From: Richard Stein <rmstein@ieee.org>
Subject: H.R. 5680, Cybersecurity Vulnerability Identification and
Notification Act of 2020 (Congressional Budget Office)
https://www.cbo.gov/publication/56198
The pending legislation would impose fines on businesses that do not satisfy CISA (Cyber Infrastructure Security Agency) hygiene criteria.
"ISPs that do not comply with subpoenas could be subject to civil and
criminal penalties; therefore, the government might collect additional fines under the legislation."
Let's see... ~122M Internet domains registered in the U.S. currently
(https://www.registrarowl.com/report_domains_by_country.php). Suppose a
US $1000 penalty per violation? Might wipe out the U.S. budget deficit
eventually.
------------------------------
Date: Tue, 10 Mar 2020 18:20:04 +0100
From: Peter Houppermans <not.for.spam@houppermans.net>
Subject: Whisper left sensitive user data exposed online (WashPost)
https://www.washingtonpost.com/technology/2020/03/10/secret-sharing-app-whisper-left-users-locations-fetishes-exposed-web/
"Whisper, the secret-sharing app that called itself the *safest place on the Internet*, left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or
blackmailed. The data exposure, discovered by independent researchers and shown to *The Washington Post*, allowed anyone to access all of the location data and other information tied to anonymous *whispers* posted to the
popular social app, which has claimed hundreds of millions of users. The records were viewable on a non-password-protected database open to the
public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results."
It apparently took until *The Washington Post* contacted them for this to go offline, but that could just be a matter of parallel events as specialists
had already given them a heads up. However, being contacted by the PRESS
that you're busy leaking secrets strikes me as a near worst case scenario
for such a company.
------------------------------
Date: Fri, 06 Mar 2020 22:08:38 -0500
From: David Lesher <wb8foz@8es.com>
Subject: As the U.S. spied on the world, the CIA and NSA bickered (WashPost)
[Re: The Intelligence Coup of the Century (RISKS-31.58)]
Greg Miller, *The Washington Post*, 6 Mar 2020
As the U.S. spied on the world, the CIA and NSA bickered
<https://www.washingtonpost.com/national-security/as-the-us-spied-on-the-world-the-cia-and-nsa-bickered/2020/03/06/630a4e72-5365-11ea-b119-4faabac6674f_story.html>
U.S. spy agencies were on the verge of an espionage breakthrough, closing in
on the clandestine purchase of a Swiss company that could give American intelligence the ability to crack much of the world's encrypted
communications.
But the deal fell apart, done in by one of many behind-the-scenes battles between the CIA and the National Security Agency detailed in classified documents tracing one of the most remarkable intelligence operations in American history. [...]
------------------------------
Date: Fri, 6 Mar 2020 16:39:01 -0600
From: Dmitri Maziuk <dmaziuk@bmrb.wisc.edu>
Subject: Re: Mysterious GPS outages are wracking the shipping industry
(RISKS-31.60)
I'm not saying that losing your GPS-based navigation is trivial, but any ocean-going vessel and its crew should already be equipped to at least have
a reasonable chance of avoiding a navigation-related catastrophe.
Gotta wonder what's "reasonable" for a supertanker the size of three WWII
aircraft carriers, with a crew of six.
------------------------------
Date: 6 Mar 2020 21:24:56 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: ElectionGuard (Lite via Rob Slade)
The paper record goes into a ballot box, so they can count the paper ballots
to check the software count. You can't let people take home a record of how they voted, since that enables vote buying.*
Other than the buzzword factor, I'm trying to figure out what advantage this very complex scheme has over an off the shelf system where voters hand mark paper ballots and drop them in a ballot box. You can get computerized
ballot boxes that count the ballots as they're dropped in the box if for
some reason you believe it would be a problem to wait for the result while people hand-count them. That's what we use here in N.Y.
* - We leave as an exercise for the reader whether it's really a good
idea to do all absentee voting as Oregon does.
[It seems like a lesser of weevils, as everything else may be worse. PGN]
------------------------------
Date: Tue, 10 Mar 2020 09:20:42 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: What to do about artificially intelligent government (RISKS-31.60)
The main risk is that instead of using AI just to flag special cases, to be decided by a human being later, decision makers would incorporate such AI systems into the process and (as usually happens) rely on them blindly.
It's the old "Our computer says this must be so!" -- except that now, it's
an *intelligent* computer...
------------------------------
Date: 6 Mar 2020 21:32:17 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: 911 operators couldn't trace the location of a dying student's
phone. (Stein, RISKS-31.60)
Subsequent reports said that the student had a Chinese phone roaming from
his Chinese carrier, and the phone probably didn't have the location
hardware that US phones do.
https://www.timesunion.com/news/article/RPI-student-killed-by-flu-called-911-but-rescuers-15068290.php
[Roger that, John. Wonder if there should be a standardized 'soft'
GSM/CDMA emulation of h/w location discovery? If there was, it'd probably
be full of holes. Nothing like a keyed and registered GPS locater to
enable surveillance, I guess. RS]
------------------------------
Date: Tue, 10 Mar 2020 09:29:40 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Risks of Leap Years and Dumb Digital Watches (RISKS-31.60)
It's most likely that the `smarter' watch types that track the year, insert
29 Feb on years divisible by 4 (which in the simplest form, requires just looking at the lower 2 bits of the year number). These are going to fail on
1 Mar 2100 (and 2200, 2300)! [Just another reminder. This shows up in
RISKS more often than every now and then. PGN]
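As an added illustration (not part of the post above, and not code from any watch vendor), here is a small C model of the two rules: the hypothetical "dumb watch" that tests only the low two bits of the year, and the full Gregorian rule. Stepping both from 28 Feb shows the watch inserting a phantom 29 Feb in 2100, 2200 and 2300 while agreeing with the calendar in 2000, 2020 and 2400.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical "dumb watch" rule: leap year when the low two bits are zero,
 * i.e. year % 4 == 0, the simplest form the post describes. */
static bool leap_low_two_bits(int year) {
    return (year & 3) == 0;
}

/* Full Gregorian rule: divisible by 4, except centuries, unless divisible by 400. */
static bool leap_gregorian(int year) {
    return (year % 4 == 0 && year % 100 != 0) || (year % 400 == 0);
}

/* Days in a month under a given leap-year rule. */
static int days_in_month(int year, int month, bool (*is_leap)(int)) {
    static const int days[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    if (month == 2 && is_leap(year)) return 29;
    return days[month - 1];
}

typedef struct { int y, m, d; } date_t;

/* Advance a date by one day, as a watch does at midnight. */
static date_t next_day(date_t dt, bool (*is_leap)(int)) {
    if (dt.d < days_in_month(dt.y, dt.m, is_leap)) { dt.d++; return dt; }
    dt.d = 1;
    if (dt.m < 12) { dt.m++; return dt; }
    dt.m = 1; dt.y++;
    return dt;
}

/* True when the two rules disagree about the day after 28 Feb of `year`,
 * i.e. the watch shows a 29 Feb that the calendar does not have. */
static bool watch_date_drifts(int year) {
    date_t feb28 = { year, 2, 28 };
    date_t a = next_day(feb28, leap_low_two_bits);
    date_t b = next_day(feb28, leap_gregorian);
    return a.m != b.m || a.d != b.d;
}

int main(void) {
    const int years[] = {2000, 2020, 2100, 2200, 2300, 2400};
    for (size_t i = 0; i < sizeof years / sizeof years[0]; i++) {
        date_t nd = next_day((date_t){years[i], 2, 28}, leap_low_two_bits);
        printf("%d: watch shows %02d-%02d after 28 Feb: %s\n", years[i], nd.m, nd.d,
               watch_date_drifts(years[i]) ? "one day behind from 1 Mar" : "ok");
    }
    return 0;
}
```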
------------------------------
Date: Mon, 9 Mar 2020 11:59:45 +0100
From: Terje Mathisen <terje.mathisen@tmsw.no>
Subject: Re: Risks of Leap Years and Dumb Digital Watches (RISKS-31.60)
[3] have the kind that needs to be set back a day because (unlike the
smarter types that track the year or receive information from external sources) it went directly from February 28 to March 1;
nope:
I've been part of the NTP Hackers team for ~25 years and for the last 10+ of those I have exclusively used Garmin Forerunner watches which have enough intelligence to do this right, as well as using the GPS network to keep the local time near-perfect.
and [4] *hadn't realized it yet*?'
That did use to happen in the old days, with the Casio watches we used to record split times, yes. :-)
------------------------------
Date: Mon, 9 Mar 2020 15:00:35 -0500
From: Bob Wilson <wilson@math.wisc.edu>
Subject: Re: Risks of Leap Years ...., and depending on WWVB
Last Saturday night (for most practical purposes) I checked my digital watch (which listens to WWVB for accurate time/date information) at what was still eight minutes after midnight at my house. The watch had, at midnight,
checked in and apparently got a good signal. But it had already "leaped" forward, so it said 1:08 and had the date (which was correct) as 8 Mar. But
of course the time was not legally supposed to go forward until 2:00 AM by
my local time (CST, becoming CDT).
I am wondering if that is a defect in the watch's firmware, or did WWVB send out an incorrect time signal? I have trusted WWV, with or without the B, for almost seven decades now, and I think I would rather blame the watch manufacturer than NIST. (Which I will probably be still calling NBS for as
long as I am listening!)
------------------------------
Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones:
http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 31.62
************************