• Risks Digest 32.68 (2/2)

    From RISKS List Owner@21:1/5 to Martin Ward on Fri May 21 22:26:25 2021
    [continued from previous message]

    computer science graduates pursue cybersecurity careers.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2b1dcx22b659x069602&

    ------------------------------

    Date: Thu, 13 May 2021 17:42:18 -0700
    From: Tom Van Vleck <thvv@multicians.org>
    Subject: Re: Marvin hacked (RISKS-32.67)

    PGN suggested
    (Security was of course not in Turing's threat model.)

    Yes, "security" is meaningful only relative to a model.

    ------------------------------

    Date: Thu, 13 May 2021 20:07:34 -0700
    From: Kim Zetter <kzetter@gmail.com>
    Subject: Re: RISKS and Zero Day

    I noticed that you mis-credited CNN with the information that the Colonial
    Pipeline had been shut down in part due to the fact that its billing system
    had been locked up by the ransomware. That information was first reported
    by me four days ago in these two pieces (and CNN didn't give me credit)
    published on my Zero Day substack publication:

    https://zetter.substack.com/p/ransomware-infection-on-colonial
    https://zetter.substack.com/p/biden-declares-state-of-emergency

    Author: *Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon*

    ------------------------------

    Date: Sat, 15 May 2021 15:11:03 -0700
    From: merlyn@stonehenge.com (Randal L. Schwartz)
    Subject: Re: I have been pwned! -- but not really (Slade, RISKS-32.65)

    I've had stonehenge.com since about the earliest possible time I could
    register it. While I do get the expected misdirected pile of mail for that
    big rock group in England, and the occasional mail for some other
    stonehenge-like organization, the biggest breaches were back in the early
    90s.

    It seems that a large venture capital firm opened up, and although their
    company name was something like Stonehenge Holdings Limited, every senior
    staff member (and their assistants) seemed to think that their email address
    was "some.name@stonehenge.com". You have not seen misdirected email until
    you've had complete business plans, various investment strategies, and other
    private communications delivered to your inbox, all meant for people with
    large sums of money to hand out.

    I tried repeatedly to explain this to everyone I could find at the company,
    but most of the time, they either apologized (and then forgot), or somehow
    accused me of hacking. I could almost imagine that their business cards
    might have even been wrong.

    Thank goodness they eventually went out of business.

    ------------------------------

    Date: Thu, 13 May 2021 20:59:14 -0400
    From: "Bernie Cosell" <cosell@alum.mit.edu>
    Subject: Re: A mom panicked when her 4-year-old bought $2,600 in
    SpongeBob, Popsicles (RISKS-32.65)

    On 13 May 2021 at 15:02, Martin Ward wrote:

    Install the NoScript Firefox extension and ensure that
    washingtonpost.com is blocked. You can then read all the articles
    without the annoying popup asking you to subscribe or login.

    How handy! We needed a forum on how to "share" things that we ought to pay
    for. Next fun activity on RISKS -- how to get ATMs to spit out money.

    NB: I don't mean to start a fight but I don't think that kind of "help" is
    appropriate for RISKS.

    [I don't think so either, but ran that item as a sort of test, for which
    you are the only one thus far who responded. However, perhaps we have
    done The Post a service by noting the lacuna, or perhaps they know about
    it and believe it helps business. Historically, you might remember the
    lame encryption used in early online games that seems to have increased
    business by alerting more people to the game. PGN]

    ------------------------------

    Date: Tue, 18 May 2021 11:54:26 -0400
    From: Nancy Leveson via Ata-watchers <ata-watchers@airlinersafety.info>
    Subject: MIT STAMP/STPA Virtual Workshop 2021

    The free MIT STAMP/STPA Workshop will be held virtually again this year
    (maybe next year we can meet in person) spread out over the period from
    June 21-June 30. In case you are not aware, STAMP is a new accident
    causality model based on systems theory and systems thinking described in
    Nancy Leveson's book *Engineering a Safer World*. STAMP integrates into
    engineering analysis the causal factors in our increasingly complex systems
    such as software, human decision-making and human factors, new technology,
    social and organizational design, and safety culture. STPA is a powerful
    new hazard/cybersecurity analysis technique based on STAMP, while CAST is
    the equivalent for accident/incident analysis. These tools are now used
    globally in almost every industry.

    Free tutorials or videos of tutorials from last year will be provided so
    everyone can participate, regardless of experience with STAMP or the
    STAMP-based analysis techniques. You can access the tutorials from last
    year at the PSAS website (http://psas.scripts.mit.edu/home) as well as
    presentations from previous workshops. You will also find more information
    about this year's workshop at the PSAS website as it becomes available.

    The workshop is free, but in order to avoid spamming people, this is the
    only message we will send to those who have not registered. We will also
    use the registration list to send out passwords for the workshop in order
    to provide security and avoid zoom bombers. You can register at
    http://psas.scripts.mit.edu/home/2021-stamp-workshop-registration/

    If you are unable to get to the registration site, please send me
    (leveson@mit.edu) the following information: Name, Email, Affiliation
    (company, government agency, university, etc.), Country, Industry, and
    Level of Experience with STAMP-based methods, and I will make sure you are
    registered.

    The program is below although we are still working out details about day
    and time. There were a large number of abstracts submitted so we could
    accept only 20% of those submitted. The exact days and times will be
    provided later. We expect speakers and attendees worldwide from almost
    every time zone (last year there were over 3000 attendees) so we are still
    trying to optimize timing. The presentations on any day will be limited to
    avoid zoom fatigue.

    *Presentations*

    *Effectiveness of CAST, 5M and HFACS in Accident Investigation and
    Prevention*, KAEFER Guenter (Austrian Air Force), KOGLBAUER Ioana (Graz
    University of Technology, Austria)

    *Safety Analysis of a Low-cost Insulin Infusion Pump using STPA: A Case
    Study with Brazilian Company*, Aldo Martinazzo (Federal University of
    São Paulo), Luiz Eduardo Martins (Federal University of São Paulo),
    Tatiana Cunha (Federal University of São Paulo)

    *STPA Evaluation of Potential Conflicts between Large Commercial Air
    Traffic and Small Uncrewed Aircraft Systems in the Terminal Airspace*,
    Paul Stanley (Boeing), Victor Arcos Barraquero (Boeing)

    *STPA at Google*, Tim Falzone (Google)

    *STPA Return on Investment -- An Industry Perspective*, Marc Nance (Boeing
    Retired, STAMP Engineering Services), Mark Vernacchia (General Motors),
    Lori Smith (Boeing Retired, STAMP Engineering Services)

    *Leveraging STPA to Create a More Informed Risk Matrix*, Sam Yoo and Dro
    Gregorian (MIT)

    *Analyzing National Responses to COVID-19 Pandemic using STPA*, Shufeng
    Chen (WMG, University of Warwick)

    *STPA Analysis Self-Driving Vehicles on level crossings -- lessons
    learned*, Elma Dijkerman (Movares), Gea Kolk (Movares), Ello Weits
    (Movares)

    *Safety analysis of interoperability conformance profiles in Medical
    Information Exchange*, Jens Weber (University of Victoria)

    *Key Safety Indicators using STPA*, Stuart Williams (University of
    Strathclyde, Glasgow)

    *Introducing STAMP to a Major Health Organisation*, Wallace Grimmett
    (MATER)

    *Applying STPA in Development of Autonomous Container Handling Machinery*,
    Eetu Heikkilä (VTT Technical Research Centre of Finland Ltd.)

    *STPA in Support of Next-Gen Automotive E/E Architecture Development*,
    Sandro Nüesch (Huawei Technologies Duesseldorf GmbH), Christoph
    Ainhauser (Huawei Technologies Duesseldorf GmbH), Gereon Hinz (STTech GmbH)

    *Lightning Talks*

    *Consideration of STPA in Civil Aviation*, Linh Le (Federal Aviation
    Administration), Eric M Peterson (Federal Aviation Administration)

    *Discussion on STPA Validation, Replicability and Analyst Bias*, Idoaldo
    Lima (RWTH Aachen)

    *Cybersecurity Incident Analysis by CAST using the Report of Unauthorized
    Access to the Information System*, Tomoko Kaneko, Ph.D. (Researcher of
    National Institute of Informatics)

    *Hazard Analysis of Teaming Systems*, Andrew Kopeikin (MIT)

    *Using STPA to Address Challenges in Achieving SOTIF*, Amardeep Sidhu
    (Independent)

    *Safety Analysis for an In-wheel Electric Motor Powertrain*, Joaquim Maria
    Castella Triginer (Virtual Vehicle), Helmut Martin (Virtual Vehicle)

    *Incorporating STPA into DoD Acquisition Program*, Drake Mailes (USAF)

    *Open STPA with RAAML and Gaphor*, Dan Yeaw (Ford Motor Company), Kyle Post
    (Ford Motor Company)

    *Applying CAST to Human Error Related Manufacturing Mishaps*, Jess Reid
    (Boeing)

    *STPA-sec Supporting Zero Trust Partners*, William Young (USAF)

    *Using STPA to identify conflicts in coal mining safety procedures*,
    Alicja Krzemien (GIG Research Institute), Stanislaw Prusek (GIG Research
    Institute)

    *Panel Sessions*

    Panel sessions with expert industry practitioners will give participants a
    chance to ask questions and learn how they were able to implement
    STAMP-based methods successfully.

    Introducing STPA and CAST into Organizations
    Progress on Including STPA in Industry Standards
    And more...

    *Interesting Uses Spotlights*

    These will be very short introductions to new and interesting applications
    that are not complete enough yet for a regular presentation:

    Machine Learning (AI)
    Indigenous healthcare in Australia
    Pharmaceutical Order Entry Systems
    Introducing STAMP in Organizations
    Prioritizing Scenarios
    Linux Medical Application

    Prof. Nancy Leveson, Aeronautics and Astronautics, MIT, Room 33-334
    77 Massachusetts Ave., Cambridge, MA 02142
    Email: leveson@mit.edu URL: http://sunnyday.mit.edu

    ------------------------------

    Date: Wed, 19 May 2021 15:53:21 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Californian RoboCop Had To Deal With Its First Crime, And It Did
    Not Go Well (IFLScience)

    Picture a world where police robots roam the streets dealing with crime, and
    I can pretty much guarantee you'll either think of a nightmarish
    all-powerful police state where everything has gone horribly wrong and/or
    Robocop.

    But it turns out robot police are already here and it's nothing like either
    of those options: They just don't really give a shit about citizens. [...]

    Why no help from the robot, you may ask. Perhaps they have already turned on
    humans and are only interested in robocrimes?

    Well, it turns out that RoboCop is in no way connected to the actual
    police. The calls instead go to the robots' creator, Knightscope, who leases
    the robots to the police department.

    Knightscope also made the robot security guard that famously "committed
    suicide" in 2017.

    It turns out, the robots' cameras, which are capable of recording 360-degree
    high definition video and live-streaming it to police phones, are not
    connected to the police yet, nor are its abilities to read license plates
    and track cell phone use in the area. Police Chief Cosme Lozano told NBC
    News that the robot is there on a trial basis, and will eventually be fully
    connected to the department's dispatch center.

    But for the moment if you see RoboCop you can be assured it doesn't actually
    do anything. It just potters around LA, tells citizens worried about crime
    to get out of the way, and sometimes, just sometimes, chats to Elon Musk on
    Twitter. At a cost of $60,000-$70,000 a year.

    https://www.iflscience.com/technology/californian-robocop-had-to-deal-with-its-first-crime-and-it-did-not-go-well/

    From October 2019

    ------------------------------

    Date: Mon, 17 May 2021 15:27:11 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The United States should make cybercrime a high priority (WashPost)

    The May 11 editorial *The ransomware emergency is here* failed to point out
    that American computer experts can break any encryption scheme at any time
    anywhere in the world. The United States, after all, is home to more than
    100 supercomputers, the fastest of which is operated by the Energy
    Department. Russia, in contrast, has only three supercomputers in the
    entire country. Americans should perhaps assign a higher priority to
    defeating cyber criminals in general and ransomware criminals in
    particular.

    https://www.washingtonpost.com/opinions/letters-to-the-editor/the-united-states-should-make-cyber-crime-a-high-priority/2021/05/14/5237a4d6-b373-11eb-bc96-fdf55de43bef_story.html

    ...and assign higher priority to developing minimal technology literacy
    among citizens and newspaper editors.

    ------------------------------

    Date: Wed, 19 May 2021 15:59:50 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Mob Violence Against Palestinians in Israel Is Fueled by Groups on
    WhatsApp (NYTimes)

    Mob Violence Against Palestinians in Israel Is Fueled by Groups on WhatsApp
    https://www.nytimes.com/2021/05/19/technology/israeli-clashes-pro-violence-groups-whatsapp.html

    Of course, as comments note, it's used in the other direction as well.

    ------------------------------

    Date: Wed, 19 May 2021 16:05:37 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Coinbase is down for some users as Bitcoin sees massive sell-off
    (CNBC)

    Crypto-exchange Coinbase said its site and app resumed service after a brief
    outage earlier in the day.

    Coinbase was down for some users Wednesday morning as digital coins plunged.

    Several social media users seemed frustrated at the app and site's error
    while cryptocurrencies were plunging, looking to buy the dip.

    Coinbase is down for some users as Bitcoin sees massive sell-off
    <https://www.cnbc.com/2021/05/19/coinbase-is-down-for-some-users.html?__sourceiosappshare%7Ccom.apple.UIKit.activity.Mail>

    ------------------------------

    Date: Wed, 19 May 2021 19:04:03 -0400
    From: "Robert Mathews (OSIA)" <mathews@hawaii.edu>
    Subject: Dutch civil servants used social media to spy on citizens, says
    study (EuroNews)

    Hebe Campbell & Matthew Holro, EURONEWS, 19 May 2021
    https://www.euronews.com/2021/05/19/dutch-civil-servants-used-social-media-to-spy-on-citizens-says-study

    ------------------------------

    Date: Thu, 20 May 2021 02:14:23 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: How to Solve Captchas -- and Why They're So Hard to Solve (WiReD)

    https://www.wired.com/story/im-not-a-robot-why-captchas-hard-to-solve/

    Headline lies -- no tips here.

    ------------------------------

    Date: Thu, 20 May 2021 02:23:04 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cracking the Code of Letterlocking (Atlas Obscura)

    A tale of Black Chambers, lost correspondence, and high technology.

    https://www.atlasobscura.com/articles/letterlocking-virtual-unfolding

    Early message security...

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.68
    ************************
