    RISKS-LIST: Risks-Forum Digest Friday 13 September 2019 Volume 31 : Issue 42

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.42>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    CIA source pulled from Russia had confirmed Putin ordered 2016 meddling
    (Zack Budryk/The Hill)
    Open Privacy discovers unencrypted patient medical information
    broadcast across Vancouver (Open Privacy Research Society)
    Blockchains and Cryptocurrency (Nick Weaver)
    Bank of America less than charitable to charity that says it was hacked
    (BostonGlobe)
    Sysadmins Scramble to Secure 5M Exim Email Servers (Security Boulevard)
    3-D Printers Could Help Spread Weapons of Mass Destruction
    (Scientific American)
    The Next Generation of Airbus Aircraft Will Track Your Bathroom Visits
    (Time)
    Why a cup of coffee forced a plane to make an unplanned landing (WashPost)
    Chinese police sniff out a fugitive -- literally -- in the case of the
    telltale hot pot (WashPost)
    Apple makes changes to kids app guidelines after criticism from developers
    (WashPost)
    Alabama is penalizing students for leaving football games early.
    Is that normal? (WashPost)
    Sorry, general AI is still a long, long way off (Mary Branscombe)
    Re: Russia-Ukraine power-grid blackout (Gabe Goldberg)
    Re: Robot hires human being in world first as AI conducts job interview
    (Amos Shapir)
    Re: Hackers short-change themselves; 21st century UK NHS (Chris Drewe)
    Re: Tweet from Fridge: possible but probably not in this case
    (Anthony Thorn)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 10 Sep 2019 14:52:01 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: CIA source pulled from Russia had confirmed Putin ordered 2016
    meddling (Zack Budryk/The Hill)

    The Voting News Daily, a news service of Verified Voting

    A CIA asset reportedly pulled from Russia in 2017 played a major role in the agency's determination that Russian President Vladimir Putin personally
    ordered Moscow's meddling in the 2016 election, according to *The New York Times*. The informant, while not in Putin's inner circle, interacted with
    him regularly and was privy to decision-making at high levels of the Russian government, according to The Times. Information on the informant's identity
    was so carefully guarded that it was kept out of then-President Obama's
    daily security briefings in 2016, instead transmitted in separate sealed envelopes. In 2016, high-level CIA officials ordered a full review of the source's record and grew suspicious he might have become a double agent
    after he rejected an offer of exfiltration from the agency, according to the Times. Other officials said these concerns were alleviated when the source
    was offered a second time and accepted.

    [The original source is this:
    Julian E. Barnes, Adam Goldman and David E. Sanger
    CIA Informant Extracted From Russia Had Sent Secrets to U.S. for Decades
    *The New York Times*, 10 Sep 2019 (updated from the previous day)
    Also of related interest are op-ed pieces by Michelle Goldberg and Paul
    Krugman in The NYT on 10 Sep 2019. PGN]

    ------------------------------

    Date: Tue, 10 Sep 2019 08:08:08 -0400
    From: José María /Chema/ Mateos <chema@rinzewind.org>
    Subject: Open Privacy discovers unencrypted patient medical information
    broadcast across Vancouver (Open Privacy Research Society)

    https://openprivacy.ca/blog/2019/09/09/open-privacy-discovers-vancouver-patient-medical-data-breach/

    The Open Privacy Research Society has discovered that the sensitive medical information of patients being admitted to certain hospitals across the
    Greater Vancouver Area is being broadcast, unencrypted, by hospital paging systems, and that these broadcasts are trivially interceptable by anyone in
    the Greater Vancouver Area.

    The data being broadcast includes the patient's name, age, gender marker, diagnosis, their attending doctor and room number. Other broadcasts
    regarding medical tests such as x-rays are often associated with a patient's last name or medical number, exposing their progression through hospital departments. Some broadcasts appear to contain freeform text, allowing other sensitive information to be entered as well. We have been able to confirm
    the authenticity of this data by cross-referencing records with public obituaries.

    ------------------------------

    Date: Tue, 10 Sep 2019 13:51:26 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Blockchains and Cryptocurrency (Nick Weaver)

    Nick Weaver has been an occasional contributor to RISKS over the past 23
    years, and is the author of the CACM Inside Risks article #244,

    Risks of Cryptocurrencies, CACM June 2018
    http://www.csl.sri.com/neumann/insiderisks.html -- or directly at
    http://www.csl.sri.com/neumann/cacm244.pdf

    This month's IEEE Computer Society *edge* magazine (September 2019, pp
    23-26, www.computer.org/computingedge) condenses Nick's Silver Bullet
    podcast interview with Gary McGraw, and succinctly updates the
    above-mentioned Inside Risks article. I recommend the *edge* interview for anyone unclear about the RISKS-related issues associated with
    blockchains and cryptocurrencies.

    PGN

    ------------------------------

    Date: Tue, 10 Sep 2019 20:39:31 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Bank of America less than charitable to charity that says it was
    hacked (BostonGlobe)

    https://www.bostonglobe.com/business/2019/09/09/the-fine-print-bank-america-less-than-charitable-charity-that-says-was-hacked/IENfpHpEkjTf0rzvpzHbfJ/story.html

    ------------------------------

    Date: Tue, 10 Sep 2019 20:14:17 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Sysadmins Scramble to Secure 5M Exim Email Servers
    (Security Boulevard)

    https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/

    ------------------------------

    Date: Wed, 11 Sep 2019 17:00:06 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: 3-D Printers Could Help Spread Weapons of Mass Destruction
    (Scientific American)

    https://www.scientificamerican.com/article/3-d-printers-could-help-spread-weapons-of-mass-destruction/

    ``In the mid-1990s boy scout David Hahn used household objects and his scientific knowledge to start building a nuclear reactor in his
    backyard. Police and the Environmental Protection Agency stopped him before
    he could finish. Twenty years later, revolutions in manufacturing and
    computing have made projects such as Hahn's a lot more feasible; if he had access to a 3-D printer, for example, he might have finished his reactor
    before authorities intervened. Modern technologies also mean one does not
    need to be as smart as Hahn to create at least some kinds of DIY
    weapons. With the right machine and blueprints anyone can build a handgun in their living room -- and firearms are just the beginning. Researchers fear that artificial intelligence and 3-D printing might one day create, on
    demand, weapons of mass destruction.''

    The WMD Do-It-Yourself kit is a frightening possibility. Can a 3-D printer enable WMD deployment of a chemical or biological device?

    Thanks to Graham Allison's efforts, and the Nunn-Lugar Cooperative Threat Reduction legislation of 1991, WMD material (enriched uranium and plutonium, biological/chemical) became more difficult to acquire as the Soviet Union disintegrated. Threat reduction implementation tapered substantially after Russia annexed Crimea. https://en.m.wikipedia.org/wiki/Nunn%E2%80%93Lugar_Cooperative_Threat_Reduction

    ------------------------------

    Date: Fri, 13 Sep 2019 21:42:13 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: The Next Generation of Airbus Aircraft Will Track Your Bathroom
    Visits (Time)

    https://time.com/5675566/airbus-airplane-bathroom-tracker/

    ``The Airbus Connected Experience aims to give flight attendants a more detailed survey of the cabin, with sensors for such critical data as when bathroom soap is running low and how much toilet paper remains in each bathroom. But the rethinking of the passenger environment doesn't just stop with the lavatory. At each seat, your belt will signal red for unbuckled and green when fastened. The goal is faster boarding and departure, dispensing
    with those lap-scrutinizing walk-throughs flight attendants must
    perform. The crew will also have access to information on what's onboard and where, like which galley carts contain specific meals, such as pre-orders or vegetarian selections.''

    What happens if there's a faulty or intermittent seat belt lock/unlock
    sensor? Will each flier be required to wear an RFID tag that is scanned when entering and exiting the toilet? Will airlines compile a passenger
    `compliance score' and use it to raise or lower ticket prices, or deny purchase, based on profiled compliance history?

    ------------------------------

    From: Monty Solomon <monty@roscom.com>
    Date: Fri, 13 Sep 2019 11:18:48 -0400
    Subject: Why a cup of coffee forced a plane to make an unplanned landing
    (WashPost)

    A new safety bulletin from the British government shows that an unplanned landing in Ireland was caused by coffee that spilled on a control panel in
    the cockpit. The airline says it is now providing lids for coffee.

    https://www.washingtonpost.com/travel/2019/09/12/why-spilled-cup-coffee-forced-plane-make-an-unplanned-landing/

    ------------------------------

    Date: Fri, 13 Sep 2019 11:35:07 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Chinese police sniff out a fugitive -- literally -- in the case of
    the telltale hot pot (WashPost)

    China leads the world in facial recognition tech but sometimes police just
    use their noses as well.

    https://www.washingtonpost.com/world/asia_pacific/chinese-police-sniff-out-a-fugitive--literally--in-the-case-of-the-telltale-hot-pot/2019/09/12/86db31a8-d521-11e9-ab26-e6dbebac45d3_story.html

    ------------------------------

    Date: Fri, 13 Sep 2019 11:36:51 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Apple makes changes to kids app guidelines after criticism from
    developers (WashPost)

    https://www.washingtonpost.com/technology/2019/09/12/apple-makes-changes-kids-app-guidelines-following-criticism-developers/

    ------------------------------

    Date: Fri, 13 Sep 2019 11:37:50 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Alabama is penalizing students for leaving football games early.
    Is that normal? (WashPost)

    Plenty of schools have incentive programs for students who attend games, but ones who give demerits for early exits are harder to find.

    https://www.washingtonpost.com/sports/2019/09/13/alabama-is-penalizing-students-leaving-football-games-early-is-that-normal/

    ------------------------------

    Date: Thu, 12 Sep 2019 10:09:19 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: Sorry, general AI is still a long, long way off (Mary Branscombe)

    [On the limits of computer searching:]

    Mary Branscombe for 500 words into the future, ZDNet, 12 Sep 2019

    Artificial intelligence might have passed a school science test but when everyday tasks are still well beyond its ability, we can't even talk about building general purpose AI. https://www.zdnet.com/article/sorry-general-ai-is-still-a-long-long-way-off/

    opening text:

    For the last few weeks, we've been watching a plant grow on our windowsill.
    A seed blew into the window box and took root, and started to shoot up.

    There was nothing growing in that end-of-the-window box, so we left it until
    we could see whether it was a weed or a nice plant.

    The seed had been long and black, and the stem grew tall and spindly. Once
    we could see a few leaves, I started searching the web for a plant with a
    long, hairy stem and long, pointed leaves springing alternately from the
    stem, that grow in the UK from long black seeds, that are pointy at one end
    and round at the other.

    If you described that to a botanist or a gardener, they would tell you immediately that it was probably a sunflower, but I didn't get any useful results from searching by the description. In fact, none of the lists of UK plants with hairy stems or alternate leaf-growth patterns that I did find included the sunflower.

    It wasn't until we could see the flower forming and looking very like a sunflower that I could search for 'sunflower hairy stem' and get a
    description telling me that sunflowers have long, hairy stems and leaves growing alternately from the stem. Once I knew what I wanted, the machine learning behind the search engine could tell me about it, but it couldn't
    take my description and tell me what I was looking at.

    ------------------------------

    Date: Thu, 12 Sep 2019 18:58:53 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Re: Russia-Ukraine power-grid blackout (WiReD)

    A fresh look at the 2016 blackout in Ukraine suggests that the cyberattack behind it was intended to cause far more damage.

    https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/

    ------------------------------

    Date: Tue, 10 Sep 2019 17:32:47 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Robot hires human being in world first as AI conducts job
    interview (RISKS-31.41)

    For the past 20 years or so, many large companies have tried to match candidates with positions by automatic processes to scan CV's for keywords; this method may be faster, but may miss candidates who would do an excellent job, but whose CV does not contain *exactly* the same keywords a manager had
    to come up with to describe the job.

    Thus, much of the interview process is already done by robots; however the
    new method misses an even more important aspect: getting a candidate
    acquainted with the people s/he's going to be working with. (Though in this case, the job's description seems to indicate that the newly hired employee would be working mainly with robots anyway)

    ------------------------------

    Date: Thu, 12 Sep 2019 22:21:47 +0100
    From: Chris Drewe <e767pmk@yahoo.co.uk>
    Subject: Re: Hackers short-change themselves; 21st century UK NHS (RISKS-31.41)

    1. The theft of British Airways's customer payment card details in 2018 was
    widely reported, but it seems that the hackers also lost out due to the
    sudden abundance of saleable information reducing the black-market value
    of these details...

    Summary follows. The full article [not included] gives typical black-market values for personal details; the title comes from a comment that ``the
    typical profile of cyber-crime victims are well-off, middle-aged
    professionals aged 35-44 with an income above 50,000 pounds [$65,000] in managerial positions.''

    https://www.telegraph.co.uk/technology/2019/09/10/rich-smart-sensibly-grown-up-hackers-dream/

    Rich, smart and sensibly grown-up? You're the hackers' dream
    Harry de Quetteville, 10 Sep 2019

    Poor hackers. British Airways's aircraft may be grounded again, but at least this time the company knows why: its pilots are on strike. Too often in
    recent years the company has stranded passengers because of mysterious IT foul-ups.

    The cost of some of those failures was not always immediately apparent.
    In 2018 half a million BA customers had their payment card details
    stolen.

    It was only later BA was hit with a huge £183m fine for the breach.
    And it now turns out it wasn't just BA and its passengers who suffered.
    Hackers did too.

    So many fraudulent cards hit the market after the data breach at BA (as well
    as others at Marriott, and Ticketmaster) that black market prices collapsed.

    2. RISKS often features the problems of the latest technology, but here's an
    item on the problems of *not* using this. The UK's National Health
    Service (`the envy of the world') still uses fax machines, pagers,
    land-line telephones, etc. for communications, which are obviously not
    ideal for a large organisation dealing with a huge throughput of
    patients, especially as much information is time- and life-critical.
    Some staff unofficially use social networking sites like WhatsApp, but
    there are big RISKS here with patient confidentiality, possibility of
    confusion between personal and work information, no way of sorting
    incoming messages, and so forth.

    Working in health is quite a high-pressure job in general of course, but if it's difficult to make contact with other people this just raises stress
    levels and wastes valuable time. This article features a junior doctor,
    Lydia Yarlott, who has come up with a fix (summary follows):

    https://www.cityam.com/wp-content/uploads/2019/09/CITYAM_20190910_NEW.pdf

    With WhatsApp being seen as a sort of sticking plaster to the
    communication problem, in true doctor fashion, Yarlott started concocting
    a cure. With the help of a team of technologists, she has built a secure instant messaging service called Forward Health designed for doctors,
    nurses, midwives, and other clinicians. Through the app, NHS staff can search by name or role in a hospital or clinic, share patient notes and photos, with everyone working off the same list. On average, the app
    saves each clinician 43 minutes per shift, which is time that would
    usually be wasted waiting for a colleague to call them back. It means that doctors can access the info they need anywhere in the hospital, ultimately allowing them to move away from paper notes. It's a simple idea, and remarkable that nothing like this existed in the NHS already, which just
    goes to show how far behind official hospital technology -- still heavily reliant on pagers -- really is. And it's worrying that old-fashioned and counterintuitive tech is exacerbating existing issues in the NHS, making
    the working lives of staff even harder. While bringing NHS tech into the modern era is vital, the organisation is such a vast and complex web that updating the system is painfully difficult -- not to mention the fact that [NHS] trusts tend to make standalone decisions, rather than learning from each other.

    ------------------------------

    Date: Fri, 13 Sep 2019 00:33:35 +0800
    From: Dan Jacobson <jidanni@jidanni.org>
    Subject: Re: *a seatbelt for the Internet* (Fortune, RISKS-31.41)

    A serious issue is [that] your phone's precious single USB socket is rated
    for only a limited amount of plugging in and out, after which it will start
    to fail (bad connection, not all metal plates properly in contact).

    Meaning you won't be able to charge your phone anymore -- spelling the
    certain demise of your phone completely, as it would make more sense to get
    a fast new phone rather than repair an old slow one.

    Mom was right. See what happens after too much `phone s*x'.

    ``Avoid multiple partners'' they say. Well even too much plugging in and out 'action' with the same partner will lead to `terminal' illness, as was my experience with MicroUSB. And I'm not going to increase my `libido' and RISK
    it with my new Type C phone. I'm just not in the mood, OK?

    ------------------------------

    Date: Tue, 10 Sep 2019 10:06:21 +0200
    From: Anthony Thorn <anthony.thorn@atss.ch>
    Subject: Re: Tweet from Fridge: possible but probably not in this case
    (RISKS-31.41)

    Re: "Bright Idea --Can't stop..." (RISKS-31.41)

    This raised some questions in my mind, so here is a little follow-up, from: https://www.theguardian.com/technology/2019/aug/13/teen-smart-fridge-twitter-grounded

    "After reports emerged questioning Dorothy's account, LG confirmed that some
    of its fridge models have social media capabilities, but the company could
    not confirm whether Dorothy's tweet was sent from one.

    ``We don't know if Dorothy actually used an LG smart refrigerator to tweet,
    but yes – it is possible to access Twitter via the web browser on select LG smart refrigerator models,'' an LG spokeswoman, Taryn Brucha, said.

    Igor Brigadir, a computer researcher at University College Dublin, reviewed
    the tweets for the Guardian and said that the metadata for Dorothy's Wii U
    and Nintendo tweets showed that the tweets were legitimate. He said others
    had used the devices to post on Twitter in the past.

    But the refrigerator tweet, Brigadir said, most likely did not come from the fridge. ``The LG fridge [tweet] was definitely manually created,'' he said.

    Brigadir examined the metadata of the tweets and discovered that they were
    sent through a custom Twitter app. If Dorothy had tweeted from the fridge, Brigadir continued, the metadata would probably have said the tweet was sent through a browser, not from a fridge.

    Dorothy was able to make it look like she tweeted from the fridge because custom apps can be renamed on Twitter to make tweets appear as though they
    were sent from different devices.

    ``For me, the thing that seals it is the fact that nobody else ever made any other tweets from that fridge, whereas, for the Wii U and Nintendo clients, there's fresh tweets daily,'' Brigadir added.

    [Amos Shapir notes that this is rather old news -- and probably fake: https://www.buzzfeednews.com/article/stephaniemcneal/dorothy-fridge-tweets
    PGN]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.42
    ************************
