Sheffi teaches that whipsawing multiple suppliers on
    price and quantity procurement affords a reflexive means to sustain manufacturing capacity. (https://www.amazon.com/Resilient-Enterprise-Overcoming-Vulnerability-Competitive/dp/0262693496)

    But if there's a supply shortage? One cannot whipsaw during a supply deficit without procurement cost escalation (aka bidding war).

    The semiconductor manufacturing shortage reveals a global capacity gap
    arising from pandemic-driven demand signals, similar to commodity shortages (oil or rare earth metals) when demand out-paces supply. Semiconductor manufacturing is principally performed in Asia; the US and Europe dominate semiconductor design, but find greater profit margins from license
    royalties.

    What drove the semiconductor manufacturing exodus from US and European
    shores? Follow the money: "The Private Equity Party Might Be Ending.
    It's About Time," @ https://www.nytimes.com/2021/02/28/opinion/business-economics/private-equity-reckoning.html.

    Risk: Market-driven industrial policy

    ------------------------------

    Date: Wed, 3 Mar 2021 20:38:09 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Why a YouTube chat about chess got flagged for hate speech (WiReD)

    AI programs that analyze language have difficulty gauging context. Words
    such as *black*, *white*, *attack* can have different meanings.

    Last June, Antonio Radic [the final c carries an acute accent], the host of a YouTube chess channel with more than a million subscribers, was
    live-streaming an interview with the grandmaster Hikaru Nakamura when the broadcast suddenly cut out.

    Instead of a lively discussion about chess openings, famous games, and
    iconic players, viewers were told Radic's video had been removed for
    *harmful and dangerous content*. Radic saw a message stating that the
    video, which included nothing more scandalous than a discussion of the
    King's Indian Defense, had violated YouTube's community guidelines. It
    remained offline for 24 hours.

    Exactly what happened still isn't clear. YouTube declined to comment beyond saying that removing Radic's video was a mistake. But a new study suggests it reflects shortcomings in artificial intelligence programs designed to automatically detect hate speech, abuse, and misinformation online.

    https://www.wired.com/story/why-youtube-chat-chess-flagged-hate-speech/

    ------------------------------

    Date: Sun, 7 Mar 2021 10:43:41 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Farms are going to need different kinds of robots (bbc.com)

    https://www.bbc.com/news/business-56195288

    "From autonomous harvesting robots and drones that can spray crops, to artificial intelligence, and the use of 'big data', farmers around the world are turning to high-tech solutions to address issues ranging from food insecurity, to climate change, and pandemic-induced staff cuts.

    "Collectively, this increased use of technology in agriculture is known as 'precision farming', and it is a booming industry. One report suggests that
    its global value will reach $12.9bn (£9.1bn) by 2027, with average annual growth of 13% between now and then."

    US Department of Agriculture estimates 2019 agricultural and food sector economy @ US$ 1.1T.
    The farm contribution to this US$ 1.1T figure is ~US$ 125B with the food service industry (restaurants, primarily) contributing ~US$ 400B. (https://www.ers.usda.gov/data-products/ag-and-food-statistics-charting-the-essentials/ag-and-food-sectors-and-the-economy/)

    I cannot locate a farm expense breakdown (labor, seed, fertilizer, pesticide, irrigation, equipment, insurance, power) to estimate the rate of robotic substitution for human harvest given the projected 13% 'precision farming' growth rate.

    Robotic farm operations will emerge as corporate cost reduction strategies
    are pursued.

    Risk: 'Precision farming' practices reduce ecosystem genetic diversity,
    promote pesticide resistance

    ------------------------------

    Date: Sat, 6 Mar 2021 14:58:48 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The robots are coming for Phil in accounting (NYTimes)

    Workers with college degrees and specialized training once felt relatively
    safe from automation. They aren't.

    The robots are coming. Not to kill you with lasers, or beat you in chess, or even to ferry you around town in a driverless Uber.

    These robots are here to merge purchase orders into columns J and K of next quarter's revenue forecast, and transfer customer data from the invoicing software to the Oracle database. They are unassuming software programs with names like Auxiliobits DataTable To Json String, and they are becoming the
    star employees at many American companies.

    Some of these tools are simple apps, downloaded from online stores and installed by corporate I.T. departments, that do the dull-but-critical tasks that someone named Phil in Accounting used to do: reconciling bank
    statements, approving expense reports, reviewing tax forms. Others are expensive, custom-built software packages, armed with more sophisticated
    types of artificial intelligence, that are capable of doing the kinds of cognitive work that once required teams of highly-paid humans.

    https://www.nytimes.com/2021/03/06/business/the-robots-are-coming-for-phil-in-accounting.html

    Great. It's bad enough now having errors introduced by undebuggable spreadsheets, now there'll be black-box apps massaging numbers. It'll all be gospel, of course. What could go wrong.

    ------------------------------

    Date: Thu, 4 Mar 2021 11:34:13 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Spy agencies have big hopes for AI

    [Thanks to Ross Anderson]

    *The Economist* has just run a piece that's bang on topic:

    https://www.economist.com/science-and-technology/2021/03/02/spy-agencies-have-big-hopes-for-ai

    Spy agencies have big hopes for AI; This isn't their first attempt
    *The Economist*, 2 Mar 2021

    When it comes to artificial intelligence (AI), spy agencies have been at it longer than most. In the cold war, America's National Security Agency (NSA)
    and Britain's Government Communications Headquarters (GCHQ) explored early
    AI to help transcribe and translate the enormous volumes of Soviet phone-intercepts they began hoovering up in the 1960s.

    Yet the technology was immature. One former European intelligence officer
    says his service did not use automatic transcription or translation in Afghanistan in the 2000s, relying on native speakers instead. Now the spooks are hoping to do better. The trends that have made AI attractive for
    business -- more data, better algorithms, and more processing power to make
    it all hum -- are giving spy agencies big ideas, too.

    On February 24th GCHQ published a paper on how AI might change its work. ``Machine-assisted fact-checking'' could spot faked images, check disinformation against trusted sources and identify social-media bots. AI might block cyber-attacks by ``analysing patterns of activity on networks
    and devices'', and fight organised crime by spotting suspicious chains of financial transactions.

    This sort of thing is now commonplace. The Nuclear Threat Initiative, an
    NGO, recently showed that applying machine learning to publicly available
    trade data could spot previously unknown companies suspected of involvement
    in the illicit nuclear trade. But spy agencies are not restricted to
    publicly available data.

    Some hope that, aided by their ability to snoop on private information, such modest applications could pave the way to an AI-fueled juggernaut. ``AI
    will revolutionise the practice of intelligence,'' gushed a report published
    on March 1st by America's National Security Commission on Artificial Intelligence, a high-powered study group co-chaired by Eric Schmidt, a
    former executive chairman of Alphabet, Google's parent company; and Bob
    Work, a former deputy defence secretary.

    The report does not lack ambition. It says that by 2030 America's 17 or so
    spy agencies ought to have built a "federated architecture of continually learning analytic engines" that crunches everything from human intelligence
    to satellite imagery to foresee looming threats. The commission points approvingly to the Pentagon's response to covid-19, which integrated dozens
    of data sets to identify covid hotspots and manage demand for supplies.

    Yet what is possible in public health is not always so easy in national security. Western intelligence agencies must contend with laws governing how private data may be gathered and used. In its paper, GCHQ says that it will
    be mindful of systemic bias, such as whether voice-recognition software is
    more effective with some groups than others, and transparent about margins
    of error and uncertainty in its algorithms. American spies say, more
    vaguely, that they will respect `human dignity, rights, and These
    differences may need to be ironed out. One suggestion made by a recent task force of former American spooks in a report published by the Centre for Strategic and International Studies (CSIS) in Washington was that the Five
    Eyes intelligence alliance -- America, Australia, Britain, Canada and New Zealand -- create a shared cloud server on which to store data.

    In any case, the constraints facing AI in intelligence are as much practical
    as ethical. Machine learning is good at spotting patterns -- such as distinctive patterns of mobile-phone use -- but poor at predicting
    individual behaviour. That is especially true when data are scarce, as in counter-terrorism. Predictive-policing models can crunch data from thousands
    of burglaries each year. Terrorism is much rarer.

    That rarity creates another problem, familiar to medics pondering mass-screening programs for rare diseases. Any predictive model will
    generate false positives, in which innocent people are flagged for investigation. Careful design can drive the false-positive rate down. But because the "base rate" is lower still -- there are, mercifully, very few terrorists -- even a well-designed system risks sending large numbers of
    spies off on wild-goose chases.

    Even the data that do exist may not be suitable. Data from drone cameras, reconnaissance satellites and intercepted phone calls, for instance, are not currently formatted or labeled in ways that are useful for machine learning. Fixing that is a ``tedious, time-consuming, and still primarily
    human task exacerbated by differing labeling standards across and even
    within agencies'', notes the CSIS report. That may not be quite what
    would-be spies signed up for.

    ------------------------------

    Date: Sun, 7 Mar 2021 11:21:02 -0800
    From: Tom Van Vleck <thvv@multicians.org>
    Subject: A new type of supply-chain attack with serious consequences is
    flourishing (Ars Technica)

    https://arstechnica.com/gadgets/2021/03/more-top-tier-companies-targeted-by-new-type-of-potentially-serious-attack/

    Ars Technica article by Dan Goodin:

    The goal of these attacks is to execute unauthorized code inside a
    target's internal software build system. The technique works by uploading
    malicious packages to public code repositories and giving them a name
    that's identical to a package stored in the target developer's internal
    repository.

    Two attack mechanisms are mentioned in the article: putting evil code in a module with the same name as a target developer's code but with an
    apparently newer version, or putting the evil code in a post-install script which is part of the fake package.

    The people tricked by these attacks trusted external repositories and
    package manager programs that turned out to be vulnerable. Ken Thompson's
    1984 "Reflections on Trusting Trust" is a clear description of the risk.
    "The moral is obvious. You can't trust code that you did not totally create yourself." https://dl.acm.org/doi/pdf/10.1145/358198.358210

    (In the 1990s I worked for Silicon Valley companies that had a strongly enforced policy against using any kind of code obtained from the Internet, public domain or not. This rule was justified as a way to avoid
    intellectual property disputes.)
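    One defensive check against the two mechanisms Tom describes (a public package shadowing an internal name with a higher version, and an install script riding in with it), as an added example that is not Ars Technica's or any project's code: audit a resolved lockfile against the list of names that should only ever come from the private registry. The lockfile shape is simplified (name -> version, resolved URL, install-script flag, roughly what npm lockfile v2 records), and the package names and registry host are constructed placeholders.

```python
from urllib.parse import urlparse

# Host that is allowed to serve internal-only packages (constructed placeholder).
PRIVATE_REGISTRY_HOST = "registry.internal.example"


def parse_version(version: str) -> tuple:
    """Numeric comparison key for 'MAJOR.MINOR.PATCH'; pre-release and build
    suffixes are dropped, which is enough to spot the 'much newer than anything
    we ever published' pattern. Raises ValueError on garbage."""
    core = version.split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def audit_lockfile(lock: dict, internal_packages: dict,
                   private_host: str = PRIVATE_REGISTRY_HOST) -> list:
    """
    lock:              {name: {"version": str, "resolved": url,
                               "hasInstallScript": bool}}
    internal_packages: {name: newest version actually published internally}
    Returns a list of (package name, reason) findings; empty means clean.
    """
    findings = []
    for name, entry in lock.items():
        if name not in internal_packages:
            continue  # public packages are out of scope for this check
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host != private_host:
            findings.append(
                (name, f"internal-only package resolved from {host or 'unknown host'}"))
        try:
            if parse_version(entry["version"]) > parse_version(internal_packages[name]):
                findings.append(
                    (name, f"version {entry['version']} is newer than any internal "
                           f"release ({internal_packages[name]})"))
        except ValueError:
            findings.append((name, f"unparseable version {entry['version']!r}"))
        if entry.get("hasInstallScript"):
            findings.append((name, "package declares an install script"))
    return findings


# --- constructed sample data ---------------------------------------------
# One internal package has been resolved from a public registry at an
# implausibly high version and carries an install script; the other is fine.
SAMPLE_LOCK = {
    "example-internal-auth": {
        "version": "9.9.9",
        "resolved": "https://public-registry.example/example-internal-auth-9.9.9.tgz",
        "hasInstallScript": True,
    },
    "example-internal-utils": {
        "version": "1.4.2",
        "resolved": "https://registry.internal.example/example-internal-utils-1.4.2.tgz",
        "hasInstallScript": False,
    },
    "some-public-package": {
        "version": "4.17.21",
        "resolved": "https://public-registry.example/some-public-package-4.17.21.tgz",
    },
}
INTERNAL_PACKAGES = {"example-internal-auth": "1.2.0",
                     "example-internal-utils": "1.4.2"}

if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCK, INTERNAL_PACKAGES):
        print(f"{pkg}: {reason}")
```

Scoping internal names to the private registry in the package manager's configuration prevents the substitution in the first place; this audit is the after-the-fact check that the configuration actually held.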

    ------------------------------

    Date: Fri, 5 Mar 2021 15:48:08 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Google will remove *facts* if they think they're harmful

    https://twitter.com/sullydish/status/1367951537260072961

    ------------------------------

    Date: Sat, 6 Mar 2021 22:12:00 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Thousands of Android and iOS Apps Leak Data From the Cloud (WiReD)

    It's the digital equivalent of leaving your windows or doors open when you leave the house -- and in some cases, leaving them open all the time.

    For years, simple setup errors have been a major source <https://www.wired.com/story/amazon-s3-data-exposure/> of exposure <https://www.wired.com/story/magecart-amazon-cloud-hacks/> when companies
    keep data in the cloud. Instead of carefully restricting who can access the information stored in their cloud infrastructure, organizations too often misconfigure their defenses. It's the digital equivalent of leaving the
    windows or doors open at your house before going on a long vacation. That
    leaky data problem applies to more than just the web services that typically

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)