    RISKS-LIST: Risks-Forum Digest Sunday 15 March 2020 Volume 31 : Issue 61

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.61>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [WAY BACKLOGGED!!!]
    A lawsuit against ICE reveals the danger of government-by-algorithm
    (WashPost)
    This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years
    (PTSecurity)
    How the Cloud Has Opened Doors for Hackers (WashPost)
    Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (WiReD)
    Before Clearview Became a Police Tool, It Was a Secret Plaything of the Rich
    (The New York Times)
    How Hackers and Spies Could Sabotage the Coronavirus Fight
    (Bruce Schneier and Margaret Bourdeaux, Foreign Policy)
    Cybersecurity label for smart home devices (The Straits Times)
    South Korea warns when potential virus carriers are near (BBC)
    COVID-19, toilet paper, hoarding, and emergency preparedness (Rob Slade)
    U.S. Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus
    Group (Treasury via geoff goodfellow)
    Black Market White Washing -- Why You Shouldn't Take Legal Advice From
    Criminals (Disruptive Labs)
    Can YouTube Quiet Its Conspiracy Theorists? (NYTimes)
    Risks of publishing web browser screenshots (MarketWatch)
    China's Geely invests $326M to build satellites for autonomous cars
    (Reuters)
    Congress Must Stop the Graham-Blumenthal Anti-Security Bill (Gabe Goldberg)
    Empty Promises Won't Save the .ORG Takeover (EFF)
    How to clean up the mess we've made that's orbiting the Earth (The Hill)
    How fake audio, such as deepfakes, could plague business, politics
    (Bakersfield)
    Ransomware Attacks Prompt Tough Question for Local Officials: To Pay or
    Not to Pay? (Pew)
    Through apps, not warrants, Locate X allows federal law enforcement to track
    phones (Protocol)
    A hybrid AI model lets it reason about the world's physics like a child
    (MIT Tech Review)
    This Satellite Startup Raised $110 Million To Make Your Cellphone Work
    Everywhere (Forbes)
    Your smartphone is dirtier than a toilet seat. Here's how to disinfect it.
    (Mashable)
    PCI Fireside Chat: Vint Cerf and Ian Bremmer (The Unstable Globe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 6 Mar 2020 15:07:46 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: A lawsuit against ICE reveals the danger of
    government-by-algorithm (The Washington Post)

    https://www.washingtonpost.com/outlook/2020/03/05/lawsuit-against-ice-reveals-danger-government-by-algorithm/

    ``The immigration agency's New York office tweaked risk-evaluation software
    to keep thousands in jail, watchdog groups say.''

    ------------------------------

    Date: Fri, 6 Mar 2020 11:45:14 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years
    (PTSecurity)

    All Intel processors released in the past 5 years contain an unpatchable
    vulnerability that could allow hackers to compromise almost every
    hardware-enabled security technology that is otherwise designed to shield
    sensitive data of users even when a system gets compromised.

    The vulnerability, tracked as CVE-2019-0090, resides in the hard-coded
    firmware running on the ROM (read-only memory) of the Intel's Converged Security and Management Engine (CSME), which can't be patched without
    replacing the silicon.

    Intel CSME is a separate security micro-controller incorporated into the
    processors that provides an isolated execution environment protected from
    the host operating system running on the main CPU.

    It is responsible for the initial authentication of Intel-based systems by loading and verifying firmware components, root of trust based secure boot,
    and also cryptographically authenticates the BIOS, Microsoft System Guard, BitLocker, and other security features.

    Although this insufficient access control vulnerability is not new and was previously patched by Intel last year when the company described it just as
    a privilege escalation and arbitrary code execution in Intel CSME firmware modules, the extent of the flaw remained undervalued.

    Researchers at Positive Technologies have now found that the issue can also
    be exploited to recover the Chipset Key, a root cryptographic key or sort of
    a master password that could help unlock and compromise a chain of trust for other security technologies, including digital rights management (DRM), firmware Trusted Platform Module (TPM), and Identity Protection Technology (IPT). <https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html#more>

    That means the flaw could be exploited to extract data from encrypted hard-drives and to bypass DRM protections and access copyright-protected digital content. [...]

    https://thehackernews.com/2020/03/intel-csme-vulnerability.html

    ------------------------------

    Date: Wed, 4 Mar 2020 11:53:53 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: How the Cloud Has Opened Doors for Hackers (WashPost)

    Craig S. Smith, *The Washington Post*, 2 Mar 2020
    via ACM TechNews; Wednesday, March 4, 2020

    Corporate transfers of operations to the cloud have elevated the threat of hacking, as the cloud can be accessed remotely with ease. Manav Mital, co-founder of cloud security startup Cryal, said cloud companies manage the upkeep and security of physical servers, but client requirements for ease of access have spawned new apps and databases, and increasingly complex
    services that are difficult to manage and monitor. Although companies still shield private data behind firewalls and other security measures, more
    people and programs require access to data in the cloud, making it easier
    for bad actors to find potential vulnerabilities. The Ponemon Institute
    estimated that cloud breaches cost each individual company $3.92 million on
    average. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-24260x220c61x069057&

    ------------------------------

    Date: Fri, 6 Mar 2020 11:19:24 -0500
    From: Gabe Goldberg <ggoldberg@apcug.org>
    Subject: Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys (WiReD)

    Encryption flaws in a common anti-theft feature expose vehicles from major manufacturers.

    Even so, the researchers say that they decided to publish their findings to reveal the real state of immobilizer security and allow car owners to decide for themselves if it's enough. Protective car owners with hackable
    immobilizers might decide, for instance, to use a steering wheel lock.
    ``It's better to be in a place where we know what kind of security we're getting from our security devices. Otherwise, only the criminals know.'' [Garcia quoted]

    https://www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/

    That paragraph -- last in article -- is ridiculous. I once put steering
    wheel lock on a borrowed car, then realized owner hadn't given me key for
    it. Locksmith took about two minutes to pick the lock -- not needing to cut
    it off -- saying that with practice anyone can do that.

    ------------------------------

    Date: Fri, 6 Mar 2020 11:39:15 -0500
    From: Gabe Goldberg <ggoldberg@apcug.org>
    Subject: Before Clearview Became a Police Tool, It Was a Secret
    Plaything of the Rich (The New York Times)

    Investors and clients of the facial recognition start-up freely used the
    app on dates and at parties -- and to spy on the public.

    https://www.nytimes.com/2020/03/05/technology/clearview-investors.html

    ------------------------------

    Date: Fri, 06 Mar 2020 17:57:30 +0100
    From: "Diego.Latella" <diego.latella@isti.cnr.it>
    Subject: How Hackers and Spies Could Sabotage the Coronavirus Fight
    (Bruce Schneier and Margaret Bourdeaux, Foreign Policy)

    https://foreignpolicy.com/2020/02/28/hackers-spies-coronavirus-espionage/

    ------------------------------

    Date: Fri, 6 Mar 2020 15:23:10 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Cybersecurity label for smart home devices (The Straits Times)

    https://www.straitstimes.com/singapore/cyber-security-label-for-smart-home-devices

    ``Market research firm Gartner has estimated that the number of IoT devices
    in use globally will grow from 8.4 billion in 2017 to 20.4 billion this
    year, with twice as many consumer installations as industrial ones. But the rules surrounding how IoT devices are designed for cybersecurity are lax, raising concerns about major privacy and security risks as such devices proliferate.''

    The `cybersecurity' label might grow larger than the device package. When,
    or if, it does switch to an alternate rating indicator: 'Stars' or
    'Smileys'?

    There's always `human error' when testing for product release readiness characteristics: performance, reliability, function, ease of use, or device security/safety for example. Latent defect escape potential elevates
    deployment exploitation risk.

    What about correlating IoT software (or hardware) component integration
    against CVEs (https://cve.mitre.org/), and using this outcome to establish a `security' or `defect' escape risk rating? Given their perfect operational record, a HAL-9000 would be ideal for this exercise.

    Risk: Inaccurate `cybersecurity label' indicators misguide consumer IoT
    product purchase decisions.
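    As an added illustration of the component-versus-CVE correlation suggested above (example code written for this digest entry, not from the poster, MITRE or any vendor; the component list, vulnerability records, placeholder CVE ids and scoring thresholds are all constructed):

```python
"""Sketch of a 'defect escape' rating for a consumer IoT device, built by
matching the device's shipped software components against a vulnerability
table. Everything below (component names, versions, CVE ids, CVSS values,
star thresholds) is constructed for illustration; the ids are placeholders,
not real CVE entries."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str

    def key(self) -> str:
        return f"{self.name}@{self.version}"


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str               # placeholder id, constructed for the example
    component: str
    fixed_in: Optional[str]   # first unaffected version; None means no fix yet
    cvss: float               # base severity, 0.0 - 10.0


@dataclass
class Label:
    stars: int                # 5 = no applicable records, 1 = worst
    score: float              # cumulative CVSS of applicable records
    matched: Dict[str, List[str]]   # component key -> applicable cve ids
    no_data: List[str]        # components the table says nothing about


def affected(comp: Component, rec: VulnRecord) -> bool:
    """A record applies when it names the component and the shipped version
    is older than the fix, or when no fixed version exists at all."""
    if comp.name != rec.component:
        return False
    if rec.fixed_in is None:
        return True
    return parse_version(comp.version) < parse_version(rec.fixed_in)


def stars_for(score: float) -> int:
    """Constructed thresholds: more cumulative severity, fewer stars."""
    for limit, stars in ((0.0, 5), (5.0, 4), (10.0, 3), (20.0, 2)):
        if score <= limit:
            return stars
    return 1


def rate_device(bom: List[Component], db: List[VulnRecord]) -> Label:
    """Correlate each shipped component with the table and roll up a label.
    A component with no record at all is reported separately as 'no data':
    absence from the table is not evidence that it is defect-free."""
    matched, no_data, score = {}, [], 0.0
    for comp in bom:
        applicable = [r for r in db if affected(comp, r)]
        matched[comp.key()] = [r.cve_id for r in applicable]
        score += sum(r.cvss for r in applicable)
        if not any(r.component == comp.name for r in db):
            no_data.append(comp.key())
    return Label(stars_for(score), round(score, 2), matched, no_data)


# Constructed sample bill of materials and vulnerability table.
SAMPLE_BOM = [
    Component("tlslib", "2.1.0"),
    Component("webui", "0.9.3"),
    Component("bootloader", "1.0.0"),
]
SAMPLE_DB = [
    VulnRecord("CVE-0000-0001", "tlslib", "2.2.0", 7.5),   # applies: 2.1.0 < 2.2.0
    VulnRecord("CVE-0000-0002", "tlslib", "2.0.5", 5.3),   # already fixed in 2.1.0
    VulnRecord("CVE-0000-0003", "webui", None, 9.8),       # unfixed: always applies
    VulnRecord("CVE-0000-0004", "netstack", "3.0.0", 6.1), # component not shipped
]

if __name__ == "__main__":
    label = rate_device(SAMPLE_BOM, SAMPLE_DB)
    print(f"rating: {label.stars} stars (cumulative CVSS {label.score})")
    for key, ids in label.matched.items():
        print(f"  {key}: {ids or 'no applicable records'}")
    print(f"  no data for: {label.no_data}")
```

    The split between "no applicable records" and "no data" is the point the post raises about latent defect escape: a label that treats an unexamined component as clean would mislead exactly the purchase decisions it is meant to inform.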

    ------------------------------

    Date: Thu, 5 Mar 2020 11:42:24 -0800
    From: Mark Thorson <eee@dialup4less.com>
    Subject: South Korea warns when potential virus carriers are near (BBC)

    And where they've been, like bars, love motels, etc. Deanonymization of the data is sometimes a trivial exercise for social media users.

    https://www.bbc.com/news/world-asia-51733145

    ``He was at his work in Mapo district attending a sexual harassment class. He contracted the virus from the instructor of the class.''

    ------------------------------

    Date: Fri, 6 Mar 2020 11:55:31 -0800
    From: Rob Slade <rmslade@shaw.ca>
    Subject: COVID-19, toilet paper, hoarding, and emergency preparedness

    Toilet paper? *Really*?

    Of course, I've seen the news stories showing streams of shoppers with carts full of toilet paper. The news stories all showed Costco, so I was hoping
    that maybe it was only Costco members who were that stupid. But, no. On my
    way home last night I stopped for some groceries and the toilet paper aisle
    in my local Save-On was pretty bare. (Not, fortunately, completely denuded,
    so my neighbours aren't completely deluded.) (And, if you're looking, the Safeway had a decent stock, albeit with some bare sections.)

    Hoarding is a particularly insidious threat. It's hard to protect against. Unless you're going to ration, how do you tell people what (and how much)
    they can and cannot buy? (Yes, I know. Rationing smacks of socialism, or
    some other type of non-or-anti-capitalist system. But hoarding is the
    inherent weakness of capitalism: unrestricted, capitalism tends to
    concentrate capital, which then becomes useless.) Now, we are not only
    faced with the coronavirus, but with the COVID-19 toilet paper meme virus. People see that there is a run on, or shortage of, toilet paper, so they run out and drive around (wasting gas) trying to buy toilet paper. Creating a shortage of toilet paper.

    (It's particularly galling here in BC. We have trees. We make toilet
    paper. By the ton.)

    Why toilet paper? I mean, I defer to no one in my admiration for the stuff.
    It is one of the marvels of the modern age. (Toilet paper, and the
    Internet.) It has lots of uses besides that originally intended. But it
    has no magical medicinal properties.

    Yes, I know. We, in the emergency management field, have been trying, for
    years, to get people to build emergency prep kits. Have enough supplies to
    tide you over for three days. Or seven days. Or, in this case, two weeks.
    Fine. I get it. But do you know how much toilet paper you use in two
    weeks? You don't need to clear out stores.

    (I have noticed gaps in the canned beans section, and also in the soup
    aisle. Although, for some reason, Campbell's Chunky soups are completely stocked. Personally, I *like* chunky soups ...)

    And, if you are going to build an emergency prep kit, *during* an emergency
    is not the time to do it. You have to put some thought into it. How much toilet paper do you use in a week? How much soup do you eat in a week?
    *Do* you eat soup? Yes, I advise you to build an emergency prep kit. But *build* one. Don't just rush out and buy toilet paper.

    Besides, COVID-19 is not going to be the type of `stock up on water and
    canned beans' type of regional disaster. You will still be able to get
    Amazon to deliver toilet paper to you if you get sick and have absolutely no
    friends in all the world to take care of you. (They may want to drop it and
    run, and you may have to keep watch on your
    Ring-camera-that-is-insecure-because-you-haven't-changed-the-default-password-have-you
    to prevent doorstep thieves from stealing your toilet paper, but they will deliver.)
    (So, by the way, will Save-On.) Travel is going to be a problem, and stocks may be a problem, and there may be lots of other problems. But toilet paper
    is not going to be a problem. Unless people hoard it.

    ------------------------------

    Date: Tue, 3 Mar 2020 13:36:10 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: U.S. Treasury Sanctions Individuals Laundering Cryptocurrency for
    Lazarus Group

    EXCERPT:

    The U.S. Department of the Treasury's Office of Foreign Assets Control
    (OFAC) today sanctioned two Chinese nationals involved in laundering stolen cryptocurrency from a 2018 cyber-intrusion against a cryptocurrency
    exchange. This cyber-intrusion is linked to Lazarus Group, a U.S.-designated North Korean state-sponsored malicious cybergroup. Specifically, OFAC is designating Tian Yinyin (Tian) and Li Jiadong (Li), for having materially assisted, sponsored, or provided financial, material, or technological
    support for, or goods or services to or in support of, a malicious cyber-enabled activity. Tian and Li are also being designated for having materially assisted, sponsored or provided financial, material, or technological support for, or goods or services to or in support of, Lazarus Group.

    ``The North Korean regime has continued its widespread campaign of extensive cyber-attacks on financial institutions to steal funds. The United States
    will continue to protect the global financial system by holding accountable those who help North Korea engage in cybercrime.'' (Secretary Steven
    T. Mnuchin)

    *Tian and Li's Activities*

    The Democratic People's Republic of Korea (DPRK) trains cyber-actors to
    target and launder stolen funds from financial institutions. Tian and Li received from DPRK-controlled accounts approximately $91 million stolen in
    an April 2018 hack of a cryptocurrency exchange (referred to hereinafter as *the exchange*), as well as an additional $9.5 million from a hack of
    another exchange. Tian and Li transferred the currency among addresses they held, obfuscating the origin of the funds.

    In April 2018, an employee of the exchange unwittingly downloaded DPRK-attributed malware through an email, which gave malicious cyber-actors remote access to the exchange and unauthorized access to customers' personal information, such as private keys used to access virtual currency wallets stored on the exchange's servers. Lazarus Group cyber-actors used the
    private keys to steal virtual currencies ($250 million dollar equivalent at date of theft) from this exchange, accounting for nearly half of the DPRK's estimated virtual currency heists that year.

    Tian ultimately moved the equivalent of more than $34 million of these
    illicit funds through a newly added bank account linked to his exchange account. Tian also transferred nearly $1.4 million dollars' worth of
    Bitcoin into prepaid Apple iTunes gift cards, which at certain exchanges
    can be used for the purchase of additional Bitcoin. [...]

    https://home.treasury.gov/news/press-releases/sm924

    ------------------------------

    Date: Tue, 3 Mar 2020 13:35:36 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Black Market White Washing -- Why You Shouldn't Take Legal
    Advice From Criminals (Disruptive Labs)

    Fraudsters who operate shops in criminal marketplaces are constantly
    massaging their marketing pitches to assure prospective customers (and
    lurking law enforcement) that their service is legal. It's become clear recently that some infosec professionals can't seem to identify these
    services as bad, so these marketing efforts may have succeeded for one audience.

    That is what happened recently when WeLeakInfo was taken down and a number
    of infosec people expressed shock and dismay that their favorite OSINT tool
    was gone. This isn't the first time a password shop was taken down, but this one was unusually successful at whitewashing its origins in fraud and, disturbingly, some professionals seemed either unaware of this or did not
    care. Some even recommended the site, or a competitor, to their industry
    peers. Those professionals risk financing the same criminal gangs they are
    paid to stop.

    A number of other cybercrime tools have attempted to make their way into mainstream use, with mixed success.

    DDOS-FOR-HIRE AND THE TOS FIGLEAF

    One example is *booter* AKA *network stresser* services. These services were
    sold on criminal marketplaces as a way to knock video game opponents offline
    with DDoS attacks. Despite a business model obviously centered around abuse
    -- shown both in advertisements and target demographic -- booter owners
    believed they had an ace up their sleeve. Their ToS informed users that the
    booter was ``for legal purposes only'', as a sort of legal figleaf. Under
    this speculative legal theory which was copied by nearly every vendor,
    booter owners assured their customers that the service was entirely legal
    and safe to use.

    To quote the FBI in a 2018 indictment against a booter service named *Downthem*. [...]

    https://labs.unit221b.com/2020/03/03/black-market/

    ------------------------------

    Date: Wed, 4 Mar 2020 11:53:53 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Can YouTube Quiet Its Conspiracy Theorists? (NYTimes)

    Jack Nicas, *The New York Times*, 2 Mar 2020
    via ACM TechNews; Wednesday, March 4, 2020

    University of California, Berkeley (UC Berkeley) researchers found that
    while YouTube has reduced how often its algorithm recommends conspiracy theory-related videos, its progress in dealing with conspiracy theories has been uneven, and the service still promotes certain types of fictional
    stories. The study examined 8 million recommendations by the video-sharing
    platform over a 15-month period and found that while YouTube has almost
    completely removed some conspiracy theories from its recommendations, other
    falsehoods continue to flourish. Said UC Berkeley's Hany Farid, ``It is a
    technological problem, but it is really at the end of the day also a policy
    problem. ... If you have the ability to essentially drive some of the
    particularly problematic content close to zero, well then you can do more on
    lots of things.'' https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-24260x220c68x069057&

    ------------------------------

    Date: Thu, 5 Mar 2020 13:39:53 -0500
    From: David Tarabar <dtarabar@acm.org>
    Subject: Risks of publishing web browser screenshots (MarketWatch)

    A Fox News analyst posted a web browser screenshot on Twitter. The
    screenshot displayed the intended political info. It also displayed browser tabs of websites that had been previously visited - including
    *Sexy Vixen Vinyl*.

    https://www.marketwatch.com/story/fox-news-analyst-brit-humes-morning-internet-session-politics-stock-market-coronavirus-and-uh-sexy-vixen-vinyl-2020-03-03

    ------------------------------

    Date: Tue, 3 Mar 2020 13:38:06 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: China's Geely invests $326M to build satellites for autonomous
    cars (Reuters)

    China's Zhejiang Geely Holding Group said on Tuesday it was investing 2.27 billion yuan ($326 million) in a new satellite manufacturing plant, where it plans to build low-orbit satellites to provide more accurate data for self-driving cars.

    Geely, one of China's most internationally-known companies due to its investments in Daimler, Volvo and Proton, is building the facilities in Taizhou, where it has car plants. *It aims to produce 500 satellites a year
    by around 2025*, with around 300 highly-skilled staff, it said in a
    statement.

    Geely's technology development arm, Geely Technology Group, launched
    Geespace to research, launch, and operate low-orbit satellites in 2018.
    [...]

    https://www.reuters.com/article/geely-china-satellite-autonomous/chinas-geely-invests-326-mln-to-build-satellites-for-autonomous-cars-idUSL4N2AV45H

    ------------------------------

    Date: Wed, 04 Mar 2020 04:58:21 +0000 (UTC)
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Congress Must Stop the Graham-Blumenthal Anti-Security Bill

    There's a new and serious threat to both free speech and security
    online. Under a draft bill that Bloomberg recently leaked, the Attorney
    General could unilaterally dictate how online platforms and services must operate. If those companies don't follow the Attorney General's rules, they could be on the hook for millions of dollars in civil damages and even state criminal penalties.

    The bill, known as the Eliminating Abusive and Rampant Neglect of
    Interactive Technologies (EARN IT) Act, grants sweeping powers to the
    Executive Branch. It opens the door for the government to require new
    measures to screen users' speech and even backdoors to read your private communications -- a stated goal of one of the bill's authors.

    Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) have been
    quietly circulating a draft version of EARN IT. Congress must forcefully
    reject this dangerous bill before it is introduced.

    https://u15235517.ct.sendgrid.net/

    ------------------------------


    Date: Wed, 04 Mar 2020 04:57:29 +0000 (UTC)
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Empty Promises Won't Save the .ORG Takeover
    (Electronic Frontier Foundation)

    The Internet Society's (ISOC) November announcement that it intended to sell
    the Public Interest Registry (PIR, the organization that oversees the .ORG
    domain name registry) to a private equity firm sent shockwaves through the
    global NGO sector. The announcement came just after a change to the .ORG
    registry agreement -- the agreement that outlines how the registry operator
    must run the domain -- that gives PIR significantly more power to raise
    registration fees and implement new measures to censor organizations'
    speech.

    It didn't take long for the global NGO sector to put two and two together:
    take a new agreement that gives the registry owner power to hurt NGOs;
    combine it with a new owner whose primary obligation is to its investors,
    not its users; and you have a recipe for danger for nonprofits and NGOs all over the world that rely on .ORG. Since November, over 800 organizations and 24,000 individuals from all over the world have signed an open letter urging ISOC to stop the sale of PIR. Members of Congress, UN Special Rapporteurs,
    and US state charity regulators [pdf] have raised warning flags about the
    sale.

    ------------------------------

    Date: Tue, 3 Mar 2020 13:39:08 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: How to clean up the mess we've made that's orbiting the Earth
    (The Hill)

    *One company is building a space garbage truck. But experts say it will take more than that to rid our outer atmosphere of decades of floating debris.*

    We've been shooting large metal objects into space since 1957. Satellites, rockets, space stations, missiles. So it's no wonder that a garbage truck is set to launch in 2025 to start cleaning up the mess.

    The pioneering ClearSpace <https://clearspace.today/> device is designed to
    locate, capture and remove large items that threaten to crash into the
    satellites orbiting the planet. The problem, experts say, is that there's
    probably more than 34,000 pieces of space junk larger than 10 centimeters --
    and all of it is a hazard. <https://www.esa.int/Safety_Security/Space_Debris/Space_debris_by_the_numbers>

    Orbiting at 17,000 miles per hour, these bits of metal can pierce anything
    they hit with the velocity of a bullet.

    Sure, there's a lot of space in space. Our atmosphere starts at about 62
    miles above sea level and items can continue orbiting as high as 150 miles.
    But experts agree that we must think ahead. Every year, countries and
    private companies launch a steadily increasing number of satellites and
    other equipment skyward on a collective arsenal of more than 100 rockets
    every year. [...] https://thehill.com/changing-america/sustainability/infrastructure/482336-how-do-you-take-out-the-trash-when-youre-in

    ------------------------------

    Date: Wed, 4 Mar 2020 10:21:58 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: How fake audio, such as deepfakes, could plague business, politics
    (Bakersfield)

    Fake voices generated by artificial intelligence tools may be the next
    frontier in scams that could trick companies into forking over cash or fool voters into believing a politician said something he or she didn't.

    Computer-synthesized voices are not new. Anyone familiar with Amazon's Echo
    and Google's Home devices, or Apple's Siri, already knows the soothing
    female voice that answers queries.

    But that same technology can be adapted for devious means, said Vijay Balasubramaniyan, co-founder and CEO of Pindrop, a technology company that
    uses machine-learning techniques to identify voice fraud.

    Criminals can use publicly available video and audio of top corporate executives to analyze and create a fake voice of a CEO and use that in combination with an email hack to trick the company's executives into
    sending money. Or they can apply similar tactics to make politicians appear
    to say something they never did.

    At a brief demonstration during the RSA Conference in San Francisco, Balasubramaniyan logged on to a secure company computer network that held artificial intelligence algorithms able to analyze publicly available
    YouTube video and audio of major political and business leaders and produce
    a voice file of a person saying something they had never uttered.

    Balasubramaniyan chose President Donald Trump from a drop-down menu and
    typed in the words ``This morning American forces gave North Korea the
    bloody nose they deserve.'' into a box and hit enter. [...] https://www.bakersfield.com/ap/news/how-fake-audio-such-as-deepfakes-could-plague-business-politics/article_bc6b7a55-8a15-57df-90d2-5352d3980b00.html

    ------------------------------

    Date: Thu, 5 Mar 2020 12:25:16 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Ransomware Attacks Prompt Tough Question for Local Officials: To
    Pay or Not to Pay? (Pew)

    When cybercriminals struck Lake City, Florida, last June, city officials had
    to make a tough choice: Pay the hackers or restore systems on their own.

    A ransomware attack had hijacked the government's computer network and held
    it hostage for several weeks. While the attack didn't affect the police,
    fire or financial departments, it wreaked havoc on phone lines, email,
    utility records and many other services.

    The hackers first demanded about $750,000 in bitcoin, a cryptocurrency, from the small, rural city to give it back control of its network.

    The city tried to recover the data on its own, City Manager Joseph
    Helfenberger recalled, but that failed. Its insurance company negotiated
    with the hackers and got the ransom down to about $470,000. It recommended paying, and officials figured that was the best option because the city
    would have to cover only the $10,000 deductible. ``This is not a rich community. They can't afford to spend money they don't have. You have to
    look at what is going to serve the community the best.''

    There were at least 113 successful ransomware attacks on state and local governments last year, according to global cybersecurity company Emsisoft,
    and in each case, officials had to figure out how to respond. <https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/>

    Some states have passed laws to target cybercriminals who deploy ransomware, but prosecutors have rarely used them. And local officials often are left vulnerable.

    In Baltimore last May, hackers crippled thousands of computers, then
    demanded a ransom of about $76,000 in bitcoin. Democratic Mayor Bernard C. `Jack' Young refused to pay. Workers were unable to access online accounts
    and payment systems for weeks.

    The attack ended up costing the city at least $18 million -- a combination
    of lost or delayed revenue and the expense of restoring systems. Young said
    in a statement last June that the FBI advised the city not to pay, and that
    it was ``just not the way we operate. ... We won't reward criminal
    behavior.'' The mayor's office did not respond to *Stateline* requests for comment. <https://twitter.com/mayorbcyoung/status/1136377418325864448>

    Baltimore and Lake City aren't alone. The majority of publicized ransomware attacks in the United States last year targeted local governments, according
    to a recent report by the National Governors Association and the National Association of State Chief Information Officers. <https://www.nga.org/center/publications/hsps-publications/stronger-together-state-and-local-cybersecurity-collaboration/>

    Yet no one knows how many local and state governments have been hit by a ransomware attack. There is no national clearinghouse that collects all that information. Nor is every attack publicly reported. The FBI, which tracks national crime data, couldn't be reached for comment before publication.
    [...]

    https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2020/03/03/ransomware-attacks-prompt-tough-question-for-local-officials-to-pay-or-not-to-pay

    ------------------------------

    Date: Thu, 5 Mar 2020 12:26:12 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Through apps, not warrants, Locate X allows federal law enforcement
    to track phones (Protocol)

    *Federal agencies have big contracts with Virginia-based Babel Street. Depending on where you've traveled, your movements may be in the company's data.*

    U.S. law enforcement agencies signed millions of dollars worth of contracts with a Virginia company after it rolled out a powerful tool that uses data
    from popular mobile apps to track the movement of people's cell phones, according to federal contracting records and six people familiar with the software.

    The product, called Locate X and sold by Babel Street <https://www.babelstreet.com/>, allows investigators to draw a digital
    fence around an address or area, pinpoint mobile devices that were within
    that area, and see where else those devices have traveled, going back
    months, the sources told Protocol.

    They said the tool tracks the location of devices anonymously, using data
    that popular cell phone apps collect to enable features like mapping or targeted ads, or simply to sell it on to data brokers.

    Babel Street has kept Locate X a secret, not mentioning it in public-facing marketing materials and stipulating in federal contracts that even the existence of the data is *confidential information*. Locate X must be
    ``used for internal research purposes only,'' according to terms of use distributed to agencies, and law enforcement authorities are forbidden from using the technology as evidence -- or mentioning it at all -- in legal proceedings. <https://www.gsaadvantage.gov/ref_text/47QTCA18D0081/0V3LLR.3QTYM6_47QTCA18D0081_EISGSA2TERMS.PDF>

    Federal records show that U.S. Customs and Border Protection purchased

    [continued in next message]
