• Risks Digest 32.93 (1/3)

    RISKS-LIST: Risks-Forum Digest Monday 22 November 2021 Volume 32 : Issue 93

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.93>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    FBI e-mail system breach (Reuters)
    Do-It-Yourself artificial pancreas given approval by team of experts
    (MedicalXpress.com)
    International Space Station nearly struck by Chinese satellite debris
    (JPost)
    DoS Sabotage by Telegram (Bertrand Meyer)
    Palestinians Were Targeted by Israeli Firm’s Spyware, Experts Say
    (NYTimes via Jan Wolitzky)
    Congress mandates new car technology to stop drunken driving
    (techxplore.com)
    Thermal Grease Degradation is an underappreciated hazard (Bob Gezelter)
    Unconsidered automatic filtering creates damaging side-effects
    (Bob Gezelter)
    QR codes, URL's, and restaurants (Jerry Leichter)
    "Political Ads During 2020 Presidential Election Cycle Collected Personal
    Information, Spread Misleading Information" (UWash)
    Algorithmic Tracking 'Damaging Mental Health' of UK Workers (Dan Milmo)
    Scammers impersonate guest editors to get sham papers published (Nature)
    Ransomware operators have a compliance department (Matt Levine)
    Bipartisan bill would force Big Tech to offer algorithm-free feeds, search
    results (Ars Technica via Lauren Weinstein)
    Edge and Windows 11 — the return of Microsoft's IE fiasco? (Computerworld)
    Google 2021 AI Principles Progress Update (Googleapis)
    You've Got an Enemy at Chase! (Paul Robinson)
    UK regulator seeks to improve the privacy of video conferencing
    (Peter Houppermans)
    Cryptocurrency, NFTs or other such digital assets face a quantum computing
    problem (CNET)
    Security Vulnerabilities in Computer Memories
    These Parents Built a School App. Then the City Called the Cops (WiReD)
    Cars Are Going Electric. What Happens to the Used Batteries? (WiReD)
    Open Source Doesn't Mean More Software Is Better Software (WiReD)
    The Era Of D.C.’s New (771) Area Code Has Begun (DCist)
    Hackers Targeted Apple Devices in Hong Kong for Widespread Attack (WiReD)
    This Company Tapped AI for Its Website—and Landed in Court (WiReD)
    Contract lawyers face a growing invasion of surveillance programs that
    monitor their work (WashPost)
    The next normal: Algorithms will take over college, from admissions to
    advising (WashPost)
    Google loses appeal against $2.7 billion antitrust fine over its
    comparison-shopping practices in Europe (Fortune)
    Caller ID fun (Comcast)
    Debris From Test of Russian Antisatellite Weapon Forces Astronauts to
    Shelter (NYTimes)
    Apple announces Self Service Repair (Apple via Gabe Goldberg)
    Re: Trojan Source Bug Threatens the Security of All Code (Henry Baker)
    Re: SpaceX Under Fire After Autonomous Rocket Hits Pedestrian
    (Mark Brader, Scott Dorsey)
    Re: spider bites, or Using Google search to deliver customers or worse
    (John Levine)
    Facebook 3rd party single-sign-on failure (Paul Robinson)
    After a pandemic, fire season, and now floods, are you ready to get trained
    for emergencies and disasters? (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 14 Nov 2021 10:06:23 -0500
    From: Peter G Neumann
    Subject: FBI e-mail system breach

    https://www.reuters.com/world/us/hackers-compromise-fbis-external-email-system-bloomberg-news-2021-11-13/

    [Thanks to Arik Hesseldahl. PGN]

    13 Nov 2021 (Reuters) -- Hackers compromised a Federal Bureau of
    Investigation email system on Saturday and sent tens of thousands of
    messages warning of a possible cyberattack, according to the agency and security specialists.

    Fake emails appeared to come from a legitimate FBI email address ending in @ic.fbi.gov, the FBI said in a statement.

    Although the hardware impacted by the incident "was taken offline quickly
    upon discovery of the issue," the FBI said, "This is an ongoing situation."

    The hackers sent tens of thousands of emails warning of a possible
    cyberattack, threat-tracking organization Spamhaus Project said on its
    Twitter account.

    ------------------------------

    Date: Wed, 17 Nov 2021 09:40:13 +0800
    From: "Richard Stein" <rmstein@ieee.org>
    Subject: Do-It-Yourself artificial pancreas given approval by team of
    experts (MedicalXpress.com)

    https://medicalxpress.com/news/2021-11-do-it-yourself-artificial-pancreas-team-experts.html

    "Dominic Nutt, 54 from South West London, was diagnosed with diabetes aged
    15. He has a personalized algorithm that controls his glucose monitor and insulin pump automatically. He manages the process through a smartphone, putting in when he eats carbohydrates or exercises, as this affects his
    blood sugar."

    The DIY diabetic management combination confers life-sustaining convenience
    and freedom from the routine finger prick, blood glucose measurement, and insulin injection protocol.

    The artificial pancreas systems likely apply Bluetooth to communicate and
    coordinate their operation. See "Guidelines for the use of Continuous
    Glucose Monitors (CGM) and Sensors in the School Setting", retrieved from
    https://www.diabetes.org/sites/default/files/2019-06/CGM%20guidelines.pdf
    on 15NOV2021, for a typical deployed solution for juveniles.

    A comp.risks search returns ~100 submissions containing "bluetooth" since ~OCT2000.

    One way to learn about medical device issues traced to their patients is to
    visit https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/PCDSimpleSearch.cfm
    and type "insulin" or "glucose monitor" into the textbox.

    17 TPLC product code records are returned for insulin (e.g., product code
    OZO) and 9 product code records (e.g., product code QLG) materialize. Each product code links to tabulations for 5 years of manufacturer device and patient problems submitted to the FDA as medical device reports
    (MDRs). Interpreting the MDRs is another matter: significant subject matter expertise required.

    Each MDR documents a product defect escape, with many characterized as "No
    Consequences Or Impact To Patient" or "No Clinical Signs, Symptoms or
    Conditions" -- meaning that a patient might have been involuntarily compelled
    to visit their physician to check on the device's behavior and verify their
    condition.

    ------------------------------

    Date: Fri, 12 Nov 2021 13:33:19 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: International Space Station nearly struck by Chinese satellite debris
    (JPost)

    *Space debris has become a major concern for all satellites orbiting the
    Earth, not just the football-field-sized ISS* [...] https://www.jpost.com/science/international-space-station-nearly-struck-by-chinese-satellite-debris-684809

    ------------------------------

    Date: Wed, 10 Nov 2021 17:26:40 +0100
    From: Bertrand Meyer <Bertrand.Meyer@inf.ethz.ch>
    Subject: DoS Sabotage by Telegram

    Antivax activists are not limited to the US. To promote Covid vaccination,
    the Swiss confederation is financing a set of concerts with star performers, free but requiring registration to control the number of participants, e.g.
    to 500 yesterday in Lausanne. It looks like anti-vaccine activists colluded through a Telegram group to sabotage the events, by reserving many of the
    seats with no intent to show up. As a result, fewer than 100 people (50 per some sources) actually attended. See https://bit.ly/3qr7Neg (French), https://bit.ly/30a4spf (German).

    ------------------------------

    Date: Mon, 8 Nov 2021 10:23:03 -0500
    From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
    Subject: Palestinians Were Targeted by Israeli Firm’s Spyware, Experts Say

    International hacking experts said on Monday that Palestinians belonging to rights groups recently outlawed by Israel had been targeted by spyware made
    by the Israeli technology firm NSO Group. The accusations put the
    relationship between the Israeli government and the company, recently blacklisted by the United States, under renewed scrutiny.

    https://www.nytimes.com/2021/11/08/world/middleeast/nso-israel-palestinians-spyware.html

    Also: Palestinians: Israeli NSO spyware found on officials’ phones

    JERUSALEM (AP) — The Palestinian Foreign Ministry on Thursday said it has detected spyware developed by the Israeli hacker-for-hire company NSO Group
    on the phones of three senior officials and accused Israel of using the military-grade Pegasus software to eavesdrop on them.

    The Palestinian accusations against NSO came as the embattled Israeli firm acknowledged that it had called off the appointment of its incoming chief executive in the wake of U.S. accusations that its spyware has been used by repressive governments around the world.

    Thursday’s announcement by the Foreign Ministry marked the first time Palestinian officials have claimed NSO software was used to spy on them.

    https://apnews.com/article/technology-business-israel-software-spyware-1fab8f8b88e8a7181887728e3e6bc39d

    ------------------------------

    Date: Thu, 11 Nov 2021 08:56:45 +0800
    From: "Richard Stein" <rmstein@ieee.org>
    Subject: Congress mandates new car technology to stop drunken driving
    (techxplore.com)

    https://techxplore.com/news/2021-11-congress-mandates-car-technology-drunken.html

    "Congress has created a new requirement for automakers: Find a high-tech
    way to keep drunken people from driving cars."

    "Each year, around 10,000 people are killed due to alcohol-related
    crashes in the U.S., making up nearly 30% of all traffic fatalities,
    according to NHTSA."

    But not intoxicated or abusing other substances like methamphetamine,
    opiates or marijuana?

    "Drugged Driving DrugFacts" from https://www.drugabuse.gov/publications/drugfacts/drugged-driving
    (retrieved on 11NOV2021) states, "According to the 2018 National Survey
    on Drug Use and Health (NSDUH), in 2018, 20.5 million people aged 16 or
    older drove under the influence of alcohol in the past year and 12.6
    million drove under the influence of illicit drugs."

    Drugged-driving represents a significant risk.

    [Hypothetical: If Theranos had not cratered, would a blood-test gizmo
    appear in your Tesla dashboard?]

    [Risks: Trying to solve social problems with technology, a major theme
    running through many past RISKS issues. PGN]

    ------------------------------

    Date: Wed, 10 Nov 2021 12:04:48 -0500
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: Thermal Grease Degradation is an underappreciated hazard

    It has often been said that one can as easily die due to some minor
    component as an exotic event. Thermal grease on CPUs and other processors
    may be a mundane issue, but when it degrades, it can cause failures in
    systems large and small.

    Thermal compound ensures heat transfer from CPUs to heat sinks. Eminently useful, thermal grease has a finite life, measured in significantly less
    than a decade. Grease degradation results in overheating and damage to processors and other components.

    Thermal grease failure can masquerade as many different problems, with the common root cause being processor overheating. One could easily think that
    the problem is elsewhere, perhaps a failed CPU, clogged fan, or failed fan;
    all of which are far more costly than the US$10 for a small syringe of
    thermal grease.

    An Intel article on replacing thermal grease can be found at: https://www.intel.com/content/www/us/en/gaming/resources/how-to-apply-thermal-paste.html

    ------------------------------

    Date: Mon, 15 Nov 2021 07:38:27 -0500
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: Unconsidered automatic filtering creates damaging side-effects

    A real example of the old adage, "Assume makes an ass out of you and me". In this particular case it creates an "ume".

    Those implementing "bad word" filters on www sites should carefully consider the implications of their decisions and how their filters can have consequences.

    I recently saw a case of a social site which has apparently implemented a filter to remove the word "ass", presumably among other "dirty" or offensive words. However, the implementation matched the sequence "ass", not the word
    " ass " (no requirement for the presence of the separating spaces).

    Therefore, the words "passion", "association", "assume", and many others
    have the sequence "ass" removed, yielding "pion", "ociation", and "ume",
    among others.

    An example of how simple it is to transform proper English into something
    that sounds illiterate.
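    The defect Bob describes is a substring match standing in for a word match.
    The following Python is an added illustration, not code from the original
    post or from the site in question: it contrasts the naive substring filter
    with a word-boundary filter, and includes an audit helper that lists which
    legitimate words a substring rule would mutilate. The banned list and sample
    text are constructed for the demonstration.

```python
import re

# Constructed for this example; a real deployment would load its own list.
BANNED = ["ass"]

# Constructed sample sentence containing the collateral words from the post.
SAMPLE = "I assume the association shares my passion for clean filters. You ass."


def naive_filter(text, banned=BANNED):
    """The flawed approach: delete the banned letter sequence wherever it
    occurs, so 'passion' becomes 'pion' and 'assume' becomes 'ume'.
    (It is also case-sensitive, so 'Ass' slips through: a second defect.)"""
    for word in banned:
        text = text.replace(word, "")
    return text


def word_filter(text, banned=BANNED, replacement="***"):
    """Whole-word match: \\b boundaries stop the pattern from firing inside
    'association'; IGNORECASE catches capitalised variants; substituting a
    marker instead of deleting keeps the sentence structure readable."""
    alternatives = "|".join(re.escape(w) for w in banned)
    pattern = re.compile(r"\b(" + alternatives + r")\b", re.IGNORECASE)
    return pattern.sub(replacement, text)


def collateral_damage(vocabulary, banned=BANNED):
    """Audit helper: given a list of legitimate words (e.g. a dictionary),
    return those a substring filter would damage. Running this before
    deploying a banned-word list surfaces the 'ume' problem in advance."""
    return sorted(w for w in vocabulary if any(b in w.lower() for b in banned))


if __name__ == "__main__":
    print("naive :", naive_filter(SAMPLE))
    print("word  :", word_filter(SAMPLE))
    # Constructed mini-vocabulary standing in for a real word list.
    print("damage:", collateral_damage(["passion", "association", "assume",
                                         "glass", "cat"]))
```

    Word-boundary matching fixes the cases in the post, but the audit helper is
    the part worth keeping: any banned-word list should be run against a real
    dictionary before it goes live, because every entry is a potential
    "Scunthorpe" case.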

    ------------------------------

    Date: Sun, 7 Nov 2021 13:03:57 -0500
    From: "Jerry Leichter" <leichter@lrw.com>
    Subject: QR codes, URL's, and restaurants

    For years, we've been telling people not to click on links in email.
    Companies require their employees to go through annual training, wasting
    time they could be doing useful work being told "don't click on URL's in
    email, they might be malicious." (Of course then the same companies turn around and send out their own emails, complete with embedded links, to those same employees.)

    Many restaurants these days have "gone modern." Rather than providing traditional menus, they put a card on the table with a QR code on it. Scan
    it on your phone and the menu pops up in your browser. But ... why exactly should you trust the URL encoded in that QR code? You actually have less context to verify it than you do in typical email URL's! Oh, sure, it's at
    a restaurant you know and trust ... but the last patron could have easily replaced the piece of paper the restaurant owner put there. Sure, you *can*
    -- if you have the right software -- look at the URL before viewing it. But
    the typical URL won't be managed by the restaurant itself -- it'll be
    provided by some third party you never heard of.

    There are "touchless" systems that go beyond this. Not only do you see your menu on your phone -- you place your order and pay for it on the Web site the QR code brings up. If a URL in an email asked for your credit card information, you might be suspicious -- but if the restaurant's entire order/pay experience is through the QR code, that's just expected. Oh, and
    to make it even better, these things often show up on your next credit bill
    as from some third party you never heard of, not the restaurant itself.
    Someone could probably skim a good fraction of payments from a restaurant
    for quite a while without either the restaurant or any customer noticing
    that something was amiss: The customer would see and pay an expected charge
    (to the wrong party, but he has no way to check); the restaurant would eventually notice that its receipts didn't match expectations, but tracking down why might take a while.

    These touchless, automated systems were probably in the planning stages well before COVID, but the pandemic has greatly speeded their adoption. I
    haven't heard of any frauds ... but I'll be astonished if it stays that way.
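    Jerry's point is that the URL behind a QR code gets less scrutiny than one in
    an email, and that the host is usually a third party rather than the
    restaurant. The Python below is an added example, not code from the original
    post: it applies the checks a cautious diner (or a scanner app) would run on
    the decoded URL before opening it. The restaurant's domain
    `example-bistro.invalid` and the sample URLs are constructed for the
    demonstration; the function takes the already-decoded string, since QR
    decoding itself is outside its scope.

```python
from urllib.parse import urlsplit

# Assumed: the domain the restaurant actually controls (constructed value).
EXPECTED_HOST = "example-bistro.invalid"


def vet_qr_url(url, expected_host=EXPECTED_HOST):
    """Return (ok, reason) for a URL decoded from a table-card QR code.

    The checks mirror what a person would look for if they could see the
    URL before it opened: plain https, no credentials embedded in the
    address, a host that is readable ASCII, and a host that is the
    restaurant's own domain (or a subdomain of it) rather than a stranger's.
    """
    parts = urlsplit(url)

    if parts.scheme.lower() != "https":
        return False, "scheme is not https"

    # 'https://example-bistro.invalid@other.invalid/' looks like the bistro
    # but the part before '@' is userinfo; the real host follows it.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo; host is not what it appears"

    host = parts.hostname or ""          # urlsplit lower-cases this
    if not host:
        return False, "no host"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalised host; may visually imitate another"

    if host == expected_host or host.endswith("." + expected_host):
        return True, "host belongs to the restaurant's domain"
    return False, f"host {host!r} is a third party, not the restaurant"


if __name__ == "__main__":
    # Constructed sample URLs of the kinds a scanner might hand back.
    for sample in [
        "https://example-bistro.invalid/menu",
        "https://menu.example-bistro.invalid/today",
        "http://example-bistro.invalid/menu",
        "https://example-bistro.invalid@other.invalid/menu",
        "https://example-bistro.invalid.other.invalid/",
        "https://ordering-vendor.invalid/r/123",
    ]:
        ok, why = vet_qr_url(sample)
        print(("OK  " if ok else "STOP"), sample, "-", why)
```

    The last sample is the interesting one for this post: a perfectly
    well-formed ordering URL that fails only because the host is not the
    restaurant's. That is exactly the case the customer cannot distinguish
    from the legitimate third-party vendor, which is why the post expects
    fraud here eventually.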

    ------------------------------

    Date: Wed, 10 Nov 2021 12:17:15 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: "Political Ads During 2020 Presidential Election Cycle Collected
    Personal Information, Spread Misleading Information" (UWash)

    University of Washington News (11/08/21) Sarah McQuate; Rebecca Gourley

    University of Washington (UW) researchers say online political ads during
    the 2020 U.S. presidential election often employed manipulative techniques, including spreading misinformation. The researchers scrolled through
    nearly 750 news sites with a Web crawler, and studied over 1 million ads
    between September 2020 and January 2021; natural language processing
    determined almost 56,000 ads were political. UW's Miranda Wei said fake poll ads harvested personal information like email addresses, and attempted to exploit people's political leanings, "then use that information to send
    spam, malware, or just general email newsletters." The most popular
    political ad was click-bait news that typically mentioned top politicians in sensationalist headlines, while the actual articles contained little of substance. The researchers advise Web surfers to be cautious about taking
    such content at face value, and to use ad blockers.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2d5e0x22f43dx074152&

    ------------------------------

    Date: Fri, 12 Nov 2021 12:30:14 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Algorithmic Tracking 'Damaging Mental Health' of UK Workers
    (Dan Milmo)

    Dan Milmo, *The Guardian*, 11 Nov 2021
    via ACM TechNews, Friday, November 12, 2021

    A report by the UK Parliament's All-Party Parliamentary Group (AAPG) calls
    for new legislation to control the use of algorithms to monitor workers and
    set performance targets for them. The report said pervasive monitoring and target-setting technologies in particular "are associated with pronounced negative impacts on mental and physical well-being as workers experience the extreme pressure of constant, real-time micro-management and automated assessment." The group is calling for an "accountability for algorithms act"
    to ensure performance-driven regimes are evaluated to assess their impact,
    and that workers participate in the design and use of algorithm-driven
    systems.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2d630x22f53ax074337&

    ------------------------------

    Date: Mon, 8 Nov 2021 10:48:02 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Scammers impersonate guest editors to get sham papers published

    https://www.nature.com/articles/d41586-021-03035-y

    ------------------------------

    Date: Wed, 10 Nov 2021 16:27:55 -0700
    From: Joe Loughry <joe@netoir.com>
    Subject: Ransomware operators have a compliance department (Matt Levine)

    From Matt Levine's *Money Stuff* newsletter on Bloomberg, 8 November 2021:

    Ransomware

    In October, the infamous ransomware gang known as Conti released thousands
    of files stolen from the UK jewelry store Graff.

    Now, the hackers would like the world to know that they regret their
    decision, perhaps in part because they released files belonging to very
    powerful people....

    "We found that our sample data was not properly reviewed before being
    uploaded to the blog," the hackers wrote in an announcement published on
    Thursday. "Conti guarantees that any information pertaining to members
    of Saudi Arabia, UAE, and Qatar families will be deleted without any
    exposure and review."

    "Our Team apologizes to His Royal Highness Prince Mohammed bin Salman
    and any other members of the Royal Families whose names were mentioned
    in the publication for any inconvenience," the hackers added.

    Imagine being a big-time ransomware hacker, thinking that you're pretty
    tough, fancying yourself a master criminal, giving yourself an
    intimidating online alias, maybe even being able, in certain
    circumstances, to call down violence on your enemies, and then realizing
    one day that you'd accidentally hacked a guy who had a journalist
    kidnapped, tortured to death and then dismembered with a bone saw for
    criticizing him.

    They are adding new compliance procedures to make sure this won't happen
    again:

    The hackers also said that other than publishing the data on their site,
    they did not sell it or trade, and that from now on they will "implement
    a more rigid data review process for any future operations."

    We have talked before about the compliance function at ransomware
    firms. If you run a legal company, you have a compliance department to
    make sure that you don't do anything illegal, or at least, if your company
    is really big, to keep the illegality within acceptable limits. If you run
    a criminal gang, you have concerns that are different in degree but
    directionally similar: Your whole business is doing illegal things, sure,
    but you don't want to do too many things that are too illegal. You want to
    do crimes that make you money, but not crimes that get you shut down. You
    want to steal information from rich people and extort money from them. But
    not Mohammed bin Salman! Good lord!

    Source: https://www.bloomberg.com/newsletters/money-stuff/latest

    ------------------------------

    Date: Tue, 9 Nov 2021 14:44:48 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Bipartisan bill would force Big Tech to offer algorithm-free feeds,
    search results

    [As nutty a concept as they come.]

    As currently proposed, this concept is nuts. A search engine without prioritization is a massive, useless phone book. We're decades past that
    stage on the Net. -L

    https://arstechnica.com/tech-policy/2021/11/bill-proposes-algorithm-free-option-on-big-tech-platforms-may-portend-bigger-steps/

    ------------------------------

    Date: Fri, 19 Nov 2021 18:34:42 -0500
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Edge and Windows 11 — the return of Microsoft's IE fiasco?
    (Computerworld)

    Microsoft, are you really planning to repeat your biggest business blunder?

    This is no bug. This is a deliberate move throughout Windows to return
    to the past when your only real browser choice was the Microsoft choice.
    It backfired on the company then; I hope it backfires now.

    https://www.computerworld.com/article/3641233/edge-and-windows-11-the-return-of-microsofts-ie-fiasco.html

    [Lauren Weinstein noted this take on SearchEngineLand:
    https://searchengineland.com/windows-11-update-forces-users-into-edge-regardless-of-their-default-browser-376030]

    ------------------------------

    Date: Thu, 18 Nov 2021 16:22:09 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Google 2021 AI Principles Progress Update

    https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/2021_AI_Principles_Progress_Update.pdf

    ------------------------------

    Date: Sat, 20 Nov 2021 09:50:35 +0000 (UTC)
    From: "Paul Robinson" <paul@paul-robinson.us>
    Subject: You've Got an Enemy at Chase!

    My story is entitled "You've Got an Enemy at Chase!" as while I'm not sure
    if JPMorgan Chase Bank, N.A. has ever used the slogan "You've Got a Friend
    at Chase!" they certainly have, not a method to win friends and influence people, but instead, the abysmal performance I experienced of the type that
    can make you believe they hate you and ARE your enemy.

    I discover (no pun intended, it's a Visa card) that my Chase credit card is
    missing. I think I lost it, so I'll just cancel it and have them issue a new
    one. So I bring up Chase.Com and there is a big "Welcome" and "please log
    in" button. I click the button, a new prompt comes up where it asks for my
    username and password. Firefox brings up a drop-down box showing two
    options: a username I've used before in all UPPER CASE and the same username
    in all lower case. This is, in fact, correct behavior, because some websites
    have (the really stupid, in my opinion) "feature" (or maybe it's a bug) of
    case-sensitive usernames. I pick the all caps one, Firefox auto-fills the
    password field. I try it. Chase doesn't recognize my login, so I try the all
    lower case one, which Firefox auto-fills. Nope, that one doesn't work
    either.

    Okay, I must have the wrong password, so I click on the link "forgot username/password?" This brings up a new box requesting Social Security
    number (quite reasonable, I fill that in) and account number (oh s---!). I
    try leaving the account number blank, and hit the "Next" button. I get an
    angry red message above the account number box saying "Account, card or application number", and below the box, saying "Please tell us your account, card or application number to continue." I don't know about you, but I'm
    not in the habit of writing down my account number in case I lose my card,
    and I think most people do not, either.

    Well, that means I can't use their website to report my card lost, so I'll
    have to call them. Let's not forget voicemail systems are also software
    applications, just running on hardware dedicated to that purpose (and with
    the open-source PBX program Asterisk, can be a PC running Linux).

    So I call the 800 number -- if you type "what is chase bank credit card phone number" Google will give you, in a nice big font -- 1 (800) 432-3117. So I
    dial the number.

    It asks me for my credit card number. Then it says that if I don't have the number, press 1. It asks me to punch in my social security
    number. Fine. Then it asks me to punch in the full 16-digit account number.

    There is a YouTuber named Undoomed, who critiques other people's
    videos. When the other person says something that on its face was stupid, he responds with, "Hey Moron! F---ing Moron!" This was one of those moments.

    I'll make this real simple for the morons at Chase. If your voicemail system has given someone a path to use when they are missing an authentication,
    you're not supposed to ask them for the very same authentication they just
    told you that they don't have.

    ------------------------------

    Date: Mon, 8 Nov 2021 13:14:01 +0100
    From: "Peter Houppermans" <peter@houppermans.net>
    Subject: UK regulator seeks to improve the privacy of video conferencing

    ``In July 2020, six data protection and privacy authorities from Australia,
    Canada, Gibraltar, Hong Kong SAR, China, Switzerland and the United Kingdom
    jointly signed an open letter to video teleconferencing (VTC) companies. The
    letter highlighted concerns about whether privacy safeguards were keeping
    pace with the rapid increase in use of VTC services during the global
    pandemic, and provided VTC companies with some guiding principles to address
    key privacy risks.''

    https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/10/joint-statement-on-global-privacy-expectations-of-video-teleconferencing-companies/

    Let's just say I have a fairly jaundiced view of what providers do in
    reality with such efforts, but it's not a bad thing they start paying
    attention.

    In general, video conferencing got a lot easier now WebRTC functionality is
    part of most browsers, although not all implementations are great. Firefox
    seems to be the best balance between multi-platform functionality and
    avoiding Google Chrome. You can effectively roll your own service with what
    the Jitsi team has made available at https://jitsi.org/, provided you
    protect the server component -- that's where all the streams cross. iOS
    users best use their app as it has significantly less lag; Apple's mandated
    WebKit as used for Safari and Firefox appears as yet not quite up to the
    task.

    But I digress -- we're making progress here.

    ------------------------------

    Date: Fri, 12 Nov 2021 13:23:31 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Cryptocurrency, NFTs or other such digital assets face a quantum
    computing problem (CNET)

    *Two cutting-edge technologies that promise to revolutionize entire fields
    may be on a collision course.*

    Cryptocurrencies hold the potential to change finance, eliminating middlemen and bringing accounts to millions of unbanked people around the
    world. *Quantum computers* could upend the way pharmaceuticals and materials are designed by bringing their extraordinary power to the process.

    Here's the problem: The blockchain accounting technology that powers cryptocurrencies could be vulnerable to sophisticated attacks and forged transactions if quantum computing matures faster than efforts to
    future-proof digital money.

    Cryptocurrencies are secured by a technology called public key cryptography. The system is ubiquitous, protecting your online purchases and scrambling
    your communications for anyone other than the intended recipient. The technology works by combining a public key, one that anyone can see, with a private key that's for your eyes only.

    If current progress continues, quantum computers will be able to crack
    public key cryptography, potentially creating a serious threat to the crypto world, where *some currencies are valued*
    at *hundreds of billions of dollars* <https://coinmarketcap.com/>. If encryption is broken, attackers can impersonate the legitimate owners of cryptocurrency, *NFT* or other such digital assets. [...]

    <https://time.com/nextadvisor/investing/cryptocurrency/why-do-bitcoins-have-value/>
    <https://www.cnet.com/news/you-can-get-a-free-dc-x-palm-nft-tomorrow-what-to-know-about-the-digital-tokens-now/>
    <https://www.cnet.com/tech/computing/google-quantum-supremacy-only-first-taste-of-computing-revolution/>
    https://www.cnet.com/personal-finance/crypto/cryptocurrency-faces-a-quantum-computing-problem/

    ------------------------------

    Date: Wed, 17 Nov 2021 11:44:54 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Security Vulnerabilities in Computer Memories (Oliver Morsch)

    Oliver Morsch, ETH Zurich (Switzerland), 15 Nov 2021
    via ACM TechNews, Wednesday, November 17, 2021

    A team of researchers from the Swiss Federal Institute of Technology, Zurich (ETH Zurich), the Netherlands' Vrije Universiteit Amsterdam, and
    semiconductor manufacturer Qualcomm Technologies identified major security flaws in dynamic random-access memory (DRAM) devices. ETH Zurich's Kaveh
    Razavi said the Rowhammer vulnerability in DRAMs, exploited by hackers to induce bit errors and access restricted areas inside the computer, remains unaddressed. Countermeasures designed to neutralize Rowhammer merely detect simple attacks. Razavi said the researchers' Blacksmith software, which systematically applies complex hammering patterns, found a successful
    exploit in each of 40 DRAM memories tested. This means current DRAM memories
    could remain hackable by Rowhammer attacks for years to come.
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2d6b4x22f6e5x074830&

    [See the source: https://comsec.ethz.ch/research/dram/blacksmith/]

    ------------------------------

    Date: Sun, 7 Nov 2021 15:14:03 -0500
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: These Parents Built a School App. Then the City Called the Cops
    (WiReD)

    In the weeks that followed, Landgren teamed up with fellow developers
    and parents Johan Öbrink and Erik Hellman, and the trio hatched a plan.
    They would create an open source version of the Skolplattform and
    release it as an app that could be used by frustrated parents across
    Stockholm. Building on Landgren’s earlier work, the team opened Chrome’s developer tools, logged into the Skolplattform, and wrote down all the
    URLs and payloads. They took the code, which called the platform’s
    private API and built packages so it could run on a phone—essentially creating a layer on top of the existing, glitchy Skolplattform.

    The result was the Öppna Skolplattformen, or Open School Platform. The
    app was released on February 12, 2021, and all of its code is published
    under an open source license on GitHub. Anyone can take or use the code,
    with very few limitations on what they can do with it. If the city
    wanted to use any of the code, it could. But rather than welcome it with
    open arms, city officials reacted with indignation. Even before the app
    was released, the City of Stockholm warned Landgren that it might be
    illegal. [...]

    The police report, shared with WIRED by Landgren, references the Certezza security review, which was commissioned by the city and completed on
    February 17, 2021. The review concluded that the open source app wasn’t sending any sensitive information to third parties and didn’t pose a threat to users. The police report went further in clearing the Öppna
    Skolplattformen developers. “All information that Öppna Skolplattformen has used is public information that the City of Stockholm voluntarily distributed,” it said.

    https://www.wired.com/story/sweden-stockholm-school-app-open-source/

    The risk? Providing better U/I and making official IT look silly, so
    they call cops...

    ------------------------------

    Date: Sun, 7 Nov 2021 15:18:22 -0500
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Cars Are Going Electric. What Happens to the Used Batteries? (WiReD)


    [continued in next message]
