Risks Digest 31.72

    From RISKS List Owner@21:1/5 to All on Sat Apr 25 16:38:55 2020
    RISKS-LIST: Risks-Forum Digest Saturday 25 April 2020 Volume 31 : Issue 72

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.72>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Zoom 5.0 update will bring much-needed security upgrades (Engadget)
    A critical iPhone and iPad bug that lurked for 8 years may be under
    active attack (Ars Technica)
    Security Vulnerability Discovered in iOS Mail App (LifeWire)
    Facebook agreed to censor posts after Vietnam slowed traffic (Reuters)
    Cox email creation policy change I'd missed! (Gabe Goldberg)
    An ESPN Commercial Hints at Advertising's Deepfake Future (NYTimes)
    Twitter Bans 5G Conspiracy Theorists From Sharing Harmful Misinformation
    (TechCrunch)
    Israel stops using phone tracking to enforce COVID-19 quarantines (Engadget)
    Internet online voting, once again (WashPost editorial)
    New York payments startup exposed millions of credit-card numbers
    (TechCrunch)
    To Understand the Medical Supply Shortage, It Helps to Know How the U.S.
    lost the lithium battery (Propublica)
    'Pandemic drone' test flights are monitoring social distancing
    (The Boston Globe)
    Coronavirus Antibody Tests: Can You Trust the Results? (NYTimes)
    Nearly 50% of Twitter Accounts Talking about Coronavirus Might Be Bots
    (Vice)
    Re: asymptomatic coronavirus (Dmitri Maziuk)
    Re: Computer Fraud and Abuse Act (Kelly Bert Manning)
    Re: Internet Usage update (Chris Drewe, Paul Edwards)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 22 Apr 2020 18:45:27 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Zoom 5.0 update will bring much-needed security upgrades (Engadget)

    https://www.engadget.com/zoom-5-update-security-privacy-154453587.html

    ------------------------------

    Date: Wed, 22 Apr 2020 19:02:21 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: A critical iPhone and iPad bug that lurked for 8 years may be under
    active attack (Ars Technica)

    https://arstechnica.com/information-technology/2020/04/a-critical-iphone-and-ipad-bug-that-lurked-for-8-years-is-under-active-attack/

    ------------------------------

    Date: Thu, 23 Apr 2020 12:12:04 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Security Vulnerability Discovered in iOS Mail App (LifeWire)

    A patch from Apple is forthcoming.

    A security researcher at ZecOps discovered a vulnerability in the iOS Mail
    app that he claims has been exploited since 2018. Apple confirmed the
    exploit with Reuters, and said a patch to address the issue was forthcoming.

    The details: According to the researcher, the attack starts with an email
    made to overwhelm the Mail app. Once the email is received (iOS 13) or
    clicked (iOS 12), it could allow a remote hacker access to your device. The
    attack does not require a large email, either, according to the researcher.

    Since when? The vulnerability has reportedly existed since iOS 6 and the
    iPhone 5, though the researcher only claims 2018 as the earliest examples
    found "in the wild."

    https://www.lifewire.com/security-vulnerability-discovered-in-ios-mail-app-4843022

    ------------------------------

    Date: Fri, 24 Apr 2020 08:05:21 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Facebook agreed to censor posts after Vietnam slowed traffic
    (Reuters)

    EXCERPT:

    Facebook's local servers in Vietnam were taken offline early this year,
    slowing local traffic to a crawl until it agreed to significantly increase
    the censorship of anti-state posts for local users, two sources at the
    company told Reuters on Tuesday.

    The restrictions, which the sources said were carried out by state-owned
    telecommunications companies, knocked the servers offline for around seven
    weeks, meaning the website became unusable at times.

    ``We believe the action was taken to place significant pressure on us to
    increase our compliance with legal takedown orders when it comes to content
    that our users in Vietnam see,'' the first of the two Facebook sources told
    Reuters.

    In an emailed statement, Facebook confirmed it had reluctantly complied with
    the government's request to ``restrict access to content which it has deemed
    to be illegal.'' [...]

    https://www.reuters.com/article/us-vietnam-facebook-exclusive/exclusive-facebook-agreed-to-censor-posts-after-vietnam-slowed-traffic-sources-idUSKCN2232JX

    ------------------------------

    Date: Sat, 25 Apr 2020 11:26:57 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cox email creation policy change I'd missed!

    In recent years, fewer customers have taken advantage of a Cox Email
    account, so we decided to modify our email service to better serve our
    customers. As of August 15, 2019, Cox no longer offers the ability for new
    and existing Cox Internet customers to create new Cox Email accounts.

    Customers with Cox Email accounts created prior to 15 Aug 2019 will continue
    to receive support for those email accounts.

    https://www.cox.com/residential/support/cox-email-creation-policy.html

    Exactly how does this better serve customers?!

    Commentary:
    https://www.edhat.com/news/cox-announces-cutback-of-email-service

    ------------------------------

    Date: Fri, 24 Apr 2020 08:07:23 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: An ESPN Commercial Hints at Advertising's Deepfake Future (NYTimes)

    EXCERPT:

    Unable to film new commercials during the coronavirus pandemic, advertising
    agencies are turning to technologies that can seamlessly alter old footage,
    sometimes putting viewers in a position of doubting what they are seeing.

    During Sunday's episodes of The Last Dance,
    <https://www.nytimes.com/2020/04/17/sports/basketball/michael-jordan-bulls-documentary.html>
    the ESPN documentary series about Michael Jordan and the Chicago Bulls
    <https://www.nytimes.com/article/the-last-dance-jordan.html>, State Farm ran
    a commercial <https://twitter.com/NBA/status/1251556094960234496?s=20>
    featuring expertly doctored footage of the longtime SportsCenter anchor
    Kenny Mayne.

    In the ad, a much younger Mr. Mayne is seated at the SportsCenter desk in
    1998. He reports on the Bulls' sixth championship title -- before taking a
    turn toward the prophetic.

    ``This is the kind of stuff that ESPN will eventually make a documentary
    about. They'll call it something like The Last Dance. They'll make it a
    10-part series and release it in the year 2020. It's going to be lit. You
    don't even know what that means yet.'' As a vintage State Farm logo appears
    in the background, he adds, ``And this clip will be used to promote the
    documentary in a State Farm commercial.'' [...]

    https://dnyuz.com/2020/04/22/an-espn-commercial-hints-at-advertisings-deepfake-future/

    ------------------------------

    Date: Fri, 24 Apr 2020 08:06:20 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Twitter Bans 5G Conspiracy Theorists From Sharing Harmful
    Misinformation (TechCrunch)

    EXCERPT:

    Twitter has updated its coronavirus guidelines, stating it will remove
    unverified claims that cause widespread panic or encourage people to act on
    conspiracy theories, after phone masts across the U.K. were set alight
    following bogus claims about 5G.

    KEY FACTS

    The social media platform said on Wednesday that content such as ``5G causes
    coronavirus! Go destroy the cell towers in your neighborhood!'' would
    violate their policy and be removed.

    Tweets that also violate the policy by causing widespread panic, including
    content such as ``The National Guard just announced that no more shipments
    of food will be arriving for two months! Run to the grocery store and buy
    everything!'' will also be deleted.

    However, the platform stopped short of saying it would take down coronavirus
    misinformation altogether.

    ``As we've said previously, we will not take enforcement action on every
    Tweet that contains incomplete or disputed information about COVID-19'',
    a spokesperson told *TechCrunch*.
    <https://techcrunch.com/2020/04/22/twitter-will-remove-dubious-5g-tweets-that-could-potentially-cause-harm/>

    CRUCIAL QUOTE

    ``We have broadened our guidance on unverified claims that incite people to
    engage in harmful activity, could lead to the destruction or damage of
    critical 5G infrastructure, or could lead to widespread panic, social
    unrest, or large-scale disorder,'' Twitter said on Wednesday.
    <https://www.forbes.com/companies/twitter>

    BIG NUMBER

    2,230. That's how many tweets Twitter has taken down since March 18 that
    contain misleading and potentially harmful content.

    https://www.forbes.com/sites/isabeltogoh/2020/04/23/twitter-bans-5g-conspiracy-theorists-from-sharing-harmful-misinformation/

    ------------------------------

    Date: Wed, 22 Apr 2020 18:43:52 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Israel stops using phone tracking to enforce COVID-19 quarantines
    (Engadget)

    https://www.engadget.com/israel-halts-phone-tracking-for-covid-19-quarantine-184622314.html

    ------------------------------

    Date: Fri, 24 Apr 2020 13:20:15 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Internet online voting, once again (WashPost editorial)

    https://www.washingtonpost.com/opinions/why-cant-we-just-vote-online-let-us-count-the-ways/2020/04/24/68ecea92-7850-11ea-9bee-c5bf9d2e3288_story.html

    [Let me count the ways? Russian hacking? Foreign interference? Insider
    misuse and vendor malware? Compromised servers? Internet disinformation?
    Voter coercion, vote selling, vote buying, loss of privacy? Network and
    access "failures" (intentional or accidental), and lots more. The
    WashPost editorial barely scratches the surface. PGN]

    ------------------------------

    Date: Wed, 22 Apr 2020 19:28:14 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: New York payments startup exposed millions of credit-card numbers
    (TechCrunch)

    https://techcrunch.com/2020/04/22/paay-unencrypted-credit-card-data/

    ------------------------------

    Date: Wed, 22 Apr 2020 19:27:53 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: To Understand the Medical Supply Shortage, It Helps to Know How the
    U.S. lost the lithium battery (Propublica)

    The failed U.S. effort to dominate global production of the lithium ion
    battery -- which is key to energy independence, automobile innovation and
    more -- holds lessons for leaders grappling with the U.S.'s reliance on
    China for emergency medical supplies.

    https://www.propublica.org/article/to-understand-the-medical-supply-shortage-it-helps-to-know-how-the-us-lost-the-lithium-ion-battery-to-china

    Too long, but interesting.

    ------------------------------

    Date: Fri, 24 Apr 2020 08:04:32 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: 'Pandemic drone' test flights are monitoring social distancing
    (The Boston Globe)

    The flights taking place in a COVID-19 hotspot in Connecticut use sensors
    to detect the virus' symptoms from afar.

    EXCERPT:

    A series of "pandemic drones <https://www.cnet.com/topics/drones/>" is
    taking part in a test flight in a COVID-19 hotspot in Connecticut with the
    goal of monitoring social distancing efforts and detecting the virus'
    symptoms. <https://www.cbsnews.com/feature/coronavirus/>

    Drone manufacturer Draganfly is working with the police department in
    Westport, Connecticut, to test the drones. Located in Fairfield County --
    adjacent to New York City -- Westport was the first town in the state to
    report several coronavirus infections, according to a Wednesday press
    release from Draganfly.
    <https://www.globenewswire.com/news-release/2020/04/21/2019221/0/en/Draganfly-s-Pandemic-Drone-technology-Conducts-Initial-Flights-Near-New-York-City-to-Detect-COVID-19-Symptoms-and-Identify-Social-Distancing.html>

    The drones include specialized sensor and computer vision systems that can
    display a person's temperature, heart and respiratory rates, as well as
    detect people sneezing or coughing in a crowd, the release said. The
    technology can accurately detect infectious conditions from 190 feet away,
    as well as measure social distancing efforts, according to Draganfly. [...]

    https://www.cnet.com/news/pandemic-drone-test-flights-will-monitor-social-distancing/

    ------------------------------

    Date: Thu, 23 Apr 2020 19:59:32 -0400
    From: José María Mateos <chema@rinzewind.org>
    Subject: Free online threat blocker launched in Canada as successful
    COVID-19 scams multiply (CBC News)

    Yet another DNS blocker:

    https://www.cbc.ca/news/politics/free-cyber-blocker-cse-1.5542888

    The Canadian Internet Registration Authority (CIRA, the not-for-profit
    agency that manages the .CA Internet domain) and the Communications
    Security Establishment, Canada's foreign signals intelligence agency,
    teamed up on the CIRA Canadian Shield -- a protected domain name system
    (DNS) service that prevents Canadians from connecting to malicious
    websites that might infect their devices and steal their personal
    information.

    More information about this:
    https://www.cira.ca/cybersecurity-services/canadian-shield

    José María (Chema) Mateos

    ------------------------------

    Date: Fri, 24 Apr 2020 22:35:06 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Coronavirus Antibody Tests: Can You Trust the Results? (NYTimes)

    A team of scientists worked around the clock to evaluate 14 antibody tests.
    A few worked as advertised. Most did not.

    https://www.nytimes.com/2020/04/24/health/coronavirus-antibody-tests.html

    ------------------------------

    Date: Sat, 25 Apr 2020 09:57:11 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Nearly 50% of Twitter Accounts Talking about Coronavirus Might Be Bots
    (Vice)

    Twitter is dealing with a pandemic of bots jamming the platform with
    misinformation about COVID-19.

    https://www.vice.com/en_asia/article/dygnwz/if-youre-talking-about-coronavirus-on-twitter-youre-probably-a-bot

    ------------------------------

    Date: Wed, 22 Apr 2020 18:42:41 -0500
    From: Dmitrik Maziuk <dmaziuk@bmrb.wisc.edu>
    Subject: Re: asymptomatic coronavirus [RISKS-31.71]

    What you really want to do is forget the headline and scroll down to
    "Testing" part. It's worth reading.

    ------------------------------

    Date: Fri, 24 Apr 2020 16:19:02 -0400 (EDT)
    From: Kelly Bert Manning <bo774@freenet.carleton.ca>
    Subject: Re: Computer Fraud and Abuse Act

    Misuse of access to Personally Identifiable Data by police has been
    showing up in comp.risks for at least a quarter of a century.

    https://catless.ncl.ac.uk/Risks/17/21#subj5

    Delta BC Constable Steve Parker misused his access to the CPIC computer
    network to retrieve home addresses of cars parked near a Vancouver BC
    abortion clinic. The only penalty he received was being suspended with pay.

    BC Information and Privacy Commissioner Dr. David Flaherty seemed frustrated
    about that, but speculated that if Constable Parker chose to remain as a
    police officer his career would be remarkably undistinguished. Parker's
    20-year police career ended with him still at the rank of constable, so that
    seems to have happened.

    Without meaningful consequences we are unlikely to see an end to this type
    of abuse by police, or by other trusted insiders. Regular reviews of access
    policy with staff are also important to reinforce staff understanding of
    what is appropriate access and what would be improper access.

    Digital record access is easier to log and audit. A BC Medical Services
    Plan employee convicted of Breach of Trust in the 1970s for using BC
    Medical Services Plan paper account files to pull addresses for skip
    tracers and so on was only caught because they boasted to a relative of
    earning extra income doing that.

    The largest Data Breach in Canadian History involved an oath sworn Revenue
    Canada employee who had been hired as a Junior Assessor in 1984 despite
    having 17 criminal convictions. His name was Andreas Hackner (not Hacker -).

    https://www.orlandosentinel.com/news/os-xpm-1987-12-17-0170010297-story.html

    https://archive.macleans.ca/article/1986/12/1/the-case-of-the-missing-microfiche#!&pid=30

    ------------------------------

    Date: Thu, 23 Apr 2020 22:01:31 +0100
    From: Chris Drewe <e767pmk@yahoo.co.uk>
    Subject: Re: Internet Usage update (Fist, RISKS-31.70)

    As stated by me in RISKS-29:12, one thing that I found when I worked in
    telecomms was how billing for services in traditional ways is a mighty
    costly activity. Telecomms and other utility businesses have to sign up
    customers (and probably do creditworthiness checks) for a contract
    initially, then measure their usage, periodically compile a bill to notify
    them of what they owe, get the money off them, chase up late/non-payers,
    handle any disputes, deal with taxes if applicable, etc. as well as
    capturing and storing the required information, which all make a big
    administrative overhead. As I understand it, with e-mail the traffic goes
    in and out of multiple servers in various countries so there's the
    complication of different legislatures' taxation and accounting
    requirements, not forgetting data protection laws of course. Just
    identifying the bill payer could be problematic. Who gets the revenues?
    And getting agreement on doing this on a global scale..?

    The idea of billing e-mail traffic has been around for a long time, but
    adding an insignificant charge to an existing service would likely be a
    not-insignificant cost.

    ------------------------------

    Date: Thu, 23 Apr 2020 12:53:19 +1000
    From: Paul Edwards <paule@cathicolla.com>
    Subject: Re: Internet Usage update (Fist, RISKS-31.70)

    Would the Information Technology Community promote the idea that we should
    all pay a low fee for sending each email?

    I once consulted for a large organization in east Asia where they did just
    that.

    In an effort to reduce the amount of time their workers spent on email, they
    somehow hacked their Exchange server to produce the following effects:

    1. Every email that was sent to an internal address (To:, CC:, or BCC:)
    was charged a low fee per recipient (it was about AUD0.03 in the local
    currency per email per recipient);
    2. Emails to distribution lists would be unpacked and charged at the
    same rate (e.g., sending an email to 100 internal people would cost
    AUD3.00);
    3. Emails to external addresses were not charged;
    4. Charging came out of the sender's opex cost centre;
    5. Monies raised by the initiative were put to acquiring more storage
    for email.

    They did shadow charging for the first month, and then went live. The first
    month caused some real issues for opex budgets, and angst for the P&L
    owners!

    I came in a couple of months after it went live, and email volumes were
    down 66% compared with the same period in the previous year. Quite
    remarkable.

    (The same company also changed the default times for meetings to start at
    5 past the hour (e.g., 10:05) and end at five to the hour (e.g., 10:55).
    This gave people a chance to actually get to meetings on time, and if a
    meeting ran over by a couple of minutes it didn't impact on the following
    meeting starting).

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.72
    ************************

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)