RISKS-LIST: Risks-Forum Digest Tuesday 16 August 2022 Volume 33 : Issue 39
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.39>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia
(Deadline)
Meta finds new way of tracking users across websites (The Guardian)
Amazon, Oracle shrug off lawmaker fears of abortion data sales
(techxplore.com)
Zoom's Auto-Update Feature Came With Hidden Risks on Mac (WiReD)
A Single Flaw Broke Every Layer of Security in MacOS (WiReD)
Michigan plot to breach voting machines points to a national pattern
(WashPost)
On TikTok, Election Misinformation Thrives Ahead of Midterms (NYTimes)
How Frustration Over TikTok Has Mounted in Washington (NYTimes)
A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave
(WiReD)
Workplace Productivity: Are You Being Tracked? (NYTimes)
How thieves are using cell phones to see what's inside your car
(The Hacker News)
Sloppy Software Patches Are a Disturbing Trend (WiReD)
Sloppy Use of Machine Learning Is Causing a Reproducibility Crisis in
Science (WiReD)
You can lose health data de-centrally as well (Debora Weber-Wulff)
Buying real estate in the metaverse is 'dumbest' idea ever (Mark Cuban)
What do ordinary computer users NOT care about? Breaking up Big Tech
(Lauren Weinstein)
It's Potentially Illegal: As Crypto Crashed, Coinbase Stopped Some
Notifications (Mother Jones)
It Might Be Our Data, But It's Not Our Breach (Krebs on Security)
How Russia Took Over Ukraine's Internet in Occupied Territories (NYTimes)
Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways (PCMag)
The Danger of Posting Selfies (NowIKnow)
Quote of The Day (Edward Snowden)
CRYPTO-GRAM (Bruce Schneier PGN excerpted)
Re: "Dr. Birx ADMITS She 'Knew' COVID... (Steve Lamont)
Re: Tesla faces new probes into motorbike deaths, false advertising
(Steve Bacher)
Re: What about Signal or Whatsapp, etc. vs. voice callsignal or Whatsapp,
etc. vs. voice calls privacy/security? (John Levine)
Re: Tech giants, including Meta, Google, and Amazon, want to put an end to
leap-seconds (Arthur T.)
Re: Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux,
macOS Users (via geoff goodfellow)
Re: Rainwater everywhere on Earth unsafe to drink due to *forever
chemicals*, study finds (Craig S. Cottingham)
Re: Doug Jones's review (Mark Brader)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Fri, 12 Aug 2022 18:01:02 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: 'Ring Nation' Is Amazon's Reality Show for Our Surveillance
Dystopia (Deadline)
*Amazon's newest effort to normalize its surveillance network will feature footage from Ring surveillance cameras and commentary from comedian Wanda Sykes.*
Amazon's propaganda campaign to normalize surveillance is about to hit a
higher gear: Wanda Sykes is going to host a new show featuring videos taken from Ring surveillance cameras, Deadline reported
<https://deadline.com/2022/08/wanda-sykes-host-syndicated-viral-video-show-ring-doorbell-technology-1235089510/>
on Thursday. It will be called *Ring Nation*.
The show is being produced by MGM Television, which is owned by Amazon, and
Big Fish Entertainment, which ran another dystopian reality show: a piece of copaganda called *Live PD* which centered on commentary of police footage.
According to Deadline, the show will feature lighthearted viral content captured on Ring cameras, such as "neighbors saving neighbors, marriage proposals, military reunions and silly animals." These types of videos frequently go viral online, but hardly represent the reality of what Ring is used for. Besides home surveillance, Ring is a source of surveillance video
for police departments in the U.S. and abroad.
Amazon has done a lot of work to turn the U.S. into a Ring nation
off-camera. Ring's surveillance cameras and surveillance network have been aggressively rolled out by Amazon mainly by cultivating fear in suburbs
<https://www.vice.com/en/article/ywaa57/how-ring-transmits-fear-to-american-suburbs> about crime, and by entering partnerships with police departments
<https://www.vice.com/en/article/bjw9e8/inside-rings-quest-to-become-law-enforcements-best-friend> to give them unfettered access
<https://www.politico.com/news/2022/07/13/amazon-gave-ring-videos-to-police-without-owners-permission-00045513> to surveillance footage
<https://www.vice.com/en/article/v7memd/police-are-tapping-into-ring-cameras-to-expand-surveillance-network-in-mississippi>. Last year, advocacy
groups pushed for Amazon's Ring to be banned entirely
<https://www.vice.com/en/article/3aq4b9/48-advocacy-groups-call-on-the-ftc-to-ban-amazon-surveillance> by the Federal Trade Commission over concerns
its facial surveillance technology could fuel criminalization of Black and brown people in public spaces. [...]
https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia
------------------------------
Date: Sat, 13 Aug 2022 07:57:22 +0100
From: paul cornish <paul.a.cornish@googlemail.com>
Subject: Meta finds new way of tracking users across websites (The Guardian)
Following Apple's introduction of blocks that stopped Facebook from tracking users' activity across many websites, it looks like Meta has developed a
Facebook Mobile Browser to do just that.
https://www.theguardian.com/technology/2022/aug/11/meta-injecting-code-into-websites-visited-by-its-users-to-track-them-research-says?CMP=Share_iOSApp_Other
Clicking a hyperlink in Facebook does NOT open your preferred browser but a browser from Facebook. They also modify the websites' pages by inserting
code (surely a copyright issue?!) that enables the tracking.
From that browser's Settings menu it appears Facebook are recording data used to complete any forms and also payment details.
As a user our response is to turn off the saving of data and to remember to click the bottom right on the Facebook browser window and select Open in Browser.
------------------------------
Date: Sun, 14 Aug 2022 22:37:48 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Amazon, Oracle shrug off lawmaker fears of abortion data sales
(techxplore.com)
https://techxplore.com/news/2022-08-amazon-oracle-lawmaker-abortion-sales.html
'While all the companies detailed ways they keep data anonymized, "similar practices and policies at a number of brokers have already proven
insufficient, even before the overturning of Roe raised the stakes for tens
of millions of women," Trahan said Friday in a statement to Bloomberg.'
Does business calculate brand outrage risk arising from data breach? Yes,
but they repeatedly trivialize financial fallout as a cost of doing business
-- an operating expense passed along to the consumers via shrink-flation product prices traced to rising cyber-incident insurance premiums.
If breach penalties imposed minimum mandatory jail time for the CxOs and
boards of directors, one would expect businesses to adopt risk mitigation measures with greater sincerity and purpose.
While there's no guarantee that criminal penalties can motivate data breach reduction, attempted compliance with CISA standards and measures can reduce breach potential.
Alternatively, restricting indemnification from product terms of services -- excluding data breach from indemnification coverage -- will remind business governance that their own personal freedom is as much at risk as the
consumer data they readily exploit for profit.
------------------------------
Date: Sat, 13 Aug 2022 16:56:04 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Zoom's Auto-Update Feature Came With Hidden Risks on Mac (WiReD)
The popular video meeting app makes it easy to keep the software up to date -- but it also introduced vulnerabilities.
To exploit any of these flaws, an attacker would need to already have an initial foothold in a target's device, so you're not in imminent danger of having your Zoom remotely attacked. But Wardle's findings are an important reminder to keep updating -- automatically or not.
https://www.wired.com/story/zoom-auto-update-mac-flaws/
------------------------------
Date: Sat, 13 Aug 2022 20:29:54 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A Single Flaw Broke Every Layer of Security in MacOS (WiReD)
Mac exposure -- esoteric and not exploited -- yet
An injection flaw allowed a researcher to access all files on a Mac. Apple issued a fix, but some machines may still be vulnerable.
There is no evidence to date that the vulnerability has been exploited in
the real world. However, the flaw shows how, in some instances, it may be possible for attackers to move through an entire operating system,
increasingly being able to access more data. In the description for his
talk, Alkemade says that as local security on macOS moves more toward an iOS model, this highlights that multiple parts of the system need to be
reexamined.
https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos
------------------------------
Date: Mon, 15 Aug 2022 09:14:20 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Michigan plot to breach voting machines points to a national
pattern (WashPost)
A state inquiry found evidence of a conspiracy that has echoes elsewhere in
the country.
https://www.washingtonpost.com/politics/2022/08/14/michigan-voting-machine-breach/
------------------------------
Date: Sun, 14 Aug 2022 11:28:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: On TikTok, Election Misinformation Thrives Ahead of Midterms (NYT)
On TikTok, Election Misinformation Thrives Ahead of Midterms
The fast-growing platform's poor track record during recent voting abroad
does not bode well for elections in the U.S., researchers said.
https://www.nytimes.com/2022/08/14/business/media/on-tiktok-election-misinformation.html
------------------------------
Date: Sun, 14 Aug 2022 10:54:42 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How Frustration Over TikTok Has Mounted in Washington (NYTimes)
National security concerns over the Chinese-owned viral video app remain unresolved. Lawmakers and regulators are increasingly pushing for action.
https://www.nytimes.com/2022/08/14/technology/tiktok-china-washington.html
------------------------------
Date: Tue, 16 Aug 2022 00:45:02 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A New Jailbreak for John Deere Tractors Rides the Right-to-Repair
Wave (WiReD)
A hacker has formulated an exploit that provides root access to two popular models of the company's farm equipment.
John Deere did not respond to WIRED's request for comment about the
research.
https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022
------------------------------
Date: Mon, 15 Aug 2022 22:58:23 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Workplace Productivity: Are You Being Tracked? (NYTimes)
The Rise of the Worker Productivity Score
Across industries and incomes, more employees are being tracked, recorded
and ranked. What is gained, companies say, is efficiency and
accountability. What is lost?
https://www.nytimes.com/interactive/2022/08/14/business/worker-productivity-tracking.html
------------------------------
Date: Sun, 14 Aug 2022 15:45:38 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: How thieves are using cell phones to see what's inside your car
(The Hacker News)
Another reason not to leave personal belongings inside your vehicle.
Memphis police say car thieves are using their cell phone cameras to look through tinted windows.
During a crime forum in the Cooper-Young neighborhood
<https://wreg.com/news/local/spike-in-crime-leaves-cooper-young-residents-concerned/>,
Crump station officers said it was a new tool being used by the bad guys looking for items to steal.
They told the group it doesn't matter how dark the tint is on your windows; when you put a cell phone in camera mode up to the windows, you can see
right through them.
We put a cell up to a back window; sure enough, you could see everything in
the backseat. [...]
https://wreg.com/news/local/how-thieves-are-using-cell-phones-to-see-whats-inside-your-car/
------------------------------
Date: Sun, 14 Aug 2022 21:13:07 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Sloppy Software Patches Are a Disturbing Trend (WiReD)
The Zero Day Initiative has found a concerning uptick in security updates
that fail to fix vulnerabilities.
ZDI researchers say that bad patches happen for a variety of reasons.
Figuring out how to fix software flaws can be a nuanced and delicate
process, and sometimes companies lack the expertise or haven't made the investment to generate elegant solutions to these important problems. Organizations may be rushing to close bug reports and clear their slate and
may not take the time needed to conduct "root cause" or "variant" analysis
and assess underlying issues so deeper problems can be comprehensively
fixed.
https://www.wired.com/story/software-patch-flaw-uptick-zdi
------------------------------
Date: Mon, 15 Aug 2022 16:05:58 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Sloppy Use of Machine Learning Is Causing a Reproducibility
Crisis in Science (WiReD)
As Will Knight reports, when the Princeton researchers looked more closely, they realized the original researchers failed to properly separate the pools
of data used to train and test their code's performance. The mistake,
termed "data leakage," results in a system after being provided the
answers. When the Princeton researchers fixed those errors, they found that modern AI offered virtually no advantage over more conventional statistical methods. Further investigation showed that incorrect use of machine learning
in scientific research is a widespread problem.
https://link.wired.com/view/5be9ddd83f92a40469eae33ch3jjj.36b/abbd73d0
------------------------------
Date: Sat, 13 Aug 2022 23:04:33 +0200
From: Debora Weber-Wulff <weberwu@HTW-Berlin.de>
Subject: You can lose health data de-centrally as well
A little story from Germany:
The German security research group "Zerforschung" (literally breaking
something with research, a made-up word) published an account in German on August 11, 2022 of how they in just one night session managed to pull over a million health files from the de-central health provider management system, "InSuite" from DocCirrus (in German):
https://zerforschung.org/posts/doczirkus/
I will try and summarize the gory details in English here:
One of the group got irritated at their doctor who refused to send them
results of blood work by email. It had to be sent to them by way of this portal. This person couldn't sleep and was chatting with another person from the group who was up late. They thought the site looked a bit fishy, so they fired up their browser development tools.
First thing they saw was Google Maps being loaded with every page. And the payloads that were being returned were JSON with minified JavaScript code.
And there it was, the SMTP access data for that person's doctor's office, in the minified code. They hoped this would be for an extra, external mailbox
so that they could only send emails as the office, but not read them. They
were wrong. They were able to access the entire email correspondence of the doctor's office.
Where there is smoke, there is fire.
The key point of this product is that the data is stored de-centrally in
each office in a "data safe". But: the patients log on to a central server
and see all the doctor's offices they are registered for. It turns out that
the list of document IDs and their links are end-to-end encrypted. But the files themselves are not.
Just for giggles they tried out requesting information via API endpoint
without putting in the name of the receiver of the information. They
expected an error message. Instead they were given the information, unencrypted.
They started tinkering with URL paths. Instead of
/1/document/:patientDocument
they tried
/1/document
And were given a list of all the documents the doctor's office had stored
about the first person, the one who kicked this off. All sick notes, prescriptions, diagnoses, consultations with other doctors, everything.
So they thought: Hmm. What else does a doctor's office have?
Right, patients! So they tried
/1/patient
And were rewarded with a long list of over a thousand records of patient
data from this doctor's office. With name, address, birth date, insurance, telephone number, email-address, medicine. ...
There was more, of course. Ah, an Audit-Log was also there. Fine, then at
least someone could see what was happening - except the requests from the evening had not been logged to the audit file.
They wondered if they could get data from other doctor's offices by guessing the office number. Since this was only a 4-digit number, they ran a small
brute force program. Then they found a list on the central server with all
the valid numbers.
They didn't download all the data, just requested the number of patients for all of the offices. Then they wrote up a report and early in the morning followed the protocol: sent the report to the company, the Berlin data
privacy office, the national CERT and the federal information security
office.
They were amazed that the company reacted quickly: They just turned off the system. Nationwide. Which was, indeed, necessary. However, it appears that
the legal obligation to inform all of the patients that their data had been potentially compromised was not fulfilled. One friend saw on their doctor's web page that there was a notice that the document server system was getting
a "security update" so that ePrescriptions can be written [that is a
disaster story for another day].
The company did put out a little press notice:
https://www.doc-cirrus.com/medien/newsroom/30-pressemeldungen/411-presse-und-medien
two weeks after they were informed of the security issues. The site was
offline for almost a month, now the company says that all the issues have
been dealt with.
The publication about the security issues was put online another 2 weeks
after the site was back online.
German media have reported on this:
https://www.tagesschau.de/investigativ/ndr-wdr/sicherheitsluecke-arztsoftware-101.html
https://www.ardmediathek.de/video/mittagsmagazin/sicherheitsluecken-bei-praxissoftware/das-erste/Y3JpZDovL2Rhc2Vyc3RlLmRlL2FyZC1taXR0YWdzbWFnYXppbi9iYTdhMjAyZC0yMzE0LTQ0OWItOTBlNy1lNmRkNzVhOWNlODk
(probably both only available in German)
They have formulated three demands:
1. All the patients need to be informed that their data was out in the clear.
2. The data privacy office should fine the company. According to the
European GDPR, this could be up to 20 million Euros.
3. Software producers need to take data security and IT security
seriously. If their product is storing personal data, it must be able to
keep this data private.
I would perhaps add: they need to learn cryptography, too. Minification is
not encryption. And end-to-end encryption must be done right!
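The failure described above (an item route that checks the record, collection routes that return everything, and requests missing from the audit log) can be contrasted with a deny-by-default handler. This is an added example, not part of the original post and not DocCirrus code: the route shapes follow the post, while the session fields, role names, sample records and the reading of the leading path segment as a practice number are assumptions.

```javascript
'use strict';
// Added example, not DocCirrus code. Route shapes come from the post; the
// session fields, roles and records below are constructed assumptions.
const db = {
  documents: [
    { id: 'd1', practice: '1', patientId: 'p1', title: 'Blood work' },
    { id: 'd2', practice: '1', patientId: 'p2', title: 'Sick note' },
    { id: 'd3', practice: '2', patientId: 'p1', title: 'Prescription' },
  ],
  patients: [
    { id: 'p1', practice: '1', name: 'Patient One' },
    { id: 'p2', practice: '1', name: 'Patient Two' },
  ],
};
const auditLog = [];

const ok = (body) => ({ status: 200, body });
const deny = (status) => ({ status, body: null });

// Item endpoint: the record must belong to the practice in the path and,
// for a patient, to the caller. A foreign record looks like a missing one.
function getDocument(session, practice, docId) {
  const doc = db.documents.find((d) => d.id === docId && d.practice === practice);
  if (!doc) return deny(404);
  if (session.role === 'patient' && doc.patientId !== session.userId) return deny(404);
  return ok(doc);
}

// Collection endpoint: the same ownership rule, applied as a filter, so
// dropping the id from the path never widens what is returned.
function listDocuments(session, practice) {
  const inPractice = db.documents.filter((d) => d.practice === practice);
  if (session.role === 'staff') return ok(inPractice);
  return ok(inPractice.filter((d) => d.patientId === session.userId));
}

// The patient register is staff-only.
function listPatients(session, practice) {
  if (session.role !== 'staff') return deny(403);
  return ok(db.patients.filter((p) => p.practice === practice));
}

// Explicit route table: a path that is not listed here is refused.
// Assumption: the leading path segment identifies the practice.
const routes = [
  { pattern: /^\/(\d+)\/document\/([\w-]+)$/, handler: getDocument },
  { pattern: /^\/(\d+)\/document$/, handler: listDocuments },
  { pattern: /^\/(\d+)\/patient$/, handler: listPatients },
];

function dispatch(session, path) {
  if (!session) return deny(401);
  if (session.role !== 'patient' && session.role !== 'staff') return deny(403);
  for (const { pattern, handler } of routes) {
    const m = pattern.exec(path);
    if (!m) continue;
    // The caller must be registered with the practice named in the path.
    if (!session.practices.includes(m[1])) return deny(403);
    return handler(session, m[1], m[2]);
  }
  return deny(404);
}

// Single entry point: every request, allowed or refused, is audited.
function handle(session, path) {
  let result = deny(500);
  try {
    result = dispatch(session, path);
  } finally {
    auditLog.push({
      at: new Date().toISOString(),
      user: session ? session.userId : null,
      path,
      status: result.status,
    });
  }
  return result;
}

// Constructed sessions for a short demonstration run.
const patient = { userId: 'p1', role: 'patient', practices: ['1', '2'] };
const staff = { userId: 's1', role: 'staff', practices: ['1'] };
for (const [who, path] of [[patient, '/1/document'], [patient, '/1/patient'],
  [staff, '/1/patient'], [null, '/1/document/d1']]) {
  console.log(path, handle(who, path).status);
}
```

Because the audit entry is written in the single entry point rather than in each handler, refused and unauthenticated requests are recorded alongside successful ones.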
------------------------------
Date: Wed, 10 Aug 2022 17:24:23 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Buying real estate in the metaverse is 'dumbest' idea ever
(Mark Cuban)
In some cases, virtual real estate went for as much as a physical house. Republic Realm, an investment firm that owns and develops virtual real
estate, dropped a massive $4.3 million on a digital property located within
The Sandbox, one of the largest metaverse platforms, according to the Wall Street Journal.
A virtual plot next to Snoop Dogg's digital mansion within The Sandbox was purchased for $450,000 by an NFT collector who goes by the name "P-Ape" in 2021.
However, the virtual housing bubble may have popped.
https://www.cnbc.com/2022/08/10/mark-cuban-buying-real-estate-in-the-metaverse-is-dumbest-idea-ever.html
"investment firm that owns and develops virtual real estate" -- what can you say to that? Oh: That word ("investment") does not mean what you think it means.
------------------------------
Date: Tue, 16 Aug 2022 13:34:04 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: What do ordinary computer users NOT care about? Breaking up Big Tech
When I talk with ordinary computer users (not activists), they never
bring up an interest in "breaking up" Big Tech. They just say devices
are too confusing, there's too much malware and security concerns, and
so on. All things breaking up Big Tech would make worse. -L
[Congresscritters are clearly not "ordinary computer users". PGN]
------------------------------
Date: Wed, 10 Aug 2022 18:53:41 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: It's Potentially Illegal: As Crypto Crashed, Coinbase Stopped
Some Notifications (Mother Jones)
The exchange's emailed price alerts ended right when customers may have
needed them the most.
Coinbase's decision to stop email notifications in the middle of a dramatic cryptocurrency crash has not been previously reported. But academics who
spoke to Mother Jones note that Coinbase’s decision likely contributed to losses for retail crypto investors who may otherwise have sold their
holdings ahead of further devaluation. The change to price updates could run afoul of federal or state consumer protection laws, they said, particularly
if it hurt the wallets of any of the relatively inexperienced traders who flocked to crypto in droves during the pandemic
https://www.motherjones.com/politics/2022/08/its-potentially-illegal-as-crypto-crashed-coinbase-stopped-some-notifications
If Coinbase didn't promise updates, are they on the hook for stopping them?
A while ago I bought a pittance of Bitcoin/Eth and have occasionally checked their value. I don't expect Coinbase to notify me of changes -- that would
be annoying -- any more than I expect a broker to do that. Are cryptoheads
such snowflakes as to need hand-holding?
------------------------------
Date: Sat, 13 Aug 2022 00:08:52 -0400
From: Monty Solomon <monty@roscom.com>
Subject: It Might Be Our Data, But It's Not Our Breach (Krebs on Security)
https://krebsonsecurity.com/2022/08/it-might-be-our-data-but-its-not-our-breach/
------------------------------
Date: Tue, 16 Aug 2022 14:59:51 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How Russia Took Over Ukraine's Internet in Occupied Territories
(The New York Times)
Internet traffic in Kherson is being diverted through Russia. Internet
routing data for a service provider in Kherson shows traffic beginning to
flow through Russian networks in May before fully transitioning by early
June.
"Several weeks after taking over Ukraine's southern port city of Kherson, Russian soldiers arrived at the offices of local Internet service providers
and ordered them to give up control of their networks. They came to them
and put guns to their head and just said, 'Do this,'" said Maxim Smelyanets, who owns an Internet provider that operates in the area and is based in
Kyiv. "They did that step by step for each company."
Russian authorities then rerouted mobile and Internet data from Kherson
through Russian networks, government and industry officials said. They
blocked access to Facebook, Instagram and Twitter, as well as to Ukrainian
news websites and other sources of independent information. Then they shut
off Ukrainian cellular networks, forcing Kherson's residents to use Russian mobile service providers instead.
https://www.nytimes.com/interactive/2022/08/09/technology/ukraine-internet-russia-censorship.html
------------------------------
Date: Sun, 14 Aug 2022 23:57:23 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways
(PCMag)
A Black Hat talk unpacks how blockchain-based projects can break so easily
and inflict such catastrophic damage.
LAS VEGAS: So-called Web3 ventures have suffered enough meltdowns to keep an entire site ("Web3 is going just great") busy chronicling them in multiple posts per day. But what has made this category of sites providing cryptocurrency and other services based on blockchain technology seem so snakebit?
A briefing at the Black Hat information-security conference here outlined common aspects to recent high-profile Web3 hacks that have resulted in the theft of hundreds of millions of dollars' worth of cryptocurrencies. The
single biggest factor: how quickly an attacker can turn a vulnerability into money.
"Simple mistakes can have immediate and devastating consequences," said
Nathan Hamiel, senior director of research at Kudelski Security.
"Gone In 60 Seconds isn't just a terrible Nicolas Cage movie,
it's also what happens to all your money."
https://www.pcmag.com/news/why-is-web3-security-such-a-garbage-fire-let-us-count-the-ways
...and the counting's just begun.
------------------------------
Date: Sun, 14 Aug 2022 20:28:24 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Danger of Posting Selfies (NowIKnow)
In September of 2019, a 20-year-old Japanese pop singer (whose name I'm omitting because almost all of the press reports similarly kept her
anonymous) was attacked outside her apartment. Her attacker was a stalker
named Hibiki Sato -- a self-described fan whose obsession with the singer
took a very violent turn. Physically, she was okay after a short recovery period; mentally and emotionally, it's difficult to tell how she managed to move forward.
Unfortunately, many famous people have similar fears. Stalkers, particularly
in a world where you're expected to share the details of your lives
publicly, are a constant threat. Many celebrities take common-sense
precautions as a result, such as hiding their home address as much as
possible. That means not taking selfies in or near your home, and if you do, never showing any notable landmarks that a would-be attacker can use to
sleuth out your location. By all accounts, Sato's victim had taken all
of these precautions, though. He, however, had seen this not as a barrier,
but as a challenge. All he needed to do was stare into his victim's eyes.
According to Japan Today, "Sato said he'd been able to determine where his target lived by looking at selfies she'd posted on social media,
specifically by looking at the reflection in her eyes of the surrounding scenery in outdoor shot." While those images were tiny and often not quite
in focus, Sato was undeterred. He took whatever limited information he could glean from her eyes and cross-referenced it with images from Google Street View. At some point, the singer's eyes reflected an image of a railway stop
and Sato was able to find that location; from there, he was able to increasingly narrow the radius around her apartment. Per CBS News, he "also told police he studied seemingly innocuous details in videos the woman shot
in her apartment, such as curtain placement and the direction of natural
light entering the window, to figure out which building she lived in." Ultimately, he had enough information to make a 30 km (18 miles) trip from
his home to where he correctly deduced she lived. Then, he just lay in wait
for her to return home, and finally, he attacked.
https://nowiknow.com/the-danger-of-posting-selfies/
------------------------------
Date: Mon, 15 Aug 2022 08:54:52 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Quote of The Day (Edward Snowden)
*"Look, I'm just going to say it:*
*At a certain point, our corrupt and moribund political culture has no hope
of solving humanity's problems. You either bet on science and technology, or you bet on extinction."*
https://twitter.com/Snowden/status/1550119405199118337
------------------------------
Date: Mon, 15 Aug 2022 07:32:46 +0000
From: Bruce.Schneier <schneier@schneier.com>
Subject: CRYPTO-GRAM (where crypto means cryptography, not that other stuff)
Table of Contents from Bruce's latest CRYPTO-GRAM, 15 Aug 2022
[Your subscribing is recommended, because I cannot pick and choose just
one or a few! However, I recommend particularly Bruce's coverage of items
that have not been covered adequately already in RISKS. PGN]
[For back issues of CRYPTO-GRAM, or to subscribe, visit Crypto-Gram's web
page: <https://www.schneier.com/crypto-gram/>]
1. San Francisco Police Want Real-Time Access to Private Surveillance
Cameras
2. Facebook Is Now Encrypting Links to Prevent URL Stripping
3. NSO Group's Pegasus Spyware Used against Thailand Pro-Democracy
Activists and Leaders
4. Russia Creates Malware False-Flag App
5. Critical Vulnerabilities in GPS Trackers
6. Apple's Lockdown Mode
7. Securing Open-Source Software
8. New UEFI Rootkit
9. Microsoft Zero-Days Sold and Then Used
10. Ring Gives Videos to Police without a Warrant or User Consent
11. Surveillance of Your Car
12. Drone Deliveries into Prisons
13. SIKE Broken
14. NIST's Post-Quantum Cryptography Standards
15. Hacking Starlink
16. A Taxonomy of Access Control
17. Twitter Exposes Personal Information for 5.4 Million Accounts
18. Upcoming Speaking Engagements
------------------------------
Date: Sat, 13 Aug 2022 06:25:55 -0700
From: Steve Lamont <spl@tirebiter.org>
Subject: Re: "Dr. Birx ADMITS She 'Knew' COVID... (Lamont, RISKS-33.38)
[So who has the definitive data? Apparently no one? PGN]
For some reason my posting was truncated, leaving off important
reference material about VAERS and its use and *misuse*.
https://vaers.hhs.gov/about.html
About VAERS
Established in 1990, the Vaccine Adverse Event Reporting System (VAERS) is
a national early warning system to detect possible safety problems in
U.S.-licensed vaccines. VAERS is co-managed by the Centers for Disease
Control and Prevention (CDC) and the U.S. Food and Drug Administration
(FDA). VAERS accepts and analyzes reports of adverse events (possible side
effects) after a person has received a vaccination. Anyone can report an
adverse event to VAERS. Healthcare professionals are required to report
certain adverse events and vaccine manufacturers are required to report
all adverse events that come to their attention.
VAERS is a passive reporting system, meaning it relies on
individuals to send in reports of their experiences to CDC and
FDA. VAERS is not designed to determine if a vaccine caused a health
problem, but is especially useful for detecting unusual or
unexpected patterns of adverse event reporting that might indicate a
possible safety problem with a vaccine. This way, VAERS can provide
CDC and FDA with valuable information that additional work and
evaluation is necessary to further assess a possible safety concern.
To wit, an inclusion of a report in VAERS does not necessarily
establish a causal relationship. Sometimes coincidences happen. I can
speak for personal experience on that.
The RISK? Post-hoc, propter-hoc reasoning.
------------------------------
Date: Sat, 13 Aug 2022 09:17:04 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: Tesla faces new probes into motorbike deaths, false advertising
(RISKS-33.38)
Someone forgot to include the link:
https://arstechnica.com/cars/2022/08/tesla-faces-new-probes-into-motorbike-deaths-false-advertising/
------------------------------
Date: 13 Aug 2022 15:27:44 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: What about Signal or Whatsapp, etc. vs. voice callsignal or
Whatsapp, etc. vs. voice calls privacy/security? (LW, RISKS-33.38)
[continued in next message]