    RISKS-LIST: Risks-Forum Digest Friday 13 May 2022 Volume 33 : Issue 20

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.20>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Oops! Looks like your Mirror isn't connected to a network (geoff goodfellow)
    Companies envision taxis flying above jammed traffic (techxplore)
    Global cost of cybercrime topped $6 trillion in 2021 (techxplore)
    As Cryptocurrencies Melt Down, $300 Billion Evaporates in Days (NYTimes)
    Crypto's Audacious Algorithmic Stablecoin Experiment Crumbles (Bloomberg)
    Decade-Old Bugs Discovered in Avast, AVG Antivirus Software
    (Charlie Osborne)
    Costa Rica Declares Emergency in Ongoing Cyberattack (ABC)
    Why Twitter May Be Doomed (Lauren Weinstein)
    Facebook is trying to capitalize on my grief (Rob Slade)
    EU plans to require backdoor to encrypted messages for child protection
    (Apple)
    Cellphones have no real off switch (Peter Gutmann)
    ICE 'now operates as a domestic surveillance agency,' think tank says
    (Engadget)
    ACM, Ethics, and Corporate Behavior (Moshe Vardi, CACM March 2022)
    Did bad interface design lead to the sinking of the Moskva?
    (Paul Robinson)
    Re: Bitcoin Is Unlikely to Go Green (John Levine)
    Re: Squirrels (Elinor Mills)
    Re: FBI Told Israel It Wanted Pegasus Hacking Tool for Investigations
    (Jan Wolitzky)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 12 May 2022 18:04:21 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Oops! Looks like your Mirror isn't connected to a network

    https://twitter.com/LordRavenscraft/status/1524482648315473922

    [That won't work in Red Rock Canyon Park (RISKS-30.72) and many other
    places with no wireless. PGN]

    ------------------------------

    Date: Tue, 10 May 2022 16:33:53 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Companies envision taxis flying above jammed traffic
    (techxplore.com)

    https://techxplore.com/news/2022-05-companies-envision-taxis-traffic.html

    With or without pilots? Droned if you do or droned if you don't!

    ------------------------------

    Date: Wed, 11 May 2022 09:57:38 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Global cost of cybercrime topped $6 trillion in 2021
    (techxplore.com)

    https://techxplore.com/news/2022-05-global-cybercrime-topped-trillion-defence.html

    The world's economy, per GDP estimates, is estimated @ US$ ~104T per https://en.wikipedia.org/wiki/World_economy (retrieved on 11MAY2022).

    The essay cites a deficit of ~200K cyber-security professionals, in Europe specifically, as a possible remedy to reduce grift and cut the skim.
    Investing in people, training, and infrastructure is proactive and usually, with supportive leadership, effective.

    The outrage expressed by corporate lobbyists to recently proposed SEC regulations (see https://www.sec.gov/files/33-11038-fact-sheet.pdf)
    indicates that disclosing corporate CxO cyber-skillsets for the investing public to assess might accelerate essential investments to tame the
    cybertheft wildfire.

    See "Industry Report" in https://www.washingtonpost.com/politics/2022/05/10/costa-rica-shows-damage-ransomware-can-do-country/
    (retrieved on 11MAY2022) for a discussion.

    ------------------------------

    Date: Fri, 13 May 2022 15:02:13 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: As Cryptocurrencies Melt Down, $300 Billion Evaporates in Days

    David Yaffe-Bellany, Erin Griffith, and Ephrat Livni
    *The New York Times*, 13 May 2022, National Edition front page + A20
    [PGN-ed]

    Bitcoin fell as low as $26,000, down 60% from its November 2021 peak, and
    down 20% in just the past five days. Just a few months ago, blockchain proponents were predicting the price would rise as high as $100,000 this
    year.

    "Stablecoin" TerraUSD imploded to a low of $0.23 (not backed by cash,
    and depending on Luna, which lost almost its entire value).

    Treasury's leader suggested a *regulatory framework* is needed.

    [See also:
    Cryptocurrencies Melt Down in a 'Perfect Storm' of Fear and Panic https://www.nytimes.com/2022/05/12/technology/cryptocurrencies-crash-bitcoin.html
    ]

    ------------------------------

    Date: Wed, 11 May 2022 12:03:17 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Crypto's Audacious Algorithmic Stablecoin Experiment Crumbles
    (Bloomberg)

    Stacy-Marie Ishmael, Bloomberg, 10 May 2022, via ACM TechNews, 11 May 2022

    The algorithmic stablecoin cryptocurrency does not provide greater stability than other cryptocurrencies. Conventional stablecoin issuers say their
    tokens are underpinned by "real" assets like cash or highly rated bonds, and can theoretically maintain stability because they can be readily swapped for cash or highly liquid cash equivalents. Algorithmic stablecoins try holding their value through a mix of instructions encoded in algorithms and active treasury management. The failure of such cryptoassets' price stability mechanisms could carry systemic ramifications for other coins and protocols,
    as CoinMarketCap counts roughly 18.5 billion TerraUSD stablecoins in circulation. Said Kyle Samani at the Multicoin Capital investment firm, "The biggest losers from all of this will be retail [investors] that didn't understand the risks they were taking."

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e9bfx233b92x071163&

    ------------------------------

    Date: Mon, 9 May 2022 12:08:31 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Decade-Old Bugs Discovered in Avast, AVG Antivirus Software
    (Charlie Osborne)

    Charlie Osborne, ZDNet, 5 May 2022, via ACM TechNews, 9 May 2022

    Researchers at cybersecurity software company SentinelOne reported two high-severity bugs in Avast and AVG antivirus products that have gone undetected for a decade. The researchers said the flaws have existed since 2012, and could have affected "dozens of millions of users worldwide." They found the bugs in the Avast Anti Rootkit driver, and the first vulnerability resided in a socket connection handler used by the kernel driver
    aswArPot.sys; hackers could hijack a variable during routine operations to escalate privileges, potentially disable security solutions, or meddle with target operating systems. The researchers described the second bug as "very similar" to the first, and rooted in the aswArPot+0xc4a3 function. Sentinel Labs on Dec. 20 informed Avast of the vulnerabilities, and the company had patched them by Feb. 11, with no active exploitation in the wild indicated.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e95ax233ad9x071942&

    ------------------------------

    Date: Fri, 13 May 2022 12:20:02 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Costa Rica Declares Emergency in Ongoing Cyberattack (ABC)

    Javier Cordoba, ABC News, 12 May 2022 via ACM TechNews; 13 May 2022

    Costa Rica has declared a state of emergency after enduring a month of ransomware attacks that have hobbled critical systems. The siege began last month when Costa Rica's Finance Ministry reported that its tax collection, customs, and other systems were affected; the hackers also targeted the nation's social security agency human resources system and its Labor
    Ministry. The Russian-speaking Conti gang took credit for the attack. Costa Rica's emergency declaration describes the perpetrators as "cybercriminals"
    and "cyberterrorists." The U.S. State Department said the gang has
    orchestrated hundreds of ransomware attacks over the past two years, collectively targeting more than 1,000 victims and extorting them for more
    than $150 million as of January 2022.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e9fdx233c2dx071807&

    ------------------------------

    Date: Mon, 9 May 2022 14:56:01 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Why Twitter May Be Doomed

    If a Musk "new regime" ruling @Twitter permits all speech that "is legal" -- Twitter is doomed. Because the parade of legal (in the U.S.) hate speech
    that will flood the platform will drive away most advertisers, brands, and support services that Twitter needs to operate.

    ------------------------------

    Date: Fri, 13 May 2022 05:49:22 -0700
    From: "Rob Slade, greatgrandpa and widower" <rslade@gmail.com>
    Subject: Facebook is trying to capitalize on my grief

    So, I posted what I thought was a bit of a joke (albeit maybe a dark one)
    about being pathetically lonely following bereavement.
    https://twitter.com/rslade/status/1522345541522235392
    https://www.blogger.com/blog/post/edit/626389518384655417/6860285728885858232#
    https://fibrecookery.blogspot.com/2022/05/ding.html
    https://www.facebook.com/rslade/posts/10160304212242853?notif_id=1651913627430909

    And posted it various places, including Facebook.

    Facebook has decided that either I am trying to raise money, or that I need
    to raise money. (Facebook, being obsessed with money? I think I'll have a heart attack and die from **NOT** being surprised.) Facebook has somehow flagged my post with a suggestion that I ask my "community" for "support,"
    that is, money. They even include a link to a page that will help you
    create "a fundraiser on Facebook in a few quick steps." (The page opens
    with a grid of 15 options for different categories of fundraisers, including "Other".)

    I mean, I understand that you have zero privacy on Facebook. I understand
    that Facebook considers everything you post there to be Facebook's property.
    I understand that they have programs that automatically read, categorize,
    and harvest everything you post. But, somehow, this seems more than vaguely creepy. I assume that Facebook is, somehow, going to monetize (for
    themselves) any funding that anyone does raise using Facebook. (I don't
    know those business models, but I assume that, at the very least, any money they raise for **anyone** helps them sell themselves as a fundraising
    vehicle to major charities.) But flagging (I assume) the word "bereaved"
    and then tying it to a pitch to raise money just seems a bit beyond the
    pale. Facebook is trying to capitalize on my (and others') grief.

    ------------------------------

    Date: Wed, 11 May 2022 07:53:40 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: EU plans to require backdoor to encrypted messages for child
    protection (Apple)

    https://appleinsider.com/articles/22/05/11/eu-plans-to-require-backdoor-to-encrypted-messages-for-child-protection

    ------------------------------

    Date: Fri, 13 May 2022 10:24:39 +0000
    From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
    Subject: Cellphones have no real off switch

    [This is an old topic in RISKS -- devices that are never off. PGN]

    WiSec has an upcoming paper on this for the specific case of iPhones: https://dl.acm.org/doi/10.1145/3507657.3528547

    The full paper is available via the parallel-publication mechanism on arXiv: https://arxiv.org/pdf/2205.06114

    ------------------------------

    Date: May 11, 2022 at 18:53:10 GMT+9
    From: Dewayne Hendricks <dewayne@warpspeed.com>
    Subject: ICE 'now operates as a domestic surveillance agency,' think tank
    says (Engadget)

    [Note: This item comes from friend David Rosenthal. DLH]

    ICE 'now operates as a domestic surveillance agency,' think tank says
    A study by the Center on Privacy and Technology found that ICE uses data
    brokers to avoid restrictions.

    By K. Holt, Engadget, 10 May 2022 https://www.engadget.com/ice-surveillance-report-us-government-193206600.html

    Although it's supposed to be restricted by surveillance rules at local,
    state and federal levels, Immigration and Customs Enforcement (ICE) has
    built up a mass surveillance system that includes details on almost all US residents, according to a report from a major think tank. Researchers from Georgetown Law's Center on Privacy and Technology said ICE "now operates as
    a domestic surveillance agency" and that it was able to bypass regulations
    in part by purchasing databases from private companies.

    "Since its founding in 2003, ICE has not only been building its own capacity
    to use surveillance to carry out deportations but has also played a key role
    in the federal government's larger push to amass as much information
    as possible about all of our lives," the report's authors state. "By
    reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has
    created a surveillance infrastructure that enables it to pull detailed
    dossiers on nearly anyone, seemingly at any time."

    The researchers spent two years looking into ICE to put together the
    extensive report, which is called "American Dragnet: Data-Driven Deportation
    in the 21st Century." They obtained information by filing hundreds of
    freedom of information requests and scouring more than 100,000 contracts and procurement records.

    The agency is said to be using data from the Department of Motor Vehicles
    and utility companies, along with the likes of call records, child welfare records, phone location data, healthcare records and social media posts. ICE
    is now said to hold driver's license data for 74 percent of adults and can track the movement of cars in cities that are home to 70 percent of the
    adult population in the US.

    The study shows that ICE, which falls under the Department of Homeland Security, has already used facial recognition technology to search through driver's license photos of a third of adults in the US. In 2020, the agency signed a deal with Clearview AI to use that company's controversial
    technology. In addition, the report states that when 74 percent of adults
    hook up gas, electricity, phone or Internet utilities in a new residence,
    ICE was able to automatically find out their updated address.

    The authors wrote that ICE is able to carry out these actions in secret and without warrants. Along with the data it acquired from other government departments, utilities, private companies and third-party data brokers, "the power of algorithmic tools for sorting, matching, searching and analysis has dramatically expanded the scope and regularity of ICE surveillance," the
    report states.

    Spending transactions reviewed by the researchers showed that, between 2008
    and last year, ICE spent around $2.8 billion on "new surveillance, data collection and data-sharing initiatives." It spent approximately $569
    million on data analysis, including $186.6 million in contracts with
    Palantir Technologies to help it make sense of its vast troves of
    data. Records showed that ICE also spent more than $1.3 billion on
    geolocation tech during that timeframe and $389 million on telecom interception, which includes tech that helps the agency track someone's
    phone calls, emails, social media activity and real-time Internet use.

    In addition, the findings suggest the agency started engaging in certain surveillance activities much earlier than previously believed. The
    researchers found a contract from 2008 that granted ICE access to the Rhode Island motor vehicle department's facial recognition database. Prior to
    that, it was understood that ICE started conducting facial recognition
    searches on state and local data sets in 2013.

    ------------------------------

    Date: Tue, 10 May 2022 09:26:40 +0200
    From: "Diego.Latella" <diego.latella@isti.cnr.it>
    Subject: ACM, Ethics, and Corporate Behavior (Moshe Vardi, CACM March 2022)

    A *great* note by Moshe Vardi. Sorry for late dissemination:

    ACM, Ethics, and Corporate Behavior https://cacm.acm.org/magazines/2022/3/258894-acm-ethics-and-corporate-behavior/fulltext

    ------------------------------

    Date: Sun, 8 May 2022 11:45:17 +0000 (UTC)
    From: "Paul Robinson" <paul@paul-robinson.us>
    Subject: Did bad interface design lead to the sinking of the Moskva?

    "Bad design can kill: Missile defense and user fatigue"
    https://www.youtube.com/watch?v=gaiVjJWOUWE

    Russian Cruiser Moskva was sunk by the Ukrainian Army. This was a
    significant win for Ukraine, because the Moskva was the Flagship of the
    Russian Navy, and its sinking is an irreplaceable loss, since Russia can't build ships due to various problems in its shipyards, as well as sanctions.

    Now, of course, most of us reading this are glad this happened, but what
    does it have to do with Risks? I'm glad you asked. Here's why.

    There is a significant weakness in Russian defense systems, and it may be
    the reason or a significant reason why the Moskva failed to defend itself
    against incoming missiles: the user interface of the operator consoles, and
    operator fatigue. There are some who say the reason the Moskva was sunk was
    due to holes in radar coverage (like thinking ship's radar only provides 180
    degrees of coverage), and thus the ship was blind to the approaching
    missiles. This opinion is a misunderstanding of how ship's radar works.
    Instead, it is argued the problem was because the radar operators missed
    seeing the missiles, and might actually not have been paying attention.
    Russian military doctrine generally makes soldiers follow the exact plan and
    not to deviate. This does not promote innovative or "out of the box"
    thinking. However, life has a nasty habit of making plans ineffective
    or useless.

    Russian ships tend to be heavily dependent on manual operation. Data from tracking systems is subject to human interpretation, and data in one system
    has to be transferred by hand. Russian navigation radar tends to be of the classic concentric circles, with refresh caused by a rotating line circling around the radius of the display, technology that was state of the art --
    back in the 1980s. Now, it is not that old stuff doesn't work; it is capable
    of very good performance. The problem is, it's labor-intensive. To be
    effective in this environment, crews must be of high quality and
    performance, in order for these manual systems to work.

    This then moves to the elephant in the room: operator fatigue. Now, in
    exercises and other practice drills, people are often very alert because
    the exercises are timed and the crew know something is going to happen. On real-world missions, the assumption is that there won't be any events. So imagine a sailor in the combat information center in a Russian warship is watching a green, circular "rotating cursor" radar display, for hours on
    end. Modern radar displays provide much more information, in ways that
    aren't effectively hypnotic. The average person -- or even the average sailor -- probably could not stare at that display for 30 solid minutes and
    maintain focus.

    Now, consider that sailor is staring at that screen, eight hours a day for seven weeks, and nothing happened. I think it is very likely that it would
    be difficult to maintain focus. So operator fatigue sets in. Consider that, with incoming missiles, the operator has about two minutes from first appearance of a dot on the radar until the missile hits. This demands
    immediate action to engage the missile, not enough time to call battle
    stations or their commanding officer for orders.

    So, after weeks of intense boredom, the operator might be distracted, half asleep, or smoking. The operator might not have seen the missile for maybe a minute, or never saw it at all, and even if the alarm was sounded, there is
    now not enough time to stop the missile from striking the ship. In short,
    only a well-trained crew and defined procedures to handle the attack could
    have saved them.

    So, this is one example of the potential risk of badly designed operator interfaces.

    ------------------------------

    Date: 8 May 2022 18:42:57 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: Bitcoin Is Unlikely to Go Green (RISKS-33.18)

    The most illuminating aspect of Proof of Stake is that it shows that many blockchain technologists/boosters are entirely innocent of any knowledge
    of business, or, at least, the history of business failures and frauds.

    Considering that they equally don't know economic history, such as why every country abandoned the gold standard, why deflation makes countries
    miserable, and why hyperinflation was always a political decision, it's not surprising.

    ------------------------------

    Date: Mon, 9 May 2022 06:52:03 -0700
    From: Peter G Neumann <neumann@CSL.SRI.COM>
    Subject: Re: Squirrels

    [Thanks to Elinor Mills. PGN]

    Free *Washington Post* article: https://wapo.st/3yn5L2u
    Kicking off Squirrel Week 2022 with some squirrels in the news

    "Meanwhile, in early March, the power went out in 4,000 homes in three New
    Orleans neighborhoods. A squirrel got the blame.
    <https://www.wwltv.com/article/news/local/orleans/first-bird-now-squirrel-second-animal-related-power-outage-in-week/289-280c3d91-68a0-47dd-91d3-3f41af6d925b>

    Bulling lives across the street from a substation and every morning watches
    squirrels commuting along the power lines. 'We look out here and we can see
    the squirrels,' Jim Bulling told WWL-TV..."

    ------------------------------

    Date: Fri, 13 May 2022 05:20:08 -0400
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: Re: FBI Told Israel It Wanted Pegasus Hacking Tool for
    Investigations (NYTimes)

    [See RISKS-33.02,03,05,06 for earlier items on this. PGN]

    WASHINGTON -- The FBI informed the Israeli government in a 2018 letter that
    it had purchased Pegasus, the notorious hacking tool, to collect data from mobile phones to aid ongoing investigations, the clearest documentary
    evidence to date that the bureau weighed using the spyware as a tool of law enforcement.

    The FBI's description of its intended use of Pegasus came in a letter from a top FBI official to Israel's Ministry of Defense that was reviewed by *The
    New York Times*. Pegasus is produced by an Israeli firm, NSO Group, which
    needs to gain approval from the Israeli government before it can sell the hacking tool to a foreign government.

    https://www.nytimes.com/2022/05/12/us/politics/fbi-pegasus-spyware-israel.html

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.20
    ************************
