    RISKS-LIST: Risks-Forum Digest Thursday 12 December 2019 Volume 31 : Issue 50

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.50>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    If you think you voted in November in PA ... think again! (Rebecca Mercuri)
    Election Security regulations in the U.S (Fortune)
    A banner day for truth, consequences, integrity, and privacy (PGN)
    China to remove all foreign computer equipment from government
    (The Guardian)
    Chinese tech groups shaping UN facial recognition standards (FT)
    China introduces mandatory face scans for phone users (AFP)
    TikTok Reverses Ban on Teen Who Slammed China's Muslim Crackdown (NYT)
    Deepfakes (YouTube via Lauren Weinstein)
    Fake news probe in Brazil exposes "Office of Hate" within government
    (Angelica Mari)
    BBB warns about fake shipping emails (KGW)
    Exposed: Elaborate plot including fake email from an art expert designed to
    prove Dali painting that belonged to James Stunt and hung on Prince
    Charles's wall was real (Daily Mail)
    Learn lessons from this $1 million email scam (ITWorld)
    Professor by day, scambuster by night: Business professor helps scam victims
    (Mustang News)
    Bogus Emails Give Spirit Airlines Passengers Temporary Headache
    (TravelPulse)
    AI Is Not Similar To Human Intelligence. Thinking So Could Be Dangerous
    (Forbes)
    SSD drive with critical failure at 32768 hours of operation (HPE)
    This might be a genuine Y2K problem -- are there more? (Martyn Thomas)
    Plundervolt (Ars Technica)
    Medicare needs to be flexible with Seniors! (KHN)
    I lost my 193,000-pound inheritance with one-digit-wrong sort code
    (The Guardian)
    WSJ discovers that phone systems are hard (danny burstein)
    Uber's 'Dirty Little Secret': Shared Driver Accounts (WSJ)
    Nearly $50 Million of Ether Swiped From South Korean Cryptocurrency Exchange
    (WSJ)
    Fiber-optic cables pinpoint California tectonic fault zone
    (National Geographic)
    Dexcom Software Outage Draws Fury from Diabetes Patients and Their Parents
    (Fortune)
    Facebook Experiences Sporadic Outages (WSJ)
    Microsoft OAuth whitelisted unregistered subdomains allowing azure account
    takeovers (ThreatPost)
    Re: AI future or follies? (Amos Shapir)
    Re: Train door safety interlock based on hanger not actual door position
    (John Murrell)
    Re: What happens if your mind lives for ever on the Internet?
    (Chris Drewe, Amos Shapir)
    Re: DMVs profit by selling PII (Kelly Bert Manning)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 30 Nov 2019 11:56:45 -0500
    From: Rebecca Mercuri <notable@mindspring.com>
    Subject: If you think you voted in November in PA ... think again!

    Today's NYT article covers many of the points in my recent lectures (vote flipping, obsolete standards, etc.) and alludes to why this isn't
    accidental.

    See: https://www.nytimes.com/2019/11/30/us/politics/pennsylvania-voting-machines.html
    and the eye-opening details at: https://3og1cv1uvq3u3skase2jhb69-wpengine.netdna-ssl.com/wp-content/uploads/2019/09/VOTING-TECHNOLOGY-PROCUREMENT-INVESTIGATION-PUBLIC.pdf

    For Philly, $425,000 in lobbying money yielded a $29M contract to ES&S.
    Less the 10% penalty (the entire purchase should have been rescinded). The $29M may not include the long-term maintenance contract, which gives them
    even more city funds with access to the devices. And now these machines are
    in place for maybe 20 years? Sweet deal.

    It's not just PA. This voting system replacement scam is going on all over
    the country where DREs are being upgraded to include the now-required
    paper. As long as the election officials can hide behind the electronic
    totals and risk limiting audits they'll continue to avoid hand-counting the ballots. There may be new machines, but the M.O. has not changed. Keep your
    eye on the swing states (like PA). And spread the word.

    Early and often,

    [Also, see Nick Corasanti,
    A Pennsylvania Candidate had 26,142 Votes. The Machine Counted 164.
    *The New York Times* National edition, p.20 (Sunday).
    Fortunately, The ExpressVoteXL (Election Systems & Software) had a paper
    trail, which many other touch-screen voting systems do not. PGN]

    ------------------------------

    Date: Wed, 4 Dec 2019 15:51:22 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Election Security regulations in the U.S (Fortune)

    https://fortune.com/2019/12/04/election-security-regulations-united-states/

    ``The problem is that the federal certification itself is weak from a
    security standpoint and that not all states require it,'' says J. Alex Halderman, a professor of computer science and engineering at the University
    of Michigan. ``There are more federal requirements that apply to plastic
    water bottles or whiskey than apply to electronic voting security, which is absolutely incredible to me.''

    ------------------------------

    Date: Wed, 11 Dec 2019 15:41:03 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: A banner day for truth, consequences, integrity, and privacy

    In Britain, Fake News Muddies Election Run-Up,
    Adam Satariano, *The New York Times* National edition A12, 11 Dec 2019.

    In Britain, Disinformation Ahead of a Vote Comes Largely from Within. Adam Satariano and Amie Tsang, *The New York Times* National edition A13, 11 Dec 2019. ``We're seeing anyone and everyone picking up these tactics.''

    China Jailed the Most Journalists, Rick Gladstone, *The New York Times* National edition A13, 11 Dec 2019.

    In Iran, a Security Breach Exposes 15M Bank Customers, Farnaz Fassihi and
    Ronan Bergman, NYTimes National edition A14, 11 Dec 2019.

    ------------------------------

    Date: Mon, 9 Dec 2019 11:36:33 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: China to remove all foreign computer equipment from government
    (The Guardian)

    https://www.theguardian.com/world/2019/dec/09/china-tells-government-offices-to-remove-all-foreign-computer-equipment

    China tells government offices to remove all foreign computer equipment

    Directive is likely to be a blow to US multinational companies like HP,
    Dell and Microsoft

    Chinese president Xi Jinping has ordered that all foreign hardware
    be removed from government offices and agencies.

    China has ordered that all foreign computer equipment and software be
    removed from government offices and public institutions within three
    years, the Financial Times reports. The government directive is likely to
    be a blow to US multinational companies like HP, Dell and Microsoft and
    mirrors attempts by Washington to limit the use of Chinese technology, as
    the trade war between the countries turns into a tech cold war.

    The Trump administration banned US companies from doing business with
    Chinese telecommunications company Huawei earlier this year and in
    May, Google, Intel and Qualcomm announced they would freeze
    cooperation with Huawei.

    By excluding China from western know-how, the Trump administration has
    made it clear that the real battle is about which of the two economic
    superpowers has the technological edge for the next two decades.

    This is the first known public directive from Beijing setting specific
    targets limiting China's use of foreign technology, though it is part of a
    wider move within China to increase its reliance on domestic technology.

    The FT reported that the directive would result in an estimated 20m- to
    30m pieces of hardware needing to be replaced and that this work would
    begin in 2020. Analysts told the FT that 30% of substitutions would take
    place in 2020, 50% in 2021 and 20% in 2022.

    The order had come from the Chinese Communist party's central office
    earlier this year, the analysts said. Two employees from cyber security
    firms told the paper that government clients had described the policy.

    Replacing all the devices and software in this timeframe will be
    challenging, given that many products were developed for US operating
    systems like Microsoft's Windows. Chinese government offices tend to use desktop
    computers from the Chinese-owned company Lenovo, but components of the
    computers, including its processor chips and hard drives are made by
    American companies.

    In May, Hu Xijin, editor of the Global Times newspaper in China, said the
    withdrawal of sharing by US tech companies with Huawei would not be fatal
    for the company because the Chinese firm has been planning for this
    conflict "for years" and would prompt the company to develop its own
    microchip industry to rival America's.

    "Cutting off technical services to Huawei will be a real turning point in
    China's overall research and development and use of domestic chips," he
    said in a social media post. "Chinese people will no longer have any
    illusions about the steady use of US technology."

    ------------------------------

    Date: Sun, 1 Dec 2019 10:12:41 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Chinese tech groups shaping UN facial recognition standards (FT)

    *Companies hope to gain an edge by laying the groundwork for global rules*

    EXCERPT:

    Chinese technology companies are shaping new facial recognition and surveillance standards at the UN, according to leaked documents obtained by
    the Financial Times, as they try to open up new markets in the developing
    world for their cutting-edge technologies.

    Companies such as ZTE, Dahua and China Telecom are among those proposing new international standards -- specifications aimed at creating universally consistent technology -- in the UN's International Telecommunication Union (ITU) for facial recognition, video monitoring, city and vehicle
    surveillance.

    Standards ratified in the ITU, which comprises nearly 200 member states, are commonly adopted as policy by developing nations in Africa, the Middle East
    and Asia, where the Chinese government has agreed to supply infrastructure
    and surveillance tech under its *Belt and Road Initiative*, according to experts.

    ``African states tend to go along with what is being put forward by China
    and the ITU as they don't have the resources to develop standards
    themselves,'' said Richard Wingfield, Head of Legal at Global Partners
    Digital, a company working on human rights on the Internet.

    Europe and North America have their own regional standards setting bodies,
    such as the IETF, IEEE and 3GPP, which are dominated by domestic industry players. The ITU, on the other hand, is a space where companies outside of North America and Europe tend to shape and drive standard development.

    Standard writing gives companies an edge in the market by aligning global
    rules with the specifications of their own proprietary technology, say
    experts.

    Over the past few years, Chinese surveillance infrastructure has swept
    across regions from Angola to Zimbabwe. For example, earlier this year South African company Vumacam installed 15,000 surveillance cameras with facial recognition capabilities in Johannesburg, supplied by Hikvision.

    In August, Uganda confirmed the nationwide installation of Huawei
    surveillance cameras with face recognition capabilities. Similarly, the Singapore government plans to install facial recognition cameras on its lampposts, a contract that Chinese start-up Yitu has bid for, according to local reports. ...

    https://www.ft.com/content/c3555a3c-0d3e-11ea-b2d6-9bf4d1957a67

    ------------------------------

    Date: Sun, 1 Dec 2019 10:14:22 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: China introduces mandatory face scans for phone users (AFP)

    EXCERPT:

    China will require telecom operators to collect face scans when registering
    new phone users at offline outlets starting Sunday, according to the
    country's information technology authority, as Beijing continues to tighten cyberspace controls.

    In September, China's industry and information technology ministry issued a notice on "safeguarding the legitimate rights and interests of citizens online", which laid out rules for enforcing real-name registration.

    The notice said telecom operators should use "artificial intelligence and
    other technical means" to verify people's identities when they take a new
    phone number.

    A China Unicom customer service representative told AFP that the December 1 "portrait matching" requirement means customers registering for a new phone number may have to record themselves turning their head and blinking.

    "In next steps, our ministry will continue to...increase supervision and inspection...and strictly promote the management of real-name registration
    for phone users," said the September notice.

    Though the Chinese government has pushed for real-name registration for
    phone users since at least 2013 -- meaning ID cards are linked to new phone numbers -- the move to leverage AI comes as facial recognition technology
    gains traction across China where the tech is used for everything from supermarket checkouts to surveillance. ...

    https://news.yahoo.com/china-introduces-mandatory-face-scans-phone-users-091042257.html

    ------------------------------

    Date: Thu, 28 Nov 2019 09:38:44 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: TikTok Reverses Ban on Teen Who Slammed China's Muslim Crackdown

    https://www.nytimes.com/2019/11/27/technology/tiktok-censorship-apology.html

    The video app said it would review its policies after a 17-year-old in New Jersey who discussed Chinese detention camps was locked out of her account.

    ------------------------------

    Date: Fri, 29 Nov 2019 13:23:10 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Deepfakes

    Deepfakes can be deep trouble, especially when the alterations are comparatively subtle:

    https://www.youtube.com/watch?v=5nDnlA1pv5U

    ------------------------------

    Date: Mon, 09 Dec 2019 16:22:05 -0800
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: Fake news probe in Brazil exposes "Office of Hate" within government
    (Angelica Mari)

    Angelica Mari for Brazil Tech | 9 Dec 2019

    Access will be requested to computers that were allegedly used to spread misinformation with taxpayer money. https://www.zdnet.com/article/fake-news-probe-in-brazil-exposes-office-of-hate-within-government/

    selected text:

    The investigations into the dissemination of fake news have advanced in
    Brazil as details of the government's online communication strategy have
    been unveiled.

    According to a ten-hour session involving a former government leader in the Congress, Joice Hasselmann, a group of presidential staff routinely spreads fake news and defames the opposition across social networks as part of their day job.

    With federal elections scheduled for late September in Germany, momentum is building behind using anti-botnet laws against automated social-media
    accounts that churn out disinformation.

    Hasselmann's statement describes the inner workings of a cluster operating
    right next to the presidential office in Brasília, charged with the
    development and execution of the online communication with the supporter
    base.

    ------------------------------

    Date: Mon, 9 Dec 2019 11:52:03 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: BBB warns about fake shipping emails (KGW)

    https://www.kgw.com/article/money/consumer/bbb-warns-about-fake-shipping-emails/283-60363104-f82f-4609-ab01-47ddf2f7198b

    ------------------------------

    Date: Mon, 9 Dec 2019 11:53:49 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Exposed: Elaborate plot including fake email from an art expert
    designed to prove Dali painting that belonged to James Stunt and hung on
    Prince Charles's wall was real.

    https://www.dailymail.co.uk/news/article-7668579/Elaborate-plot-prove-Dali-painting-belonged-James-Stunt-real.html

    ------------------------------

    Date: Mon, 9 Dec 2019 13:58:02 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Learn lessons from this $1 million email scam (ITWorld)

    https://www.itworldcanada.com/article/cyber-security-today-learn-lessons-from-this-1-million-email-scam/424863

    ------------------------------

    Date: Mon, 9 Dec 2019 11:52:55 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Professor by day, scambuster by night: Business professor helps
    scam victims

    https://mustangnews.net/professor-by-day-scambuster-by-night-business-professor-helps-scam-victims/

    ------------------------------

    Date: Mon, 9 Dec 2019 11:47:25 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Bogus Emails Give Spirit Airlines Passengers Temporary Headache

    https://www.travelpulse.com/news/airlines/bogus-emails-give-spirit-airlines-passengers-temporary-headache.html

    ------------------------------

    Date: Sun, 1 Dec 2019 10:08:18 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: AI Is Not Similar To Human Intelligence. Thinking So Could Be
    Dangerous (Forbes)

    EXCERPT:

    It's easy to anthropomorphize artificial intelligence. We imagine
    befriending Siri, or that our self-driving car has our best interests at
    heart. When we paint a picture of an advanced AI, we might imagine machines that *learn*, similar to the ways a toddler might learn. We imagine them *thinking* or *coming to conclusions* similar to how we do. Even the term *neural networks* -- an algorithm modeled after the human brain -- brings up images of a brain-like machine, making decisions. However, thinking an artificial intelligence works in the same way as a human brain can be misleading and even dangerous, says a recent paper <https://link.springer.com/article/10.1007/s11023-019-09506-6> in Minds and Machines <https://link.springer.com/journal/11023> by David Watson <https://www.oii.ox.ac.uk/people/david-watson/> of the Oxford Internet Institute and the Alan Turing Institute...

    https://www.forbes.com/sites/fernandezelizabeth/2019/11/30/ai-is-not-similar-to-human-intelligence-thinking-so-could-be-dangerous/

    ------------------------------

    Date: Thu, 28 Nov 2019 02:22:02 -0500 (EST)
    From: Eli the Bearded <*@eli.users.panix.com>
    Subject: SSD drive with critical failure at 32768 hours of operation (HPE)

    https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00092491en_us

    IMPORTANT: This HPD8 firmware is considered a critical fix and is required
    to address the issue detailed below. HPE strongly recommends immediate
    application of this critical fix. Neglecting to update to SSD Firmware
    Version HPD8 will result in drive failure and data loss at 32,768 hours of
    operation and require restoration of data from backup in non-fault
    tolerance, such as RAID 0 and in fault tolerance RAID mode if more drives
    fail than what is supported by the fault tolerance RAID mode logical
    drive. By disregarding this notification and not performing the
    recommended resolution, the customer accepts the risk of incurring future
    related errors.

    32768 hours is strongly suggestive of a very naive bug. In a RAID where all
    the drives were new originally, this could very quickly destroy the volume. [TWO TO THE FIFTEENTH! strikes again. PGN]
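The correlated-failure point in this item (every drive in an array that was installed together reaches 32,768 hours in the same hour) is easy to miss in a "one drive fails at a time" RAID model. The following added example is not HPE's firmware or tooling; it models one hypothesis about the bug class (a power-on-hours counter held in a signed 16-bit field, which ctypes truncates exactly as C would) and then does what a storage administrator actually wants: given constructed SMART power-on-hours readings and firmware labels, flag drives still on pre-HPD8 firmware that will cross the boundary within a planning horizon, and report whether an array would lose more drives than its RAID level tolerates. Serial numbers, the "OLD-FW" label and the hours are constructed sample values.

```python
import ctypes
from dataclasses import dataclass
from typing import List

# 2**15: the power-on-hours value at which the advisory says the drives fail.
FAILURE_HOURS = 32_768


@dataclass
class Drive:
    serial: str          # constructed sample value
    firmware: str        # "HPD8" is the fixed version named in the advisory
    power_on_hours: int  # as reported by the drive's SMART data (constructed)


def counter_as_int16(hours: int) -> int:
    """Store a power-on-hours value in a signed 16-bit field and read it back.

    This models one hypothesis about the bug class (a counter that is only
    16 bits wide); it is not HPE's actual firmware logic. ctypes performs the
    same truncation C would, so 32767 survives and 32768 becomes -32768.
    """
    return ctypes.c_int16(hours).value


def counter_overflows(hours: int) -> bool:
    """True when a signed 16-bit counter would have wrapped at this hour count."""
    return counter_as_int16(hours) < 0


def hours_until_boundary(drive: Drive) -> int:
    """Hours left before the drive reaches 32768 power-on hours (0 if already past)."""
    return max(FAILURE_HOURS - drive.power_on_hours, 0)


def at_risk(drive: Drive, fixed_firmware: str = "HPD8",
            horizon_hours: int = 30 * 24) -> bool:
    """Flag a drive still on pre-fix firmware that reaches the boundary within
    the planning horizon (default: 30 days of continuous operation)."""
    if drive.firmware == fixed_firmware:
        return False
    return hours_until_boundary(drive) <= horizon_hours


def correlated_exposure(array: List[Drive], tolerated_failures: int,
                        **kwargs) -> bool:
    """True when more drives in one array are at risk than the RAID level can
    lose (0 for RAID 0, 1 for RAID 5, 2 for RAID 6). Drives bought and powered
    on together cross the boundary in the same hour, so the usual
    one-failure-at-a-time assumption does not hold."""
    return sum(at_risk(d, **kwargs) for d in array) > tolerated_failures


# Constructed inventory: four drives installed together, three still on an
# older firmware (placeholder label "OLD-FW"), one already updated to HPD8.
SAMPLE_RAID5 = [
    Drive("SN-0001", "OLD-FW", 32_200),
    Drive("SN-0002", "OLD-FW", 32_201),
    Drive("SN-0003", "OLD-FW", 32_200),
    Drive("SN-0004", "HPD8",   32_200),
]

if __name__ == "__main__":
    print("32767 ->", counter_as_int16(32_767), " 32768 ->", counter_as_int16(32_768))
    for d in SAMPLE_RAID5:
        print(d.serial, d.firmware, "hours left:", hours_until_boundary(d),
              "at risk:", at_risk(d))
    print("RAID 5 set would lose more drives than it tolerates:",
          correlated_exposure(SAMPLE_RAID5, tolerated_failures=1))
```

The horizon is deliberately expressed in hours of continuous operation rather than calendar days, because that is what the counter measures; a drive that has been powered off does not advance toward the boundary.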

    ------------------------------

    Date: Thu, 28 Nov 2019 08:39:04 +0000
    From: Martyn Thomas <martyn@thomas-associates.co.uk>
    Subject: This might be a genuine Y2K problem -- are there more?

    In the run-up to Y2K, one of the fixes was "windowing", where two digit
    years below 20 (for example) were treated as in the 21st century and years above 20 were in the 20th. There was some speculation that there might be problems when the end of the window arrived.

    This might just be an example: https://nakedsecurity.sophos.com/2019/11/27/splunk-customers-should-update-now-to-dodge-y2k-style-bug/
    even though the product was written after 2000, if a pre-existing library
    was used. If it is a Y2K end-of-window problem, there may be similar
    problems about to appear.

    People who weren't involved in solving the Y2K problem seem to think it
    wasn't a serious issue. But it was and despite the billions of dollars spent and the tens of thousands of people who worked to identify and fix the problems, 15 nuclear reactors shut down on January 1st 2000. I led the Y2K service line for Deloitte Consulting for a few years and I have described
    what really happened. See: https://s3-eu-west-1.amazonaws.com/content.gresham.ac.uk/data/binary/2773/2017-04-04-MartynThomas_Y2K-T.pdf
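To make the end-of-window failure concrete, here is an added example (not from Martyn Thomas's post or the Splunk advisory) that expands two-digit years both ways: with the fixed pivot of 20 described above, and with a sliding window anchored to the current date, which is the usual fix because the window moves with the clock instead of expiring. The YYMMDD record format, the validity check and all dates are constructed for illustration.

```python
from datetime import date

# Fixed pivot as in the post: two-digit years below 20 are 20xx, 20 and
# above are 19xx. The value 20 is the post's example; real code used others.
FIXED_PIVOT = 20


def window_year_fixed(yy: int, pivot: int = FIXED_PIVOT) -> int:
    """Y2K-era 'windowing': expand a two-digit year with a fixed pivot.

    Works until the calendar reaches the pivot; from then on every new year
    is silently pushed back a century (20 -> 1920).
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < pivot else 1900 + yy


def window_year_sliding(yy: int, today: date) -> int:
    """Sliding window: choose the century that places the year inside
    [today - 50 years, today + 50 years). Because the window is computed
    from the current date it never 'runs out' the way a fixed pivot does."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    low = today.year - 50
    century = low - low % 100
    candidate = century + yy
    if candidate < low:
        candidate += 100
    return candidate


def parse_yymmdd(text: str, today: date, sliding: bool = False) -> date:
    """Parse a constructed YYMMDD field with either year-expansion rule."""
    if len(text) != 6 or not text.isdigit():
        raise ValueError("YYMMDD expected")
    yy, mm, dd = int(text[:2]), int(text[2:4]), int(text[4:])
    year = window_year_sliding(yy, today) if sliding else window_year_fixed(yy)
    return date(year, mm, dd)


def still_valid(valid_to_yymmdd: str, today: date, sliding: bool = False) -> bool:
    """Constructed validity check of the kind that breaks at the window edge:
    a record dated 1 Jan 2020 is read as 1 Jan 1920 under the fixed pivot and
    is therefore reported as already expired."""
    return parse_yymmdd(valid_to_yymmdd, today, sliding) >= today


if __name__ == "__main__":
    today = date(2019, 12, 31)  # constructed 'current date'
    for rule in (False, True):
        label = "sliding" if rule else "fixed pivot"
        print(label, "200101 ->", parse_yymmdd("200101", today, rule),
              "valid:", still_valid("200101", today, rule))
```

The sliding rule still has an ambiguity boundary (with today in 2019, "69" means 1969 and "68" means 2068), but that boundary is fifty years away from any date the system is currently handling, whereas the fixed pivot's boundary was always going to arrive on 1 January 2020.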

    ------------------------------

    Date: Wed, 11 Dec 2019 14:55:05 PST
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Plundervolt

    [spotted by Phil Porras]

    "By subtly increasing or decreasing the current delivered to a CPU -- operations known as "overvolting" and "undervolting" -- a team of scientists has figured out how to induce SGX faults that leak cryptographic keys, break integrity assurances, and potentially induce memory errors that could be
    used in other types of attacks."

    https://arstechnica.com/information-technology/2019/12/scientists-pluck-crypto-keys-from-intels-sgx-by-tweaking-cpu-voltage/

    ------------------------------

    Date: Tue, 10 Dec 2019 17:29:25 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Medicare needs to be flexible with Seniors! (KHN)

    https://khn.org/news/website-errors-raise-calls-for-medicare-to-be-flexible-with-seniors-enrollment/

    ------------------------------

    Date: Sat, 7 Dec 2019 10:11:46 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: I lost my 193,000-pound inheritance with one-digit-wrong sort code
    (The Guardian)

    https://www.theguardian.com/money/2019/dec/07/i-lost-my-193000-inheritance-with-one-wrong-digit-on-my-sort-code

    ------------------------------

    Date: Thu, 5 Dec 2019 22:18:07 -0500 (EST)
    From: danny burstein <dannyb@panix.com>
    Subject: WSJ discovers that phone systems are hard

    Ok, who here would *ever* trust basic caller ID, and triply so in a Major
    Issue like the impeachment hearings?

    Regarding those phone logs, displayed in the impeachment process, that
    seemed to show that Rudy spoke with OMB numerous times:

    [Wall Street Journal]

    That number, along with the other references in the report to a number associated with OMB, all correspond to a placeholder number that shows up
    when officials in several White House departments make calls, according to people familiar with the matter. The people said the number shows up on the caller ID of individuals outside the White House when some White House officials call them from a landline.

    https://www.wsj.com/articles/doubts-surface-over-giuliani-white-house-budget-office-calls-11575588060

    dannyb recalls getting phone calls from the NYTimes phone network with
    caller ID of "111-111-1111", and about five years ago when the NYT actually
    ran a story saying they were going to end that nonsense.

    ------------------------------

    Date: Thu, 28 Nov 2019 09:45:53 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Uber's 'Dirty Little Secret': Shared Driver Accounts (WSJ)

    https://www.wsj.com/articles/ubers-dirty-little-secret-shared-driver-accounts-11574883278

    ------------------------------

    Date: Thu, 28 Nov 2019 10:18:21 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Nearly $50 Million of Ether Swiped From South Korean Cryptocurrency
    Exchange (WSJ)

    https://www.wsj.com/articles/nearly-50-million-of-ether-swiped-from-south-korean-cryptocurrency-exchange-11574918838

    ------------------------------

    Date: Sat, 30 Nov 2019 11:58:04 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Fiber-optic cables pinpoint California tectonic fault zone
    (National Geographic)

    *A new method using fiber-optic cables pinpointed the previously hidden
    system -- and it may reveal more seismic surprises around the globe*

    EXCERPT:

    Beneath the cerulean waters of Monterey Bay, just a few miles southeast of Santa Cruz, California, a never-before-seen cluster of faults has been
    found lurking on the ocean floor.

    These newly spotted wrinkles in Earth's crust <https://science.sciencemag.org/cgi/doi/10.1126/science.aay5881>, described
    in a paper published today in *Science*, are still largely a mystery. We
    can't say much about their size, shape, or how active they are. Still, the findings show that even in one of the most seismically studied corners of
    the planet, fault maps of the ocean floor contain gaping holes. That's a big problem, because if we don't know where sea-floor faults are, coastal communities are going to be in the dark about any earthquake or tsunami
    threats they might present.

    The new research also offers a solution to our tectonic blindspot: We can harness the hundreds of thousands of miles of fiber optic cables <https://www.nytimes.com/interactive/2019/03/10/technology/internet-cables-oceans.html>
    that send emails, Tweets, and video messages ping-ponging across Earth every day. Scientists discovered California's newest known offshore faults by borrowing a garden hose-size fiber optic cable that spans the sea-floor of Monterey Bay and turning it into an ad-hoc seismic array. (Also find out how researchers used ancient Aztec records to find a previously unknown seismic risk in Mexico.) <https://www.nationalgeographic.com/science/2019/10/ancient-aztec-records-reveal-hidden-earthquake-risk-in-mexico/>

    Researchers hope this new method might one day be used to collect treasure troves of seismic data in major cities that are already undergirded by
    networks of fiber optic telecommunications cables but don't have the budget
    or physical space to install thousands of seismometers. Cables located
    directly offshore of major population centers, meanwhile, might be slightly retooled to serve as the backbone for new early warning systems. <https://earther.gizmodo.com/inside-the-plan-to-prepare-the-pacific-northwest-for-a-1832591821>

    ``The possibilities are pretty large,'' says study coauthor Craig Dawe <https://www.mbari.org/dawe-craig/> of the Monterey Bay Aquarium Research Institute. ``Worldwide, there's lots of fiber optic cable deployed.''

    Illuminating the sea-floor...

    https://www.nationalgeographic.com/science/2019/11/mysterious-tectonic-fault-zone-found-off-california-using-fiber-optics/

    ------------------------------

    Date: Tue, 3 Dec 2019 01:52:34 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Dexcom Software Outage Draws Fury from Diabetes Patients and Their
    Parents (Fortune)

    Dexcom's continuous glucose monitoring technology has been a quiet
    revolution for diabetes patients. The wearable patch keeps tabs on
    diabetics' blood sugar levels in real time. What's more, the Dexcom G5 and
    G6 devices can transmit information to a smartphone app through a service called Dexcom Follow -- critical for the parents and caregivers of
    diabetics, who can receive instant notifications of dangerous oscillations
    in blood glucose for those who may not be capable of monitoring such data themselves.

    But, at some point late Friday evening, the Dexcom Follow service went
    dark. And it still hadn't been fully restored as of Monday afternoon,
    according to an update on the company's Facebook account.

    https://fortune.com/2019/12/02/dexcom-outage-blackout-diabetes-patients-blood-sugar-monitor/

    ------------------------------

    Date: Thu, 28 Nov 2019 14:43:44 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Facebook Experiences Sporadic Outages (WSJ)

    https://www.wsj.com/articles/facebook-experiences-sporadic-outages-11574963022

    ------------------------------

    Date: Tue, 3 Dec 2019 07:27:57 +0000
    From: J Coe <spendday@gmail.com>
    Subject: Microsoft OAuth whitelisted unregistered subdomains allowing azure
    account takeovers

    A vulnerability in the way Microsoft applications use OAuth for third-party authentication could allow an attacker to take over Azure cloud accounts.

    At least 54 sub-domains with whitelisted URL endings were not
    registered in the Azure portal.

    Attackers can take advantage of this by taking over these domains and then registering them, meaning that they would be approved by default and could request users' `access_tokens', which would then allow them to take actions using users' permissions. If a victim is an Azure admin, for instance, an attacker could access high-level permissions, like adding unwanted members
    to a Microsoft Active Directory role, resetting other users' passwords or adding users to groups.

    https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/
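The root cause described above is a redirect-URI allowlist that matches on a URL ending (so any host under that suffix is accepted) combined with hosts under that suffix that nobody had registered. The added example below is not Microsoft's code or configuration; the host names, registered URIs and app-registration list are constructed placeholders. It contrasts the suffix rule with an exact-match rule, which is the standard mitigation, and adds the inventory check an identity team would run: which hosts referenced by redirect URIs are not in the set of hosts the organisation actually controls.

```python
from urllib.parse import urlsplit
from typing import Iterable, Set, Tuple

# Constructed configuration; placeholders, not Microsoft's real allowlist.
ALLOWED_SUFFIXES = (".cloud.example",)
REGISTERED_REDIRECT_URIS = {
    "https://portal.cloud.example/auth/callback",
    "https://admin.cloud.example/signin",
}
# Hosts whose DNS records the organisation owns (constructed inventory).
OWNED_HOSTS = {"portal.cloud.example", "admin.cloud.example"}


def _split(uri: str) -> Tuple[str, str, str, str, str]:
    """Normalise scheme and host to lower case; keep path, query, fragment."""
    p = urlsplit(uri)
    host = (p.hostname or "").lower()
    return p.scheme.lower(), host, p.path or "/", p.query, p.fragment


def redirect_allowed_by_suffix(uri: str) -> bool:
    """The weak rule: accept any HTTPS host that ends with an allowed suffix.
    Every sub-domain under the suffix is trusted, whether or not anyone has
    registered it, which is the condition the article describes."""
    scheme, host, _, _, _ = _split(uri)
    return scheme == "https" and any(host.endswith(s) for s in ALLOWED_SUFFIXES)


def redirect_allowed_exact(uri: str) -> bool:
    """The recommended rule: the redirect URI must equal one registered
    scheme://host/path exactly, with no query string or fragment, so an
    unregistered host under the same suffix is rejected."""
    scheme, host, path, query, fragment = _split(uri)
    if scheme != "https" or query or fragment:
        return False
    return f"{scheme}://{host}{path}" in REGISTERED_REDIRECT_URIS


def dangling_hosts(referenced_uris: Iterable[str], owned_hosts: Set[str]) -> Set[str]:
    """Inventory check: hosts named in redirect URIs that the organisation
    does not control. Each one is an entry that trust was granted to on paper
    only and should be registered or removed from the allowlist."""
    referenced = {_split(u)[1] for u in referenced_uris}
    return {h for h in referenced if h and h not in owned_hosts}


# Constructed list of redirect URIs found across app registrations.
SAMPLE_APP_REDIRECTS = [
    "https://portal.cloud.example/auth/callback",
    "https://legacy-app.cloud.example/oauth/return",
    "https://admin.cloud.example/signin",
]

if __name__ == "__main__":
    unclaimed = "https://unclaimed.cloud.example/cb"
    print("suffix rule accepts unregistered host:", redirect_allowed_by_suffix(unclaimed))
    print("exact rule accepts unregistered host: ", redirect_allowed_exact(unclaimed))
    print("hosts referenced but not owned:", dangling_hosts(SAMPLE_APP_REDIRECTS, OWNED_HOSTS))
```

The exact-match rule also rejects an otherwise-registered URI that carries a query string or fragment, which closes the usual loophole of appending parameters to a trusted redirect; the inventory check is cheap to run on a schedule against whatever registration export the identity platform provides.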

    ------------------------------

    Date: Thu, 28 Nov 2019 10:29:57 +0200
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: AI future or follies? (RISKS-31.48)

    The earliest compiled high-level languages were considered "self-programming computers" and "the end of programming by humans". In a way, that was
    correct -- since programming until then was mostly done in assembly
    languages; indeed not many assembly programmers are still around by now.

    But what such "end of programming" predictions miss is that while coding is
    a rote activity that may be replaced by automation, programming is not. The role of a programmer is to expect the unexpected, and tell machines what to
    do in such unforeseen circumstances; even with AI, humans will always be
    needed to mediate the real world to mechanical entities.

    ------------------------------

    Date: Tue, 3 Dec 2019 21:23:48 -0000
    From: "John Murrell" <mail@JohnMurrell.org.uk>
    Subject: Re: Train door safety interlock based on hanger not
    actual door position (RISKS-31.49)

    I contacted the RAIB about this poor design having read their safety digest https://www.gov.uk/government/publications/safety-digest-102019-hockley

    My concerns were that the FMEA should have picked the non-detection of the failure of the fasteners up as well as a lot of other faults including:

    1: The brackets attached to the door.
    2: The bolts that attach to the 'orange drive pieces'.
    3: The attachment of the orange drive pieces to the drive belt
    4: The drive belt
    5: The pulleys in the drive system
    6: The pulley pivots, mountings etc.
    7: Using a single microswitch in a safety critical application

    The reply from the RAIB is as follows:

    Thank you for your email. The diagram shows only components relevant to
    the incident and the omitted components include a second micro switch
    which detects the position of the right hand (non-incident) door. This is
    an old but widely used design. The methods used in the design were
    unlikely to be as now, so our safety digest concentrated on the need for
    effective fastener retention, a message which applies well beyond the door
    arrangement involved in the incident.

    Without a detailed design analysis it is difficult to know which of the
    first 7 items on my list above are mitigated by a second microswitch.

    ------------------------------

    Date: Thu, 28 Nov 2019 22:12:34 +0000
    From: Chris Drewe <e767pmk@yahoo.co.uk>
    Subject: Re: What happens if your mind lives for ever on the Internet?
    (RISKS-31.49)

    My concern here is that there are newspaper articles almost daily (at least
    in the UK) saying "AI is going to make huge changes to everybody's jobs real soon, so what are politicians going to do about it *now*?!?", the RISK being that governments will try to figure out what's going to happen and plan for exactly this, while real life goes off in a different direction. Example analogy is civil aviation when I was a kid in the 1960s; the Brits and
    French saw the future as supersonic travel and developed Concorde at great
    cost to taxpayers, while Boeing looked to slow but bigger aircraft and developed the 747 'jumbo jet'. Not sure of the precise figures, but there
    were only 16 Concordes and they last flew about 15 years ago, while 1,500
    747s have been built and about 500 are still in service.

    ------------------------------

    Date: Sat, 30 Nov 2019 10:41:04 +0200
