Risks Digest 31.62 (2/2)

    From RISKS List Owner@21:1/5 to All on Sat Mar 21 17:42:39 2020
    [continued from previous message]

    From: Richard Stein <rmstein@ieee.org>
    Subject: H.R. 5680, Cybersecurity Vulnerability Identification and
    Notification Act of 2020 (Congressional Budget Office)

    https://www.cbo.gov/publication/56198

    The pending legislation would impose fines on businesses that do not satisfy CISA (Cyber Infrastructure Security Agency) hygiene criteria.

    "ISPs that do not comply with subpoenas could be subject to civil and criminal penalties; therefore, the government might collect additional fines under the legislation."

    Let's see... ~122M Internet domains registered in the U.S. currently (https://www.registrarowl.com/report_domains_by_country.php). Suppose a US $1000 penalty per violation? Might wipe out the U.S. budget deficit eventually.

    ------------------------------

    Date: Tue, 10 Mar 2020 18:20:04 +0100
    From: Peter Houppermans <not.for.spam@houppermans.net>
    Subject: Whisper left sensitive user data exposed online (WashPost)

    https://www.washingtonpost.com/technology/2020/03/10/secret-sharing-app-whisper-left-users-locations-fetishes-exposed-web/

    "Whisper, the secret-sharing app that called itself the *safest place on the Internet*, left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed. The data exposure, discovered by independent researchers and shown to *The Washington Post*, allowed anyone to access all of the location data and other information tied to anonymous *whispers* posted to the popular social app, which has claimed hundreds of millions of users. The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results."

    It apparently took until *The Washington Post* contacted them for this to go offline, but that could just be a matter of parallel events as specialists had already given them a heads up. However, being contacted by the PRESS that you're busy leaking secrets strikes me as a near worst case scenario for such a company.

    ------------------------------

    Date: Fri, 06 Mar 2020 22:08:38 -0500
    From: David Lesher <wb8foz@8es.com>
    Subject: As the U.S. spied on the world, the CIA and NSA bickered (WashPost)

    [Re: The Intelligence Coup of the Century (RISKS-31.58)]

    Greg Miller, *The Washington Post*, 6 Mar 2020

    As the U.S. spied on the world, the CIA and NSA bickered <https://www.washingtonpost.com/national-security/as-the-us-spied-on-the-world-the-cia-and-nsa-bickered/2020/03/06/630a4e72-5365-11ea-b119-4faabac6674f_story.html>

    U.S. spy agencies were on the verge of an espionage breakthrough, closing in on the clandestine purchase of a Swiss company that could give American intelligence the ability to crack much of the world's encrypted communications.

    But the deal fell apart, done in by one of many behind-the-scenes battles between the CIA and the National Security Agency detailed in classified documents tracing one of the most remarkable intelligence operations in American history. [...]

    ------------------------------

    Date: Fri, 6 Mar 2020 16:39:01 -0600
    From: Dmitri Maziuk <dmaziuk@bmrb.wisc.edu>
    Subject: Re: Mysterious GPS outages are wracking the shipping industry
    (RISKS-31.60)

    I'm not saying that losing your GPS-based navigation is trivial, but any ocean-going vessel and its crew should already be equipped to at least have a reasonable chance of avoiding a navigation-related catastrophe.

    Gotta wonder what's "reasonable" for a supertanker the size of three WWII aircraft carriers, with a crew of six.

    ------------------------------

    Date: 6 Mar 2020 21:24:56 -0500
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: ElectionGuard (Lite via Rob Slade)

    The paper record goes into a ballot box, so they can count the paper ballots to check the software count. You can't let people take home a record of how they voted, since that enables vote buying.*

    Other than the buzzword factor, I'm trying to figure out what advantage this very complex scheme has over an off-the-shelf system where voters hand mark paper ballots and drop them in a ballot box. You can get computerized ballot boxes that count the ballots as they're dropped in the box if for some reason you believe it would be a problem to wait for the result while people hand-count them. That's what we use here in N.Y.

    * - We leave as an exercise for the reader whether it's really a good idea to do all absentee voting as Oregon does.

    [It seems like a lesser of weevils, as everything else may be worse. PGN]

    ------------------------------

    Date: Tue, 10 Mar 2020 09:20:42 +0200
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: What to do about artificially intelligent government (RISKS-31.60)

    The main risk is that instead of using AI just to flag special cases, to be decided by a human being later, decision makers would incorporate such AI systems into the process and (as usually happens) rely on them blindly. It's the old "Our computer says this must be so!" -- except that now, it's an *intelligent* computer...

    ------------------------------

    Date: 6 Mar 2020 21:32:17 -0500
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: 911 operators couldn't trace the location of a dying student's
    phone. (Stein, RISKS-31.60)

    Subsequent reports said that the student had a Chinese phone roaming from
    his Chinese carrier, and the phone probably didn't have the location
    hardware that US phones do.

    https://www.timesunion.com/news/article/RPI-student-killed-by-flu-called-911-but-rescuers-15068290.php

    [Roger that, John. Wonder if there should be a standardized 'soft'
    GSM/CDMA emulation of h/w location discovery? If there was, it'd probably
    be full of holes. Nothing like a keyed and registered GPS locater to
    enable surveillance, I guess. RS]

    ------------------------------

    Date: Tue, 10 Mar 2020 09:29:40 +0200
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Risks of Leap Years and Dumb Digital Watches (RISKS-31.60)

    It's most likely that the `smarter' watch types that track the year insert 29 Feb on years divisible by 4 (which in the simplest form requires just looking at the lower 2 bits of the year number). These are going to fail on 1 Mar 2100 (and 2200, 2300)! [Just another reminder. This shows up in RISKS more often than every now and then. PGN]
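    As an added illustration (not part of Amos Shapir's message or of RISKS), the low-two-bits rule described above beside the full Gregorian rule, plus a search for the first year on which a watch using the simple rule would display the wrong date:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The rule the post attributes to the simpler "year-aware" watches:
 * only the low two bits of the year are consulted. */
static bool naive_is_leap(uint32_t year)
{
    return (year & 3u) == 0;
}

/* Full Gregorian rule: every 4th year is leap, except century years,
 * except every 400th year (2000 and 2400 are leap; 2100, 2200, 2300 are not). */
static bool gregorian_is_leap(uint32_t year)
{
    return (year % 4 == 0) && (year % 100 != 0 || year % 400 == 0);
}

/* Date shown on the day after 28 Feb of `year` under the given leap rule,
 * encoded as month * 100 + day: 229 for 29 Feb, 301 for 1 Mar. */
static unsigned day_after_feb28(bool (*is_leap)(uint32_t), uint32_t year)
{
    return is_leap(year) ? 229u : 301u;
}

/* First year >= `from` on which the naive rule and the calendar disagree,
 * i.e. the first date the simple watch gets wrong. */
static uint32_t first_divergence_year(uint32_t from)
{
    uint32_t y = from;
    while (naive_is_leap(y) == gregorian_is_leap(y))
        y++;
    return y;
}

int main(void)
{
    uint32_t y = first_divergence_year(2020);
    printf("naive watch first goes wrong in %u: it shows %u, the calendar says %u\n",
           (unsigned)y,
           day_after_feb28(naive_is_leap, y),
           day_after_feb28(gregorian_is_leap, y));
    return 0;
}
```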

    ------------------------------

    Date: Mon, 9 Mar 2020 11:59:45 +0100
    From: Terje Mathisen <terje.mathisen@tmsw.no>
    Subject: Re: Risks of Leap Years and Dumb Digital Watches (RISKS-31.60)

    [3] have the kind that needs to be set back a day because (unlike the smarter types that track the year or receive information from external sources) it went directly from February 28 to March 1;

    nope:

    I've been part of the NTP Hackers team for ~25 years and for the last 10+ of those I have exclusively used Garmin Forerunner watches which have enough intelligence to do this right, as well as using the GPS network to keep the local time near-perfect.

    and [4] *hadn't realized it yet*?'

    That did use to happen in the old days, with the Casio watches we used to record split times, yes. :-)

    ------------------------------

    Date: Mon, 9 Mar 2020 15:00:35 -0500
    From: Bob Wilson <wilson@math.wisc.edu>
    Subject: Re: Risks of Leap Years ...., and depending on WWVB

    Last Saturday night (for most practical purposes) I checked my digital watch (which listens to WWVB for accurate time/date information) at what was still eight minutes after midnight at my house. The watch had, at midnight, checked in and apparently got a good signal. But it had already "leaped" forward, so it said 1:08 and had the date (which was correct) as 8 Mar. But of course the time was not legally supposed to go forward until 2:00 AM by my local time (CST, becoming CDT).

    I am wondering if that is a defect in the watch's firmware, or did WWVB send out an incorrect time signal? I have trusted WWV, with or without the B, for almost seven decades now, and I think I would rather blame the watch manufacturer than NIST. (Which I will probably be still calling NBS for as long as I am listening!)

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.62
    ************************
