• Risks Digest 31.33 (1/2)

    From RISKS List Owner@21:1/5 to All on Mon Jul 15 18:23:28 2019
    RISKS-LIST: Risks-Forum Digest Monday 15 July 2019 Volume 31 : Issue 33

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.33>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    How Fake News Could Lead to Real War (Politico)
    Collision on Hong Kong metro (MTR)
    Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial
    Vessels (Coast Guard)
    "Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)
    Inside the world of bogus medicine, where smoothies and salads can
    supposedly kill cancer (WashPost)
    "Robot that started fire costs Ocado $137M" (Greg Nichols)
    Anaesthetic devices 'vulnerable to hackers' (bbc.com)
    FDA seeks comment on cybersecurity warnings and security upgrades
    (Federal Register)
    EU "Galileo" GPS system remains down (BBC)
    Tiny flying insect robot has four wings and weighs under a gram
    (New Scientist)
    Smartphone payment system by Seven-Eleven Japan hacked from day 1:
    lack of two stage authentication, etc. (Japan Times)
    Border Patrol agents tried to delete their horrific Facebook posts
    -- but they were already archived (NSFW -- The Intercept)
    Professor faces 219-year prison sentence for sending missile chip
    tech to China (The Verge)
    London Police's Facial Recognition System Has 81 Percent Error Rate? (Geek)
    "GDPR: Record British Airways fine shows how data protection
    legislation is beginning to bite" (Danny Palmer)
    D-Link Agrees to Make Security Enhancements to Settle FTC Litigation
    (Federal Trade Commission)
    As Florida cities use insurance to pay $1 million in ransoms to
    hackers, Baltimore and Maryland weigh getting covered (WashPost)
    House Democrats introduce a bill to tighten airport security stings
    (WashPost)
    Introducing ERP software: The biggest risk to your business (Faz)
    European regulators to tighten rules for use of facial recognition
    (Politico)
    "New Windows 7 'security-only' update installs telemetry/snooping,
    uh, feature" (Woody Leonhard)
    "The Windows 10 misinformation machine fires up again" (Ed Bott)
    "WTF, Microsoft?" (Steven J. Vaughan-Nichols)
    "Raspberry Pi 4 won't work with some power cables due to its USB-C
    design flaw" (Liam Tung)
    Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk,
    Change Settings Now (Forbes)
    Texas County Purchases DRE Machines Over Expert Security Objections
    (Brian Bethel)
    The Hard-Luck Texas Town That Bet on Bitcoin -- and Lost (WiReD)
    Thoughtcrime --> Thoughtaccidents (WiReD)
    Mass Attacks in Public Spaces - 2018 (Secret Service National
    Threat Assessment Center)
    Google audio recordings of users leaked (Marc Thorson)
    New Bedford computer outages continue for sixth day (WBSM)
    Feds: New Bedford police officer arrested after 194 child porn
    files found on computer (WHDH)
    7-Eleven's 7pay app hacked in a day due to 'appalling security lapse'
    (TechBeacon)
    On the Bugginess of This Year's OS Betas From Apple (Daring Fireball)
    "Apple disables Walkie-Talkie app due to snooping vulnerability"
    (Adrian Kingsley-Hughes)
    Stripe Outage Smacked Businesses for Two Hours (Fortune)
    Google/Amazon/Apple are you listening to me? (Rob Slade)
    Your Pa$$word doesn't matter - Microsoft Tech Community - 731984
    (Alex Weinert)
    The New York Times blocks viewing in private mode (Thomas Koenig)
    Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (Amos Shapir)
    Re: Autonomous vehicles don't need provisions and protocols (Dan Jacobson)
    Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (Dan Jacobson)
    Fernando Corbato dies (Katie Hafner via PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 5 Jul 2019 15:05:48 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: How Fake News Could Lead to Real War (Politico)

    *Ambassador Daniel Benjamin is director of the John Sloan Dickey Center for
    International Understanding at Dartmouth College and served as coordinator
    for counterterrorism at the State Department 2009-2012. Steven Simon is
    visiting professor of history at Amherst College. He served as the National
    Security Council senior director for counterterrorism and for the Middle
    East and North Africa, respectively, in the Clinton and Obama
    administrations.*

    EXCERPT:

    Who really bombed the oil tankers in the Persian Gulf two weeks ago? Was it Iran, as the Trump administration assured us? Or was it Saudi Arabia, the United Arab Emirates or Israel -- or some combination of the three?

    Here's a confession from two former senior government officials: For days
    after the attacks, we weren't sure. Both of us believed in all sincerity
    there was a good chance these actions were part of a false flag operation,
    an effort by outsiders to trigger a war between the United States and Iran. Even the film of Iranians hauling in an unexploded limpet mine from near the side of a tanker, we reasoned, might be a fabrication -- deep fake footage
    just like the clip of Nancy Pelosi staggering around drunk.

    Perhaps you felt that way too. But for the two of us, with 30 years of government service and almost 20 more as think tankers between us -- this
    was shocking. Yes, we are card-carrying members of the Blob, the all-too-conventionally minded Washington foreign policy establishment, but
    we weren't sure whether to believe our government or not.

    This was more than a little disconcerting. Imagine waking up one morning and catching yourself thinking that alt-right conspiracy theorist Alex Jones was making good sense, that perhaps the Sandy Hook shooting was faked or that
    the 9/11 attacks were really an inside job? Imagine what it might be like to
    be in the grip of a conspiracy theory, when you've spent your whole professional life being one of those policy mandarins who could smell a conspiracy theory a mile away?...

    https://www.politico.com/magazine/story/2019/07/05/fake-news-real-war-227272

    ------------------------------

    Date: Sat, 6 Jul 2019 22:33:27 +0100
    From: "Clive D.W. Feather" <clive@davros.org>
    Subject: Collision on Hong Kong metro (MTR)

    http://www.mtr.com.hk/archive/corporate/en/press_release/PR-19-044-E.pdf

    MTR (the operators of the Hong Kong metro) are converting several lines to
    use the Thales/Alstom SelTrac system. During a test of the system outside service hours, the computer signaled two trains on to intersecting tracks, resulting in a collision; one driver was slightly injured.

    In this system, there are no fixed signals beside the track indicating
    whether it is safe to proceed. Instead, the central control computer gives
    each train a "movement authority" indicating exactly where it is allowed to proceed to. Only when the rear of the train passes an intersection is
    another train given a movement authority that passes over the same intersection. These authorities are updated every few seconds.

    Each control area (the line in question has two) has three control
    computers: A (normally active), B (hot standby), and C (warm standby). All three are the same design and run the same software. Computer C is at a different physical location. Computer A keeps B constantly updated with the complete status but, to prevent common mode failures, it only passes some
    data to computer C. In particular, the "Conflict Zone Data" (which I am guessing is a table of which train is allowed on a given intersection) is
    not passed across; computer C is expected to re-compute it independently.

    During a test, computers A and B were both turned off, causing computer C to take over. At this point C does not transmit any movement authorities to
    the trains, which therefore all make an emergency stop. The traffic
    controller (a person in the control centre) then tells C to allow each
    train in turn to depart, giving it a new movement authority.

    The report's conclusions are:

    (1) The software development documentation did not state that the conflict
    zone data was not passed to computer C, so no test and safety analysis was done.

    (2) A bug in the software meant that computer C failed to recalculate the conflict zone data correctly, allowing the collision.

    (3) The take-over process did not require the conflict zone data to be
    present before C moved from warm backup state to active state.
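
    A toy model of the failover path in the account above, written as an added
    example here (it is not from the MTR report and not Thales/Alstom code): trains,
    one conflict zone, a controller that issues movement authorities from its
    conflict zone table, and two versions of the warm-standby take-over, the
    unchecked one conclusion (3) describes and one that refuses to go active until
    the table has been rebuilt from the train positions it can see. The names
    (Zone, Controller, rebuild_conflict_zone_data) and the line geometry are
    invented for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Train:
    id: str
    front: int    # position of the front of the train along the line (toy metre coordinate)
    length: int


@dataclass(frozen=True)
class Zone:
    """A conflict zone: a stretch of track two routes share (an intersection)."""
    name: str
    start: int
    end: int


class TakeoverRefused(Exception):
    pass


def occupies(train: Train, zone: Zone) -> bool:
    """True if any part of the train, from rear to front, lies inside the zone."""
    rear = train.front - train.length
    return train.front > zone.start and rear < zone.end


def rebuild_conflict_zone_data(trains, zones):
    """Recompute which train, if any, is inside each conflict zone from raw positions.
    This is what the report says the warm standby was expected to do on its own."""
    table = {}
    for zone in zones:
        holders = [t.id for t in trains if occupies(t, zone)]
        if len(holders) > 1:
            raise RuntimeError(f"zone {zone.name} already holds two trains: {holders}")
        table[zone.name] = holders[0] if holders else None
    return table


class Controller:
    def __init__(self, name, zones, conflict_zone_data=None):
        self.name = name
        self.zones = zones
        self.conflict_zone_data = conflict_zone_data   # None: never received and never rebuilt
        self.active = False

    def become_active_unchecked(self, trains):
        """Take-over as in conclusion (3): no precondition on the conflict zone data."""
        self.active = True

    def become_active(self, trains):
        """Take-over with a precondition: the table must exist and must agree with an
        independent recomputation from the train positions this controller can see."""
        expected = rebuild_conflict_zone_data(trains, self.zones)
        if self.conflict_zone_data is None or self.conflict_zone_data != expected:
            raise TakeoverRefused(f"{self.name}: conflict zone data missing or stale")
        self.active = True

    def movement_authority(self, train: Train, requested_end: int) -> int:
        """Authority to proceed from the train's front to requested_end, cut back to the
        boundary of the first conflict zone another train holds; zones the train may
        enter are reserved for it."""
        if not self.active:
            raise RuntimeError("standby controllers issue no authorities")
        if self.conflict_zone_data is None:
            self.conflict_zone_data = {}          # the failure mode: an empty table looks 'all clear'
        limit = requested_end
        for zone in sorted(self.zones, key=lambda z: z.start):
            if not (train.front <= zone.start < limit):
                continue                            # zone is behind the train or beyond the request
            holder = self.conflict_zone_data.get(zone.name)
            if holder is not None and holder != train.id:
                limit = zone.start                  # stop short of the occupied zone
                break
            self.conflict_zone_data[zone.name] = train.id
        return limit


def scenario(checked_takeover: bool, rebuilt: bool = False):
    """A and B have been switched off; C takes over with train A sitting inside zone X
    and train B approaching it. Returns B's authority, or 'refused'."""
    zones = [Zone("X", 100, 120)]
    a, b = Train("A", front=110, length=20), Train("B", front=50, length=20)
    c = Controller("C", zones, conflict_zone_data=None)
    if rebuilt:
        c.conflict_zone_data = rebuild_conflict_zone_data([a, b], zones)
    try:
        c.become_active([a, b]) if checked_takeover else c.become_active_unchecked([a, b])
    except TakeoverRefused:
        return "refused"
    return c.movement_authority(b, requested_end=200)
```

    scenario(False) returns 200: B is authorised straight through zone X while A is
    standing in it. scenario(True) returns "refused", and scenario(True, rebuilt=True)
    returns 100, the boundary of X. The precondition catches a missing or stale
    table; it does not catch a wrong recomputation of the kind in conclusion (2),
    since both copies would run the same code.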

    ------------------------------

    Date: Thu, 11 Jul 2019 18:00:15 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial
    Vessels (Coast Guard)

    In February 2019, a deep draft vessel on an international voyage bound for
    the Port of New York and New Jersey reported that they were experiencing a significant cyber-incident impacting their shipboard network. An
    inter-agency team of cyber-experts, led by the Coast Guard, responded and conducted an analysis of the vessel's network and essential control
    systems. The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted. Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant
    vulnerabilities.

    https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf

    ------------------------------

    Date: Wed, 10 Jul 2019 09:35:41 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 9 Jul 2019
    https://www.zdnet.com/article/vulnerabilities-found-in-ge-anesthesia-machines/

    GE recommends not connecting vulnerable anesthesia machines to hospital networks.

    Security researchers have discovered vulnerabilities in two models of
    hospital anesthesia machines manufactured by General Electric (GE).

    The two devices found to be vulnerable are GE Aestiva and GE Aespire --
    models 7100 and 7900. According to researchers from CyberMDX, a healthcare cybersecurity firm, the vulnerabilities reside in the two devices' firmware.

    CyberMDX said attackers on the same network as the devices -- a hospital's network -- can send remote commands that can alter devices' settings.

    The researcher claims the commands can be used to make unauthorized
    adjustments to the anesthetic machines' gas composition, such as modifying
    the concentration of oxygen, CO2, N2O, and other anesthetic agents, or the
    gas' barometric pressure.

    CyberMDX said that such unauthorized modifications could put patients at
    risk. Furthermore, attackers could also silence device alarms for low/high levels of various agents and modify timestamps inside logs.

    ------------------------------

    Date: Sat, 6 Jul 2019 13:20:24 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Inside the world of bogus medicine, where smoothies and salads can
    supposedly kill cancer (WashPost)

    Companies are trying to rein in medical misinformation on social media, but the problem isn't just technological. It's also human.

    https://www.washingtonpost.com/lifestyle/style/they-turn-to-facebook-and-youtube-to-find-a-cure-for-cancer--and-get-sucked-into-a-world-of-bogus-medicine/2019/06/25/6df3ddae-7cdc-11e9-a5b3-34f3edf1351e_story.html

    ------------------------------

    Date: Wed, 10 Jul 2019 09:58:24 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "Robot that started fire costs Ocado $137M" (Greg Nichols)

    Greg Nichols for Robotics | 10 Jul 2019

    Safety is a massive unaddressed issue in the rapidly evolving automation sector.

    https://www.zdnet.com/article/robot-that-started-fire-costs-ocado-137m/

    In February, a robot at an Ocado fulfillment warehouse sparked a massive
    fire. The warehouse was destroyed, and the British grocer has just revealed
    the price tag of the damage: $137M.

    ------------------------------

    Date: Thu, 11 Jul 2019 07:53:59 -0700
    From: Richard Stein <rmstein@ieee.org>
    Subject: Anaesthetic devices 'vulnerable to hackers' (bbc.com)

    https://www.bbc.com/news/technology-48935111

    "A type of anaesthetic machine that has been used in NHS hospitals can be hacked and controlled from afar if left accessible on a hospital computer network, a cyber-security company says.

    "A successful attacker would be able to change the amount of anaesthetic delivered to a patient, CyberMDX said."

    The DHS CERT link https://www.us-cert.gov/ics/advisories/icsma-19-190-01.

    I have been digging into FDA MAUDE on a different device class over the past few months, and wrote a crawler using mechanize.py and beautifulsoup4 to
    fish through the HTML reports. It was easy enough to find medical device reports (MDRs) on the anesthesia machines mentioned in the BBC article.

    For instance: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=8319602

    "The hospital reported a patient had cardiac arrest during a case. It was
    alleged the ventilator had stopped mechanically ventilating in pressure
    mode towards the end of the case without alarming. It was unknown how long
    ventilation had stopped. The patient was resuscitated and remains in the
    icu."

    This particular MDR, submitted by the manufacturer, is curious because it
    lists the device manufacturing date as 01/01/1970! Must be a typo.

    Another MDR:

    https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=8451207
    "It was reported that when replacing a failing internal power backup
    battery, our company representative noticed that the battery had leaked
    battery acid into the battery compartment of the anesthesia workstation.
    There was no injury reported. (b)(4)."

    The following Pareto documents deaths, malfunctions, and injuries reported
    for all devices assigned the product code BSZ -- gas-machine,
    anesthesia. The product code includes all manufacturers, including the
    Aespire and Aestiva 7100 and 7900 mentioned in the article. Here's the data from 01JAN2017-30JUN2019:

    Deaths -- 9
    Injury -- 65
    Malfunctions -- As shown per period (5181 total, average ~370 +/- 107
    per 60 days, or ~6 per day).

    01/01/2017-02/28/2017 364
    03/01/2017-04/30/2017 344
    05/01/2017-06/30/2017 424
    07/01/2017-08/31/2017 391
    09/01/2017-10/31/2017 346
    11/01/2017-12/31/2017 470
    01/01/2018-02/28/2018 369
    03/01/2018-04/30/2018 389
    05/01/2018-06/30/2018 420
    07/01/2018-08/31/2018 425
    09/01/2018-10/31/2018 459
    11/01/2018-12/31/2018 489
    01/01/2019-03/31/2019 88
    04/01/2019-06/30/2019 203

    Note that FDA's MAUDE platform carries a long list of disclaimers and
    advisory information about the Medical Device Report Content. Among them
    are:

    "MDR data alone cannot be used to establish rates of events, evaluate a
    change in event rates over time or compare event rates between devices. The number of reports cannot be interpreted or used in isolation to reach conclusions about the existence, severity, or frequency of problems
    associated with devices."

    Find the full list at https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.cfm
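
    To show the kind of tally described above, an added example that is neither
    Stein's crawler nor an FDA interface: it parses label/value rows out of
    constructed HTML snippets shaped like a MAUDE detail page with the standard
    library parser instead of beautifulsoup4, filters on product code BSZ, counts
    by event type, buckets malfunctions into two-month periods with mean and
    standard deviation, and flags a manufacture date of 01/01/1970 (the Unix
    epoch, the classic value of a timestamp that was never set). The field labels,
    report keys and dates are constructed for the illustration, not real reports.

```python
import statistics
from datetime import datetime
from html.parser import HTMLParser


class LabelValueParser(HTMLParser):
    """Collect <th>label</th><td>value</td> pairs from a two-column table."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._cell = None
        self._label = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag in ("th", "td"):
            self._cell, self._buf = tag, []

    def handle_data(self, data):
        if self._cell:
            self._buf.append(data)

    def handle_endtag(self, tag):
        text = "".join(self._buf).strip()
        if tag == "th":
            self._label = text
        elif tag == "td" and self._label is not None:
            self.fields[self._label] = text
            self._label = None
        if tag in ("th", "td"):
            self._cell = None


def parse_mdr(html: str) -> dict:
    parser = LabelValueParser()
    parser.feed(html)
    return parser.fields


def _page(key, event_type, received, code="BSZ", manufactured="06/01/2015"):
    """Constructed stand-in for one MAUDE detail page (not a real report)."""
    rows = [("MDR Report Key", key), ("Event Type", event_type), ("Date Received", received),
            ("Device Manufacture Date", manufactured), ("Product Code", code)]
    return "<table>" + "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in rows) + "</table>"


SAMPLE_PAGES = [
    _page(1, "Malfunction", "01/15/2017"),
    _page(2, "Malfunction", "02/20/2017", manufactured="01/01/1970"),
    _page(3, "Injury", "03/03/2017"),
    _page(4, "Malfunction", "03/10/2017"),
    _page(5, "Death", "05/05/2017"),
    _page(6, "Malfunction", "06/30/2017"),
    _page(7, "Malfunction", "06/30/2017", code="BTA"),   # other product code, must be excluded
]


def period_key(d, months=2):
    """Label the fixed-length period (default two months, aligned to January) containing d."""
    first_month = ((d.month - 1) // months) * months + 1
    return f"{d.year}-{first_month:02d}"


def tally(pages, product_code="BSZ"):
    """Counts per event type, and malfunction counts per period, for one product code."""
    by_type = {"Death": 0, "Injury": 0, "Malfunction": 0}
    malfunctions_by_period = {}
    for html in pages:
        f = parse_mdr(html)
        if f.get("Product Code") != product_code:
            continue
        by_type[f["Event Type"]] = by_type.get(f["Event Type"], 0) + 1
        if f["Event Type"] == "Malfunction":
            key = period_key(datetime.strptime(f["Date Received"], "%m/%d/%Y").date())
            malfunctions_by_period[key] = malfunctions_by_period.get(key, 0) + 1
    return by_type, dict(sorted(malfunctions_by_period.items()))


def summarize(per_period):
    """Mean and population standard deviation of the per-period counts."""
    values = list(per_period.values())
    return statistics.mean(values), (statistics.pstdev(values) if len(values) > 1 else 0.0)


def epoch_zero_reports(pages):
    """Report keys whose manufacture date is the Unix epoch, i.e. an unset timestamp."""
    return [parse_mdr(p)["MDR Report Key"] for p in pages
            if parse_mdr(p).get("Device Manufacture Date") == "01/01/1970"]
```

    The output is a count of reports per period, nothing more: as the FDA
    disclaimer quoted above says, MDR counts on their own do not establish event
    rates or support comparisons between devices, so the mean and deviation
    describe the reporting stream, not the devices.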

    ------------------------------

    Date: Fri, 12 Jul 2019 11:29:15 -0700
    From: Paul Burke <box1320@gmail.com>
    Subject: FDA seeks comment on cybersecurity warnings and security upgrades
    (Federal Register)

    https://federalregister.gov/d/2019-14141
    Meeting Sept 10 in Maryland, open to public, and comments can be sent by
    July 30. Requests to speak due by July 22

    The committee receiving comments does not approve/disapprove medical
    devices. They advise on "which factors should be considered by FDA and industry when communicating cybersecurity risks to patients and to the
    public, including but not limited to the content, phrasing, the methods used
    to disseminate the message and the timing of that communication. The recommendations will also address concerns patients have about changes to
    their devices to reduce cybersecurity risk...

    background material available to the public no later than 2 business days
    before the meeting... at
    https://www.fda.gov/advisory-committees/committees-and-meeting-materials/patient-engagement-advisory-committee

    The committee members seem politically connected, and not cyber experts, so
    one hopes they would value expert comments. https://www.fda.gov/advisory-committees/patient-engagement-advisory-committee/roster-patient-engagement-advisory-committee

    FDA has pages of guidance on communicating device risks, (pages 7, 13-15,
    39), though not yet on cyber specifically. https://www.fda.gov/media/71030/download

    ------------------------------

    Date: Sun, 14 Jul 2019 15:46:53 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: EU "Galileo" GPS system remains down (BBC)

    The EU's "Galileo" GPS system is down. And it remains down, except for
    search and rescue transmissions functionality:

    https://www.bbc.com/news/science-environment-48985399

    ------------------------------

    Date: Fri, 12 Jul 2019 15:30:03 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Tiny flying insect robot has four wings and weighs under a gram
    (New Scientist)

    A solar-powered winged robot has become the lightest machine capable of
    flying without being attached to a power source.

    Weighing just 259 milligrams, the insect-inspired RoboBee X-Wing has four
    wings that flap 170 times per second. It has a wingspan of 3.5 centimetres
    and stands 6.5 centimetres high.

    The flying robot was developed by Noah Jafferis and his colleagues at
    Harvard University...

    https://www.newscientist.com/article/dn24638-four-winged-robot-flies-like-a-jellyfish/
    https://www.newscientist.com/article/0-watch-this-robotic-fruit-fly-swoop-dive-and-perform-impressive-flips/
    https://www.newscientist.com/article/2207687-tiny-flying-insect-robot-has-four-wings-and-weighs-under-a-gram

    [Not encouraging. The equivalent of a mosquito bite can be deadly. PGN]

    ------------------------------

    Date: Sun, 7 Jul 2019 16:56:27 +0900
    From: "Ishikawa,chiaki" <ishikawa@yk.rim.or.jp>
    Subject: Smartphone payment system by Seven-Eleven Japan hacked from day 1:
    lack of two stage authentication, etc. (Japan Times)

    The Japanese operator of the ubiquitous Seven-Eleven chain introduced its
    smartphone-based payment system on July 1st. It has been hacked since
    day 1, and the press conference announcing the limited operation to protect
    the users revealed that the president of the operation did not know what
    "two stage authentication" is, and its VP of IT claimed that the system did
    not have any security issues whereas

    - the system did not have two-stage authentication, and

    - the system would send out the link to change password to an e-mail address that is *NOT* the original e-mail address that was used when the user registered for the service, etc.

    Unbelievable lapse of proper security.

    No wonder it was abused from day 1.

    The press reported about 900 users' accounts were abused and about 55,000,000
    yen (about half a million US dollars) was spent by third parties to buy
    easy-to-cash items such as cigarette cartons.

    I have read about the lapses in security mechanisms and could not believe a
    big-name company like Seven-Eleven would let such a system be put into
    operation. But it did. To be honest, ever since the emergence of web-based
    services, I have noticed a drop in the quality of software in general, not to
    mention the security side of the services, but this confirms my suspicion
    that there are many improperly trained so-called professionals in the ICT
    industry in Japan. But I am afraid that the situation may not be that great
    in other countries, either.

    Some English articles from Japan Times. https://www.japantimes.co.jp/news/2019/07/04/business/corporate-business/users-7-elevens-mobile-payment-service-lose-total-%C2%A555-million-900-accounts-hacked/

    https://www.japantimes.co.jp/news/2019/07/06/national/crime-legal/government-urges-seven-eleven-japan-beef-security-7pay-mobile-payment-fraud/

    Seven-Eleven has a lot to explain and clean up, and must improve its internal ID system, which I suspect was already known to be vulnerable to crackers.
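
    The reset-link lapse listed above, shown as an added example (this is not
    7pay's code; the service URL, the user record and the function names are
    invented): a vulnerable handler that mails the reset link wherever the request
    says, next to one that ignores the client-supplied address, mails only the
    address verified at registration, and issues a random single-use token bound
    to the account with a short lifetime. The missing second factor is not
    modelled here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    email: str                    # address verified when the account was registered
    password_hash: bytes = b""
    salt: bytes = b""


USERS = {"alice": User("alice", "alice@example.jp")}   # constructed account
OUTBOX = []                       # (recipient, body) pairs; stands in for the mail server
_TOKENS = {}                      # token -> (user_id, expiry in epoch seconds)
TOKEN_TTL = 15 * 60
RESET_URL = "https://pay.example.jp/reset?token="      # hypothetical URL


def reset_vulnerable(user_id, send_to):
    """The lapse described: the request body decides where the reset link is delivered."""
    if user_id in USERS:
        token = secrets.token_urlsafe(32)
        _TOKENS[token] = (user_id, time.time() + TOKEN_TTL)
        OUTBOX.append((send_to, RESET_URL + token))


def reset_hardened(user_id, send_to=None):
    """Only the registered address is ever used. send_to is accepted and ignored, and
    the response is the same whether or not the account exists."""
    user = USERS.get(user_id)
    if user is None:
        return
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    _TOKENS[token] = (user_id, time.time() + TOKEN_TTL)
    OUTBOX.append((user.email, RESET_URL + token))


def redeem(token, user_id, new_password, now=None):
    """Consume a token once; it must be unexpired and bound to the account being changed.
    A token presented for the wrong account is burned, not left for a second try."""
    entry = _TOKENS.pop(token, None)             # pop: a token can be redeemed at most once
    if entry is None:
        return False
    owner, expires_at = entry
    if (now if now is not None else time.time()) > expires_at:
        return False
    if not hmac.compare_digest(owner.encode(), user_id.encode()):
        return False
    user = USERS[user_id]
    user.salt = secrets.token_bytes(16)
    user.password_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), user.salt, 200_000)
    return True


def last_recipient():
    return OUTBOX[-1][0] if OUTBOX else None


def token_from_last_mail():
    """What the legitimate recipient reads out of the e-mail; the only way the token leaves the server."""
    return OUTBOX[-1][1][len(RESET_URL):]
```

    Calling reset_vulnerable("alice", "attacker@evil.example") puts the link in the
    attacker's mailbox; reset_hardened with the same arguments puts it in
    alice@example.jp and hands nothing back to the caller, so the only channel the
    token travels over is the one that was verified when the account was created.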

    ------------------------------

    Date: Sat, 6 Jul 2019 07:15:56 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Border Patrol agents tried to delete their horrific Facebook posts
    -- but they were already archived (NSFW -- The Intercept)

    https://theintercept.com/2019/07/05/border-patrol-facebook-group/

    [via NNSquad]

    ------------------------------

    From: Monty Solomon <monty@roscom.com>
    Date: Sat, 6 Jul 2019 11:58:06 -0400
    Subject: Professor faces 219-year prison sentence for sending missile chip
    tech to China (The Verge)

    https://www.theverge.com/2019/7/6/20683177/china-missile-semiconductors-trial-professor-yi-chi-shih-guilty

    ------------------------------

    Date: Mon, 8 Jul 2019 15:10:00 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: London Police's Facial Recognition System Has 81 Percent Error Rate?
    (Geek)

    Don't be surprised if you're arrested next time you visit the UK.

    Facial recognition technology trialed by the Metropolitan Police is
    reportedly 81 percent inaccurate. The system, according to a study by the University of Essex, mistakenly targets four out of five innocent people as wanted suspects.

    It is likely to be found unlawful if challenged in court.

    In order to compile an independent report on the London police service's testing, Peter Fussey and Daragh Murray were granted what the University
    called *unprecedented* access to six of the 10 trials, completed between
    June 2018 and February 2019.

    The pair joined officers in LFR control rooms and on the ground; they also attended briefing and debriefing sessions and planning meetings...

    https://www.geek.com/tech/london-polices-facial-recognition-system-has-81-percent-error-rate-1794564/
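
    The 81 percent figure is a statement about the alerts the system raised, not
    about the crowd it scanned, and the two are easy to run together. An added
    example (not from the Essex report or the Met's own evaluation; every count in
    it is constructed) computes both from a confusion matrix and then shows how
    the share of wrong alerts moves with how rare watchlist faces are in the crowd,
    for one and the same detector.

```python
def alert_metrics(tp: int, fp: int, fn: int, tn: int) -> dict:
    """tp/fp/fn/tn = true positives, false positives, false negatives, true negatives.
    Returns the rates that all get reported as 'error rates' with very different meanings."""
    alerts = tp + fp
    innocents = fp + tn
    return {
        "alerts": alerts,
        "false_discovery_rate": fp / alerts if alerts else 0.0,      # wrong alerts / all alerts
        "precision": tp / alerts if alerts else 0.0,                 # right alerts / all alerts
        "false_positive_rate": fp / innocents if innocents else 0.0, # flagged innocents / all innocents
        "sensitivity": tp / (tp + fn) if tp + fn else 0.0,           # found suspects / suspects present
    }


def false_discovery_rate(sensitivity: float, fpr: float, prevalence: float) -> float:
    """Expected share of alerts that are wrong for a detector with the given sensitivity
    and false positive rate, when a fraction `prevalence` of scanned faces is on the watchlist."""
    true_alerts = sensitivity * prevalence
    false_alerts = fpr * (1.0 - prevalence)
    total = true_alerts + false_alerts
    return false_alerts / total if total else 0.0


def base_rate_table(sensitivity=0.8, fpr=0.001):
    """Same detector, crowds with fewer and fewer watchlisted faces in them."""
    return {p: round(false_discovery_rate(sensitivity, fpr, p), 3)
            for p in (0.1, 0.01, 0.001, 0.0001)}


# Constructed trial: 42 alerts, 8 of them correct, out of roughly 100,000 faces scanned.
TRIAL = dict(tp=8, fp=34, fn=2, tn=99_956)
```

    On the constructed trial alert_metrics gives a false discovery rate of 34/42,
    about 81 percent, while the false positive rate over everyone scanned is
    34/99,990, well under 0.1 percent; both numbers describe the same run.
    base_rate_table shows that with the detector held fixed the share of wrong
    alerts climbs from about 1 percent to over 90 percent as watchlisted faces go
    from one in ten to one in ten thousand, which is why a "percent error" claim
    says little without the base rate and the denominator it was measured against.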

    ------------------------------

    Date: Mon, 08 Jul 2019 10:04:32 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "GDPR: Record British Airways fine shows how data protection
    legislation is beginning to bite" (Danny Palmer)

    https://www.zdnet.com/article/gdpr-record-british-airways-fine-shows-how-data-protection-legislation-is-beginning-to-bite/

    Danny Palmer | 8 Jul 2019

    The ICO's proposed £183m fine should act as a wake-up call for other organisations: make sure your cybersecurity and data protection policies are GDPR-compliant - or you could be next.

    opening text:

    It was always only a matter of time, and a little over a year after General Data Protection Regulation (GDPR) came into force across Europe, a data protection agency has announced plans to issue the first mega-fine as the result of a data breach.

    ------------------------------

    Date: Tue, 9 Jul 2019 00:15:45 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: D-Link Agrees to Make Security Enhancements to Settle FTC
    Litigation (Federal Trade Commission)

    Commission alleged the company failed to secure its routers and Internet-connected cameras

    Smart home products manufacturer D-Link Systems, Inc., has agreed to
    implement a comprehensive software security program in order to settle
    Federal Trade Commission allegations over misrepresentations that the
    company took reasonable steps to secure its wireless routers and Internet-connected cameras.

    The settlement ends FTC litigation against D-Link stemming from a 2017 complaint <https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate>
    in which the agency alleged that, despite claims touting device security, vulnerabilities in the company's routers and Internet-connected cameras left sensitive consumer information, including live video and audio feeds,
    exposed to third parties and vulnerable to hackers.

    ``We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users' most sensitive personal information to prying eyes,'' said Andrew Smith, Director of the FTC's Bureau of Consumer Protection. ``Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.''

    Despite promoting the security of its products by claiming it offered ``advanced network security,'' D-Link failed to perform basic secure
    software development, including testing and remediation to address
    well-known and preventable security flaws, according to the FTC's
    complaint. These flaws included using hard-coded login credentials on its D-Link camera software with the easily guessed username and password, ``guest,'' and storing mobile app login credentials in clear, readable text
    on a user's mobile device.

    As part of the proposed settlement, D-Link is required <https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf>
    to implement a comprehensive software security program, including specific steps to ensure that its Internet-connected cameras and routers are
    secure. This includes implementing security planning, threat modeling,
    testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers.

    In addition, D-Link is required for 10 years to obtain biennial,
    independent, third-party assessments of its software security program. The assessor must keep all documents it relies on for its assessment for five
    years and provide them to the Commission upon request. The settlement also requires the assessor to identify specific evidence for its findings -- and
    not rely solely on the assertions of D-Link's management. Finally, the order gives the FTC authority to approve the third-party assessor D-Link chooses.

    https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation

    ------------------------------

    Date: Sun, 7 Jul 2019 21:02:00 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: As Florida cities use insurance to pay $1 million in ransoms to
    hackers, Baltimore and Maryland weigh getting covered (WashPost)

    https://www.washingtonpost.com/local/as-florida-cities-use-insurance-to-pay-1-million-in-ransoms-to-hackers-baltimore-and-maryland-weigh-getting-covered/2019/07/06/d1c0dc16-9f77-11e9-9ed4-c9089972ad5a_story.html

    ------------------------------

    Date: Sun, 7 Jul 2019 21:02:29 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: House Democrats introduce a bill to tighten airport security stings
    (WashPost)

    https://www.washingtonpost.com/transportation/2019/06/26/house-democrats-introduce-bill-tighten-airport-security-stings/

    ------------------------------

    Date: Thu, 11 Jul 2019 08:10:33 +0200
    From: Thomas Koenig <tkoenig@netcologne.de>
    Subject: Introducing ERP software: The biggest risk to your business (Faz)

    If you want to see the face of a CEO of a company which has just
    introduced new ERP software, look at

    https://www.faz.net/aktuell/wirtschaft/erp-software-chaos-erzuernt-liqui-moly-chef-ernst-prost-16277813.html

    (the article itself is in German).

    ERP (enterprise resource planning) software is absolutely central to what
    companies do these days; almost all business processes are carried out
    using this software.

    The company in question, Liqui Moly, has just switched from home-grown
    COBOL programs to an ERP supplier and is now facing increased costs and
    delays in their business processes ("Only the hourglass is running on everybody's screen...").

    To keep delivery dates, new people have to be hired, containers are only
    half filled, trucks have to wait, and expensive air freight needs to be
    booked.

    The vendor of the ERP software is not mentioned, because "this is such
    a typical problem." And yet, this kind of thing has attracted very little
    attention, probably because nobody likes to talk about their failures.

    Let us hope that this article helps to break the circle of silence.

    ------------------------------

    Date: Tue, 9 Jul 2019 7:49:28 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: European regulators to tighten rules for use of facial recognition
    (Politico)

    Mark Scott and Laurens Cerulus, Politico Europe:

    Europe's privacy watchdogs are looking to beef up restrictions for the use
    of facial recognition in a move that will affect how governments and big
    tech companies use the technology. Data protection agencies will discuss new guidelines Tuesday at a joint meeting in Brussels that would reclassify
    facial recognition data as biometric data, which under European privacy
    rules requires explicit consent from the person whose data is being
    collected. Under the GDPR, biometric information -- a category under which
    the technology would soon fall -- is considered as sensitive data, meaning
    that its collection is prohibited
    <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en>
    unless individuals give explicit consent or the information has been made public.

    The draft change, which was confirmed by two data protection officials from different authorities who spoke on the condition of anonymity because the guidelines are not yet public, has potentially far-reaching impact at a time when facial recognition tools are becoming more widespread in public spaces
    and consumer technology. More stringent demands for consent could challenge police forces and security services that are turning to facial recognition
    to keep tabs on crowds, with experiments already under way or completed in London.

    They are also likely to weigh on tech companies like Facebook. The social
    media giant reintroduced its use of facial recognition in Europe last year following a ban. The company had used the onset of the General Data Protection Regulation (GDPR) as a chance to ask users whether
    they want to opt in to using the platform's facial recognition tool for automatic tagging of their photographs. At the time, privacy activists
    argued that the consent was not valid because even users who opted out would have their biometric data scanned.

    The Irish Data Protection agency -- Facebook's lead regulator within the EU
    -- sought guidance from other European agencies. A spokesman for Facebook declined to comment. ``We'll get the right level of consent to use facial recognition going forward,'' Stephen Deadman, Facebook's global deputy chief privacy officer, said in an interview last year in reference to the technology's rollout in Europe.

    If companies and governments fail to obtain a higher level of consent, they
    may not be able to deploy facial recognition tools. Current tools for
    obtaining consent for video surveillance, like signs informing people they are being recorded, are not likely to meet the higher standard of consent
    required for collection of biometric data.

    The guidelines are expected to go through a public consultation process
    before being finalized by the watchdogs. A spokesperson for the European
    Data Protection Board, the pan-EU group of privacy regulators, declined to comment.

    ------------------------------

    Date: Thu, 11 Jul 2019 08:43:07 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "New Windows 7 'security-only' update installs telemetry/snooping,
    uh, feature" (Woody Leonhard)

    Woody Leonhard, Columnist, Computerworld

    https://www.computerworld.com/article/3408496/new-windows-7-security-only-update-installs-telemetrysnooping-uh-feature.html

    Three years ago, Microsoft promised to keep Win7 and 8.1 updated with two tracks of patches -- Monthly Rollups that include everything and

    [continued in next message]
