RISKS-LIST: Risks-Forum Digest Tuesday 4 February 2020 Volume 31 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.56>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Iowa's Tally-by-App Experiment Fails (WSJ)
Risks in the Iowa Tally fiasco (Sundry)
Live frogs (Flyer Talk)
Computers threaten saffron harvest (Eric Sosman)
No smoke, no water, no waste. VR could train the next generation of
firefighters (cnn.com)
Artificial intelligence-created medicine to be used on humans for first time
(bbc.com)
Why asking an AI to explain itself can make things worse (MIT Tech Review)
AI License Plate Readers Are Cheaper: Drive Carefully (WiReD)
No more Punxsutawney Phil: It's long overdue for an AI groundhog
instead, PETA says. (The Washington Post)
Android Users Beware: this dangerous menace is already hiding on 43 million
phones (Forbes)
Why Google Backtracked on Its New Search Results Look (NYTimes)
Regis University's cyberattack was ``a crisis of the highest order,
But investigators couldn't trace its origin (Denver Post)
An artist wheeled 99 smartphones around in a wagon to create fake traffic
jams on Google Maps (Business Insider)
Very strange, still receiving security patches/updates for Windows 7
systems (Gabe Goldberg)
Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable
(Security Ledger)
The Fractured Future of Browser Privacy (WiReD)
NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk (NYTimes) IKEA Promises New Data Controls for Consumers (WSJ)
Facebook shows you how it stalks you. Here are the privacy settings to
change. (WashPost)
Re: Boeing 737s can't land facing west (R. G. Newbury)
Re: Should Automakers Be Responsible for Accidents? (John Levine)
Re: Election Security At The Chip Level (John Levine, Gabe Goldberg)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 4 Feb 2020 12:27:23 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Iowa's Tally-by-App Experiment Fails (WSJ)

https://www.wsj.com/articles/iowa-caucus-results-delayed-by-apparent-app-issue-11580801699

------------------------------

Date: Tue, 4 Feb 2020 13:38:15 -0800
From: "Peter G. Neumann" <peter.neumann@sri.com>
Subject: Risks in the Iowa Tally fiasco (Sundry)

https://go.ind.media/webmail/546932/550762215/0ed6efde19172f984587fb6624e= 4e481dc208bc0a3090465ab7fedfcc3c2b280=20

Shadow Inc reportedly sent out the caucus reporting app via TestFairy, which seemingly could enable lots of intruders to interpose themselves.

https://docs.testfairy.com/Testers/How_to_test_Android_apps.html https://www.vice.com/en_us/article/y3m33x/heres-the-shadow-inc-app-that-failed-in-iowa-last-night

[However, officials were quick to state that this was a "code error", not
a hacking episode. Nevertheless, the entire system seems rather flaky, as
do most of the other approaches to ensuring voting integrity. PGN]

------------------------------

Date: Sat, 1 Feb 2020 12:38:47 +0000
From: "Wendy M. Grossman" <wendyg@pelicancrossing.net>
Subject: Live frogs (Flyer Talk)

Here's a risk you won't have solved in the 1960s on Multics. From the
FlyerTalk American Airlines forum:

https://www.flyertalk.com/forum/american-airlines-aadvantage/2006995-delayed-due-live-frogs.html

Delayed due to... live frogs

Yep you read that correctly, live frogs. On 2559 yesterday from DFW>DTW, we were delayed a few minutes at the gate in DFW due to a load of live
frogs. According to the captain (who made two very nice, detailed
announcements about it), there was a load of live frogs in the aft cargo
hold and the computer just didn't like it and either wouldn't allow them
there or it couldn't compute them being there. So thankfully instead of
keeping us delayed, they offloaded them for a later flight.

The funniest part was that after we landed, and on the looooong taxi at DTW
to the gate, I heard what sounded like frogs. It was probably just somebody still asleep and snoring intermittently, but part of me wonders if there was
a load in the forward hold that did get to travel.

Just might be the funniest delay I've encountered.>>

------------------------------

Date: Tue, 4 Feb 2020 13:55:29 -0500
From: Eric Sosman <esosman@comcast.net>
Subject: Computers threaten saffron harvest

Over-reliance on technology may doom the United States' latest attempt to produce saffron in commercially significant quantities. The spice comes from the /crocus sativus/ flower, grown primarily in a region stretching from
Spain to Kashmir. From (admittedly fragmentary) reports it appears American farmers and entrepreneurs have been using computer- aided methods to attempt
to grow this crocus in the American Midwest, perhaps for fear of (or in
hopes of) higher tariffs against the import of foreign saffron.
Unfortunately, the effort has run into a snag: computer malfunctions are
said to have messed up the Iowa crocuses.

------------------------------

Date: Wed, 29 Jan 2020 16:02:10 -0800
From: Richard Stein <rmstein@ieee.org>
Subject: No smoke, no water, no waste. VR could train the next generation of
firefighters (cnn.com)

https://www.cnn.com/2020/01/29/tech/virtual-reality-firefighter-training/index.html

Conserving material resources during training, via computer simulation, is
an environmental gain, but can a simulator prepare superior fire-fighter capability for deployment during a city-wide conflagration, or during a catastrophic forest fire?

The essay describes mechanical fire-hose force feedback as a simulator
feature. The simulation effectively renders smoke, flame, foam application,
and other combustion effects. A thermal suit heats up the trainee when approaching a simulated flame wall. Is the simulation fidelity sufficiently meritorious to fully abandon hands-on training and fire suppression
equipment deployment?

I wonder if the simulator can train a firefighter how to use a PyroLance (http://money.cnn.com/2018/02/05/technology/business/pyrolance-firefighting-gun/index.html)?

Risk: VR training supplement versus traditional hands-on person-in-the-loop firefighter qualification effectiveness.

------------------------------

Date: Thu, 30 Jan 2020 20:10:57 -0800
From: Richard Stein <rmstein@ieee.org>
Subject: Artificial intelligence-created medicine to be used on humans for
first time (bbc.com)

https://www.bbc.com/news/technology-51315462

Historically, there's 1000 to 1 odds against a candidate drug succeeding in
the marketplace. See http://blogs.einstein.yu.edu/the-high-cost-of-and-uncertain-path-to-a-blockbuster-drug/.

"Typically, drug development takes about five years to get to trial, but the
AI drug took just 12 months.

"Exscienta chief executive Prof Andrew Hopkins described it as a 'key
milestone in drug discovery.'"

That AI drug design is applied to accelerate synthesis may improve these
odds. It would appear to reduce the human effort expended for development.

Whether or not patient outcome benefit materializes is to be shown (or not)
by clinical studies, and hopefully, a double-blind clinical study BEFORE
final regulatory approval is granted.

------------------------------

Date: February 3, 2020 4:06:02 JST
From: geoff goodfellow <geoff@iconia.com>
Subject: Why asking an AI to explain itself can make things worse
(MIT Tech Review)

Creating neural networks that are more transparent can lead us to over-trust them. The solution might be to change how they explain themselves.

Upol Ehsan once took a test ride in an Uber self-driving car <https://www.technologyreview.com/smart-cities/self-driving-cars/>. Instead
of fretting about the empty driver's seat, anxious passengers were
encouraged to watch a *pacifier* screen that showed a car's-eye view of the road: hazards picked out in orange and red, safe zones in cool blue.

For Ehsan, who studies the way humans interact with AI at the Georgia
Institute of Technology in Atlanta, the intended message was clear: ``Don't
get freaked out -- this is why the car is doing what it's doing.'' But something about the alien-looking street scene highlighted the strangeness
of the experience rather than reassuring. It got Ehsan thinking: what if the self-driving car could really explain itself?

The success of deep learning <https://www.technologyreview.com/g/deep-learning/> is due to tinkering:
the best neural networks are tweaked and adapted to make better ones, and practical results have outpaced theoretical understanding. As a result, the details of how a trained model works are typically unknown. We have come to think of them as black boxes <https://www.technologyreview.com/s/613440/ai-researchers-want-to-study-ai-the-same-way-social-scientists-study-humans/>
.

A lot of the time we're okay with that when it comes to things like playing
Go or translating text or picking the next Netflix show to binge on. But if
AI is to be used to help make decisions in law enforcement, medical
diagnosis, and driverless cars, then we need to understand how it reaches
those decisions -- and know when they are wrong.

People need the power to disagree with or reject an automated decision, says Iris Howley <http://www.cs.williams.edu/~iris/>, a computer scientist at Williams College in Williamstown, Massachusetts. Without this, people will
push back against the technology. ``You can see this playing out right now with the public response to facial recognition systems,'' she says.

Ehsan is part of a small but growing group of researchers trying to make AIs better at explaining themselves, to help us look inside the black box. The
aim of so-called interpretable or explainable AI (XAI) is to help people understand what features in the data a neural network is actually learning
-- and thus whether the resulting model is accurate and unbiased. [...]

https://www.techtelegraph.co.uk/why-asking-an-ai-to-explain-itself-can-make-things-worse/
https://www.technologyreview.com/s/615110/why-asking-an-ai-to-explain-itself-can-make-things-worse/

------------------------------

Date: Sat, 1 Feb 2020 00:43:26 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: AI License Plate Readers Are Cheaper: Drive Carefully (WiReD)

https://www.wired.com/story/ai-license-plate-readers-cheaper-drive-carefully/

------------------------------

Date: Thu, 30 Jan 2020 09:08:25 -0800
From: Richard Stein <rmstein@ieee.org>
Subject: No more Punxsutawney Phil: It's long overdue for an AI groundhog
instead, PETA says. (The Washington Post)

https://www.washingtonpost.com/nation/2020/01/29/groundhog-peta-punxsutawney/

PETA has a point: Groundhogs hibernate during Winter; that's what ectotherms do.

But Phil's celebrity status commands performance: he must also visit school children during the Winter, pose for magazine covers (Rat Mag, Rodent of The Year). He's part of a mandatory PR campaign that sustains Punxsutawney, PA tourism foot traffic.

But simulate Punxsutawney Phil with artificial intelligence to determine if Winter will extend by another 6 week? AI is overkill for this purpose.

Why not employ a Magic 8-ball or a coin-toss to prognosticate an extended winter? Granted, these choices lack glamor; they are not newsworthy, but
they are likely as accurate as the appearance (or not) of Phil's shadow.

------------------------------

Date: Wed, 29 Jan 2020 13:06:10 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Android Users Beware: this dangerous menace is already hiding on 43
million phones (Forbes)

``This shows how hard it is for users to stay safe'', the CEO of mobile security firm Upstream warns. The company is about to publish a report into
the Android threat landscape. The data is staggering. The company has unearthed 98,000 malicious apps, which have infected 43 million devices. The worst five apps, Dimitris Maniatis tells me, have been downloaded 700
million times, ``this shows the scale of the issue.'' <https://www.secure-d.io/mobileadfraud2019report/>

*And that risk is accelerating. That number of malicious apps is up 50% in
the last year, and shows every sign of spiraling out of control.*

This can now be viewed as an endemic problem with mobile apps downloaded
from Google's Play Store -- despite Google Protect and the App Defense Alliance, Some 50% of the bad apps exposed by Upstream *were or are*, in the official Play Store. Countless stories have been written about the hundreds
of malicious apps with hundreds of millions of installs. The key question is what is the scale of the issue? <https://www.forbes.com/sites/zakdoffman/2019/11/10/google-confirms-play-store-security-threat-heres-the-fixbut-does-it-make-you-safer/#7557b2514337>.

Upstream has collated the data from its Secure-D security platform, data collected by 31 different network operators across 20 different countries,
data representing the devices 0f almost 700 million different users.

In its report <https://www.secure-d.io/mobileadfraud2019report/>, Upstream explains the methods by which users are enticed to install malicious malware and then grant a raft of permissions that goes way beyond what is required
for the app's claimed purpose. That malware then communicates with
its controllers, seeking instructions and content to operate. The apps are designed to remain hidden, not arousing suspicion, avoiding an uninstall.

The primary issue with mobile malware is advertising or click fraud.
Trivial apps that pull unwanted ads onto devices to run in the background or
as a foreground nuisance. For advertisers, this results in millions of
dollars of fraudulent charges. For users, the issue is degraded performance, drained batteries and huge data bills. There is also the issue that such
apps can lead to devices being infected with more dangerous malware. [...]

https://www.forbes.com/sites/zakdoffman/2020/01/29/android-users-beware-this-dangerous-menace-is-already-hiding-on-43-million-phones/

------------------------------

Date: Sat, 1 Feb 2020 19:52:51 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Why Google Backtracked on Its New Search Results Look (NYTimes)

The Internet giant, which some lawmakers and regulators say has grown too powerful, tweaked the way it displayed ads on search results. It did not go over well.

https://www.nytimes.com/2020/01/31/technology/google-search-results.html

------------------------------

Date: Tue, 28 Jan 2020 19:39:45 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Regis University's cyberattack was ``a crisis of the highest order,
But investigators couldn't trace its origin (Denver Post)

[Follow-up to RISKS-31.39 (29 August 2019)]

Elizabeth Hernandez, *The Denver Post*, 28 Jan 2020

Information-technology experts from across Colorado convened at Regis
University on Tuesday to learn never-before-shared details about last
year's crippling cyberattack -- an experience the private Jesuit college's
chief information officer called "a crisis of the highest order."

A few new details revealed during the presentation:

* Federal and third-party investigators were unable to determine a root
cause of the attack, meaning it's unclear how the attack originated

* The hacker -- determined to be from outside the country -- attacked
Regis's backups first

* When faced with the decision to rebuild the IT system or repair it,
officials decided to rebuild and update

https://www.denverpost.com/2020/01/28/regis-university-cyberattack-ransomware/

------------------------------

Date: Mon, 3 Feb 2020 16:44:05 -0500
From: Monty Solomon <monty@roscom.com>
Subject: An artist wheeled 99 smartphones around in a wagon to create
fake traffic jams on Google Maps (Business Insider)

https://www.businessinsider.com/google-maps-traffic-jam-99-smartphones-wagon-2020-2

[Also noted: "Performance artist generates virtual traffic jams in Google
Maps by pulling a wagon full of smartphones"

"99 second hand smartphones are transported in a handcart to generate
virtual traffic jam in Google Maps. Through this activity, it is
possible to turn a green street red which has an impact in the physical
world by navigating cars on another route to avoid being stuck in
traffic. " [...]

#googlemapshacks
http://www.simonweckert.com/googlemapshacks.html via
https://twitter.com/StevenJCrowley/status/1223977380794064897
PGN]

------------------------------

Date: Wed, 29 Jan 2020 15:57:14 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Very strange, still receiving security patches/updates for Windows
7 systems

One Windows 7 Ultimate system, one Windows Professional, have Windows
Security Essentials being updated daily. Was Microsoft kidding about no
updates after January 14? Or did I get the year wrong? (No, I didn't).
Plus, the Win 7 Ultimate system got Pop-Up of Doom on January 14. But
updates keep rolling along. No, I didn't jump through the hoops to purchase extended support and I didn't get a gift card saying that someone bought it
for me.

It'll be interesting seeing what happens next Patch Tuesday, but still this
is already puzzling.

------------------------------

From: Shawn Merdinger <shawnmer@gmail.com>
Date: Tue, 28 Jan 2020 19:38:30 -0500
Subject: Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable
(Security Ledger)

https://securityledger.com/2020/01/seven-years-later-scores-of-eas-systems-sit-un-patched-vulnerable/

------------------------------

Date: Sat, 1 Feb 2020 00:24:11 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Fractured Future of Browser Privacy (WiReD)

https://www.wired.com/story/chrome-firefox-edge-browser-privacy/

------------------------------

Date: Sat, 1 Feb 2020 16:32:03 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: NYTimes: How Chaos at Chain Pharmacies Is Putting Patients at Risk
(NYTimes)

https://www.nytimes.com/2020/01/31/health/pharmacists-medication-errors.html

------------------------------

Date: Mon, 3 Feb 2020 09:52:36 -0500
From: Monty Solomon <monty@roscom.com>
Subject: IKEA Promises New Data Controls for Consumers (WSJ)

https://www.wsj.com/articles/ikea-promises-new-data-controls-for-consumers-11580383800

------------------------------

Date: Sat, 1 Feb 2020 11:28:10 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Facebook shows you how it stalks you. Here are the privacy settings
to change. (WashPost)

The new ’Off-Facebook Activity' tool, available around the world Tuesday, reminds us we're living in a reality TV program where we forget the cameras
are always on. Here are the privacy settings to change right now.

https://www.washingtonpost.com/technology/2020/01/28/off-facebook-activity-page/

------------------------------

Date: Mon, 3 Feb 2020 22:29:39 -0500
From: "R. G. Newbury" <newbury@mandamus.org>
Subject: Re: Boeing 737s can't land facing west (RISKS-31.54)

As a first guess, I would suspect that somewhere in the code, there is a conversion from polar to rectangular reference frames (or vice versa) and
X=r * cos(theta) with theta=270 give zero and either a 'NAN' or divide by
zero error crashes the program.

You would need that sort of calculation to find the rhumb and distance,
knowing the lat/long of the present and destination positions. 'X' is the Difference of Latitude in miles (Y is the Departure).

Using GPS you know the present and destination positions, but the pilot
wants to know 'how far' and 'what direction'. The calculations will be done using true and then, if desired, corrected to magnetic bearings.

[John Stockton noted:
Tangent of 270 degrees (and of 90 degrees) is numerically dangerous, each
being, so to speak, +- infinity.
Perhaps, to the accuracy of the arithmetic, those 7 runways are EXACTLY 270
degrees true, and others are only *nearly* 270 degrees true.]

[PGN noted that this should remind some of us old-timers of the joke about
the plane that crashed because all the Poles in the Left Half (of the)
Plane. PGN]

------------------------------

Date: 4 Feb 2020 17:07:51 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: Should Automakers Be Responsible for Accidents?

Automaker enterprise liability would have useful incentives that driver liability law misses. https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf

I can hardly wait:

"Sorry, sir, you've had three moving violations so we'll have to ask
you to leave the showroom now."

------------------------------

Date: 4 Feb 2020 17:15:43 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: Election Security At The Chip Level (SemiEngineering via
Goldberg, RISKS-31.54)

The comments on this article are much better than the article. They say
that voting electronically is a well known bad idea, so stop.

Elections have a unique security model: You need a reliable list of who
voted, you need a reliable list of who or what they voted for, and you need
to be confident there's no way to link those two lists. Nothing else works that way.

That's why even though voting machines may look like ATMs, an ATM is a
dreadful model to use since with ATMs, the bank has full knowledge of all of the details of every transaction, e.g., when you were there, who you are,
what you did, how much money it dispensed, all linked together.

As has been pointed out too many times, paper ballots dropped into a box,
along with observers to ensure that only people on the voter list got to
vote, satisfy the model quite well. If you want to have machines scan and count the ballots, that's fine, but the paper ballots are the actual record.

------------------------------

Date: Tue, 4 Feb 2020 17:27:21 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Re: Election Security At The Chip Level (RISKS-31.54)

ATMs -- maybe only one "advantage": they have your PICTURE, proving
identity, thanks to ubiquitous security camera. Of course, voter ID laws
head in that direction introducing another gaggle of problems while solving
a non-problem.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.56
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)