RISKS-LIST: Risks-Forum Digest Monday 27 April 2020 Volume 31 : Issue 74
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.74>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Why a Data-Security Expert Fears U.S. Voting Will Be Hacked
(Alexandra Wolfe WSJ)
Principle of the Day (Ray Dalio)
Emissions Are Way Down. No, That's Not All Good News for the Environment
(Mother Jones)
Coronavirus detected on particles of air pollution (NIH via geoff goodfellow)
"Recommendation: Do Not Install or Use Centralized Server Coronavirus
COVID-19 Contact Tracing Apps" (Lauren Weinstein)
'No evidence' that recovering from Covid-19 gives people immunity, WHO says
(geoff goodfellow)
Re: Coronavirus Antibody Tests: Can You Trust the Results (Rich Kulawiec)
Re: Spam filter censoring COVID content (Henry Baker)
Re: e-postage, Internet Usage update (Paul Edwards)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 26 Apr 2020 22:38:51 +0200
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Why a Data-Security Expert Fears U.S. Voting Will Be Hacked
(Alexandra Wolfe, The Wall Street Journal)
<https://www.wsj.com/articles/why-a-data-security-expert-fears-u-s-voting-will-be-hacked-11587747159>
In 2005, a concerned Florida election supervisor asked the Finnish data-security expert Harri Hursti to hack into one of the state's commonly
used voting machines to test its vulnerability. The verdict wasn't
reassuring. By modifying just a few lines of code on the machine's memory
card, Mr. Hursti says, he could change the results of a mock election. That same model, he adds, will be among those used in the 2020 elections. (A spokesperson for the machine's vendor, Dominion Voting, says that these weaknesses were fixed in 2012, but Mr. Hursti says that he has tested the
new version and found the updates insufficient.)
Mr. Hursti has spent the past 15 years trying to draw attention to the weaknesses in America's voting systems. Last month, he was featured in an
HBO documentary called ``Kill Chain: The Cyber War on America's Elections,'' about far-reaching security breaches in multiple U.S. elections that he says have gone unfixed. He warns that both the American political establishment
and the public are far too complacent. ``Once you understand how everything works, you understand how fragile everything is and how easy it is to lose
this all,'' Mr. Hursti says in the film.
In 2017, the Department of Homeland Security notified 21 states that they
had been targeted by Russian hackers in the previous year's voting. (Russia denies the allegations.) Mr. Hursti has worked with some of those states to stave off future attacks, he says, but past breaches are rarely
investigated. DHS has said that it found no evidence that votes were changed during the 2016 voting. A 2017 U.S. intelligence assessment
<https://www.dni.gov/files/documents/ICA_2017_01.pdf?mod''article_inline>
-- whose findings were unanimously reaffirmed
<https://www.wsj.com/articles/senate-report-affirms-u-s-intelligence-findings-on-2016-russian-interference-11587483408?mod''article_inline>
Tuesday by the Republican-led Senate Intelligence Committee -- described a significant 2016 Russian ``influence campaign'' to ``undermine public
faith'' in American democracy and ``help President-elect Trump's election chances.''
Mr. Hursti focuses more on the hardware side of the voting process than information operations from hostile powers. He doesn't offer direct evidence
of vote tampering in 2016, but he warns that, given the security flaws he
has uncovered, it was certainly possible. For years, voting rights groups
have been suing states, alleging problems with voting machines. Last August,
a judge in Georgia ruled that the state needed new voting machines to
replace unsecure, outdated ones that had malfunctioned during the 2018 governor's race. [...]
After working in computer programming for most of his life, he is amused to hear critics calling him opposed to technology because of his calls for an old-school paper voting system. ``I'm against the irresponsible use of technology,'' he says, but ``I'm the last person I would ever think people would be calling a Luddite.''
[Excellent article. Read it in its entirety if you are concerned.
(You should be.) PGN]
------------------------------
Date: Sun, 26 Apr 2020 08:45:40 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Principle of the Day (Ray Dalio)
*"Because of the different ways that our brains are wired, we all experience reality in different ways and any single way is essentially distorted. This
is something that we need to acknowledge and deal with."*
*"So if you want to know what is true and what to do about it, you must understand your own brain."*
https://twitter.com/RayDalio/status/1254134881472438275
[image omitted for RISKS]
------------------------------
Date: Mon, 27 Apr 2020 15:13:35 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Emissions Are Way Down. No, That's Not All Good News for the Environment
(Mother Jones)
Chaos in the oil sector could actually intensify climate change.
As the coronavirus cripples world economies, greenhouse gas emissions are plummeting: This year, they could drop by as much as 5.5 percent -- the
largest decrease ever recorded. On Monday, the price of oil went negative, meaning storing oil now costs more than the oil itself. Since we're burning less gas and fuel, air pollution has dropped 30 percent in northeastern
cities, and Los Angeles's notorious smoggy skyline has cleared.
[Editor's Note: The coronavirus likes to piggyback on smog (see the next
item from NIH). Nevertheless, at the moment, Los Angeles is far behind
the San Francisco Bay Area in coping with COVID-19 -- although for
unrelated reasons. PGN]
You might be thinking all this is great news for the environment. It's a
nice idea -- but the real story is more complicated. ``You don't want companies collapsing like this,'' says Andrew Logan, oil and gas director of Ceres, a think tank focused on sustainable investment. ``Even the most
ardent climate advocate shouldn't wish for a chaotic transition in this
sector. A chaotic transition brings all sorts of pain to workers and also
the environment.''
https://www.motherjones.com/environment/2020/04/oil-prices-are-below-zero-no-thats-not-all-good-news-for-the-environment/
------------------------------
Date: Sun, 26 Apr 2020 08:47:20 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Coronavirus detected on particles of air pollution
Scientists examine whether this route enables infections at longer distances
EXCERPT:
Coronavirus has been detected on particles of air pollution by scientists investigating whether this could enable it to be carried over longer
distances and increase the number of people infected.
The work is preliminary and it is not yet known if the virus remains viable
on pollution particles and in sufficient quantity to cause disease.
The Italian scientists used standard techniques to collect outdoor air pollution samples at one urban and one industrial site in Bergamo province
and identified a gene highly specific to Covid-19 in multiple samples. The detection was confirmed by blind testing at an independent laboratory.
Leonardo Setti at the University of Bologna in Italy, who led the work
<https://www.medrxiv.org/content/10.1101/2020.04.15.20065995v1>, said it was important to investigate if the virus could be carried more widely by air pollution.
``I am a scientist and I am worried when I don't know,'' he said. ``If we
know, we can find a solution. But if we don't know, we can only suffer the consequences.''
Two other research groups have suggested particles could help coronavirus travel further in the air, piggybacking on air pollution.
<https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151372/>
<https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7156797/#CR6>
A statistical analysis by Setti's team suggests higher levels of particle pollution could explain higher rates of infection in parts of northern Italy before a lockdown was imposed, an idea supported by another preliminary analysis. The region is one of the most polluted in Europe. [...]
<https://www.medrxiv.org/content/10.1101/2020.04.11.20061713v1>
<https://www.medrxiv.org/content/10.1101/2020.04.06.20055657v1>
<https://www.theguardian.com/environment/2020/apr/24/coronavirus-detected-particles-air-pollution>
------------------------------
Date: Mon, 27 Apr 2020 12:56:19 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: "Recommendation: Do Not Install or Use Centralized Server
Coronavirus COVID-19 Contact Tracing Apps"
Lauren's Blog:
https://lauren.vortex.com/2020/04/27/recommendation-do-not-install-or-use-centralized-server-coronavirus-covid-19-contact-tracing-apps
------------------------------
Date: Sun, 26 Apr 2020 08:48:14 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: 'No evidence' that recovering from Covid-19 gives people immunity,
WHO says (
*The World Health Organization warned on Saturday that recovering from coronavirus may not protect people from reinfection as the death toll from
the pandemic approached 200,000 around the globe.*
EXCERPT:
Governments across the world are struggling to limit the economic
devastation unleashed by the virus, which has infected nearly 2.8 million people and left half of humanity under some form of lockdown.
The United Nations has joined world leaders in a push to speed up
development of a vaccine, but effective treatments for COVID-19 [...] are still far off.
<https://www.france24.com/en/tag/united-nations/>
<https://www.france24.com/en/tag/coronavirus/>
But with signs the disease is peaking in the US and Europe, governments are starting to ease restrictions, weighing the need for economic recovery
against cautions that lifting them too soon risks a second wave of
infections.
The WHO <https://www.france24.com/en/tag/who/> warned on Saturday that
there is still no evidence that people who test positive for the new coronavirus and recover are immunised and protected against reinfection.
Read more: 'Grave concerns' about Covid-19 immunity passports <https://www.france24.com/en/20200416-grave-concerns-about-covid-19-immunity-passports>
The warning came as some governments study measures such as "immunity passports" or documents for those who have recovered as one way to get
people back to work after weeks of economic shutdown.
"There is currently no evidence that people who have recovered from
#COVID19 and have antibodies are protected from a second infection," WHO
said in a statement. [...]
https://www.france24.com/en/20200425-no-evidence-that-recovering-from-covid-19-gives-people-immunity-who-says
------------------------------
Date: April 27, 2020 2:13:50 JST
From: Rich Kulawiec <rsk@gsp.org>
Subject: Re: Coronavirus Antibody Tests: Can You Trust the Results
(RISKS-31.73)
[via Dave Farber]
About all those tests:
``There are three major problems with testing right now. One, we do not have the reagents. Our government is not working with private sector companies,
as all the other governments of the world are now seeking testing to
understand how to best ramp up these reagents that we do need. Number two is
we have the wild, wild west for testing right now. The FDA has all but given
up its oversight responsibility for the tests we have on the market. Many of them are nothing short of a disaster. And we got into that place because of
the fact -- once CDC had a problem, the FDA just opened the gate. And we
have a lot of bad tests on the market right now. The third thing is these
tests just do not perform well in low prevalent populations. Meaning that
right now, if you were to test for antibody in most places in the United States, over half of the tests would be false positives. So what we need is
a major, new initiative on testing that gets away from every day just saying how many people got tested. We're missing the mark in a big way right now.''
Dr. Michael Osterholm, the director of the Center for Infectious Disease Research and Policy at the University of Minnesota, 4/26/2020 on "Meet the Press"
------------------------------
From: Henry Baker <hbaker1@pipeline.com>
Date: Mon, 27 Apr 2020 13:02:44 -0700
Subject: Re: Spam filter censoring COVID content (Levine, RISKS-31.73)
Hopefully, even bad encryption can defeat bad spam filtering.
Yes, you are correct, the spam filter almost certainly looked at the entire message, which contained links, etc.
I didn't mention it, but it is true that the spam filter of this particular domain operates *before* looking at the "From:" whitelist, hence my sister can't receive this email by simply whitelisting me.
I wasn't kidding when I said *censorship* is in operation here: a number of email providers have unilaterally taken upon themselves the task of "protecting" their snowflakes from "bad" advice re certain pandemic viruses
(I can't use the correct term else this email itself might get censored).
This problem is another variation on the "Scunthorpe problem" (Google it)
[or dig up RISKS-18.07,08. PGN], wherein emails were censored for nasty
words using simple character string searches which made certain perfectly
good non-nasty words unusable.
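An added illustration of the two filter behaviours described in the message above (not part of the original post, and not any provider's actual filter): substring blocklisting versus whole-word matching, and the effect of running the content filter before or after the recipient's From: allowlist. The blocklist, addresses, sample messages and the `deliver` pipeline are all constructed for this example.

```python
import re

# Constructed blocklist for illustration; real filters use far larger lists.
BLOCKLIST = ("cialis", "sex")

def substring_hits(text):
    """Naive filter: flag any blocklisted string found anywhere in the text."""
    lowered = text.lower()
    return [term for term in BLOCKLIST if term in lowered]

def token_hits(text):
    """Token-aware filter: flag only whole words equal to a blocklisted term."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return [term for term in BLOCKLIST if term in words]

def deliver(sender, body, allowlist, matcher, allowlist_first):
    """Return 'inbox' or 'rejected' for one message (hypothetical pipeline).

    allowlist_first=False models the ordering described in the post: the
    content filter runs before the recipient's From: allowlist is consulted.
    Assumption: `sender` is an address that has already been authenticated.
    """
    if allowlist_first and sender in allowlist:
        return "inbox"
    if matcher(body):
        return "rejected"
    return "inbox"

# Constructed sample messages (not taken from any real mailbox).
SAMPLES = [
    ("sibling@example.org", "The specialist in Essex confirmed the appointment."),
    ("promo@example.net", "Cheap cialis, no prescription needed"),
]
ALLOWLIST = {"sibling@example.org"}

def run():
    """Columns: sender, substring filter first, allowlist first, token filter first."""
    rows = []
    for sender, body in SAMPLES:
        rows.append((
            sender,
            deliver(sender, body, ALLOWLIST, substring_hits, allowlist_first=False),
            deliver(sender, body, ALLOWLIST, substring_hits, allowlist_first=True),
            deliver(sender, body, ALLOWLIST, token_hits, allowlist_first=False),
        ))
    return rows

if __name__ == "__main__":
    for row in run():
        print(row)
```

The allowlisted sender's harmless message is rejected only in the first column, where substring matching runs ahead of the allowlist.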
------------------------------
Date: Mon, 27 Apr 2020 09:27:19 +1000
From: Paul Edwards <paule@cathicolla.com>
Subject: Re: e-postage, Internet Usage update (Levine, RISKS-31.73)
Thanks John; that's a well-written white paper and lays out the arguments
well. I agree with your conclusion that e-postage won't work across the
board. If this example was interpreted as advocating for e-postage more broadly then that wasn't my intent!
For this particular company, the problem they were trying to solve was email overload of their staff. They worked out what they *could* control: the
number of internal emails sent (especially given that a significant
proportion of addresses included on emails sent were purely for
arse-covering purposes).
I think the key differentiators between this specific example and that of broader e-postage are: the problem statement was well-defined and
understood; the scope of the exercise was similarly well-defined and limited solely to the one company (admittedly with 100K+ employees and contractors); implementation was simple and capable of being rolled back quickly; and the charging was all internal. I guess the key outcome is that they were happy
with the behavioural changes they got from the exercise.
[TNX. We all seem to agree here, so I think this thread may now e-vanesce
or e-strange itself.*
(* NOTE: Long-time RISKS readers may remember my treatise on
hyphenation, which appeared on April Fool's Day in 1996, in
RISKS-17.95, and very slightly updated:
http://www.csl.sri.com/neumann/hyphen.html] PGN)]
------------------------------
Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones:
http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 31.74
************************