• Risks Digest 31.83

    From RISKS List Owner@21:1/5 to All on Sat May 16 15:55:24 2020
    RISKS-LIST: Risks-Forum Digest Saturday 16 May 2020 Volume 31 : Issue 83

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.83>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Massachusetts uses same license plate numbers for diff vehicle types (WHDH)
    Feds Suspect Vast Fraud Network Is Targeting U.S. Unemployment Systems
      (NYTimes)
    Australia's largest steel producer shut down by ransomware attack (ABC AU)
    China is capable of shutting down Europe's 5G network regardless
      of whether Huawei equipment is included in it (UI.SE)
    Meaningless "review" of Imperial COVID codebase (Wordpress)
    Virginia Will No Longer Include Antibody Tests In Overall Test Data (DCist)
    Stimulus check delays when accounts were overdrawn! (Propublica)
    App Shows Promise in Tracking New Coronavirus Cases, Study Finds (NYTimes)
    From asymptomatic to lethal:- Coronavirus discrepancies puzzle scientists
      (WashTimes)
    Apple and Google clash with health officials over virus-tracking apps
      (WashPost)
    The Prophecies of Q (The Atlantic)
    DHS to advise telecom firms on preventing 5G cell tower attacks linked to
      coronavirus conspiracy theories (WashPost)
    Poll -- US believers see message of change from God in virus (AP)
    Re: COVID SW model is a steaming pile ... (Erling Kristiansen)
    Re: Coronavirus New York Shock: Two-Thirds Of Recent Patients Infected
      While Staying At Home (Jay Elinsky)
    Re: Risks in signature verification for mail-in ballots (Paul Burke)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 13 May 2020 23:44:43 -0400 (EDT)
    From: danny burstein <dannyb@panix.com>
    Subject: Massachusetts uses same license plate numbers for diff vehicle
    types (WHDH)

    Massachusetts issues the same license plate number for different vehicles.
    So as the news article ref'ed below states, "there could be Mass passenger 1234, but also commercial 1234, Cape and Island 1234, Red Sox, Purple Heart, and more."

    The EZ Pass readers/back systems in Mass perform some sort of Arthur C.
    Clarke Magic [*] to determine which vehicle should get charged, but when the license plate is scanned in other states, well...

    A local couple was home, sheltering in place during the pandemic. So why
    was their car being charged for tolls in another state? Hank's
    investigation gets answers and action.

    Cynthia's red four-door sits in her Concord driveway. Exactly where it's
    been for weeks. [...] So when Cynthia got her April EZ Pass bill she was baffled. It said her car went through tolls in New York, a COVID hot
    spot. [...]

    [It turned out that one of the local ambulances, with the same basic plate
    number, was part of the FEMA mutual aid response in NYC, which went
    through lots and lots of bridge and tunnel tollgates every day. Lots and
    lots of bills.]

    https://whdh.com/news/hank-investigates-incorrectly-charged-for-ezpass-tolls/

    * Per the late science/science fiction author Arthur C. Clarke, "Any
    sufficiently advanced technology is indistinguishable from magic."

    ------------------------------

    Date: Sat, 16 May 2020 14:59:56 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Feds Suspect Vast Fraud Network Is Targeting U.S. Unemployment
    Systems (NYTimes)

    Investigators detected a sophisticated international attack they said could siphon hundreds of millions of dollars that were intended for the
    unemployed.

    https://www.nytimes.com/2020/05/16/us/coronavirus-unemployment-fraud-secret-service-washington.html

    ------------------------------

    Date: Fri, 15 May 2020 09:17:33 +0000
    From: John Colville <John.Colville@uts.edu.au>
    Subject: Australia's largest steel producer shut down by ransomware attack
    (ABC AU)

    https://www.abc.net.au/news/2020-05-15/bluescope-steel-cyber-attack-shut-down-kembla-ransomware/12251316

    ------------------------------

    Date: Fri, 15 May 2020 09:16:07 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: China is capable of shutting down Europe's 5G network regardless
    of whether Huawei equipment is included in it (UI.SE)

    Chinese cyber-espionage presents a huge challenge but almost all spying is carried out by means of applications and phishing, rather than through infrastructure...

    https://www.ui.se/globalassets/butiken/ui-paper/2020/ui-paper-no.-5-2020.pdf

    ------------------------------

    Date: Thu, 14 May 2020 21:25:30 +0930
    From: William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
    Subject: Meaningless "review" of Imperial COVID codebase (Wordpress)

    As is usually the case, a risk arises from people overestimating the
    applicability of their expertise. Specifically, commercial software
    developers "reviewing" a COVID simulation numerical model without
    understanding its requirements or how scientific software is applied.

    https://philbull.wordpress.com/2020/05/10/why-you-can-ignore-reviews-of-scientific-code-by-commercial-software-developers/amp/

    The risk is that public trust in what was probably an excellent analysis
    (I'm not an epidemiologist so I couldn't possibly say - and neither can
    they) will be undermined by tech-bro egos.

    ------------------------------

    Date: Thu, 14 May 2020 18:54:11 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Virginia Will No Longer Include Antibody Tests In Overall Test Data
    (DCist)

    This week, as Virginia has faced continuing criticism for its lag in
    widespread coronavirus testing even as it gears up to reopen large swaths of the state, government officials are grappling with yet another backlash.

    Media reports, including a story in the Richmond Times-Dispatch and a
    scathing article in The Atlantic, highlighted that the state was including antibody testing in its overall coronavirus testing numbers, artificially boosting those numbers and driving down the percentage of positive cases.

    Governor Northam has repeatedly cited increased testing capacity as the main reason that most of Virginia will begin to re-open starting this Friday.

    On Thursday, the Virginia Department of Health announced they would no
    longer include the results of antibody tests in their overall data, though officials stressed that its inclusion did not significantly alter the trends that aided the governor in making the decision to reopen. About 15,000 antibody tests had been included, making up about nine percent of the
    overall testing number.

    The commonwealth says the inclusion of this antibody testing data wasn't
    done on purpose -- it was the fault of an automatic computer programming system.

    https://dcist.com/story/20/05/14/virginia-will-no-longer-include-antibody-tests-in-overall-test-data/

    Same as HAL 9000, Colossus the Forbin Project, etc. No human's fault...

    ------------------------------

    Date: Mon, 27 Apr 2020 17:24:46 +0000
    From: Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
    Subject: Stimulus check delays when accounts were overdrawn! (Propublica)

    Plenty in this article for RISKS lovers to chew on.

    https://www.propublica.org/article/millions-of-people-face-stimulus-check-delays-for-a-strange-reason-they-are-poor

    ------------------------------

    Date: Fri, 15 May 2020 13:28:58 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: App Shows Promise in Tracking New Coronavirus Cases, Study Finds
    (NYTimes)

    The app, which allows people to record their symptoms, was remarkably
    effective in predicting infections. The most reliable indicators,
    researchers found, were loss of smell and taste.

    https://www.nytimes.com/2020/05/11/health/coronavirus-symptoms-app.html

    ------------------------------

    Date: Fri, 15 May 2020 09:17:27 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: From asymptomatic to lethal:- Coronavirus discrepancies puzzle
    scientists (WashTimes)

    *COVID-19 lack of symptoms compared to Zika outbreaks*

    EXCERPT:

    The share of people who are infected with the coronavirus but never get sick varies widely from place to place, from less than 20% of cruise ship
    passengers in Japan to a whopping 95% of inmates at an Ohio prison, underscoring the challenge in weeding out infections and isolating the virus
    as parts of the world reopen.

    During the mosquito-borne Zika outbreak in 2015 and 2016, scientists were confident that 75% of those infected would not develop symptoms.

    But scientists are having a hard time pinpointing a global average for COVID-19, the disease caused by the new coronavirus, and are finding
    different rates in different places.

    A study in Iceland found that half of those who tested positive for the coronavirus infection showed no signs of illness. Nearly 1 in 5, or 17.9%,
    of infected passengers on the Diamond Princess cruise ship off Japan were asymptomatic, according to a March study.

    The Center for Evidence-Based Medicine at Oxford University said 50% to 70%
    of people in an Italian village west of Venice were asymptomatic, compared
    with 31% of Japanese nationals evacuated from Wuhan, China, where the
    outbreak began in December. [...]

    https://www.washingtontimes.com/news/2020/may/14/coronavirus-asymptomatic-discrepancies-compared-zi/

    ------------------------------

    Date: Fri, 15 May 2020 16:13:22 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Apple and Google clash with health officials over virus-tracking
    apps (WashPost)

    The tech giants have refused officials' pleas to allow the collection of location data and to help contact-tracing teams learn where new infections
    have spread.

    https://www.washingtonpost.com/technology/2020/05/15/app-apple-google-virus/

    ------------------------------

    Date: Thu, 14 May 2020 19:59:36 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The Prophecies of Q (The Atlantic)

    American conspiracy theories are entering a dangerous new phase.

    https://www.theatlantic.com/magazine/archive/2020/06/qanon-nothing-can-stop-what-is-coming/610567/

    ------------------------------

    Date: Wed, 13 May 2020 23:11:27 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: DHS to advise telecom firms on preventing 5G cell tower attacks
    linked to coronavirus conspiracy theories (WashPost)

    Disinformation has spurred sporadic attacks against cell towers in the
    United States.

    https://www.washingtonpost.com/national-security/dhs-to-advise-telecom-firms-on-preventing-5g-cell-tower-attacks-linked-to-coronavirus-conspiracy-theories/2020/05/13/6aa9eaa6-951f-11ea-82b4-c8db161ff6e5_story.html

    ------------------------------

    Date: Fri, 15 May 2020 09:19:26 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Poll -- US believers see message of change from God in virus (AP)

    EXCERPT:

    The coronavirus has prompted almost two-thirds of American believers of all faiths to feel that God is telling humanity to change how it lives, a new
    poll finds.

    While the virus rattles the globe, causing economic hardship for millions
    and killing more than 80,000 Americans, the findings of the poll by the University of Chicago Divinity School and The Associated Press-NORC Center
    for Public Affairs Research indicate that people may also be searching for deeper meaning in the devastating outbreak.

    Even some who don't affiliate with organized religion, such as Lance Dejesus
    of Dallastown, Pa., saw a possible bigger message in the virus. [...]

    https://apnews.com/0bed79d024a56d2ac0b93bc51df80e9b

    ------------------------------

    Date: Thu, 14 May 2020 18:57:29 +0200
    From: Erling Kristiansen <erling.kristiansen@xs4all.nl>
    Subject: Re: COVID SW model is a steaming pile ... (Wol, RISKS-31.82)

    Wol missed the point of Baker's article: That running a computer program
    twice with the same inputs (including PRNG seed, if relevant) should produce identical (not just similar) outputs. If not, something is VERY wrong, and output is essentially useless. You just don't know what you are doing.

    Reproducibility in science is something different: Repeating an experiment
    or observation, or doing a different experiment to determine the same parameters, gives you confidence in the results if they give similar (but
    not strictly identical) results.

    In astronomy, you do observe the same objects using different telescopes, different methods, etc. So also here, finding similar results helps you gain confidence in the results.

    ------------------------------

    Date: Fri, 15 May 2020 13:54:43 -0400
    From: Jay Elinsky <jay.m.elinsky@gmail.com>
    Subject: Re: Coronavirus New York Shock: Two-Thirds Of Recent Patients
    Infected While Staying At Home (RISKS-31.82)

    I can think of a few reasons why a whole-building air handler in multiple dwelling buildings, posited by Geoff Goodfellow, would be impractical
    besides its potential to distribute pathogens:

    1) In case of fire, smoke and toxic fumes could be distributed throughout
    the building;

    2) Cooking odors could be distributed throughout the building;

    3) Impractically large ductwork would be required to carry large quantities
    of heat over long distances in the building via moving air.

    I've lived in two high rise residential buildings with central air conditioning. In neither building is air from throughout the building mixed
    in a central chamber. In one building, chilled water is distributed to fan
    coil units located in each room. A fan, controlled by a thermostat in the
    room, blows room air over the chilled coils. In the other building, central
    A/C is provided by heat pumps in each unit, almost in the usual way, except that the heat pump transfers room heat to water that circulates throughout
    the building, rather than to a refrigerant circuit. The circulating water passes through a rooftop cooling tower which transfers the heat to the outdoors.

    ------------------------------

    Date: Thu, 14 May 2020 13:05:49 -0700
    From: Paul Burke <box1320@gmail.com>
    Subject: Risks in signature verification for mail-in ballots

    RISKS Digest 31.82 reported a story that "All California voters will
    receive mail-in ballots for November"

    Far more than "all voters" will receive mail-in ballots. California will
    mail to inactive addresses too: "over 458,000 likely dead or relocated
    persons will be mailed ballots... Almost 178,000 have *never* voted...
    Mass 'seeding' of unclaimed ballots, coupled with ballot 'harvesting' by
    unscrupulous operatives, is a significant risk to the integrity of the
    November election."
    https://www.prnewswire.com/news-releases/hundreds-of-thousands-of-ineligible-persons-could-be-mailed-ballots-if-california-goes-all-mail-in-november-election-301055445.html

    Accepting mailed ballots depends purely on comparing one signature on the outside of the envelope to one or more signatures on file. Comparisons are often automated. Successful computer matches are not always reviewed, and
    false match rates are unknown. "[A]lgorithms that look for a certain number
    of points of similarity between the compared signatures... different brands
    of machines are used... ES&S, Olympus, Vantage, Pitney Bowes, Runbeck, and Bell & Howell... a wide range of algorithms and standards, each particular
    to that machine's manufacturer, are used to verify signatures. In addition, counties have discretion in managing the settings and implementing manufacturers' guidelines... there are no statewide standards for automatic signature verification... most counties do not have a publicly available, written explanation of the signature verification criteria and processes
    they use"
    https://www-cdn.law.stanford.edu/wp-content/uploads/2020/04/FINAL-Signature-Verification-Report-4-15-20.pdf

    For manual signature reviews, that same Stanford study says, "Most counties review ballot signatures with a basic presumption in favor of counting each ballot... [Some] declare that just three or even one matching
    characteristic between the ballot signature and the comparison signature
    will be sufficient to find a match... many county officials expressed that evaluating ballot signatures is made substantially harder by the decline of cursive education and by the use of electronic signature pads during DMV registration, which often produce blurry signatures or flatten otherwise distinctive elements of a signature. Both issues disproportionately affect younger voters, who are more likely to have registered on an electronic signature pad and are less likely to have learned cursive in school. The registrar of one Bay Area county explained that she 'cannot compare a
    printed name to a signature,' and that people printing rather than signing their names on their ballots is 'becoming more prevalent over time.' "
    Stanford says that signatures also vary more from people who rarely use
    Roman characters, such as some Asian-Americans.

    "election officials with little or no training in verifying a person's signature are tasked with doing just that... it's unlikely that only one or two samples will show the spectrum of a person's normal variations... Even major treatises on handwriting analysis concede that it is extremely
    difficult for anyone to be able to figure out if a signature or other very
    limited writing sample has been forged..."
    https://www.propublica.org/article/handwriting-disputes-cause-headaches-for-some-absentee-voters

    California requires less than a week's notice to voters to cure
    discrepancies. Many states allow less time than that. (And Stanford says
    they often still require a new signature to match a signature on file.)
    https://www.ncsl.org/research/elections-and-campaigns/verification-of-absentee-ballots.aspx

    I fully support all-mail voting this year. We need to measure and minimize false-positive and false-negative signature verification. What levels will
    be acceptable? There's scope to suppress young voters and Asian-American voters.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.83
    ************************
