• Risks Digest 32.79

    From RISKS List Owner@21:1/5 to All on Tue Aug 3 00:29:02 2021
    RISKS-LIST: Risks-Forum Digest Monday 2 August 2021 Volume 32 : Issue 79

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.79>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    If you don't trust AI yet, you're not wrong. (NYTimes)
    Phantom Warships Are Courting Chaos in Conflict Zones (WiReD)
    Chair moved to clean in control room, bumps switch, shutting reactor in
    Taiwan (The Register)
    World's first re-programmable commercial satellite set to launch (phys.org)
    AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation (AVweb)
    On The Contours of Our Insecurity' & Related Obduracy... (Forbes)
    Hackers Turning to 'Exotic' Programming Languages for Malware Development
    (The Hacker News)
    As Cyberattacks Surge, Security Start-Ups Reap the Rewards (NYTimes)
    Albertans' personal information exposed after national health-care provider
    hacked, data put up for sale (Edmonton Journal)
    Human Risk Management is the FIX. (The Hacker News)
    Don't click links in text messages (Tom Van Vleck)
    Florida Sheriff's Office Now Notifying People It Will Be Inflicting Its
    Pre-Crime Program On Them (TechDirt)
    Ancient Printer Security Bug Affects Millions of Devices Worldwide
    (Mayank Sharma)
    ML Technique Used to Pinpoint Quantum Errors (Q-CTRL and U.Sydney)
    QR Codes Are Here to Stay. So Is the Tracking They Allow. (NYTimes)
    The Robocall Rebellion (NYTimes)
    Joint USTPC/CRA Comments to the White House's OSTP on Enhancing
    Scientific Integrity Policies (PGN)
    Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming,
    (Richard Thieme)
    Re: Some locals say a bitcoin mining operation is ruining one of
    the Finger Lakes. Here's how. (John Levine)
    Re: YouTube fined 100 000 Euros delaying court order to restore video
    (Thomas Koenig)
    Re: "Roundoff" (Eric Ferguson)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 30 Jul 2021 11:33:27 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: If you don't trust AI yet, you're not wrong. (NYTimes)

    Frank Pasquale and Gianclaudio Malgieri, *The New York Times* (online on 30
    Jul 2021, and in print on the opinion page, 2 Aug 2021)

    [Thanks to Prashanth Mundkur for spotting this one on Friday, when I first
    read it. It was not in print in the National Edition until Monday's paper
    -- with some nifty art work. I PGN-excerpted it on Saturday, and added
    the final paragraph after re-reading the article in print on Monday. PGN]

    https://www.nytimes.com/2021/07/30/opinion/artificial-intelligence-european-union.html

    Americans have good reason to be skeptical of artificial intelligence. Tesla crashes have dented the dream of self-driving cars. Mysterious algorithms predict job applicants' performance based on little more than video
    interviews. Similar technologies may soon be headed to the classroom, as administrators use “learning analytics platforms” to scrutinize students' written work and emotional states. Financial technology companies are using social media and other sensitive data to set interest rates and repayment terms.

    Even in areas where AI seems to be an unqualified good, like machine
    learning to better spot melanoma, researchers are worried that current data sets do not adequately represent all patients’ racial backgrounds. [...]

    In April, the European Union released a new proposal for a systematic regulation of artificial intelligence. If enacted, it will change the terms
    of the debate by forbidding some forms of AI, regardless of their ostensible benefits. Some forms of manipulative advertising will be banned, as will real-time indiscriminate facial recognition by public authorities for law enforcement purposes.

    The list of prohibited AI uses is not comprehensive enough -- for example,
    many forms of nonconsensual AI-driven emotion recognition, mental health diagnoses, ethnicity attribution and lie detection should also be
    banned. But the broader principle -- that some uses of technology are simply too harmful to be permitted -- should drive global debates on AI regulation. [...]

    The European Union is now laying the intellectual foundations for such protections, in a wide spectrum of areas where advanced computation is now
    (or will be) deployed to make life-or-death decisions about the allocation
    of public-assistance services, the targets of policing, and the cost of
    credit. While its regulation will never be adopted by the United States,
    there is much to learn from its comprehensive approach.

    ------------------------------

    Date: Fri, 30 Jul 2021 00:38:29 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Phantom Warships Are Courting Chaos in Conflict Zones (WiReD)

    The latest weapons in the global information war are fake vessels
    behaving badly

    https://www.wired.com/story/fake-warships-ais-signals-russia-crimea/

    ------------------------------

    Date: Wed, 28 Jul 2021 20:18:30 -0700
    From: "Rob Wilcox" <robwilcoxjr@gmail.com>
    Subject: Chair moved to clean in control room, bumps switch, shutting
    reactor in Taiwan (The Register)

    We don't often think about basic house cleaning in mission critical
    facilities. Not cleaning is not an option for operator experience and other reasons. I wonder what the literature is on that in human factors
    engineering?

    The Guosheng Nuclear Power Plant in Taiwan is about 15 miles from Taipei
    and on the ocean. At 985MW, it provides about 3-4% of load this week that varies between about 26,000-38,000MW.

    When cleaning the control room, a chair was moved, lifting an acrylic safety cover and activating the protected switch. The switch closed the main steam loop valve which caused the safety sequence to shut down the reactor without further incident.

    The Register tagged their article "Surprisingly a real-life scenario and not
    a plotline from The Simpsons".

    Preliminary report by the Taiwan Atomic Energy Council (Chinese, your
    browser may translate):
    https://www.aec.gov.tw/newsdetail/headline/5757.html

    Local coverage:
    https://en.rti.org.tw/news/view/id/2005816

    More:
    https://www.theregister.com/2021/07/28/taiwan_nuclear_plant_shutdown/

    [Also reported by Dan Jacobson:
    Surprisingly a real-life scenario and not a plotline from The Simpsons.
    PGN]

    ------------------------------

    Date: Fri, 30 Jul 2021 18:25:43 +0800
    From: "Richard Stein" <rmstein@ieee.org>
    Subject: World's first re-programmable commercial satellite set to launch
    (phys.org)

    https://phys.org/news/2021-07-world-re-progammable-commercial-satellite.html

    "The European Space Agency will on Friday launch the world's first
    commercial fully re-programmable satellite, paving the way for a new era of more flexible communications.

    "Unlike conventional models that are designed and 'hard-wired' on Earth and cannot be repurposed once in orbit, the Eutelsat Quantum is based on
    so-called software-defined technology that allows users to tailor the communications to their needs -- almost in real-time."

    A pre-launch bugathon/hackathon, in addition to qualification testing and acceptance sign-off, is a reasonable recommendation.

    ------------------------------

    Date: Wed, 28 Jul 2021 12:30:51 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation
    (AVweb)

    According to local news sources, a teenage airline passenger “virtually” triggered a security evacuation by AirDropping an electronic image of a
    replica AirSoft weapon to other passengers. The incident occurred before takeoff on a United Airlines flight from San Francisco to Orlando. Security officials ultimately determined that the image had been taken well before
    the time of the flight and the fake gun was not on board. They also
    determined that no malicious intent was involved.

    https://www.avweb.com/aviation-news/airdropped-image-of-airsoft-weapon-leads-to-ual-flight-evacuation/

    ------------------------------

    Date: Thu, 29 Jul 2021 22:31:33 -0400
    From: "Robert Mathews (OSIA)" <mathews@hawaii.edu>
    Subject: On The Contours of Our Insecurity' & Related Obduracy....

    Thomas Brewster, Cybersecurity, FORBES, 29 Jul 2021
    "Meet Paragon: An American-Funded, Super-Secretive Israeli Surveillance
    Startup That ‘Hacks WhatsApp And Signal’" https://www.forbes.com/sites/thomasbrewster/2021/07/29/paragon-is-an-nso-competitor-and-an-american-funded-israeli-surveillance-startup-that-hacks-encrypted-apps-like-whatsapp-and-signal

    "Paragon Solutions doesn’t have a website. There’s very little information at all about them online .... But it does have a cofounder, director and chief shareholder that will turn heads: Ehud Schneorson, the former
    commander of Israel’s NSA equivalent, known as Unit 8200. The other cofounders - CEO Idan Nurick, CTO Igor Bogudlov and vice president of
    research Liad Avraham - are ex-Israeli intelligence too. Also on the board
    is cofounding director and former Israeli prime minister Ehud Barak. They
    also have a significant American financial backer: Boston,
    Massachusetts-based Battery Ventures."

    ------------------------------

    Date: Tue, 27 Jul 2021 12:33:46 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Hackers Turning to 'Exotic' Programming Languages for Malware
    Development (The Hacker News)

    Threat actors are increasingly shifting to "exotic" programming languages
    such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering
    efforts.

    "Malware authors are known for their ability to adapt and modify their
    skills and behaviors to take advantage of newer technologies," said Eric
    Milam, Vice President of threat research at BlackBerry. "That tactic has
    multiple benefits from the development cycle and inherent lack of coverage
    from protective products."
    <https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks>

    On the one hand, languages like Rust are more secure as they offer
    guarantees like memory-safe programming <https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>,
    but they can also be a double-edged sword when malware engineers abuse the
    same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwarting attempts
    to activate a kill-switch <https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render
    them powerless.

    Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot
    adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with
    droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. [...]

    https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

    ------------------------------

    Date: Tue, 27 Jul 2021 22:01:00 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: As Cyberattacks Surge, Security Start-Ups Reap the Rewards
    (NYTimes)

    Investors have poured $12.2 billion into cybersecurity companies so far this year, nearly $2 billion more than the total for all of 2020.

    https://www.nytimes.com/2021/07/26/technology/cyberattacks-security-investors.html

    ------------------------------

    Date: Fri, 30 Jul 2021 06:46:49 -0600
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: Albertans' personal information exposed after national
    health-care provider hacked, data put up for sale (Edmonton Journal)

    A listing on Marketo, a self-described "leaked data marketplace," claimed to
    be selling more than 180 gigabytes of the company's data including a sample evidence package with documents referencing provincial and national organizations, including Workers' Compensation Board of Alberta, the City of Spruce Grove, Construction Labour Relations, Fortis Alberta, Alberta Motor Association, the University of Lethbridge and Bow Valley College.

    https://edmontonjournal.com/news/local-news/albertans-personal-information-exposed-after-national-health-care-provider-hacked-data-put-up-for-sale

    ------------------------------

    Date: Thu, 8 Jul 2021 11:01:15 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Human Risk Management is the FIX. (The Hacker News)

    Humans are an organization's strongest defence against evolving #cyber
    threats, but security awareness #training alone often isn't enough to
    transform user behaviour.

    Human Risk Management (HRM) is the FIX.

    Check out this new guide from @getusecure: [...]
    https://thehackernews.com/2021/07/security-awareness-training-is-broken.html via
    https://twitter.com/TheHackersNews/status/1413158374057730052

    ------------------------------

    Date: Wed, 28 Jul 2021 08:48:46 -0400
    From: "Tom Van Vleck" <thvv@multicians.org>
    Subject: Don't click links in text messages

    Mobile phones have hundreds of options, but there's one important one
    missing. If iPhones had a Messages option named "disable links in Messages"
    I would set it and tell everyone to set it.

    The Bad Guys can send text messages that appear to be from anybody. I get a lot from banks I don't have an account at. If the Bad Guys hack somebody else's phone or email, they might get your mobile number and send you a fake text message with a link in it.

    If you click this link, a web browser on your phone will be sent to a fake
    page of theirs. That page can infect your phone with malware, spyware, ransomware. Spoil your day/week/month.

    Here is a web page that explains the problem. https://theintercept.com/2021/07/27/pegasus-nso-spyware-security/

    (Are you about to click that link, without making sure the mail is really
    from me?)

    ------------------------------

    Date: July 30, 2021 22:23:23 JST
    From: Richard Forno <rforno@infowarrior.org>
    Subject: Florida Sheriff's Office Now Notifying People It Will Be
    Inflicting Its Pre-Crime Program On Them (TechDirt)

    (the agency's letter, which you can read at the link, is some grade-A
    Orwellian nonsense.... --rick) [via Dave Farber]

    https://www.techdirt.com/articles/20210724/15223647236/florida-sheriffs-office-now-notifying-people-it-will-be-inflicting-pre-crime-program-them.shtml

    ------------------------------

    Date: Wed, 28 Jul 2021 11:56:32 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Ancient Printer Security Bug Affects Millions of Devices Worldwide
    (Mayank Sharma)

    Mayank Sharma, TechRadar, 21 Jul 2021,
    via ACM TechNews, Wednesday, July 28, 2021

    Cybersecurity researchers at SentinelOne have identified a highly severe privilege escalation vulnerability in HP, Samsung, and Xerox printer
    drivers. The vulnerability appears to have been present since 2005. The researchers said millions of devices and users worldwide likely have been impacted by the buffer overflow vulnerability, which can be exploited
    whether or not a printer is connected to a targeted device. SentinelOne's
    Asaf Amir said, "Successfully exploiting a driver vulnerability might allow attackers to potentially install programs; view, change, encrypt, or delete data, or create new accounts with full user rights." Hackers would need
    local user access to the system to access the affected driver and take advantage of the vulnerability.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c145x22c913x072638

    ------------------------------

    Date: Fri, 30 Jul 2021 12:59:24 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: ML Technique Used to Pinpoint Quantum Errors (Q-CTRL and U.Sydney)

    HPCwire, 29 Jul 2021, via ACM TechNews, Friday, July 30, 2021

    Researchers at Australia's University of Sydney (USYD) and quantum control startup Q-CTRL have designed a method of pinpointing quantum computing
    errors via machine learning (ML). The USYD team devised a means of
    recognizing the smallest divergences from the conditions necessary for executing quantum algorithms with trapped ion and superconducting quantum computing equipment. Q-CTRL scientists assembled custom ML algorithms to process the measurement results, and minimized the impact of background interference using existing quantum controls. This yielded an easy
    distinction between sources of correctable "real" noise and phantom
    artifacts of the measurements themselves. USYD's Michael J. Biercuk said,
    "The ability to identify and suppress sources of performance degradation in quantum hardware is critical to both basic research and industrial efforts building quantum sensors and quantum computers."
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c1c7x22c9a9x073991&

    [``Who needs error-correcting codes when we have machine learning?'' PGN]

    ------------------------------

    Date: Tue, 27 Jul 2021 21:51:21 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: QR Codes Are Here to Stay. So Is the Tracking They Allow.
    (NYTimes)

    Fueled by a desire for touchless transactions, QR codes popped up everywhere in the pandemic. Businesses don’t want to give them up.

    https://www.nytimes.com/2021/07/26/technology/qr-codes-tracking.html

    ------------------------------

    Date: Fri, 30 Jul 2021 00:31:50 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The Robocall Rebellion

    https://www.nytimes.com/2021/07/28/opinion/the-robocall-rebellion.html

    ------------------------------

    Date: Wed, 28 Jul 2021 20:10:22 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Joint USTPC/CRA Comments to the White House's OSTP on Enhancing
    Scientific Integrity Policies

    The White House's Office of Science and Technology Policy (OSTP) made a formal
    Request for Information To Improve Federal Scientific Integrity Policies in
    June 2021:
    https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies
    A joint response has been submitted to OSTP from the Computing Research
    Association and USTPC:
    https://www.acm.org/binaries/content/assets/public-policy/cra-acm-comments-si-ftac-rfi.pdf

    ------------------------------

    Date: Thu, 29 Jul 2021 10:02:35 -0500
    From: "Richard Thieme" <rthieme@thiemeworks.com>
    Subject: Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming,
    (Max Fisher, RISKS-32.78)

    Max Fisher writes of the disinformation industry as if his illumination
    is news. After I wrote an article about a cyber sleuth who worked online
    25 years ago for an English magazine, Hill and Knowlton, the global PR
    firm, thought I lived in London (we had not acclimated yet to the global presence of everyone on the Internet) and asked me to come by for a
    talk. They wanted to do "brand defense" on the Internet, which meant impersonating multiple people in Usenet groups and the like, all
    forerunners of current practices. This is not new news. I wrote long ago
    that "truth and lies are Siamese twins, joined at the lips," and began
    with speech - or before, with deceptive gestures, as chimps have been
    seen to do.

    ------------------------------

    Date: 28 Jul 2021 01:01:09 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: Some locals say a bitcoin mining operation is ruining one of
    the Finger Lakes. Here's how. (NBC News, RISKS-32.78)

    The bitcoin mining hardware is physically located at the power plant.

    The retail price I pay for power is about 5.4c/kwh for supply and 5.2c/kwh
    for delivery. While it's certainly cheaper for wholesale customers I think
    that the supply and delivery charges are about equal, so if the miners had
    to pay for delivery, it wouldn't be worth it.

    ------------------------------

    Date: Wed, 28 Jul 2021 07:57:24 +0200
    From: "Thomas Koenig" <tkoenig@netcologne.de>
    Subject: Re: YouTube fined 100 000 Euros delaying court order to restore
    video (RISKS-32-78)

    It seems like hubris for the "Higher Regional Court at Dresden"
    to expect that everyone in the world will recognize that title
    and recognize the court's authority.

    They were served with court papers, and as I wrote, they had representation
    at court. You have to be a qualified lawyer to appear before the "Oberlandesgericht", to give it its proper title, and the court order would
    be communicated to them.

    It should take a reasonable time to investigate such a message for authenticity.

    It is simply not credible that a company would confuse a court order communicated through their own lawyers with some random crackpot
    e-mail.

    ------------------------------

    Date: Wed, 28 Jul 2021 12:54:11 +0200
    From: Eric Ferguson <e.ferguson@antenna.nl>
    Subject: Re: "Roundoff" (RISKS-32.78)

    Whether the times are truncated to the lower number of decimals or correctly rounded makes no systematic difference when comparing results.  The
    truncated values are on average exactly 0.5 part of the smallest digit value smaller than the rounded values.  Both expand the smallest difference
    between the input values into a full one unit of the smallest digit value in the shortened number, but do so at different places in the continuum of
    input values.

    As long as you are only comparing results from the same data set, there will
    be no systematic bias.  But if you compare truncated times with rounded
    times, or compare totals of added times, there can be systematic bias.
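    The truncation-versus-rounding effects described above, worked through as an added example (my script, not part of the post); every input time is constructed inside it, as a grid of three-decimal values shortened to two decimals:

```python
"""Added example, not part of the RISKS post: truncation vs. rounding.

Shortens three-decimal times to two decimals both ways and measures the
effects the post describes. All input times are constructed here.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

UNIT = Decimal("0.01")     # smallest digit value kept after shortening
STEP = Decimal("0.001")    # smallest difference between input values


def truncate(t: Decimal) -> Decimal:
    """Drop the digits below UNIT (round toward zero)."""
    return t.quantize(UNIT, rounding=ROUND_DOWN)


def round_half_up(t: Decimal) -> Decimal:
    """Conventional rounding to UNIT."""
    return t.quantize(UNIT, rounding=ROUND_HALF_UP)


def grid_times() -> list:
    """Constructed data set: every time from 0.000 to 9.999 in 0.001 steps,
    so each third-decimal digit occurs equally often."""
    return [Decimal(k).scaleb(-3) for k in range(10000)]


def mean_offset_units(times) -> Decimal:
    """Average (rounded - truncated), in units of the last kept digit.
    On the grid this is exactly 0.5, the figure the post gives."""
    total = sum(round_half_up(t) - truncate(t) for t in times)
    return total / len(times) / UNIT


def expansion_digits(times, shorten) -> set:
    """Third-decimal digits d at which neighbours t and t+STEP shorten to
    values a full UNIT apart, i.e. where the smallest difference gets
    expanded. Truncation does it at d=9, rounding at d=4: different
    places in the continuum, as the post says."""
    srt = sorted(times)
    return {int(a * 1000) % 10
            for a, b in zip(srt, srt[1:])
            if b - a == STEP and shorten(a) != shorten(b)}


def cross_set_comparison(times) -> tuple:
    """Compare each time's truncated value against its rounded value.
    Returns (truncated_larger, equal, rounded_larger) counts; the
    truncated side never wins, which is the systematic bias."""
    larger = equal = smaller = 0
    for t in times:
        a, b = truncate(t), round_half_up(t)
        if a > b:
            larger += 1
        elif a == b:
            equal += 1
        else:
            smaller += 1
    return larger, equal, smaller


def total_time(times, shorten) -> Decimal:
    """Sum of shortened times; the per-item offset accumulates here."""
    return sum((shorten(t) for t in times), Decimal(0))


if __name__ == "__main__":
    g = grid_times()
    print("mean rounded - truncated, in last digits:", mean_offset_units(g))
    print("truncation expands differences at digit:", expansion_digits(g, truncate))
    print("rounding expands differences at digit:", expansion_digits(g, round_half_up))
    print("truncated vs rounded (larger, equal, smaller):", cross_set_comparison(g))
    print("totals:", total_time(g, truncate), "truncated vs",
          total_time(g, round_half_up), "rounded")
```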

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 32.79
    ************************
