Risks Digest 31.33 (2/2)

    From RISKS List Owner@21:1/5 to All on Mon Jul 15 18:23:28 2019
    [continued from previous message]

    "security-only" patches that are supposed to be limited to security
    fixes. Guess what just happened.

    ------------------------------

    Date: Sun, 07 Jul 2019 20:16:05 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "The Windows 10 misinformation machine fires up again" (Ed Bott)

    Ed Bott, ZDNet, 8 Jul 2019 https://www.zdnet.com/article/the-windows-10-misinformation-machine-fires-up-again/

    The loudest voices screaming about Windows 10 sometimes have no idea what they're talking about. Case in point: This dire warning from Gordon Kelly at Forbes, who is as ill-informed as ever.

    opening text:

    Gordon Kelly of Forbes is at it again, pushing his unique blend of scary
    words about Windows 10, mixed with an absolutely overwhelming lack of
    knowledge about the underlying technologies.

[And so on. He then debunks Kelly. The risk? At least one of them is
wrong. There is a lot of wrong data out there. Too many people have an
overly high opinion of their opinions. (It is hard to avoid, and I do not
think that I do a perfect job myself.) In the middle of this mess, we have
to work out what is or appears to be true and decide what to do. I wish it
were easier.]

    ------------------------------

    Date: Thu, 11 Jul 2019 08:39:03 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "WTF, Microsoft?" (Steven J. Vaughan-Nichols)

Steven J. Vaughan-Nichols, Computerworld
For months Microsoft hid the fact that its Registry backup feature no longer
worked, while Windows 10 kept reporting that it was completing
successfully. What were you thinking, guys?

    https://www.computerworld.com/article/3406846/wtf-microsoft.html

    selected text:

When things have gone wrong on standalone Windows machines -- and they often
have -- one of my repair tricks of last resort has been to restore the
Windows Registry to an earlier known good state. A lot of times, doing a
restore was faster than a backup.

    Good thing I haven't had to do that lately, though. Microsoft quietly
    removed this feature in October 2018's Windows 10 version 1803. But it
    didn't bother to tell users about it until late June 2019.

But let's get back to the really important question for Microsoft: Why did
you hide this from users? Windows kept reporting that the backups were being
*completed successfully*. But were you to browse to the
\Windows\System32\config\RegBack folder in Windows Explorer, you would see
each Registry hive backup -- with a size of 0Kbit. Zero.

I said ``were you to browse'' -- meaning, on the slim, not to say minuscule,
chance that you would do this. I mean, I always dive deep into obscure
file folders to make sure the operating system isn't lying to me when it
tells me a job has been completed. Doesn't everyone?

    That is the real pain in the rump of this entire affair: not that the
    feature is missing, but that Windows lied to its users, and Microsoft hid
    this from us for months. That is unacceptable.
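The lesson of the item above is that a reported "completed successfully" is not evidence that a backup exists. The following PowerShell check is an added example written for this digest, not code from the article or from Microsoft: it compares what the backup task claims with what is actually on disk in the RegBack folder named in the article, flagging hive files that are missing or zero bytes long. The folder path comes from the article; the hive file names (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM) and the scheduled task path \Microsoft\Windows\Registry\RegIdleBackup are assumptions from the example author's own knowledge of Windows, not stated on the page.

```powershell
# Added example (not from the article): verify Registry hive backups in RegBack
# are real, non-empty files instead of trusting the reported task result.
# Assumptions (example author's, not from the article): the standard hive file
# names below, and that the backup is run by the scheduled task
# \Microsoft\Windows\Registry\RegIdleBackup.

$regBack = Join-Path $env:SystemRoot 'System32\config\RegBack'
$hives   = @('DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM')

function Test-RegBackHives {
    param(
        [string]$Path = $regBack,
        [string[]]$Names = $hives
    )

    foreach ($name in $Names) {
        $file = Join-Path $Path $name
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Hive = $name; Status = 'MISSING'; Bytes = 0; LastWrite = $null }
            continue
        }
        $item   = Get-Item -LiteralPath $file
        # A zero-length hive file is exactly the symptom the article describes.
        $status = if ($item.Length -eq 0) { 'EMPTY' } else { 'OK' }
        [pscustomobject]@{
            Hive      = $name
            Status    = $status
            Bytes     = $item.Length
            LastWrite = $item.LastWriteTime
        }
    }
}

# What the scheduled task claims (if present on this build).
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Registry\' `
                          -TaskName 'RegIdleBackup' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    'RegIdleBackup: state={0} lastRun={1} lastResult=0x{2:X}' -f `
        $task.State, $info.LastRunTime, $info.LastTaskResult
}

# What is actually on disk.
$report = Test-RegBackHives
$report | Format-Table -AutoSize

$bad = $report | Where-Object { $_.Status -ne 'OK' }
if ($bad) {
    $summary = ($bad | ForEach-Object { "$($_.Hive)=$($_.Status)" }) -join ', '
    Write-Warning "Registry backup is not trustworthy: $summary"
    exit 1
}
```

Run it from an elevated prompt, since RegBack is under System32\config. A non-zero exit with a list of EMPTY or MISSING hives is the finding to act on; a task result of 0 on its own tells you nothing, which is the point of the item above.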

    ------------------------------

    Date: Wed, 10 Jul 2019 09:30:33 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "Raspberry Pi 4 won't work with some power cables due to its USB-C
    design flaw" (Liam Tung)

    Liam Tung, ZDNet, 9 Jul 2019
    Did Raspberry Pi Foundation fail to test Raspberry Pi 4 properly?
    Either way, one expert says new flagship is not USB-C compliant and
    must be fixed. https://www.zdnet.com/article/raspberry-pi-4-wont-work-with-some-power-cables-due-to-its-usb-c-design-flaw/

    opening text:

    The Raspberry Pi Foundation has confirmed its brand-new Raspberry Pi 4 Model
    B has a problem with some USB-C cables failing to charge the little
    computer.

    The Raspberry Pi 4 is the first version to include a USB-C port capable of supplying power to it. The problem, as some early users have found, is that certain charging cables don't work. But they would have if the Raspberry Pi Foundation had simply followed the USB-C specification to the letter.

    ------------------------------

    Date: Tue, 9 Jul 2019 12:28:57 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk,
    Change Settings Now (Forbes)

    Forwarded message:

Seems to be specific to Mac users of the Zoom videoconferencing app, but all
should check their settings.

    https://www.forbes.com/sites/zakdoffman/2019/07/09/warning-as-millions-of-zoom-users-risk-webcam-hijack-change-your-settings-now/

I have a tough-to-hack handy slide shield over my iPad camera (not that iOS
seems implicated in this risk).

    ------------------------------

    Date: Wed, 10 Jul 2019 4:06:28 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Texas County Purchases DRE Machines Over Expert Security Objections
(Brian Bethel)

Taylor County elections chief defends security of new voting system
Brian Bethel, Politico, July 8, 2019

County plans to spend more than $2.1 million to upgrade its voting machines,
replacing machines bought in 2005 with newer, touch-screen models.

    That decision, likely to be cemented by county commissioners Tuesday, has raised questions from a science advocacy organization, the Center for Scientific Evidence in Public Issues (EPI Center). It recommends the use of paper ballots as a way of ensuring that votes are counted securely and accurately.

But Freda Ragan, the county's elections administrator, countered Monday that
the type of machines selected, known as direct recording electronic machines
(DREs), are highly secure, with redundancies built in and no remote access.

    The system should be familiar to voters, while making the path smooth for
    the county's elections office, she said.

    "There are currently no state mandates or requirements for counties to
    purchase paper," Ragan said.

    The system the county likely will purchase does have the ability to be converted to paper ballots, "if we are ever required or mandated to do so,"
    she said.

    Ragan said in an email last week the voting program being considered, Texas-based Hart InterCivic's Verity Voting system, is already in use throughout the state.

    The system attained certification from the federal U.S. Election Assistance Commission, she said, and successfully has passed through Texas Secretary of State Elections Office independent testing and certification processes.

    To be awarded certification at the federal level, by the EAC, and to attain state certification, which is required in Texas, voting systems must meet or exceed established security standards.

    ------------------------------

    Date: Thu, 11 Jul 2019 20:37:36 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The Hard-Luck Texas Town That Bet on Bitcoin -- and Lost (WiReD)

    In 1952, The Saturday Evening Post christened Rockdale, Texas, ``The Town
    Where It Rains Money.'' An estimated 100-million tons of lignite coal lay buried a few miles south of the city limits, and Alcoa had just swooped in
    to build a $100-million smelter that would use the cheap energy source to produce aluminum for fighter planes, skyscrapers, automobiles, and
    more. ``At the mere mention of somebody blowing into town with $100,000,000
    to spend, many citizens were seized by attacks of vertigo,'' wrote local
    author George Sessions-Perry. ``Others merely went off and lay down in an effort to regain their composure. Then things began to happen.''

    Seemingly overnight, Rockdale's population doubled to 5,000. A photo accompanying the Post story shows resident millionaire H. H. ``Pete''
    Coffield and the mayor hosting a party for new Alcoa employees on a patio surrounded by a lush garden. The women wear cocktail dresses, and the men
    wear ties. ``What makes us feel best of all,'' Sessions-Perry continued,
    ``is that we're making a sizable pile of something that the nation needs.''

    More recently, though, prosperity has eluded Rockdale. The Alcoa smelter was shuttered in 2008, and an adjoining coal-fired power plant closed last
    year. More than 1,000 jobs vanished, sending Rockdale and surrounding Milam County, population 25,000, into a nosedive.

    Then, last summer, a ray of hope pierced the gloom. Bitmain, a Chinese
    company that makes specialized computers for ``mining'' cryptocurrency, said
    it would invest $500 million in what was to be the world's largest bitcoin-mining facility at the closed Alcoa smelter, which, crucially, was still connected to massive electrical lines. The large buildings where
    aluminum was made, called potrooms, would be filled with shipping containers stocked with 325,000 mining machines. Most important for Milam County,
    Bitmain promised to create between 400 and 600 jobs. New industry would
    replace the old.

    https://www.wired.com/story/hard-luck-texas-town-bet-bitcoin-lost/

    ------------------------------

    Date: Wed, 10 Jul 2019 17:40:16 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Thoughtcrime --> Thoughtaccidents (WiReD)

    https://www.wired.com/story/waze-data-help-predict-car-crashes-cut-response-time/

    FOOD FOR THOUGHT

Users of the Google traffic app Waze are fastidious about reporting all
manner of roadside obstacles and slowdowns, including traffic accidents.
Some studies show that "Wazers" actually report crashes more quickly than
callers to emergency services. Aarian Marshall reports for Wired on
researchers now seeing if they can combine vast amounts of Waze reports with
other data sets to predict crashes before they happen. It's not an easy
problem, as computer apps generally are not good at predicting rare events.

    ``You have to have a lot of data, and diverse types of data, and then be
    able to analyze it for it to be actionable instead of just piling up,'' says Christopher Cherry, an engineering professor with the University of Kentucky who recently completed a study of how traffic data could be used to improve road safety. The traffic data itself is useful, sure. But to predict the
    risk of crashes, and to prevent them, you should also probably have a sense
    for where crashes are happening, and what the roads in question look like,
    and how those roads perform under different weather conditions. And then you have to link all those datasets up and help them ``talk'' to each other --
    no small feat.

    ------------------------------

    Date: Thu, 11 Jul 2019 18:01:46 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Mass Attacks in Public Spaces - 2018 (Secret Service National
    Threat Assessment Center)

    https://www.secretservice.gov/data/press/reports/USSS_FY2019_MAPS.pdf

    ------------------------------

    Date: Fri, 12 Jul 2019 11:23:31 -0700
    From: Mark Thorson <eee@dialup4less.com>
    Subject: Google audio recordings of users leaked

    "More than 1,000 recordings were obtained by Belgian broadcaster VRT NWS,
    which noted in a story that some contained sensitive personal conversations
    --- as well as information that identified the person speaking."

    I suppose it's bad enough when a company obtains sensitive personal
    information without the full awareness of the user, but then they gotta leak
    it too?

    http://www.taipeitimes.com/News/biz/archives/2019/07/13/2003718564

    ------------------------------

    Date: Fri, 12 Jul 2019 18:09:17 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: New Bedford computer outages continue for sixth day (WBSM)

    https://www.southcoasttoday.com/news/20190710/new-bedford-computer-outages-continue-for-sixth-day

    Earlier: https://wbsm.com/new-bedford-computer-outage-spreads-to-fire-department/

    ------------------------------

    Date: Fri, 12 Jul 2019 18:10:02 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Feds: New Bedford police officer arrested after 194 child porn
    files found on computer (WHDH)

    https://whdh.com/news/feds-new-bedford-police-officer-arrested-after-194-child-porn-files-found-on-computer/

------------------------------