RISKS-LIST: Risks-Forum Digest  Friday 11 December 2020  Volume 32 : Issue 40

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.40>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
GE puts default password in radiology devices, leaving healthcare networks
  exposed (Ars Technica)
COVID data manager investigated, raided for using publicly available
  password (Ars Technica)
Having one password makes it easier in Florida (Ars Technica)
Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices
  (The Hacker News)
Russian SVR intel service hacks FireEye, obtaining "red team" tools (PGN)
Former Israeli space security chief says aliens exist, humanity not ready
  (The Jerusalem Post)
CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy (DNYUZ)
How to steal photos off someone's iPhone from across the street
  (Naked Security)
Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new
  report finds (The Washington Post)
Digital stethoscope uses artificial intelligence for diagnosing lung
  abnormalities (medicalxpress.com)
Police Drones Starting to Think for Themselves (Cade Metz)
AI Can Run Your Work Meetings Now (WiReD)
The coming war on the hidden algorithms that trap people in poverty
  (Tech Review))
HP Ends 'Free Ink for Life' Subscription Plan (Consumer Reports)
Waymo Terms of Service (waymo.com)
Amazon Wants to Get Even Closer. Skintight (The New York Times)
Designed A Smartwatch App To Help Stop His Dad's Nightmares (npr.org)
Differential Privacy for Ordinary Security Mavens (Rob Slade)
Re: Looking for ways to prevent price collusion with AI systems (Wol)
Re: How 30 Lines of Code Blew Up a 27-Ton Generator (Martin Ward)
Re: Utah monolith: Internet sleuths got there, but its origins are still a
  mystery (Amos Shapir)
Re: Is Alexa Becoming Anti-semitic (John Wunderlich)
Re: Rashida Tlaib takes on stablecoins, not cryptocurrency (John Levine)
Re: Keyhole wasps may threaten aviation safety (Richard Stein,
  Carlos Villalpando)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 9 Dec 2020 01:21:54 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: GE puts default password in radiology devices, leaving healthcare
  networks exposed (Ars Technica)

Fixing the critical vulnerability isn't s straightforward and com with its
own risks.

Dozens of radiology products from GE Healthcare contain a critical
vulnerability that threatens the networks of hospitals and other health
providers that use the devices, officials from the US government and a
private security firm said on Tuesday.

The devices—used for CT scans, MRIs, X-Rays, mammograms,
ultrasounds, and positron emission tomography—use a default
password to receive regular maintenance. The passwords are available to
anyone who knows where on the Internet to look. A lack of proper access
restrictions allows the devices to connect to malicious servers rather than
only those designated by GE Healthcare. Attackers can exploit these
shortcomings by abusing the maintenance protocols to access the devices.
>From there, the attackers can execute malicious code or view or modify
patient data stored on the device or the hospital or healthcare provider
servers.

Aggravating matters, customers can’t fix the vulnerability
themselves.  Instead, they must request that the GE Healthcare support team
change the credentials. Customers who don’t make such a request
will continue to rely on the default password. Eventually, the device
manufacturer will provide patches and additional information.

https://arstechnica.com/information-technology/2020/12/default-password-in-radiology-devices-leaves-healthcare-networks-open-to-attack/

------------------------------

Date: Thu, 10 Dec 2020 19:28:50 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: COVID data manager investigated, raided for using publicly
  available password (Ars Technica)

Not only does the whole state share one password, but it's posted publicly.

Florida police said a raid they conducted Monday
<https://arstechnica.com/tech-policy/2020/12/florida-police-raid-home-of-former-state-coronavirus-data-manager/>
on the Tallahassee home of Rebekah Jones, a data scientist the state fired
from her job in May, was part of an investigation into an unauthorized
access of a state emergency-responder system. It turns out, however, that
not only do all state employees with access to that system share a single
username and password, but also those credentials are publicly available on
the Internet for anyone to read.

https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/

------------------------------

Date: Wed, 9 Dec 2020 14:35:23 -0500
From: wb8foz <wb8...@panix.com>
Subject: Having one password makes it easier in Florida (Ars Technica)

So Rebekah Jones was a state data scientist [in] Florida until she got fired
from her Dept. of Health job in May for posting COVID stats that made
Governer Ronald DeSantis mad.

She had further upset deSantis by privately continuing to post COVID stats
for FL.

She got raided by Florida Dept of Law Enforcement agents a few days ago.
The basis for the warrant was the allegation she had posted a message to the
DOH mailing list.

Now ARS has reported that not only does the DOH system with the list have
only one login & password for all 1700 users, but it's also posted on-line.

So besides the question of if she did post that message, one wonders if is
it [il]legal to use a system with published login/PW data?

<https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/>

------------------------------

Date: Thu, 10 Dec 2020 09:41:03 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Amnesia: Critical TCP/IP Flaws Affect Millions of IoT Devices
  ()

Cybersecurity researchers disclosed a dozen new flaws in multiple
widely-used embedded TCP/IP stacks impacting millions of devices ranging
from networking equipment and medical devices to industrial control systems
that could be exploited by an attacker to take control of a vulnerable
system.

Collectively called "AMNESIA:33
<https://www.forescout.com/research-labs/amnesia33/>" by Forescout
researchers, it is a set of 33 vulnerabilities that impact four open-source
TCP/IP protocol stacks -- uIP, FNET, picoTCP, and Nut/Net -- that are
commonly used in Internet-of-Things (IoT) and embedded devices.

As a consequence of improper memory management,* successful exploitation
<https://kb.cert.org/vuls/id/815128>* of these flaws could cause memory
corruption, allowing attackers to compromise devices, execute malicious
code, performing denial-of-service (DoS) attacks, steal sensitive
information, and even poison DNS cache.

In the real world, these attacks could play out in various ways: disrupting
the functioning of a power station to result in a blackout or taking smoke
alarm and temperature monitor systems offline by using any of the DoS
vulnerabilities.

The flaws, which will be detailed today at the *Black Hat Europe Security
Conference*
<https://www.blackhat.com/eu-20/briefings/schedule/index.html#how-embedded-tcpip-stacks-breed-critical-vulnerabilities-21503>,
were discovered as part of Forescout's Project Memoria initiative to study
the security of TCP/IP stacks.  [...]
https://thehackernews.com/2020/12/amnesia33-critical-tcpip-flaws-affect.html

------------------------------

Date: Tue, 8 Dec 2020 16:19:33 -0500
From: Peter G Neumann <neum...@csl.sri.com.
Subject: Russian SVR intel service hacks FireEye, obtaining "red team" tools
  (Sundry)

https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html
https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html

------------------------------

Date: Mon, 7 Dec 2020 16:10:41 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Former Israeli space security chief says aliens exist, humanity not
  ready (The Jerusalem Post)

*This "Galactic Federation" has supposedly been in contact with Israel and
the US for years, but are keeping themselves a secret to prevent hysteria
until humanity is ready.*

Has the State of Israel made contact with aliens?

According to retired Israeli general and current professor Haim Eshed, the
answer is yes, but this has been kept a secret because "humanity isn't
ready."

Speaking in an interview to *Yediot Aharonot*, Eshed -- who served as the
head of Israel's space security program for nearly 30 years and is a
three-time recipient of the Israel Security Award -- explained that Israel
and the US have both been dealing with aliens for years.

And this by no means refers to immigrants, with Eshed clarifying the
existence of a "Galactic Federation."

The 87-year-old former space security chief gave further descriptions about
exactly what sort of agreements have been made between the aliens and the
US, which ostensibly have been made because they wish to research and
understand "the fabric of the universe." This cooperation includes a secret
underground base on Mars, where there are American and alien
representatives.  [...]
https://www.jpost.com/omg/former-israeli-space-security-chief-says-aliens-exist-humanity-not-ready-651405

------------------------------

Date: Wed, 9 Dec 2020 08:21:26 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: CDC Call for Data on Vaccine Recipients Raises Alarm Over Privacy
  (DNYUZ)

The Trump administration is requiring states to submit personal information
of people vaccinated against Covid-19 -- including names, birth dates,
ethnicities and addresses -- raising alarms among state officials who fear
that a federal vaccine registry could be misused.

The Centers for Disease Control and Prevention is instructing states to sign
so-called *data use agreements* that commit them for the first time to
sharing personal information in existing registries with the federal
government. Some states, such as New York, are pushing back, either refusing
to sign or signing while refusing to share the information.
<https://www.cdc.gov/vaccines/covid-19/reporting/downloads/vaccine-administration-data-agreement.pdf>

Gov. Andrew M. Cuomo of New York warned that the collection of personal data
could dissuade undocumented people from participating in the vaccination
program. He called it ``another example of them trying to extort the State
of New York to get information that they can use at the Department of
Homeland Security and ICE that they'll use to deport people.''

Administration officials say that the information will not be shared with
other federal agencies and that it is needed for several reasons: to ensure
that people who move across state lines receive their follow-up doses; to
track adverse reactions and address safety issues; and to assess the
effectiveness of the vaccine among different demographic groups.  [...]
https://dnyuz.com/2020/12/08/c-d-c-call-for-data-on-vaccine-recipients-raises-alarm-over-privacy/

------------------------------

Date: Sat, 5 Dec 2020 13:14:36 PST
From: Peter Neumann <neum...@csl.sri.com>
Subject: How to steal photos off someone's iPhone from across the street
  (Naked Security)

For your amusement (?), from someone in our lab.

Hollywood version:

Imagine that Ethan Hunt (or Ilsa Faust) walked up to chat with you, and the
conversation lasted for several minutes.  (to satisfy covid-safety reqt, all
people involved worn a mask in this scene) he (or she) thanked you and
walked away. you might think that this was your lucky day, but then you
remembered this Ian Beer's ios attack, and you hadn't had time to patch your
iphone ... needless to say, the secrets stored in your phone were now in the
hands of Hunt (or Faust).

geek version:

https://nakedsecurity.sophos.com/2020/12/02/how-to-steal-photos-off-someones-iphone-from-across-the-street/

if you'd like to challenge yourselves with hardcore details,
here's Ian Beer's blog post:
https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html

------------------------------

Date: Tue, 8 Dec 2020 09:39:38 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Global losses from cybercrime skyrocketed to nearly $1
  trillion in 2020, new report finds (The Washington Post)

https://www.washingtonpost.com/politics/2020/12/07/cybersecurity-202-global-losses-cybercrime-skyrocketed-nearly-1-trillion-2020/

"Estimated global losses from cybercrime are projected to hit just under a
record $1 trillion for 2020 as the coronavirus pandemic provided new
opportunities for hackers to target consumers and businesses.

"The projection of $945 billion in losses, from a new report out today from
the Center for Strategic and International Studies and computer security
company McAfee, is almost double the monetary loss from cybercrime than the
$500 billion in 2018.

"The report underscores the growing dangers that ransomware attacks by
foreign criminal enterprises posed to American industries. Lawmakers have
been deeply concerned about the impact of such attacks, including on the
financial and health-care sectors, in the pandemic."

https://en.wikipedia.org/wiki/World_economy#World_economy_by_country_groups
(retrieved on 08DEC2020) estimates annual global economic output @ ~US$
87.5T. US$ 0.945T/US$ 87T ~= 1.1% of output skimmed via cybertheft of
various flavors.

Cyberinsurance premiums will rise. Businesses that cannot afford the expense
for insurance and proactive measures to secure their personnel, processes,
and infrastructure might close or be bought out by competitors.

"Cybercrime-whackamole-control" is impossible without coordinated
international and transnational law enforcement agencies. Significant
engagement appears missing. Some countries enable and encourage
cybertheft/extortion to harass enemies and boost their own economies.

Risk: Global economic destabilization.

------------------------------

Date: Tue, 8 Dec 2020 18:20:18 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Digital stethoscope uses artificial intelligence for diagnosing
  lung abnormalities (medicalxpress.com)

https://medicalxpress.com/news/2020-12-digital-stethoscope-artificial-intelligence-lung.html

"'Because it can take recordings and telemeter them to physicians, clinical
support can be provided for hard-to-reach areas or areas requiring increased
medical support,' said West.

"The digital stethoscope also features noise suppression to enhance the
auditory signal from the lungs, simplifying the diagnosis process.

"'The noise suppression is a critical aspect that allows it to be used in
even challenging clinics, like we see popping up with increased COVID
hospitalizations,' West said. 'No training is required. Noise suppression
runs automatically on the device and provides clear body sounds.

"'In tests of the device, physicians were found to favor it over 95% of the
time compared to traditional techniques. Once the algorithm is further
improved, the digital stethoscope can be distributed to the field.'"

One expects an AI stethoscope to correctly distinguish and discriminate
respiratory sounds from lungs afflicted by pneumonia, chronic obstructive
pulmonary disorder, silicosis, emphysema, or bronchitis.

Whatever an AI stethoscope detects and diagnoses requires additional
clinical assessment to confirm initial diagnosis: blood chemistry, x-ray,
lung capacity, biopsy, CAT/MRI, etc. Trust but verify.

Noise suppression mechanisms, if not applied carefully, can erroneously
modify (damp or amplify) respiratory harmonics which might render an
inaccurate diagnosis. The AI stethoscope's diagnostic capabilities will
ideally demonstrate diagnosis based on low false positive/negative outcomes
with high-fidelity receiver operating characteristics.

Risk: Inappropriately indicated treatment protocols based on AI-stethoscope
diagnosis.

------------------------------

Date: Mon, 7 Dec 2020 11:56:01 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Police Drones Starting to Think for Themselves (Cade Metz)

Cade Metz, *The New York Times*, 5 Dec 2020, via ACM TechNews, 7 Dec 2020

Police agencies in four U.S. cities are participating in the Drone as First
Responder program, launching unmanned aerial vehicles in response to
emergency calls. The Chula Vista, CA, police dispatches drones, with a
certified pilot federally on the roof of the Police Department to oversee
launches and pilot the drones upon their return; a special drone from
Silicon Valley's Skydio avoids obstacles on its own and can follow a
particular person or vehicle. The latest drone technology would allow police
to operate autonomous drones relatively inexpensively, although civil
liberties proponents are concerned. Greater police use of drones could
eliminate any expectation of privacy outside the home, as the drones collect
and store more video footage. The American Civil Liberties Union's Jay
Stanley said, "It could allow law enforcement to enforce any area of the law
against anyone they want."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28602x226c2ax068361&;

------------------------------

Date: Mon, 7 Dec 2020 18:01:08 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: AI Can Run Your Work Meetings Now (WiReD)

  [Of special interest to organization secretaries! ;-)]

A new wave of startups is trying to optimize meetings, from automated
scheduling tools to facial recognition that measures who's paying attention.

Headroom aims to tackle the social distance of virtual meetings in a few
ways. First, it uses computer vision to translate approving gestures into
digital icons, amplifying each thumbs up or head nod with little emojis that
the speaker can see. Those emojis also get added to the official transcript,
which is automatically generated by software to spare someone the task of
taking notes. Green and Rabinovich say this type of monitoring is made clear
to all participants at the start of every meeting, and teams can opt out of
features if they choose.

More uniquely, Headroom's software uses emotion recognition to take the
temperature of the room periodically, and to gauge how much attention
participants are paying to whomever is speaking. Those metrics a displayed
in a window on-screen, designed mostly to give the speaker real-time
feedback that can sometimes disappear in the virtual context.  ``If five
minutes ago everyone was super into what I'm saying and now they're not,
maybe I should think about shutting up,'' says Green.

https://www.wired.com/story/ai-can-run-work-meetings-now-headroom-clockwise/

For those of us who hate being on camera, I hope the software enjoys looking
at my profile picture.

More seriously, there's not a word about how this AI has been trained.
What could go wrong?

------------------------------

Date: Tue, 8 Dec 2020 20:25:32 -0700
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: The coming war on the hidden algorithms that trap people in poverty
  (Tech Review)

A growing group of lawyers are uncovering, navigating, and fighting the
automated systems that deny the poor housing, jobs, and basic services.

https://www.technologyreview.com/2020/12/04/1013068/algorithms-create-a-poverty-trap-lawyers-fight-back/

------------------------------

Date: Thu, 10 Dec 2020 20:31:20 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: HP Ends 'Free Ink for Life' Subscription Plan (Consumer Reports)

Rescinding the lifetime deal is already sparking criticism from Instant
Ink subscribers

``HP Regularly reviews pricing and makes adjustments based on a variety of
factors. Our updated Instant Ink subscription pricing plans include ending
the free printing plan option while allowing for more roll-over flexibility,
options, and benefits.''

https://www.consumerreports.org/printers/hp-ends-free-ink-for-life/

Just like limiting unlimited bandwidth, terminating free-for-life.

------------------------------

Date: Mon, 7 Dec 2020 12:00:03 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Waymo Terms of Service (waymo.com)

https://waymo.com/terms/ retrieved on 07DEC2020 (Pearl Harbor Day!)

NOTE: Capitalized words used selectively for emphasis.

"9. Indemnification

"To the fullest extent permitted by applicable law, YOU will INDEMNIFY,
DEFEND, and HOLD HARMLESS Waymo and its affiliates, and each of their
respective officers, directors, agents, partners and employees (individually
and collectively, the 'Waymo Parties') FROM AND AGAINST ANY loss, liability,
claim, demand, damages, expenses or costs ('Claims') arising out of or
related to (a) your ACCESS to or USE of our Services; (b) your User Content
or Feedback; (c) your violation of these Terms; (d) your violation,
misappropriation or infringement of any rights of another (including
intellectual property rights or privacy rights); and (e) your conduct in
connection with our Services. You agree to promptly notify Waymo Parties of
any third-party Claims, cooperate with Waymo Parties in defending such
Claims and pay all fees, costs and expenses associated with defending such
Claims (including, but not limited to, attorneys' fees).  You also agree
that the Waymo Parties will have control of the defense or settlement, at
Waymo's sole option, of any third-party Claims. This indemnity is in
addition to, and not in lieu of, any other indemnities set forth in a
written agreement between you and Waymo or the other Waymo Parties."

Ironclad indemnification protects Waymo Parties arising from Service
incidents, mishaps, or injuries.

"11. Limitation of Liability

"To the fullest extent permitted by applicable law, Waymo and the other
Waymo Parties will not be liable to you under any theory of liability --
whether based in contract, tort, negligence, strict liability, warranty, or
otherwise -- for any indirect, consequential, exemplary, incidental,
punitive or special damages or lost profits, even if Waymo or the other
Waymo Parties have been advised of the possibility of such damages.

"The total liability of Waymo and the other Waymo Parties, for any claim
arising out of or relating to these Terms or our Services, regardless of the
form of the action, is limited to the amount paid, if any, by you to use our
Services."

If Waymo's liability is miraculously established, the cost of the Service
will be reimbursed.

Given these service terms, is it any wonder why the DV industry is poised
for "blastoff"?

The National Safety Council publishes
https://injuryfacts.nsc.org/all-injuries/preventable-death-overview/odds-of-dying/
(retrieved on 07DEC2020).

The odds of dying in a motor vehicle accident are 1 in 106. The DV industry
is betting that their services can beat these odds. Is their bet a
beneficial "risk shift" (public risk for private profit) or will it become
yet another example of "Profit Without Honor"
(https://www.amazon.com/Profit-Without-Honor-Looting-Criminal/dp/0134871421)?

------------------------------

Date: Mon, 7 Dec 2020 00:06:38 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Amazon Wants to Get Even Closer. Skintight (The New York Times)

In the pursuit of surveillance as a service, Jeff Bezos is intent on
recording even our moods. How much personal data is too much to give to
Amazon?

https://www.nytimes.com/2020/11/27/opinion/amazon-halo-surveillance.html

------------------------------

Date: Mon, 7 Dec 2020 14:12:08 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Designed A Smartwatch App To Help Stop His Dad's Nightmares
  (npr.org)

https://www.npr.org/2020/12/06/943647610/he-designed-a-smartwatch-app-to-help-stop-his-dads-nightmares
retrieved on 07DEC2020.

There is an urgent public health need to treat post traumatic stress
disorder (PTSD) in military service veterans, especially those exposed to
combat conditions. I do hope this app is effective.

Consulting the QuickSearch option of FDA's Product Classification
Database @
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/pcdsimplesearch.cfm
(type in "PTSD") yields:

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/classification.cfm?IDMZ.

To learn a bit more, access
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=3909.

The FDA's Total Product Lifecycle (TPLC) linkage on Product Code QMZ reveals
no published MAUDE medical device report (MDR) submissions to date for
injury, malfunction, death or other event types. The TPLC platform
aggregates device problems and patient problem categories.  Patient problems
are traced to injury, malfunction, death or other MDR event labels. Revisit
TPLC Product Code QMZ in a year or so to observe the net public health
benefit or deployment effectiveness of the app.

Attempting to determine benefit or harm from historical medical device use
can be challenging. There appears to be no federal regulation requiring the
device manufacturer or supplier to periodically disclose use volumes.

Device manufacturer financial reports document revenue and percentage change
in revenue; no tables disclose product inventory counts sold or returned for
inspection/failure analysis. See "Medtronic FY20 Irish Financial Report" @
https://investorrelations.medtronic.com/static-files/5b588fc9-9447-427d-9d51-6ff7b73370aa
table on pg. 4/pdf pg. 6, retrieved on 07DEC2020.

The FDA's systems do not publish totalized counts of device
implants/explants or use/disuse. MDR narratives must be searched to discover
language stating 'device was returned for analysis', 'implanted',
'explanted', 'removed', or 'replaced'.

Further, every patient is different (pre-existing morbidities, genetics,
gender, age, etc.) As a result, it is sometimes challenging to conclude if
the device initiated the MDR event, or if the patient's underlying
condition(s) contributed/caused the event. For this reason, focusing
exclusively on MDR death events can be misleading as a predictive indicator
of future therapeutic prescription outcome. Device malfunctions and injuries
arising from their use are more tightly correlated.

The FDA's disclaimer is VERY CLEAR about attempting to project outcomes
based solely on the TPLC and MAUDE historical device/patient problem
counts. See
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/TextSearch.cfm#disclaimer
retrieved on 07DEC2020.

The rate of device use by healthcare professionals/systems (hospitals) can
be determined from historical procedure billing found in the United States
Center for Medicare and Medicaid Services (CMS.gov). With that information,
one can estimate probabilities for future patient or device problems based
on historical procedure billing counts and population statistics.  --

------------------------------

Date: Wed, 9 Dec 2020 10:09:03 -0800
From: Rob Slade <rmsl...@shaw.ca>
Subject: Differential Privacy for Ordinary Security Mavens

A friend, and NYIT, have asked me to do a CISSP review seminar.  Since I've
taught the seminars for two decades, first for ISC2 and then for various
other commercial training companies, this is not hard.  I'm about 70%
through my first draft.  At the same time, I'm going to be giving the
differential privacy presentation on Friday.
https://infosecbc.org/2020/11/27/december-11th-2020-meeting/
https://community.isc2.org/t5/P/D/m-p/41128 So Gloria asked me if I was
going to be putting any differential privacy content into the review
seminar.

I had to think about that.  For one thing, knowing what I know about the
CISSP exam question process, I very much doubt that anyone (other than
myself) has yet created any questions about differential privacy in the
CISSP exam question style.  (There is *plenty* of trivia in regard to
differential privacy that can be used to make up questions to prove how
smart *you* are in comparison to the other guy, but that isn't the CISSP
question style.)
https://community.isc2.org/t5/Exams/CISSP-questions/m-p/18626

But the next problem is, where would I put it within the domains?  Would it
go in Law, Investigation, and Ethics, which is where we usually talk about
privacy?  But differential privacy isn't really about privacy.  At least not
*your* privacy.  It's not something you can do, but something that
enterprises, developers, and whole infrastructures of the IT universe have
to put in place in order to protect privacy on a much larger scale.  Do I
put it in crypto?  There's lots of math involved, some of it similar to a
lot of work in various corners of crypto (although not exactly the same).
Or should it go into Applications Security, since most of it primarily
applies to databases and queries and it has to be baked in to database
design at a pretty structural level in order to actually work.

Part of the problem is that differential privacy isn't actually a single
"thing."  It's an amalgam of a number of ideas and technologies, none of
them actually new, trying to address some interesting, and long-term,
problems of privacy and disclosure.  Trying to see whether these approaches
actually work has raised some new issues and concepts, and differential
privacy probably will provide some important and interesting approaches to
some aspects of privacy and database design in the years to come.  But it's
kind of like Public Key Infrastructure (PKI) in crypto: you've got a lot of
moving parts, and you have to make sure they are all properly in place in
order to have the system work properly and not be in danger of some kind of
attack on your implementation.  It's also kind of the quantitative risk
analysis of privacy and database design: there are a lot of details, and
it's a lot of work, and most people are going to be too lazy to try to make
it work properly.

------------------------------

Date: Sat, 5 Dec 2020 09:01:31 +0000
From: Wols Lists <antli...@youngman.org.uk>
Subject: Re: Looking for ways to prevent price collusion with AI systems
  (RISKS-32.39)

And how is this different from what already happens today?

It is now recognised that certain market dynamics (mainly customer inertia
in switching suppliers) ALREADY gives rise to the appearance of collusion
when there is none.

This is why utility prices rise quickly when raw costs go up, but fall
slowly when they go down.

This is why brands invest heavily in brand loyalty.

And the fix needs to be the same -- keep humans in the loop, looking for the
opportunity to steal a march on their opponents by intervening and cutting
prices to steal customers.

------------------------------

Date: Sat, 5 Dec 2020 10:23:04 +0000
From: Martin Ward <mar...@gkc.org.uk>
Subject: Re: How 30 Lines of Code Blew Up a 27-Ton Generator
  (Goldberg, RISKS-32.39)

> 30 lines of code = 140KB?

On my machine a two-line "Hello world" compiles to 20kB.  So with static
linking of more libraries, 30 lines could easily compile to 140kB.

But it might also mean 30 lines of code were changed in a larger file.

------------------------------

Date: Sat, 5 Dec 2020 14:12:19 +0200
From: Amos Shapir <amos...@gmail.com>
Subject: Re: Utah monolith: Internet sleuths got there, but its
  origins are still a mystery (RISKS-32.39)

Actually, the Mystery of the Monolith had been solved.

The Article: The Mystery Of The Utah Monolith May Have Been Solved By
Internet Sleuths details how the monolith was found; the last paragraph also
details who had created it.
<https://www.iflscience.com/editors-blog/the-mystery-of-the-utah-monolith-may-have-been-solved-by-internet-sleuths/>

------------------------------

Date: Sun, 6 Dec 2020 08:45:16 -0500
From: John Wunderlich <j...@wunderlich.ca>
Subject: Re: Is Alexa Becoming Anti-semitic (RISKS-32.39)

I should note the the piece on anti-semitism and AI contains assertions that
are politically contested.  I'm particularly referring to the notion that
criticisms of the state of Israel are inherently anti-Semitic.

The framing of the piece conflated anti-semitism -- a real and pernicious
type of racism -- with political criticism of Israel -- a legitimate form of
free speech.

In affect, this highlights just how wicked hard applying AI to
news/speech/politics is.

------------------------------

Date: 5 Dec 2020 17:23:44 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: Rashida Tlaib takes on stablecoins, not cryptocurrency (R-32.39)

> cosponsored a bill requiring stablecoins like Facebook's Libra to be
> issued by banks.

The important word is "stablecoins"; this is quite reasonable.

A stablecoin promises that you can redeem it for some amount of real
money. That means that each coin is in effect a demand loan of the
underlying value to whomever holds the money, and it makes sense to regulate
them like other organizations that accept demand loans and give you an
IOU. These organizations are generally called banks.

The best known stablecoin, Tether, claims you can redeem every tether for $1
but outside the crypto bubble it is widely considered to be a fraud. There
have been over 18 billion tether issued and there is no evidence that tether
has anything close to $18 billion in assets. Last year in a lawsuit their
lawyer asserted that they had 74c for each tether but there's not much
evidence of that either.

The usual risk is that as soon as someone says BLOCKCHAIN! a certain number
of people check their common sense at the door.

------------------------------

Date: Sun, 6 Dec 2020 09:36:34 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Re: Keyhole wasps may threaten aviation safety (RISKS-32.39)

Ben -- Thank you for this informed response to my post. I am forwarding
your response as follow up on this thread.

On 5/12/20 12:05 pm, Ben Kamen wrote:

> As a private pilot that owns a small 2 seater (and we talk about blocked
> pitot tubes a lot) - the problem isn't new as mud daubers have been doing
> this for a long time. (if this is the same species)

> In areas where they are prolific or to be safe, any time the plane is
> parked outside, pitot covers are recommended.

> The bigger problem isn't completely blocked tubes because a dead airspeed
> indicator would be obvious on rollout for takeoff.

> What most of us worry about more is partially blocked tubes that give
> faulty readings.

> Also being an EE, I could image some interesting tests for startup, but
> the FAA does like simplicity and fiber could be a problem because pitot
> tubes have heaters built into them to melt off any ice-buildup in incing
> conditions. Even my 2-seater that's not certified for flying into known
> icing conditions has a pitot heater. So a remote visual sensing system
> would have to deal with that.

------------------------------

Date: Sat, 5 Dec 2020 13:01:34 -0800
From: Carlos Villalpando <unbel...@gmail.com>
Subject: Re: Keyhole wasps may threaten aviation safety (RISKS-32.39)

> Would a power-on-self-test be able to discern if the inlet is bugged
> via fiber optic signal and sensor?

Wasps nests in pitot tubes are a long-known issue in aviation.  In North
America, at least, the offending species is the Mud Dauber Wasp.  As the
linked article points out pitot tube covers are the current method of
controlling such issues.

How is it detected? A thorough pre-flight is key, but daubers can get pretty
deep into the tube, beyond inspection ability.  So issues with the Air Speed
Indicator (ASI) are detected procedurally.  Small aircraft crews, during the
takeoff roll, are supposed to note that the ASI "comes alive" and is
behaving consistent with the expected takeoff performance roll early enough
to abort if necessary.  Professional airline crews do the same, but also
cross-check between the Captain's and First Officers' ASIs.

But as it is a human procedure, humans can fail at it.  Birgenair Flight 301
is an example of a pitot tube blocked by a wasp nest, with the pilots
noticing, but ignoring the warnings, with all occupants perishing.

https://en.wikipedia.org/wiki/Birgenair_Flight_301

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.40
************************

Reply via email to