
    From RISKS List Owner@21:1/5 to All on Mon May 4 19:19:26 2020
    RISKS-LIST: Risks-Forum Digest Monday 4 May 2020 Volume 31 : Issue 79

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.79>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Tesla Data Leak- Old Components With Personal Info Find Their Way
    (geoff goodfellow)
    Apple, Google announce new privacy protection rules for contact tracing apps
    (Steven Overly)
    macOS Image Capture Bug More Pervasive Than Originally Thought (MacRumors)
    Life Inside the Extinction (Scientific American)
    A Prophet of Scientific Rigor -- and a Covid Contrarian (WiReD)
    Quote of The Day (John Adams)
    Why the Coronavirus Is So Confusing (The Atlantic)
    What the Coronavirus Crisis Reveals About American Medicine (The New Yorker)
    Re: Online voting is too vulnerable (Dick Mills)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 3 May 2020 15:53:07 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Tesla Data Leak- Old Components With Personal Info Find Their Way
    on eBay

    Evidence emerges Tesla doesn't erase personal data from replaced
    components and they're winding up for sale online

    EXCERPT:

    Tesla's retrofitting service for media control units (MCU) and Autopilot
    hardware <https://insideevs.com/tag/tesla-mcu-emmc-issue/>
    <https://insideevs.com/tag/tesla-hw-2.5-or-hw-3.0/> may not go far enough
    in protecting owners' personal data. That's according to white hat hacker
    GreenTheOnly <https://twitter.com/greentheonly>. He obtained four units of
    these Tesla <https://insideevs.com/tesla/> computers off eBay and found the
    previous owners' personal data still on them. More worrying, though, was
    Tesla's response, or lack thereof, when Green confronted the company with
    the data.

    According to Green, he informed Tesla of his findings before coming to
    *InsideEVs*. The Palo Alto, California-based company refused to notify all
    of its customers that might be affected in a timely manner, although a week
    before this article was published Tesla did say it would notify one of the
    affected customers. As of publication, it still hasn't.

    Speaking to *InsideEVs*, Green said each of the modules he bought had the
    owner's home and work location, all saved wi-fi passwords, calendar entries
    from the phone, call lists and address books from paired phones, Netflix and
    other stored session cookies. Netflix session cookies allow hackers to take
    control of these accounts.

    Thus, if you own a Tesla and have had your car retrofitted with new computer
    hardware, your personal information may be for sale right now on eBay or
    elsewhere. [...]

    https://insideevs.com/news/419525/tesla-data-leak-personal-info-ebay/

    ------------------------------

    Date: Mon, 4 May 2020 15:11:29 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Apple, Google announce new privacy protection rules for contact
    tracing apps (Steven Overly)

    Steven Overly, Politico, 4 May 2020

    Apple and Google will prohibit state public health agencies that use their
    coronavirus contact tracing technology from monitoring the exact location of
    smartphone users or using their information for other purposes, such as
    targeted advertising.

    The Silicon Valley giants outlined their rules for public health officials
    today as they prepare to release technology later this month that would
    allow authorities to trace interactions between coronavirus patients and the
    public using the Bluetooth technology built into smartphones.

    Apple and Google plan to only support one contact tracing app per country in
    an effort to drive people to a single app, which health experts say is
    crucial for the technology to be effective. In countries like the U.S. that have pursued a state-level approach, the companies will work with
    governments to support multiple apps, representatives said.

    As they have previously pledged, Apple and Google will also require users to
    consent to having the app track their contacts. They must also give it
    approval to notify their recent contacts if they test positive for the
    coronavirus, and the app will not disclose their name or other personal
    information.

    The company-imposed restrictions come as Senate Commerce Republicans look to
    establish rules of their own, putting forth a coronavirus-specific privacy
    bill that would require user consent to collect data and require personal
    information be deleted or anonymized once the pandemic ebbs.

    ------------------------------

    Date: Sun, 3 May 2020 11:38:45 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: macOS Image Capture Bug More Pervasive Than Originally Thought
    (MacRumors)

    Earlier this week we reported on a bug in Apple's macOS Image Capture app
    that adds empty data to photos when imported from iOS devices, potentially
    eating up gigabytes of disk storage needlessly. Today, we're hearing that
    the bug in macOS 10.14.6 and later is a lot more extensive than was
    initially believed.

    https://www.macrumors.com/2020/05/01/macos-jpg-truncation-bug-widespread/

    ------------------------------

    Date: Mon, 4 May 2020 12:11:51 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Life Inside the Extinction (Scientific American)

    https://blogs.scientificamerican.com/life-unbounded/life-inside-the-extinction/

    "No other species, to our knowledge, has ever had the capacity to decode the
    history of life and see the evidence of past extinctions. Nor has any other
    species had the capacity to recognize that it may be living within a major
    extinction event. That is a big deal. There is no rule book that says what
    happens if, in the middle of global extinction, a species emerges that tries
    to do something about it. In other words, there is no reason to imagine that
    it can't be changed, or at very least diminished. In that sense we are
    extraordinarily lucky."

    In 1946, Bertrand Russell wrote, "The question is how to persuade humanity
    to consent in its own survival."
    (see https://quoteinvestigator.com/2018/12/15/survival/).

    Caleb Scharf's Earth Day essay reaffirms the question Russell raised after
    atomic-bomb deployment. Given there's only one Earth ecosystem, mitigation
    plans require geo-political alignment to succeed.

    Existential risk relevance grows without effective mitigation plan implementation.

    ------------------------------

    Date: Sun, 3 May 2020 12:41:49 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: A Prophet of Scientific Rigor -- and a Covid Contrarian (WiReD)

    If anyone should understand how the pressure to contribute to the science of
    the crisis might lead to flawed work and exaggerated claims, it ought to be
    Ioannidis, arguably the world's most famous epidemiologist. Who knows?
    Perhaps like so many of us, he's just stressed out by the whole damned
    thing. Maybe he's just off his game.

    On the other hand, Ioannidis's track record is such that it may not be wise
    to dismiss his claims too quickly. There really aren't any solid studies out
    there that can help settle the question of Covid-19 fatality rates, and what
    data we do have remains all over the place. Yes, Ioannidis's results look to
    be an outlier -- but they may be an outlier in the right direction,
    suggesting a need to revise the infection fatality rate downwards, even if
    not all the way to 0.1 percent. [...]

    If Ioannidis's claims even slightly alter the conversation toward a more
    balanced, thoughtful view of what we really gain, and what we might lose,
    from the lockdown, then maybe it's mission accomplished. If he's even partly
    right that we're too biased toward staying at home, and the disease isn't as
    deadly as we thought, the resulting shift could ultimately save tens of
    thousands of lives. [...]

    The prevailing take now is that Ioannidis has fallen prey to the very sorts
    of biases and distortions that he became revered for exposing in others. If
    that's what happened, it will be a twist that Ioannidis himself had
    prophesied to me 10 years ago in Greece. ``If I did a study and the results
    showed that in fact there wasn't really much bias in research, would I be
    willing to publish it?'' he said then. ``That would create a real
    psychological conflict for me.'' Ioannidis was acknowledging that he's
    invested in showing that other scientists tend to get it wrong, and that he
    might end up being skeptical of data suggesting they are, in fact, getting
    it right.

    Now Ioannidis' claims about Covid-19 may be pulled by the gravity of his
    commitment to being the one who sees where everyone else went wrong.
    There's a meta-meta-science lesson in there, too, and one we've sometimes
    seen before. Bias is so powerful a force in scientific research that even a
    grandmaster of research into bias can eventually trip over it.
    <https://slate.com/technology/2016/12/kahneman-and-tversky-researched-the-science-of-error-and-still-made-errors.html>
    https://www.wired.com/story/prophet-of-scientific-rigor-and-a-covid-contrarian/

    Also, a related item:

    Extremists on both sides: stay home forever, open everything NOW.
    The Covid-19 Riddle: Why Does the Virus Wallop Some Places and Spare Others?

    Experts are trying to figure out why the coronavirus is so capricious. The
    answers could determine how to best protect ourselves and how long we have
    to.

    ------------------------------

    Date: Sat, 2 May 2020 18:33:52 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Quote of The Day (John Adams)

    "The dignity and stability of government in all its branches, the morals
    of the people, and every blessing of society depend so much upon an upright
    and skillful administration of justice"

    https://www.foundingfatherquotes.com/quote/98

    ------------------------------

    Date: Sun, 3 May 2020 15:51:20 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Why the Coronavirus Is So Confusing (The Atlantic)

    *A guide to making sense of a problem that is now too big for any one person
    to fully comprehend*

    On 27 Mar, as the U.S. topped 100,000 confirmed cases of COVID-19, Donald
    Trump stood at the lectern of the White House press-briefing room and was
    asked what he'd say about the pandemic to a child. Amid a meandering answer, Trump remarked <https://www.whitehouse.gov/briefings-statements/remarks-president-trump-vice-president-pence-members-coronavirus-task-force-press-briefing-13/>,
    ``You can call it a germ, you can call it a flu, you can call it a virus.
    You know, you can call it many different names. I'm not sure anybody even
    knows what it is.''

    That was neither the most consequential statement from the White House, nor
    the most egregious. But it was perhaps the most ironic. In a pandemic characterized by extreme uncertainty, one of the few things experts know for sure is the identity of the pathogen responsible: a virus called SARS-CoV-2 that is closely related to the original SARS virus. Both are members of the coronavirus family, which is entirely distinct from the family that includes influenza viruses. Scientists know the shape of proteins on the new coronavirus's surface down to the position of individual atoms. Give me two hours, and I can do a dramatic reading of its entire genome.

    But much else about the pandemic is still maddeningly unclear. Why do some
    people get really sick
    <https://www.theatlantic.com/health/archive/2020/04/coronavirus-immune-response/610228/>,
    but others do not? Are the models
    <https://www.theatlantic.com/technology/archive/2020/04/coronavirus-models-arent-supposed-be-right/609271/>
    too optimistic or too pessimistic? Exactly how transmissible
    <https://www.theatlantic.com/science/archive/2020/01/how-fast-and-far-will-new-coronavirus-spread/605632/>
    and deadly is the virus? How many people have actually been infected
    <https://www.theatlantic.com/health/archive/2020/03/coronavirus-testing-numbers/607714/>?
    How long must social restrictions go on for
    <https://www.theatlantic.com/health/archive/2020/03/how-will-coronavirus-end/608719/>?
    Why are so many questions
    <https://www.nytimes.com/2020/04/13/opinion/coronavirus-what-we-know.html>
    still unanswered?

    The confusion partly arises from the pandemic's scale and pace. Worldwide,
    at least 3.1 million people have been infected in less than four months.
    Economies have nose-dived. Societies have paused. In most people's living
    memory, no crisis has caused so much upheaval so broadly and so quickly.
    ``We've never faced a pandemic like this before, so we don't know what is
    likely to happen or what would have happened,'' says Zoë McLaren, a
    health-policy professor at the University of Maryland at Baltimore County.
    ``That makes it even more difficult in terms of the uncertainty.''

    But beyond its vast scope and sui generis nature, there are other reasons
    the pandemic continues to be so befuddling -- a slew of forces scientific
    and societal, epidemiological and epistemological. What follows is an
    analysis of those forces, and a guide to making sense of a problem that is
    now too big for any one person to fully comprehend.

    *I. The Virus*. [...]

    https://www.theatlantic.com/health/archive/2020/04/pandemic-confusing-uncertainty/610819/

    ------------------------------

    Date: Sun, 3 May 2020 15:50:30 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: What the Coronavirus Crisis Reveals About American Medicine
    (The New Yorker)

    Medicine is a system for delivering care and support; it's also a system of information, quality control, and lab science. All need fixing.

    At 4:18 a.m. on February 1, 1997, a fire broke out in the Aisin Seiki
    company's Factory No. 1, in Kariya, a hundred and sixty miles southwest of
    Tokyo. Soon, flames had engulfed the plant and incinerated the production
    line that made a part called a P-valve -- a device used in vehicles to
    modulate brake pressure and prevent skidding. The valve was small and cheap
    -- about the size of a fist, and roughly ten dollars apiece -- but
    indispensable. The Aisin factory normally produced almost thirty-three
    thousand valves a day, and was, at the time, the exclusive supplier of the
    part for the Toyota Motor Corporation.

    Within hours, the magnitude of the loss was evident to Toyota. The company
    had adopted *just in time* (J.I.T.) production: parts, such as P-valves,
    were produced according to immediate needs -- to precisely match the number
    of vehicles ready for assembly -- rather than sitting around in
    stockpiles. But the fire had now put the whole enterprise at risk: with no
    inventory in the warehouse, there were only enough valves to last a single
    day. The production of all Toyota vehicles was about to grind to a
    halt. ``Such is the fragility of JIT: a surprise event can paralyze entire
    networks and even industries,'' the management scholars Toshihiro Nishiguchi
    and Alexandre Beaudet observed the following year, in a case study of the
    episode.

    Toyota's response was extraordinary: by six-thirty that morning,
    while the factory was still smoldering, executives huddled to organize the
    production of P-valves at other factories. It was a *war room*, one official
    recalled. The next day, a Sunday, small and large factories, some with no
    direct connection to Toyota, or even to the automotive industry, received
    detailed instructions for manufacturing the P-valves. By February 4th, three
    days after the fire, many of these factories had repurposed their machines
    to make the valves. Brother Industries, a Japanese company best known for
    its sewing machines and typewriters, adapted a computerized milling device
    that made typewriter parts to start making P-valves. The ad-hoc work-around
    was inefficient -- it took fifteen minutes to complete each valve, its
    general manager admitted -- but the country's largest company was in
    trouble, and so the crisis had become a test of national solidarity. All in
    all, Toyota lost some seventy thousand vehicles -- an astonishingly small
    number, given the millions of orders it fulfilled that year. By the end of
    the week, it had increased shifts and lengthened hours. Within the month,
    the company had rebounded.

    Every enterprise learns its strengths and weaknesses from an Aisin-fire
    moment -- from a disaster that spirals out of control. What those of us in
    the medical profession have learned from the covid-19 crisis
    <https://www.newyorker.com/tag/coronavirus> has been dismaying, and on
    several fronts. Medicine isn't a doctor with a black bag, after all; it's a
    complex web of systems and processes. It is a health-care delivery system --
    providing antibiotics to a child with strep throat or a new kidney to a
    patient with renal failure. It is a research program, guiding discoveries
    from the lab bench to the bedside. It is a set of protocols for quality
    control -- from clinical-practice guidelines to drug and device
    approvals. And it is a forum for exchanging information, allowing for
    continuous improvement in patient care. In each arena, the pandemic has
    revealed some strengths -- including frank heroism and ingenuity -- but it
    has also exposed hidden fractures, silent aneurysms, points of
    fragility. Systems that we thought were homeostatic -- self-regulating,
    self-correcting, like a human body in good health -- turned out to be
    exquisitely sensitive to turbulence, like the body during critical
    illness. Everyone now asks: When will things get back to normal? But, as a
    physician and researcher, I fear that the resumption of normality would
    signal a failure to learn. We need to think not about resumption but about
    revision. [...]

    https://www.newyorker.com/magazine/2020/05/04/what-the-coronavirus-crisis-reveals-about-american-medicine

    ------------------------------

    Date: Sat, 2 May 2020 20:49:11 -0400
    From: Dick Mills <dickandlibbymills@gmail.com>
    Subject: Re: Online voting is too vulnerable (RISKS-31.76-77)

    Here's a scary thought offered 50% tongue in cheek. The U.S. Constitution
    requires that we have electors, not elections. In fact, initially, state
    legislatures chose the electors in many of the states. As far as the federal
    constitution is concerned, we could skip the 2020 election and still elect a
    President.

    Given all the anxiety about conducting elections, the no election option
    sounds a bit less scary in comparison. There is no guarantee that the
    outcome of who gets elected would be different if we had no election.

    Then we would have another 4 years to get our house in order before holding
    another Presidential election. We would also have a powerful motivation for
    everyone to rethink the whole process seriously. We could even amend The
    Constitution.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.79
    ************************

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)