• Risks Digest 31.36 (1/2)

    From RISKS List Owner@21:1/5 to All on Mon Aug 12 20:30:46 2019
    RISKS-LIST: Risks-Forum Digest Monday 12 August 2019 Volume 31 : Issue 36

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.36>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts (WiReD)
    This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station' (WiReD)
    "New Windows malware can also brute-force WordPress websites"
      (Catalin Cimpanu)
    Getting physical: warshipping (Fortune)
    These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer (VICE)
    Inside the Hidden World of Elevator Phone Phreaking (WiReD)
    Popular kids' tablet patched after flaws left personal data vulnerable
      (Danny Palmer)
    Watch a Drone Take Over a Nearby Smart TV (WiReD)
    5G Wireless Networks Are Not Harmful to Health, FCC Says (Fortune)
    Phishing attack: Students' personal information stolen in university data
      breach (Danny Palmer)
    Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects
      Touchscreen Controls (USNI News)
    This High-Tech Solution to Disaster Response May Be Too Good to Be True
      (The New York Times)
    Scam pulse-monitoring app returns to Apple Store (Ben Lovejoy)
    He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets (Bloomberg)
    GDPR's unintended consequences (The Register)
    Black Hat: GDPR privacy law exploited to reveal personal data (BBC News)
    Password policy recommendations: Here's what you need to know. (HPE)
    Re: Russian hackers are infiltrating companies via the office printer
      (Kelly Bert Manning)
    Climate change: how the jet stream is changing your weather (FT)
    Re: AI Predictive Policing (George Jansen)
    Re: Hawley/SMART Act (Rob Slade, Dimitri Maziuk)
    Re: Apple's Siri overhears your drug deals and sexual activity
      (Amos Shapir)
    Re: Siemens contractor pleads guilty to planting logic bomb in company
      spreadsheets (Martin Ward)
    Researchers wrest control of one of world's most secure industrial
      controllers (The Times of Israel)
    Writing about writing (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 8 Aug 2019 23:36:06 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
    (WiReD)

    But Boeing counters that it has both "additional protection mechanisms" in
    the CIS/MS that would prevent its bugs from being exploited from the ODN,
    and another hardware device between the semi-sensitive IDN -- where the
    CIS/MS is located -- and the highly sensitive CDN. That second barrier, the
    company argues, allows only data to pass from one part of the network to
    the other, rather than the executable commands that would be necessary to
    affect the plane's critical systems.

    "Although we do not provide details about our cybersecurity measures and
    protections for security reasons, Boeing is confident that its airplanes
    are safe from cyberattack," the company's statement concludes.

    Boeing says it also consulted with the Federal Aviation Administration and
    the Department of Homeland Security about Santamarta's attack. While the
    DHS didn't respond to a request for comment, an FAA spokesperson wrote in a
    statement to WIRED that it's "satisfied with the manufacturer's assessment
    of the issue."

    https://www.wired.com/story/boeing-787-code-leak-security-flaws/

    ...or not.

    ------------------------------

    Date: Sat, 10 Aug 2019 23:24:51 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'
    (WiReD)

    Automatic license plate reader cameras are controversial enough when law
    enforcement deploys them, given that they can create a panopticon of
    transit throughout a city. Now one hacker has found a way to put a sample
    of that power -- for safety, he says, and for surveillance -- into the
    hands of anyone with a Tesla and a few hundred dollars to spare.

    https://www.wired.com/story/tesla-surveillance-detection-scout/

    ------------------------------

    Date: Wed, 07 Aug 2019 10:53:43 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "New Windows malware can also brute-force WordPress websites"
    (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 7 Aug 2019
    Avast discovers strange new malware strain that, besides stealing and
    mining cryptocurrency on infected hosts, also launches brute-force
    attacks on WordPress sites.
    https://www.zdnet.com/article/new-windows-malware-can-also-brute-force-wordpress-websites/

    ------------------------------

    Date: Sat, 10 Aug 2019 23:46:31 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Getting physical: warshipping (Fortune)

    IBM researchers are hyping a new hacking technique called "warshipping"
    that involves breaking into corporate networks using a cheap Wi-Fi device
    sent in the mail.
    <https://click.newsletters.fortune.com/?qs=8ca880a24f65b13bbf1097ec6804d32f1ffb7de5935835a13584039deae81cfe53c9ee23603bed92fc636294f47dfb2778c1a3aa2eeb7fc6>
    A hacker has turned a Tesla vehicle into a mobile surveillance station
    capable of storing facial imagery and license plate numbers. Elevator
    phone phreaking is the latest hacker fad.
    <https://click.newsletters.fortune.com/?qs=8ca880a24f65b13b7662e50aa5a2d43d15fba0902b481d798855677ffbd570785ab461d582afc4e165f52882da362bd2502daba18beb92f3>
    <https://click.newsletters.fortune.com/?qs=8ca880a24f65b13b6e83f3afdc450e002267ca04e8cbf3f0e32231b5db7100e9038d360436e6baeeb540aa22fe1f438db6cf381e823afe53>

    ...from Fortune magazine newsletter.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:53:56 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: These Legit-Looking iPhone Lightning Cables Will Hijack Your
    Computer (VICE)

    It looks like an Apple lightning cable. It works like an Apple lightning
    cable. But it will give an attacker a way to remotely tap into your
    computer.

    https://www.vice.com/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer

    ------------------------------

    Date: Sat, 10 Aug 2019 23:22:02 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Inside the Hidden World of Elevator Phone Phreaking (WiReD)

    Author writes:

    The first time I called into an elevator, I picked up my iPhone and dialed
    the number -- labeled on my list as the Crown Plaza Hotel in Chicago -- and
    immediately heard two beeps, then a recording of a woman's voice, who told
    me to press one to talk. When I did, I was suddenly in aural space filled
    with the hum of motors and the muffled twanging of steel cables under
    tension. "Hello, can anyone hear me?" I asked the void. The void did not
    respond.

    I hung up and tried another number on my list: A Hilton hotel in Grand
    Rapids, Michigan. After just one ring I heard a series of four tones and
    was immediately listening to the inside of another elevator. I heard a
    chime, perhaps a signal that it had reached a floor, followed by the
    rumble of what might have been a door opening. "Hi, is anyone in here?" I
    asked. This time I heard a few muffled voices, then a woman answered:
    "There are people in here, yes."

    https://www.wired.com/story/elevator-phone-phreaking-defcon/

    ------------------------------

    Date: Wed, 07 Aug 2019 10:31:38 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: Popular kids' tablet patched after flaws left personal data
    vulnerable (Danny Palmer)

    Danny Palmer, ZDNet, 7 Aug 2019
    Researchers also found security holes that gave away personal data and
    credit card information of children's parents.
    https://www.zdnet.com/article/popular-kids-tablet-patched-after-flaws-left-personal-data-vulnerable/

    selected text:

    Security vulnerabilities in a popular children's tablet could have allowed
    attackers to collect sensitive information about its young users, as well
    as enabling hackers to steal their parents' names, address and credit card
    details.

    In addition to this, researchers found that the Pet Chat protocol didn't
    require any authentication between devices, meaning anyone running Pet
    Chat within 100ft of a user could send messages to the child's device,
    albeit in the set phrases allowed by Pet Chat, something that could
    potentially put the child at risk.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:58:31 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Watch a Drone Take Over a Nearby Smart TV (WiReD)

    For all the focus on locking down laptops and smartphones, the biggest
    screen in millions of living rooms remains largely unsecured
    <https://www.wired.com/2017/03/worried-cia-hacked-samsung-tv-heres-tell/>,
    even after years of warnings
    <https://www.wired.com/2017/02/smart-tv-spying-vizio-settlement/>. Smart
    TVs today can fall prey to any number of hacker tricks -- including one
    still-viable radio attack, stylishly demonstrated by a hovering drone.

    At the Defcon hacker conference Sunday, independent security researcher
    Pedro Cabrera showed off, in a series of hacking proof of concept attacks,
    how modern TVs -- and particularly smart TVs that use the
    Internet-connected HbbTV standard implemented in his native Spain, across
    Europe, and much of the rest of the world -- remain vulnerable to hackers.
    Those techniques can force TVs to show whatever video a hacker chooses,
    display phishing messages that ask for the viewer's passwords, inject
    keyloggers that capture the user's remote button presses, and run
    cryptomining software. All of those attacks stem from the general lack of
    authentication in TV networks' communications, even as they're
    increasingly integrated with Internet services that can allow a hacker to
    interact with them in far more dangerous ways than in a simpler era of
    one-way broadcasting.

    "The lack of security means we can broadcast with our own equipment
    anything we want, and any smart TV will accept it," Cabrera says. "The
    transmission hasn't been at all authenticated. So this fake transmission,
    this channel injection, will be a successful attack."

    At the Defcon hacking conference in Las Vegas, a security researcher showed
    how easy it is to compromise a smart TV with a DJI quadcopter.

    https://www.wired.com/story/smart-tv-drone-hack/

    ------------------------------

    Date: Fri, 9 Aug 2019 15:36:27 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: 5G Wireless Networks Are Not Harmful to Health, FCC Says (Fortune)

    'The Feds Try To End the Debate Over 5G Health Concerns' -- Data Sheet

    It's the question everyone wants to go away: are 5G wireless networks safe
    or are they a risk to human health?

    On Thursday, the Federal Communications Commission and the Food and Drug
    Administration tried to put the question to bed once more. The FCC
    announced it would hold its radio frequency exposure limits for cell
    phones, cellular towers, and other wireless gear at current levels. The use
    of some new frequencies as part of the 5G rollout did not change the
    situation, the agency said. After a review of the scientific record and
    consultations with health agencies, ``we find it appropriate to maintain
    the existing radio frequency limits, which are among the most stringent in
    the world for cell phones,'' Julius Knapp, chief of the FCC's Office of
    Engineering and Technology, said. That came backed with excerpted comments
    from Jeffrey Shuren, director of the Food and Drug Administration's Center
    for Devices and Radiological Health. The ``available scientific evidence to
    date does not support adverse health effects in humans due to exposures at
    or under the current limit'' and ``[n]o changes to the current standards
    are warranted at this time,'' Shuren explained in a letter cited in part by
    the FCC.

    That's also the same conclusion that the scientific association the
    Institute of Electrical and Electronics Engineers, or IEEE, came to back in
    February, when it completed a review of recommended exposure limits and
    also agreed to maintain them at current levels.

    But the announcements are unlikely to end the debate
    <https://fortune.com/2019/05/22/health-concerns-5g-cellphones-cancer/>.
    Worriers can point to a few studies and the decision by the World Health
    Organization's International Agency for Research on Cancer to classify
    cellular radio waves as a possible carcinogen back in 2011. And countries
    like Belgium and Switzerland have delayed 5G networks over health concerns.
    On the other side, research from the American Cancer Society and the
    National Institutes of Health, among others, have concluded there are no
    risks. And so round it goes. The WHO has a vast, new study underway that,
    perhaps, will offer a more definitive result. For a truly deep dive, check
    out the page maintained by the National Cancer Institute on cell phones and
    cancer research
    <https://www.cancer.gov/about-cancer/causes-prevention/risk/radiation/cell-phones-fact-sheet>.

    https://fortune.com/2019/08/09/the-feds-try-to-end-the-debate-over-5g-health-concerns-data-sheet/

    ------------------------------

    Date: Wed, 07 Aug 2019 10:26:47 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: Phishing attack: Students' personal information stolen in
    university data breach (Danny Palmer)

    Danny Palmer, ZDNet, 23 Jul 2019

    University says it has fallen victim to "a sophisticated and malicious
    phishing attack" -- and students are being warned to look out for
    suspicious emails.
    https://www.zdnet.com/article/phishing-attack-students-personal-information-stolen-in-university-data-breach/

    Hackers have stolen personal data of prospective and current students at
    Lancaster University after gaining access to databases that contained
    personal information -- with victims now the targets of additional
    cyberattacks.

    Names, addresses, telephone numbers, and email addresses have been
    compromised by cyberattackers who gained unauthorised entry to
    undergraduate students' application records for 2019 and 2020. The
    university has over 13,000 students, but there's currently no figure on the
    number of people who have been caught up in the attack.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:51:04 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects
    Touchscreen Controls (USNI News)

    SAN DIEGO -- The Navy will begin reverting destroyers back to a physical
    throttle and traditional helm control system in the next 18 to 24 months,
    after the fleet overwhelmingly said they prefer mechanical controls to
    touchscreen systems in the aftermath of the fatal USS John S. McCain
    (DDG-56) collision.

    The investigation into the collision showed that a touchscreen system that
    was complex and that sailors had been poorly trained to use contributed to
    a loss of control of the ship just before it crossed paths with a merchant
    ship in the Singapore Strait. After the Navy released a Comprehensive
    Review related to the McCain and the USS Fitzgerald (DDG-62) collisions,
    Naval Sea Systems Command conducted fleet surveys regarding some of the
    engineering recommendations, Program Executive Officer for Ships Rear Adm.
    Bill Galinis said.

    https://news.usni.org/2019/08/09/navy-reverting-ddgs-back-to-physical-throttles-after-fleet-rejects-touchscreen-controls

    Nice work on testing design, getting user input...

    ...and funny juxtaposition:

    https://www.wired.com/story/gesture-controls-phones-samsung-lg-google/

    ------------------------------

    Date: Sat, 10 Aug 2019 09:52:00 -0700
    From: Richard Stein <rmstein@ieee.org>
    Subject: This High-Tech Solution to Disaster Response May Be Too Good
    to Be True (The New York Times)

    https://www.nytimes.com/2019/08/09/us/emergency-response-disaster-technology.html

    Emergency response simulation, for sale, adopted by several municipalities
    (and at least one country -- Japan) to optimize first responder resource
    allocation and prioritization. The `One Concern' AI platform relies on
    residential census data.

    As noted in the NY Times piece:

    "But when T.J. McDonald, who works for Seattle's office of emergency
    management, reviewed a simulated earthquake on the company's damage
    prediction platform, he spotted problems. A popular big-box store was
    grayed out on the web-based map, meaning there was no analysis of the
    conditions there, and shoppers and workers who might be in danger would not
    receive immediate help if rescuers relied on One Concern's results.

    "'If that Costco collapses in the middle of the day, there's going to be a
    lot of people who are hurt,' he said."

    The US census collects household income data. This component might be
    accorded greater algorithmic weight. Similarly, what would happen to
    disaster response prioritization if crime statistics, such as homicide
    rate, were integrated? Or if there's an EPA superfund site in the locality?

    Algorithmic bias remains a significant risk to public safety and health.
    Trust that dedicated public servants, like Mr. McDonald, are vigilant and
    accountable to direct emergency response where and when disaster strikes.

    ------------------------------

    Date: Wed, 7 Aug 2019 12:05:06 -0400
    From: George Mannes <gmannes@gmail.com>
    Subject: Scam pulse-monitoring app returns to Apple Store (Ben Lovejoy)

    [Fiendishly clever, or cleverly fiendish:]

    https://9to5mac.com/2019/08/07/scam-heartrate-app/

    Ben Lovejoy
    Scam heart rate app is back in the App Store, trying to steal $85/year

    A scam heart rate app that tried to con iPhone users out of $89/year is now
    back in the App Store under a new name, some eight months after Apple
    removed the original version.

    The app specifically targets people who own iPhones with Touch ID.

    What the app does is ask users to place their finger on the Home button,
    supposedly to take a heart-beat reading. In reality, the app dims the
    display brightness to its minimum to hide the content -- which is actually
    Apple's dialogue requesting authorization for a recurring in-app purchase.
    If users place a registered Touch ID finger on the Home button, that
    completes the purchase.

    Apple removed the app in November of last year following our report, but
    Brazil's Mac Magazine reports that it has now returned. ...

    Now the app presents itself as `Pulse Heartbeat' and its developer is
    registered as BIZNES-PLAUVANNYA, PP.

    The in-app purchase is now for 340 Brazilian reals, which is equivalent to
    around US$85. As before, the app is targeting Portuguese speakers. ...

    The reality [no pun intended?] is that the app review process is a manual
    one, and prone to human error. Scammers will usually submit an innocuous
    app and then update it with rogue code after approval. Although Apple
    reviews updates too, there is a general belief that this review is less
    thorough than for a new app.

    The report does show that even in a curated app store, there are still
    risks. ...

    ------------------------------

    Date: Sat, 10 Aug 2019 00:44:45 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets
    (Bloomberg)

    Avoiding digital snoops takes more than throwing money at the problem,
    but that part can be really fun.

    https://www.bloomberg.com/news/features/2019-08-08/i-tried-hiding-from-silicon-valley-in-a-pile-of-privacy-gadgets

    ------------------------------

    Date: Fri, 9 Aug 2019 13:33:14 -0400
    From: Steven Klein <steven@klein.us>
    Subject: GDPR's unintended consequences (The Register)

    GDPR, the EU's General Data Protection Regulation, is supposed to protect
    personal data and user privacy for EU citizens. But it has made life much
    easier for identity thieves. The law obligates companies to provide a copy
    of any personal data they have, but doesn't require companies to verify
    the identity of those requesting the info.

    ``James Pavur, a PhD student at Oxford University who usually specialises
    in satellite hacking, explained how he was able to game the GDPR system to
    get all kinds of useful information on his fiancée [with her permission],
    including credit card and social security numbers, passwords, and even her
    mother's maiden name. [...] Over the space of two months Pavur sent out 150
    GDPR requests in his fiancée's name, asking for all and any data on her. In
    all, 72 per cent of companies replied back, and 83 companies said that they
    had information on her. ... Of the responses, 24 per cent simply accepted
    an email address and phone number as proof of identity and sent over any
    files they had on his fiancée.''

    ``A threat-intelligence company sent over a list of her email addresses and
    passwords which had already been compromised in attacks. Several of these
    still worked on some accounts.''

    Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>

    ------------------------------

    Date: Thu, 8 Aug 2019 17:51:23 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Black Hat: GDPR privacy law exploited to reveal personal data
    (BBC News)

    About one in four companies revealed personal information to a woman's
    partner, who had made a bogus demand for the data by citing an EU privacy
    law.

    The security expert contacted dozens of UK and US-based firms to test how
    they would handle a "right of access" request made in someone else's name.

    In each case, he asked for all the data that they held on his fiancee.

    In one case, the response included the results of a criminal activity check.

    Other replies included credit card information, travel details, account
    logins and passwords, and the target's full US social security number.

    University of Oxford-based researcher James Pavur has presented his findings
    at the Black Hat conference in Las Vegas.

    It is the first known test of its kind to exploit the EU's General Data
    Protection Regulation (GDPR), which came into force in May 2018.

    "Generally if it was an extremely large company -- especially tech ones --
    they tended to do really well," he told the BBC.

    "Small companies tended to ignore me."

    https://www.bbc.com/news/technology-49252501

    [Also noted by others. PGN]

    ------------------------------

    Date: Tue, 6 Aug 2019 19:42:26 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Password policy recommendations: Here's what you need to know. (HPE)

    Complexity, uniqueness, and periodic change have long been the top best practices for passwords, but new recommendations have led to changes around password policies.

    https://www.hpe.com/us/en/insights/articles/password-policy-recommendations-heres-what-you-need-to-know-1908.html

    ------------------------------

    Date: Thu, 8 Aug 2019 13:06:33 -0400
    From: Kelly Bert Manning <bo774@freenet.carleton.ca>
    Subject: Re: Russian hackers are infiltrating companies via the office
    printer (RISKS-31.35)

    Russia may be a new player, but I first became concerned about printer
    hacking when I read the manuals for the shiny new IP connected Lexmark
    printers that replaced PC connected and IBM SNA printers back in the 1990s.
    I contacted IT security to note that the printers came from the factory with
    a standard remote admin login ID and password, suggesting that it might be
    wise to change those.

    The response was Move Along, Nothing to Worry About Here, even from BC
    Ministry of Health IT security.

    Fast forward a couple of years and all Lexmark printers in the Ministry have
    to be disconnected, shut down and purged of a Lexmark Virus.

    Things like that happened often enough that new staff were advised to
    always stay on my right side, although my view was that sometimes I found
    it a challenge to be influential and persuasive, in addition to being
    correct. White Hat Social Engineering, persuading and influencing people to
    make the correct choice, can be as important as having the best analysis,
    solution or mitigation.

    ------------------------------

    Date: Tue, 6 Aug 2019 14:25:36 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Climate change: how the jet stream is changing your weather (FT)

    *Northern Atlantic current is shifting course -- with implications for crops and sea levels*

    EXCERPT:

    At the summit of the Greenland ice cap the temperature rarely rises above
    zero degrees centigrade -- the elevation is 3,200m and the ice below is
    more than a mile thick.

    But last Friday, as the sun beat down, a small weather station laden with
    sensors captured something highly unusual: the temperature crept past zero
    and up to 3.6C -- the highest since records began three decades ago. As
    temperatures rose across the massive ice sheet, which blankets an area five
    times the size of Germany, around 60 per cent of the surface started to
    melt, one of the largest ever recorded.

    Scientists know of only three prior occasions in the past 800 years when
    there has been melting at the very top of the ice cap, which is kept chilled
    by the large volume of ice beneath. But this seems to be getting more
    frequent -- it is now the second time this decade it has happened.

    ``The last time we saw melting at the summit, in 2012, we thought it was
    the extreme of the extremes, and wouldn't happen again so quickly,'' says
    Konrad Steffen, a professor of climate and cryosphere at ETH Zurich, who
    operates a network of 18 monitoring stations across the ice sheet. ``But
    now we are facing more of these extremes.''

    Prof Steffen's data shows that between July 30 and August 2 a heatwave in
    Greenland produced several record highs across the ice sheet, including at
    East Grip, the second highest monitoring station. ``If you start melting at
    the top of the ice sheet, we are going to lose [the] Greenland ice sheet
    long-term,'' he adds.

    The immediate trigger for the heatwave was a shift in atmospheric currents
    high above the earth's surface: the North Atlantic Jet Stream, a fast
    current of wind that blows from west to east, had formed a buckle that was trapping warm air over Greenland. The same pattern had caused a
    record-setting heatwave in Europe a few days earlier, before shifting over
    to sit on top of the Greenland ice sheet.

    It's not just Greenland's weather that is governed by the jet stream.
    Across Europe and North America, it controls extreme weather conditions of
    all kinds, from winter cold snaps, to heatwaves, to storms...

    https://www.ft.com/content/591395fe-b761-11e9-96bd-8e884d3ea203

    ------------------------------

    Date: Tue, 6 Aug 2019 18:36:29 -0400
    From: <gjansen@aflcio.org>
    Subject: Re: AI Predictive Policing (RISKS-31.35)

    When this started making the news, I found myself thinking of entry 66 in
    Notebook F of Lichtenberg's *The Waste Books*:

    "If physiognomy becomes what Lavater expects it to become, children will
    be hanged before they have perpetrated the deeds that deserve the gallows;
    a new kind of confirmation will thus be performed every year. A
    physiognomical *auto-da-fe*."

    (There are slighting references to Lavater elsewhere in *The Waste Books*,
    which NYRB has brought back into print:
    https://www.nyrb.com/collections/all/products/the-waste-books?variant=1094932745)

    ------------------------------

    Date: Tue, 6 Aug 2019 15:44:21 -0700
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Re: Hawley/SMART Act (Stein/Goldberg, RISKS-31.35)

    Saints preserve us from "well-intentioned" politicians. This time around
    it's Josh Hawley, who wants to save us from social media addiction. I
    don't know anything about him. Wikipedia seems to indicate that he's a
    nice guy (except for that bit about not wanting people to have health
    care). OK, I'm with him so far. But the way he wants to do it is to make a
    simple fix. (Saints preserve us from "simple" solutions to complex
    problems.) He wants to limit how much "feed" you can get from a social
    media site on one go. Also limit your time on any given site to half an
    hour a day. (Ah, gee, Dad!)

    Right. I think I see the problem here. You see, Hawley is a lawyer.
    Lawyers have to go to law school, so they are fairly smart. And they help
    people with problems, so they like to fix problems. All good so far. The
    problem is that lawyers get used to thinking they are smarter than other
    people (which is generally true), and that they can fix pretty much any
    problem (which is not true). In particular, they tend to start thinking
    they can start fixing problems they don't know anything about, especially
    when they pupate out of the larval (lawyer) stage and into full-grown
    politicians.

    See, having a limit on how much socmed you can get in one go probably
    won't solve anything. And it's going to be a nuisance for many. Yesterday
    I had a meeting downtown. So, since I use Twitter for news, I went to my
    favorite bus stop, fired up Twitter, scrolled down as far as I could go,
    hopped on the 210 when it came, and noted which stories I wanted to read
    (later) all the way to the meeting. Which usually takes an hour. It would
    have been annoying to be limited to enough to cover just a few blocks. Not
    very effective use of my time.

    (Nor, when I come to think of it, very possible. I mean, I was only "on"
    Twitter for the few minutes it took to load the feed. Is he going to make
    Twitter, and all other apps, cut off after being on screen for 30 minutes?
    How's that going to work for people with perceptual disabilities, who need
    more time to read things?)

    And the sweet young thing beside me, following all of her friends and
    their latest "haul" videos, is not going to be limited by having to
    refresh the screen every few entries. She's doing that anyway. It just
    means that she's going to be refreshing the screen at some point when she
    should be watching for that car coming through the intersection where
    she's crossing the street. Plus, after she gets finished with Instagram,
    she'll be onto WhatsApp, and then Facebook, and then ... well, you get the
    picture.

    Sorry, Josh. You haven't solved anything.

    ------------------------------

    Date: Tue, 6 Aug 2019 16:24:21 -0500
    From: Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
    Subject: Re: Hawley/SMART Act (Stein/Goldberg, RISKS-31.35)

    ... infinite scroll would be illegal, as would autoplay videos.

    Great! I will once again be able to see how much content there is on a page
    by just looking at the scroll bar. And it won't distract my eyes and waste
    bandwidth on the junk I never wanted to see in the first place.

    ------------------------------

    Date: Wed, 7 Aug 2019 18:00:03 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Apple's Siri overhears your drug deals and sexual activity
    (RISKS-31.35)

    In other words, never discuss SIRIous matters (or a TV SERIes, etc, etc..)
    when Siri is present.

    ------------------------------

    Date: Fri, 9 Aug 2019 12:03:57 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: Siemens contractor pleads guilty to planting logic bomb in
    company spreadsheets (RISKS-31.35)

    Two quotes from the ZDNet article:

    But while Tinley's files worked for years, they started malfunctioning
    around 2014. Every time the scripts would crash, Siemens would call
    Tinley, who'd fix the files for a fee.

    It seems that if you work for Siemens, the poorer the quality of the work
    you produce, the more you will get paid. Just don't try to get too clever
    and use automation to emulate poor quality work: or at least, if you do,
    don't hand over the administrative password. You don't want your customer
    to gain control over the software which runs *their* business!

    If you are wondering why there is so much poor quality software
    out there: an ecosystem which gives higher rewards for poorer quality
    might possibly be a contributor!

    At least this particular contractor didn't try to use plausibly deniable
    bug injection: cf the "Underhanded C Contest"
    https://en.wikipedia.org/wiki/Underhanded_C_Contest

    ------------------------------

    Date: Thu, 8 Aug 2019 23:31:31 -0400
    From: Gabe Goldberg <gabe@gabegold.com>

    [continued in next message]
