RISKS-LIST: Risks-Forum Digest  Thursday 1 April 2021  Volume 32 : Issue 58

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.58>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
April No-Fools' Day? No fooling! (PGN)
Post-vaccine guidance (Rob Slade)
Errors ruin 15 million doses of Johnson & Johnson's COVID-19 vaccine (NYTimes)
Dark web bursting with COVID-19 vaccines, vaccine passports (Ars Technica)
New York launches nation's first vaccine passports (USA Today)
Vaccine passports (Lauren Weinstein)
New Covid vaccines needed globally within a year, say scientists (The Guardian)
Child tweets gibberish from U.S. nuclear-agency account (BBC News)
Fooling facial recognition (The Register)
Biometrics instead of passwords (The Register via Arthur T.)
The Antiscience Movement Is Escalating, Going Global and Killing Thousands (Peter J. Hotez)
Nine requests assistance from government after major cyber-attack (John Colville)
How the Nine cyber-attack is affecting the Herald (John Colville)
How a Software Error Made Spain's Child COVID-19 Mortality Rate Skyrocket (Slate)
The Underground Nuclear Test That Didn't Stay Underground (Atlas Obscura)
Solar Geoengineering Should be Investigated, Scientists Say (Scientific American)
PHP's Git Server Hacked to Insert Secret Backdoor to Its Source Code (The Hacker News)
New wave of hacktivism adds twist to cybersecurity woes (reuters.com)
Blockchain is causing female green sea turtles (Rob Slade)
Your right to repair: COVID-19 is sending businesses, hospitals, and consumers to the breaking point (ZDNet)
Wetware data retrieval: Forensic analysis and data recovery from water-submerged hard drives (Techxplore)
Scientists can implant false memories -- and reverse them... (Inverse)
Suez Canal Blocked After Giant Container Ship Gets Stuck (NY Times)
Suez Canal from Space (Geoff Kuenning)
'Agile' F-35 fighter software dev techniques failed to speed up supersonic jet deliveries (The Register)
F-35 vs. bird (Gabe Goldberg with PGN comments)
Radiation Upset confused computers and caused false alarm on International Space Station (The Register)
Vote-by-mail fraud in Australia (Vanessa Teague)
How Facebook got addicted to spreading misinformation (TechReview)
No security on Website intended to prove that Swiss are vaccinated (Anthony Thorn)
Volkswagen apparently changing their name in U.S. (Lauren Weinstein)
Remote Work Is Here to Stay. Manhattan May Never Be the Same (NYTimes)
Where Are Those Shoes You Ordered? Check the Ocean Floor (David Lesher)
Cautionary story about cryptocurrencies, apps, security... (Gabe Goldberg)
Energy-harvesting card treats 5G networks as wireless power grids (NewAtlas)
Yet another 5G attack vector (Rob Slade)
Re: No good evidence that 5G harms humans, new studies find (Douglas Lucas)
Re: Cybersecurity in retrospect: not good! (Dick Mills)
Re: How far should humans go to help species adapt? (Bob Wilson)
Re: Too much choice is hurting America (Sam Steingold)
Re: Risk transfer and Doordash (John Levine)
TikTok Does Not Pose Overt Threat to U.S. National Security (Eva Xiao)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 30 Mar 2021 10:47:11 PDT
From: Peter Neumann <neum...@csl.sri.com>
Subject: April No-Fools' Day? No fooling!

With all the worldwide rampant disinformation, this year RISKS is attempting to eschew intentional foolishness on April Fools' Day. However, this issue is full of unintentional folly -- which is normally our standard fare. Walt Kelly's Pogo might once have said about April Fools' Day, "We have met the fools, and they are us."

There are of course still a lot of fools believing wild conspiracy theories.
But might the fools be many people who do not read RISKS? I would like to believe that after more than 36 years, our readership is continually becoming more enlightened. However, please read the next item carefully. It starts out (a) as an April Fools piece, but (b) then changes its mind and is not.

------------------------------

Date: Sun, 28 Mar 2021 10:51:04 -0800
From: Rob Slade <rmsl...@shaw.ca>
Subject: Post-vaccine guidance

Many people are concerned that health authorities, while working diligently to ensure vaccine rollout is as fast and as smooth as possible, have not given clear and specific guidance to those who *have* been vaccinated as to when they can resume normal activities, and which activities are permitted, at which point, once they have received vaccinations. The following is a chapter that was somehow missed from the printed edition of "Cybersecurity Lessons from CoVID-19," and is an attempt to fill that gap.

As many will know, receipt of the vaccine shot does not immediately confer full immunity or protection. There is a delay while the body reacts to the vaccine, and builds up antibody defences. In the case of most vaccines, this build-up of protection takes between three weeks and a month. Most of the vaccine candidates also benefit from, but do not necessarily require, a booster shot. This second shot can slightly increase the level of protection against the infection, and tends to make the protection last for a longer period of time.

There are few changes in routine and protective behaviour, therefore, immediately following receipt of the shot. Those vaccinated are, however, cautioned against celebrating receipt of the vaccine with breakdancing, since medical staff will be watching closely, in the first fifteen minutes after vaccine administration, for signs of Adverse Effects From Immunization (AEFIs), and may falsely report high levels of seizures. Also be advised that referring to a large vaccination facility as a "mass shooting site" will not be appreciated by staff.

You may have heard of variants of concern. For those who have not yet been vaccinated, you should also be aware that there are also vaccines of concern. Do be cautious in terms of the vaccine that you are offered. "Sputnick," "Phiser," or "Modern" brand vaccine is unlikely to be effective, nor is anything manufactured by "Joe's Vaccines-Backwards-R-Us and Autobody." If someone offers you P.1, note that this is not a vaccine, but either the virus itself, or a fictional computer virus from a book by Thomas J. Ryan.

Since protection does take time to build, please do not immediately discard your facemask on the floor of the facility with loud exclamations of "Well thank [deity of your choice] *THAT'S* over with!" as you leave. Please continue masking, as usual, for at least a month after receipt of the vaccine. (Between weeks three and four it *is* permissible to wear your mask under your nose.) If you wish to ceremonially burn your facemask after the full month has passed, please ensure you do so in a well-ventilated area away from dry vegetation, and remove all plastic and rubber components first and discard in appropriate recycling bins.

Currently, for unvaccinated individuals, gatherings are restricted to households or a designated "safe six." Three weeks after initial vaccination, you may introduce a seventh person, but only someone that none of you really like. After four weeks, you may introduce one additional vaccinated person per week, as long as they sit more than six feet or two metres away, which distancing can be reduced by one foot (thirty centimetres) per week. (If that additional person has received a different vaccine from the one you received, please add an additional four inches [ten centimetres] of distance.)

Once you have received your second vaccine shot, you may engage in board games with people who have received only their first shot, but only if the board and all pieces are sprayed with disinfectant after each move.

As vaccines have been prioritized for those in older age categories, there will be situations where grandparents have been vaccinated, but their children and grandchildren have not. If the grandparents have had both shots, then they may visit if their children (parents of the grandchildren) have had at least one shot, and may have some contact with grandchildren, but should avoid "lifting" games, especially if the grandchildren weigh more than fifty pounds. As most vaccines are not yet approved for children under the age of sixteen, contact with the grandchildren should be limited to a gentle pinch on the cheek and the comment, "My, aren't you getting big!" (Both cheek and fingers should be sanitized immediately after.)

Children may attend school, as studies show that transmission rates within schools are lower than in the general community. (Parents and grandparents are warned that they will not be allowed to live in schools until full vaccination is achieved.)

In terms of intimate relationships, you may engage in short affairs between the receipt of your initial shot and your booster shot, but do not enter into any relationship likely to extend beyond the date for your second shot.

Weddings and other large gatherings may slowly resume, with restrictions. If both bride and groom are unvaccinated, the ceremony is limited to ten people, outdoors. If both bride and groom have had their first vaccination, the ceremony is limited to ten people, indoors. If the bride and groom have had vaccinations from different manufacturers, the ceremony may be held indoors, but the centre aisle must be at least three metres wide. If all guests have had both shots, the ceremony may be held with 50 guests. Any guests who have had only one vaccine are limited to no more than 15, and must be at least four rows back from those who have had both shots. If the groom and the groom have both had their shots from the same manufacturer, and all the guests have as well, and there is at least one Catholic in the guest list who has had both shots *and* has been sprinkled with holy water, please contact the Vatican medical office for the proper protocol.

Children's birthday parties with large numbers of children and all parents in attendance should only be planned if you do not intend to hold a similar party with the same guests next year.

Medical guidance is that handwashing should continue after receipt of the first vaccine, but you can reduce the time taken by leaving off the last line of the second repetition of the "Happy Birthday" song. After receipt of the booster shot, you should continue handwashing, but you don't have to scrub under your finger-nails. Two weeks after receipt of the second shot, you may eat chili with your bare hands and rub them dry on your pants.

Two weeks after receipt of the second vaccine shot, decisions about being in enclosed spaces are best left to you and your claustrophobia therapist.

In terms of travel, road trips in the family car are seen as safer than air travel or other forms of mass transit. Leaving the car for meals, recreation, or nightly housing increases the risk, so it is recommended that you just drive to the various locations you want to visit, and not leave the car for any reason until you return home. Note that the kids continually asking "Are we there yet?" will not be accepted as a valid excuse for killing them.

In regard to travel, as well as other activities, some may wish to obtain a "vaccine passport." Well, you can't. At least not one that will be recognized as a passport at pretty much any border control. Many people will be willing to sell you a vaccine passport, or a vaccine certificate, sometimes even if you haven't been vaccinated! Almost nobody will be willing to accept such a passport or certificate. A true vaccine certificate will include the date and time of your vaccination, the maker of your vaccine, the batch number, your name, medical history, and medical insurance information, the name, phone number, and digital signature of the person who registered you for the vaccine certificate, the name, phone number, medical certificate, and proof of non-membership in an anti-vaxxer organization of the person who reconstituted your shot, and the name, number, and a decent picture with the eyes not *too* squidged shut of the person who gave you the shot. Note that non-Chinese vaccine certificates will not be accepted in China.

Remember that no vaccine provides 100% protection. Two weeks after the second dose, with a month between first and second doses, Pfizer provides 95%, Moderna provides 94%, and AstraZeneca provides 60%, 69%, 76%, 79%, 89%, or 100%, depending upon how many AstraZeneca press releases you have read. Reading AstraZeneca press releases increases protection, but at the expense of a risk of increased anxiety. Those taking the AstraZeneca vaccine following a full regime of AstraZeneca press releases are advised to combine it with Xanax, and one low-dose or "baby" aspirin. (Medical guidance is that AstraZeneca press releases are not recommended for children under the age of five.)

In terms of other activities, please be advised that, following administration of the vaccine, you will *not* be able to play the bagpipes unless you could play them before you were vaccinated.

For further details or clarification of these recommendations, please see https://xkcd.com/2434/

The foregoing is, of course, an "April Fools" piece, and not actual medical advice. (If it *had* been medical advice, of course, you would have been charged more.)

However, yesterday, as I wrote this, and a few days ago, as you read this, events forced me to reconsider and add a little bit.

I had no sooner sent this off to Peter for RISKS than I started on my, pretty much daily, trip to the library and the mall. I never got to the library because it was surrounded by police. Someone had gone on a rampage, stabbing at least six people and sending them to hospital. At least one has died.

The municipality where I live is part of the fairly cosmopolitan city of Vancouver, but has the feel of a small town. The neighbourhood where I reside is even more protected. It is in a kind of pocket on the side of the mountain, and even wind storms seem to pass over it, so it is very much the type of place where people would say, "yeah, we see things like that on the news, but they never happen *here*."

The suspect is, apparently, "known to police" and has a record. Nobody has yet mentioned "mental issues," but you can almost hear the reporters keeping themselves from saying it. (Which is not, of course, a reason for attacks: I've fought my own "mental issues" for fifty years. But that's another topic.) We probably won't ever know the real reason for the attack, but I have to suspect that media reports of mass shootings over the past weeks contributed.

We have all been in a pandemic, and under various restrictions, from handwashing to lockdowns, for over a year now. CoVID fatigue is real, and it seems to be encouraging us to do some pretty awful things. I have been extremely disappointed by the move of racism from covert and pernicious to overt, vociferous, and even demanding. The almost complete collapse of any kind of civility in American political discourse is terrifying. The economy seems to have, almost automatically, made the rich richer, and the poor poorer, widening the inequity gap. The pandemic seems to have magnified all that is worst about our society.

I hope that the beginning of this piece was, at least, amusing, and possibly provides a bit of a break for you in these dark times. The vaccines do provide us with a "light at the end of the tunnel" (which is a phrase I most often associate with the lights of an oncoming train). While even the vaccines, as a limited resource, have created tensions and problems, I hope that, within months, they will make a significant difference to the over-arching pandemic problems.

In the meantime, keep to the precautions for a little longer. Wash your hands, wear a mask, maintain distance, don't have or go to parties or events. When you can, without jumping any queues, get vaccinated. See you all on Zoom when there is an opportunity, and in person, hopefully, by the fall.

Oh, one more thing. The day before April Fools' Day, 31 Mar, is apparently World Backup Day.
http://www.worldbackupday.com/en/

I'm very big on backups. We give them lip service, but we don't do them as often as we should. I wrote the first part of this piece over several days, keeping it up on the system I was using to write it. As is often the case with something I'm working on, I made a separate backup. And, as blind, random chance would have it, the system I was writing it on had a hiccup and collapsed, taking the piece with it. But, I recovered the backup, and all was well.

Now go make a backup. And, while it's completing, wash your hands.

------------------------------

Date: Thu, 1 Apr 2021 08:41:04 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Errors ruin 15 million doses of Johnson & Johnson's COVID-19 vaccine (The Verge + NYTimes)

Johnson & Johnson Covid-19 vaccine is delayed by a U.S. factory mixup. A manufacturer in Baltimore accidentally conflated the ingredients for two different coronavirus vaccines, officials say.
https://www.theverge.com/coronavirus/2021/3/31/22361028/johnson-covid-vaccine-error-ruin-doses
https://www.nytimes.com/2021/03/31/world/johnson-and-johnson-vaccine-mixup.html

------------------------------

Date: Tue, 30 Mar 2021 07:24:30 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Dark web bursting with COVID-19 vaccines, vaccine passports (Ars Technica)

[Fake vaccines. Unrefrigerated vaccines. Fake vaccination cards. Train wreck. LW]

https://arstechnica.com/tech-policy/2021/03/dark-web-bursting-with-covid-19-vaccines-vaccine-passports/

------------------------------

Date: Sun, 28 Mar 2021 09:53:05 -1000
From: Geoff goodfellow <ge...@iconia.com>
Subject: New York launches nation's first 'vaccine passports'

Others are working on similar ideas, but many details must be worked out.

Starting Friday, New Yorkers will be able to pull up a code on their cell phone or a printout to prove they've been vaccinated against COVID-19 or recently tested negative for the virus that causes it.

The first-in-the-nation certification, called the Excelsior Pass, will be useful first at large-scale venues like Madison Square Garden, but next week will be accepted at dozens of event, arts and entertainment venues statewide. It already enables people to increase the size of a wedding party, or other catered event.

The app, championed by Gov. Andrew Cuomo to support the recovery of industries most affected by the pandemic, is funded by the state and available for free to businesses and anyone with vaccination records or test results in New York.

Like an airline boarding pass, people will be able to prove their health status with a digital QR code -- or "quick response" machine-readable label. They'll need to download the Excelsior Pass app, enter their name, date of birth, zip code and answer a series of personal questions to confirm their identity. The data will come from the state's vaccine registry and also will be linked to testing data from a number of pre-approved testing companies.

The New York system, built on IBM's digital health pass platform <https://www.ibm.com/products/digital-health-pass>, is provided via blockchain technology, so neither IBM nor any business will have access to private medical information. An entertainment venue will simply scan the QR code and get a green check or a red X.

The new pass is part of a growing but disjointed effort to provide vaccine "passports" or certifications, so people won't have to hang onto a dog-eared piece of paper, worry about privacy issues or forgeries, or fork over extra cash to prove they're not contagious. [...]

https://www.usatoday.com/story/news/health/2021/03/26/covid-vaccine-passports-new-york-first-vaccination-proof-system/6976009002/

------------------------------

Date: Tue, 30 Mar 2021 09:15:12 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Vaccine passports

Unfortunately, the probability that the array of proposed "vaccine passport" systems could lead to massive new government and private tracking of individuals, and a de facto "national ID" system, is substantial. So far I do not see an obvious path that is not ripe for abuses. And one way or another, the odds of complex litigation on this topic seem very high.

------------------------------

Date: Tue, 30 Mar 2021 13:27:39 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Covid vaccines needed globally within a year, say scientists (The Guardian)

*Survey of experts in relevant fields concludes that new variants could arise in countries with low vaccine coverage* [...]

https://www.theguardian.com/world/2021/mar/30/new-covid-vaccines-needed-within-year-say-scientists

------------------------------

Date: Tue, 30 Mar 2021 14:03:52 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Child tweets gibberish from U.S. nuclear-agency account (BBC News)

A young child inadvertently sparked confusion over the weekend by posting an unintelligible tweet to the official account of US Strategic Command.

https://www.bbc.com/news/technology-56578544

Risks? Technology + children

------------------------------

Date: Wed, 31 Mar 2021 11:11:28 -0700
From: Rob Slade <rmsl...@shaw.ca>
Subject: Fooling facial recognition (The Register)

Two tricksters in China have fooled the state's massive facial recognition system. Temporarily, anyway.

https://www.theregister.com/2021/03/31/tax_scammers_fool_ai_facial_recognition

It's really interesting to look at this story and see the implications behind it. One of the first things people ask about face recognition is, "Can't you just fool it with a picture?" Apparently the Chinese thought of that. Your image, seemingly, has to be "live," so the attackers used a simple deepfake app to animate the picture. And that was enough to fool the system ...

------------------------------

Date: Wed, 31 Mar 2021 06:17:10 -0400
From: "Arthur T." <risks202103.6.ats...@xoxy.net>
Subject: Biometrics instead of passwords

When your face is your password, you'd best never let anyone take your picture. Conversely, if anyone has ever taken your picture, you probably shouldn't use your face as a password. Unfortunately, some people don't have either option.

https://www.theregister.com/2021/03/31/tax_scammers_fool_ai_facial_recognition/

------------------------------

Date: March 31, 2021 6:44:25 JST
From: Dewayne Hendricks <dewa...@warpspeed.com>
Subject: The Antiscience Movement Is Escalating, Going Global and Killing Thousands (Peter J. Hotez)

Peter J. Hotez, *Scientific American*, 29 Mar 2021 [Via Dave Farber]
Rejection of mainstream science and medicine has become a key feature of the political right in the U.S. and increasingly around the world
<https://www.scientificamerican.com/article/the-antiscience-movement-is-escalating-going-global-and-killing-thousands/>

Antiscience has emerged as a dominant and highly lethal force, and one that threatens global security, as much as do terrorism and nuclear proliferation. We must mount a counteroffensive and build new infrastructure to combat antiscience, just as we have for these other more widely recognized and established threats.

Antiscience is the rejection of mainstream scientific views and methods or their replacement with unproven or deliberately misleading theories, often for nefarious and political gains. It targets prominent scientists and attempts to discredit them.

The destructive potential of antiscience was fully realized in the USSR under Joseph Stalin. Millions of Russian peasants died from starvation and famine during the 1930s and 1940s because Stalin embraced the pseudoscientific views of Trofim Lysenko that promoted catastrophic wheat and other harvest failures. Soviet scientists who did not share Lysenko's *vernalization* theories lost their positions or, like the plant geneticist Nikolai Vavilov, starved to death in a gulag.

Now antiscience is causing mass deaths once again in this Covid-19 pandemic. Beginning in the spring of 2020, the Trump White House launched a coordinated disinformation campaign that dismissed the severity of the epidemic in the United States, attributed Covid deaths to other causes, claimed hospital admissions were due to a catch-up in elective surgeries, and asserted that ultimately the epidemic would spontaneously evaporate. It also promoted hydroxychloroquine as a spectacular cure, while downplaying the importance of masks. Other authoritarian or populist regimes in Brazil, Mexico, Nicaragua, Philippines and Tanzania adopted some or all of these elements.

[Long item truncated for RISKS. PGN]

------------------------------

Date: Sun, 28 Mar 2021 20:29:23 +0000
From: John Colville <john.colvi...@uts.edu.au>
Subject: Nine requests assistance from government after major cyber-attack

Channel 9 is one of the three commercial TV networks in Sydney, Australia.

https://www.smh.com.au/business/companies/nine-s-weekend-today-fails-to-air-due-serious-technical-issues-20210328-p57ep5.html

Media giant Nine Entertainment Co has requested the assistance of the Australian Signals Directorate after a major cyber-attack hit its broadcast systems in the early hours of Sunday morning.

As Nine worked to resolve the issue, Australian Parliament was also investigating a potential cyber attack in Canberra on Sunday evening, which is affecting government-issued smartphones and tablets.

------------------------------

Date: Wed, 31 Mar 2021 03:32:06 +0000
From: John Colville <john.colvi...@uts.edu.au>
Subject: How the Nine cyber-attack is affecting the Herald

This is related to the Channel Nine cyber-attack, which was previously reported, because Nine Entertainment Co. also owns the *Sydney Morning Herald* newspaper, and *The Age* from Melbourne.

https://www.smh.com.au/national/how-the-nine-cyber-attack-is-affecting-the-herald-20210330-p57fc3.html

------------------------------

Date: Fri, 26 Mar 2021 03:04:07 -0600
From: Jim Reisert AD1C <jjreis...@alum.mit.edu>
Subject: How a Software Error Made Spain's Child COVID-19 Mortality Rate Skyrocket (Slate)

Elena DeBré, *Slate*, 25 Mar 2021
https://slate.com/technology/2021/03/excel-error-spain-child-covid-death-rate.html

``Even though I didn't know what the problem was, I knew it wasn't the right data,'' Soler realized once he got his hands on the Lancet paper. ``Our data is not worse than other countries. I would say it is even better,'' he says.

Pediatricians across the nation contacted Spain's main research institutes, as well as hospitals and regional governments.
Eventually, they discovered that the national government somehow misreported the data. It's hard to pinpoint exactly what went wrong, but Soler says the main issue is that patient deaths for those over 100 were recorded as children. He believes that the system couldn't record three-digit numbers, and so instead registered them as one-digit. For example, a 102-year-old was registered as a 2-year-old in the system. Soler notes that not all centenarian deaths were misreported as children, but at least 47 were. This inflated the child mortality rate so much, Soler explains, because the number of children who had died was so small. Any tiny mistake causes a huge change in the data. ------------------------------ Date: Fri, 26 Mar 2021 12:35:18 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: The Underground Nuclear Test That Didn't Stay Underground (Atlas Obscura) The fallout cloud from the Baneberry test was never supposed to exist. https://www.atlasobscura.com/articles/do-underground-nuclear-tests-have-fallout ------------------------------ Date: Sat, 27 Mar 2021 08:42:20 +0800 From: Richard Stein <rmst...@ieee.org> Subject: Solar Geoengineering Should be Investigated, Scientists Say (Scientific American) [These musings are whole cloth fiction and satire!] I wonder when someone will cook the Internet-startup equivalent of Mel Brook's movie "The Producers" featuring a song and dance act entitled "Springtime for Terms of Service."] https://www.scientificamerican.com/article/solar-geoengineering-should-be-investigated-scientists-say/ "A controversial policy to address climate change by artificially cooling the planet deserves more research, according to a panel of leading U.S. scientists. "But only if it is carefully governed." 
Careful governance, an epic oxymoron encapsulates both modern corporate behaviors and political institutional effectiveness, is the watch-word defining the environmental oversight and mitigation measures that protect all life forms, especially but not exclusively homo sapiens, against anthropogenic disaster. "What, me worry?" Solargeoengineering.com's IPO was a blockbuster of a blockbuster. Influencers begged to shill for it. They gleefully acknowledged the fiction that "doing climate good, especially via a technological fix" is a win-win grift to exploit. Rumors that the Chortootolliator's intellectual property for design and operation -- solargeoengineering.com's crown jewels for its self-promoted "climate-saving miracle product of our generation" -- was exfiltrated via an Elbonian phish campaign were categorically rejected as distorted. "A failed, but deceitfully conducted effort to scuttle the IPO attributed to disgruntled industrial competitors and agents of foreign disruption," said CEO Carbon Dioxide III. They added, "'Strong minds discuss ideas, average minds discuss events, and weak minds discuss people.' What's on your mind?" The public was sold. Temporarily dopamine-burst-jerked via their cellphone doom-scrolls, quick endorsement via stock purchase followed the idea: a gizmo that extracts climate changing effluence from the Earth's atmosphere, thereby excusing all personal sacrifice for its causation, then it must, above all, be convenient! Profitable? Is the day long? Solargeoengineering.com's corporate charter, and their product "terms of service" express a refreshingly honest and bold statement of fact, fiction, and software: a) The founding charter concludes, "Money is earned, tax-sheltered, and carefully funneled under the rubric of 'campaign finance' contributions, to preserve the fiction that this corporation is a public service, like Standard Oil, the old telephone monopoly, Enron, and local fire department. 
Our motto: We put the air in your lungs." b) Solargeoengineering.com's "About Us" summarizes its raison d'etat: "To preserve the welfare of nations, and by extension, the Earth's Gaia, our mission is to extract climate changing gases and aerosols from the atmosphere to curtail ecosystem erosion and accelerate its historic recovery. Deployed Chortootolliator's beneficially restore the ozone layer." [For GPT-3's sake: Noble, very noble. The lie is the truth turning fact into fiction. This statement is false.] c) Each country is licensed to operate solargeoengineering.com's "Chortootolliator" installation according to local, prioritized regulation thus ensuring that climate-change atmospheric gas reduction targets, per IPCC agreement, are realized according to globally optimized, time-dependent ecosystem disruption. When IPCC compliance deviates, see "terms of service" for sanctions. Licenses are granted subject to local taxation agreements based on population estimates. d) Solargeoengineering.com's use terms assert indemnification claims protecting it's employees, and especially CxOs, against a 'perp walk' into financial history envied by Linus Van Pelt's security blanket. ------------------------------ Date: Mon, 29 Mar 2021 08:56:22 -1000 From: geoff goodfellow <ge...@iconia.com> Subject: PHP's Git Server Hacked to Insert Secret Backdoor to Its Source Code https://thehackernews.com/2021/03/phps-git-server-hacked-to-insert-secret.html ------------------------------ Date: Sat, 27 Mar 2021 11:51:09 +0800 From: Richard Stein <rmst...@ieee.org> Subject: New wave of hacktivism adds twist to cybersecurity woes (reuters.com) https://www.reuters.com/article/idUSKBN2BH3HJ "Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft and fraud," Seattle-based Acting U.S. Attorney Tessa Gorman said. According to a U.S. 
counter-intelligence strategy released a year ago, "ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations," are now viewed as "significant threats," alongside five countries, three terrorist groups, and transnational criminal organizations."

Corporate "terms of service" exempt business and government from accountability. They serve as a free pass when "intrusion, theft, and fraud" arise from Internet-enabled products and services. The question of the Internet's viability as an enabling economic vehicle and transformative agent is specious.

Freelancers and advanced persistent threats stealing or liberating monetized or classified information expose the sadly ironic, asymmetric nature of infosec practice. To plan/initiate/execute intrusion/exfiltration action is substantially less expensive than fielding an effective defense that prevents occurrence.

If governments and businesses cannot safely operate, and consistently defend and protect information against Internet theft, fraud, or intrusion, why do they persist at the attempt? Do they expect to achieve a different result, as Einstein's definition of insanity suggests?

Internet vulnerability to intrusion and exfiltration reveals the "elephant on the table," visible since at least the Morris worm some 32 years ago (see https://en.wikipedia.org/wiki/Morris_worm). Why aren't the employees or brands that build, sell, and use the products that enable intrusion, theft, and fraud subject to greater accountability? Don't they have some hand in this gyre of breach?

If no one is above the law, and "corporations are people too," one would expect more prosecutions for product liability and negligence arising from these incidents. Sadly, there's more lip service than public accountability.

If the hypothesized prosecutions materialized, would the infosec-theater industry fold up? Would technology-heavy entities rethink their product engineering and deployment efforts, and be suitably motivated to tighten their practices against intrusion, theft, and fraud? Would these prosecutions initiate an economic upheaval that effectively required a nationalized technology industry (imagine google.gov or amazon.gov) to prevent future mushroom cloud-size liability insurance premiums from bankrupting startups as a precaution to "go-live parties?"

Internet-facing entities are repeatedly assaulted with impunity. They are slow to learn and embrace history. And, there's always feckless private sector governance to demand profit over probity. Each incident speaks volumes about organizational governance competence.

Accountability must be enforced to teach lessons when porous Internet defenses are deployed and information tumbles out undetected for months. Unless governments and businesses are held to strict account for ineffective Internet defenses, there will be no end to pleas for bigger checks written to fund infosec budgets.

Procurement standards for Internet-facing and enabling technologies must elevate and be rigidly enforced for compliance with strict, standardized digital security measures. Competent and fair enforcement will require an army of skilled engineers. Can labor.com supply the talent without breach?

18APR1999 comp.risks identifies 'hacktivist' for the first time. The 'leaktivist' label is not used. Other references:
http://catless.ncl.ac.uk/Risks/20/31#subj3.1
http://catless.ncl.ac.uk/Risks/21/7#subj9.1
http://catless.ncl.ac.uk/Risks/21/75#subj8.1
http://catless.ncl.ac.uk/Risks/22/54#subj16.1
http://catless.ncl.ac.uk/Risks/29/9#subj11.1

------------------------------

Date: Mon, 29 Mar 2021 18:02:23 -0700
From: Rob Slade <rmsl...@shaw.ca>
Subject: Blockchain is causing female green sea turtles

When green sea turtles lay their eggs, the gender is not yet determined.
If the sand is above thirty degrees Celsius, the hatchlings turn out to be female. If the sand is cooler than thirty degrees, the hatchlings turn out to be male. Global warming is driving an imbalance in sea turtle gender. Blockchain is driving global warming.

I used to say that Flash was causing global warming. I mean, when you went to a news media Website (and they used a *lot* of Flash to run videos, video ads, and animations) and you were using a MacBook or similar, you could actually *see* the battery life cut in half. Flash used a *lot* of power, and, multiplied by all the visitors to news Websites, it must have been a huge use of power resources.

However, now I think that blockchain is to blame.

First off, blockchain is not a thing. It's a collection of technologies. Part digital signature, part distributed database, and extremely variable in implementation. It's also heavily tied to cryptocurrencies. Most of the cryptocurrencies use blockchain of some type.

Part of the power drain is not actually blockchain's fault, since so many people are chasing the elusive lure of cryptocurrency "mining." To create a new cryptocurrency "coin," you have to find a number with certain cryptographic (and therefore numerical) characteristics. It takes a lot of computing power to find such numbers, particularly as the "easy" ones are found first, and the later ones get harder and harder to calculate.

But after the mining, it's all blockchain. Part of the blockchain is digitally signing a transaction. There's a little bit of a power drain there, every time you use part of a cryptocoin to buy a pizza. But that's minor.

The thing is, the other part of blockchain is a distributed database. Everybody who is using a cryptocurrency is a portion of the distributed database. They don't just keep track of their *own* transactions, but also a certain proportion of *all* the transactions made with that cryptocurrency. So, even if *you* aren't buying silly things with your cryptocurrency, *other* people who are using the same cryptocurrency for trivial transactions are causing transactions to be recorded, and digitally signed, on your computer. And on thousands, or even millions, of other computers, all over the world. For each and every transaction.

And, as they say, a few million milli-amp-hour milliseconds here, a few million milli-amp-hour milliseconds there, pretty soon it adds up to a real power drain.

We should be developing actual digital cash, if we want that, rather than this kludge of cryptocurrency that is backed up by a rather weak blockchain backstop.

Now, in addition to cryptocurrency, there are Non-Fungible Transactions, or NFTs. Cryptocurrency is based on a belief in the value of the scarcity of numbers with certain properties. NFTs are based on the belief that people will speculate on anything. Or even nothing.

NFTs are pretty close to nothing. Some of them are possibly valid artworks. Others are simply based on the promise that they are the only one in the world. Since digital art can be endlessly copied, and the copies, to any generation you want, are completely identical to the original, the promise of singularity is attested by a digital signature. Backed up by a blockchain.

And each time you trade or speculate on a Non-Fungible Transaction, all kinds of computers, all over the world, are adding their contribution to global warming.

The law of unintended consequences. Blockchain is causing female green sea turtles.

------------------------------

Date: Mon, 29 Mar 2021 01:02:21 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Your right to repair: COVID-19 is sending businesses, hospitals, and consumers to the breaking point (ZDNet)

People are spending a lot more time at home, using their products, and stuff is breaking down.
Right now, when the speaker in your iPhone stops working or a memory stick in your laptop malfunctions, you're often left with one option: Take it to an authorized service center and pay for someone else to repair it for you. It's costly, expensive, and something that needs to change. But as right to repair legislation is gaining popularity across the country, that change may happen sooner than later.

https://www.zdnet.com/article/the-right-to-repair-covid-19-sending-businesses-hospitals-and-consumers-to-the-tipping-point/

This is similar to a long-ago controversy when IBM crippled customers' ability to understand/improve/repair mainframe operating systems, by withdrawing their source code. Doing that doesn't seem to have benefited customers or IBM but the people who did it aren't around to own the consequences.

------------------------------

Date: Mon, 29 Mar 2021 21:32:05 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Wetware data retrieval: Forensic analysis and data recovery from water-submerged hard drives (Techxplore)

https://techxplore.com/news/2021-03-wetware-forensic-analysis-recovery-water-submerged.html

"However, if the device has been submerged in saltwater, then irreparable damage can occur within 30 minutes. The situation is worse for a solid-state drive which will essentially be destroyed within a minute of saltwater ingress. The research provides a useful guide for forensic investigators retrieving hard drives that have been submerged in water."

Anyone possessing indictable data? Predisposed to juggle hard disks or thumb drives near the ocean?

------------------------------

Date: March 24, 2021 4:02:31 JST
From: geoff goodfellow <ge...@iconia.com>
Subject: Scientists can implant false memories -- and reverse them...

Scientists figure out two new ways to root out false memories.

Memories are tricky and can comprise much more than our actual recollections. Our minds can make memories out of stories we've heard, or photographs we've seen, even when the actual recollections are long forgotten. And, new research suggests, this can happen even when the stories aren't true.

``I find it so interesting, but also scary, that we base our entire identity and what we think about our past on something that's so malleable and fallible,'' psychologist Aileen Oeberst at the University of Hagen in Germany tells Inverse.

Oeberst is the first author of a study released Monday in the Proceedings of the National Academy of Sciences that examines false memories and what can be done to reverse them. False memories, the study suggests, are more than unsettling. When they take root, they can disrupt a courtroom -- and the fate of the individuals there. [...]

https://www.inverse.com/mind-body/how-to-reverse-false-memories-study

------------------------------

Date: Wed, 24 Mar 2021 19:21:40 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Suez Canal Blocked After Giant Container Ship Gets Stuck (NY Times)

The ship, stretching more than 1,300 feet, ran aground and blocked one of the world's most vital shipping lanes, leaving more than 100 ships stuck at each end of the canal.

https://www.nytimes.com/2021/03/24/world/middleeast/suez-canal-blocked-ship.html

  [A little digging, tugging, and high tide on Monday/Tuesday apparently loosened the ship, after enormous queueueueueueing up in both directions. But this massive blockage was just another event for RISKS that was waiting to happen. PGN]

------------------------------

Date: Thu, Mar 25, 2021 at 11:26 AM
From: Geoff Kuenning <ge...@cs.hmc.edu>
Subject: Suez Canal from Space

What's fascinating about this photo (which seems to be aerial, not space) is the comments. I didn't bother using a translator on the ones in Dutch, but the ones in English show significant ignorance of the way the world works.
The ship has a capacity of 20,000 TEU, which translates to 10,000 containers if we assume that they're all 40-footers. A commenter suggested using helicopters to offload the ship. Let's assume optimistically that two choppers can simultaneously pick up containers, one at the bow and one amidships, working backwards. Thinking *very* optimistically, it might take five minutes for a chopper to hover over a container, workers below to attach cables, the aircraft to lift the container to the nearby shore and set it down, workers there to free it, and the helicopter to fly back to the ship. That translates to 416 hours, or 17 days, of continuous helicopter use. And of course five minutes is absurd, and the work probably can't continue at night (or at least it can't continue as fast). And you'd have to refuel the choppers or have spares, etc., etc.

To be fair, you might be able to free the ship after offloading only half the cargo, so maybe it'd only take 9 days. Or more realistically, a month.

Oh, and although an empty container weighs about 8000-9000 pounds, a loaded one can be up to 67K pounds. The world's biggest heavy-lift helicopter, the M-26, can only handle 44K pounds. So at least some of those containers aren't going to be lifted by air.

It looks like there are land-based cranes that can reach and lift at least some of the containers, but again it would be a slow process since you'd have to account for things like boom swing. It would probably take at least 15 minutes per container, and it's not clear to me (a complete non-expert) whether you could have more than one crane working at the same time.

BTW, researching all of the above took me about ten minutes.

> https://twitter.com/wmiddelkoop/status/1375150101581160456

------------------------------

Date: Fri, 26 Mar 2021 08:18:02 -0700
From: Tom Van Vleck <t...@multicians.org>
Subject: 'Agile' F-35 fighter software dev techniques failed to speed up supersonic jet deliveries (The Register)

https://www.theregister.com/2021/03/25/f35_gao_report_fy2020_software_woes/

They used "C2D2, or Continuous Capability Development and Delivery." Don't get me started...

------------------------------

Date: Fri, 26 Mar 2021 17:25:59 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: F-35 vs. bird

$100M airplane vulnerable to small birds. Brilliant.

https://www.youtube.com/watch?v=EFo-5TBIRPI

Too bad they skimped on this one.

  [EGULLite' or EAGLEite'? FraTERNite'? LiBERTe'? (and what do we do with Bert's friend Rubber Duckie? Canard en caoutchouc?) Unfortunately, airplanes susceptible to birds are another old story in RISKS -- sucked into jet engines, shattering the pilot's window, and more, such as these:
   * Bird strikes cause crash of Ethiopian Airlines 737, killing 31 (ACM SIGSOFT Software Engineering Notes 14 2)
   * Migratory birds jam FAA radar in Midwest (R 17 44)
   * It's A Bird... It's A Plane... It's NonLethalDrone (R 28 93)
  ]

------------------------------

Date: Fri, 26 Mar 2021 08:18:02 -0700
From: Tom Van Vleck <t...@multicians.org>
Subject: Radiation Upset confused computers and caused false alarm on International Space Station (The Register)

https://www.theregister.com/2021/03/26/iss_radiation_false_alarm/

They fixed it by switching power supplies and rebooting.

------------------------------

Date: Tue, 30 Mar 2021 22:23:38 +0000
From: Vanessa Teague <vanessa.tea...@anu.edu.au>
Subject: Vote-by-mail fraud in Australia

Some somewhat-interesting news from Melbourne: one of our local councillors (in the adjacent council to my place) has recently been arrested for vote-by-mail fraud.
https://www.theage.com.au/politics/victoria/labor-councillor-arrested-in-moreland-council-fraud-probe-20210325-p57e1r.html

The allegations relate to an apparent spate of double-voting during recent local government elections, which are conducted exclusively by mail. The Victorian Electoral Commission became suspicious when a larger-than-usual number of voters called up to say they hadn't received a ballot, despite the VEC having already received a returned vote from them. The allegation is that someone fished blank ballots out of people's mail boxes, filled them in, and fraudulently returned them.

However, the clarity of the case is complicated by strange behaviour from the electoral commission. The commission refuses to publish the votes, and declined a FoI request from me:
https://www.righttoknow.org.au/request/request_for_full_preference_data#incoming-19850
so it's not possible for anyone outside the VEC to examine the voting patterns they allege are suspicious. (Indeed, it's not possible for anyone else to even check that they counted properly.)

On the bright side, this makes me even gladder for the support of the Victorian League of Women Voters in opposing a legislative proposal from a few years ago which would have allowed the entire election to be conducted over the Internet. At least this way, we have a fair idea that fraud occurred and some chance of successfully prosecuting an (alleged) perpetrator.

  [Included in RISKS from a non-public list, with permission. PGN]

------------------------------

Date: Thu, 25 Mar 2021 10:41:50 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: How Facebook got addicted to spreading misinformation (TechReview)

The company's AI algorithms gave it an insatiable habit for lies and hate speech. Now the man who built them can't fix the problem.

https://www.technologyreview.com/2021/03/11/1020600/facebook-responsible-ai-misinformation/

------------------------------

Date: Wed, 24 Mar 2021 09:36:16 +0100
From: Anthony Thorn <t...@thorns.ch>
Subject: No security on Website intended to prove that Swiss are vaccinated

The Swiss Covid-Vaccination website (https://www.meineimpfungen.ch/) was taken offline after the Federal Data Protection registrar opened formal proceedings against the operator of the platform after a report castigating its security in the magazine Republik. The website is operated by a foundation, but sponsored by the Federal Department of health, and 9 Cantons.

The report in German:
https://www.republik.ch/2021/03/23/wollen-sie-wissen-womit-viola-amherd-geimpft-ist

The problems identified:

* Comprehensive access rights: Every medical professional who is registered on the platform has comprehensive access to the vaccination and health data of all recorded private individuals. For example, they could easily manipulate anybody's covid-relevant vaccination data.

* Inadequate verification: When registering as a medical specialist for the first time, there is no actual identity verification. The verification is based solely on the information provided by the applicant. That means: It is easy to pretend to be a "doctor".

* Security gaps: Hackers can steal the Covid-19 vaccination cards of all previously vaccinated people on the platform relatively easily. With a little technical knowledge, they can also manipulate vaccination data and other health data.

Worrying about the security of health data may be paranoid, but it's evidently justified.

------------------------------

Date: Mon, 29 Mar 2021 11:03:47 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Volkswagen apparently changing their name in U.S.

Volkswagen is apparently (I'm not kidding) changing name of U.S. ops to "Voltswagen" to emphasize electric cars.
Dunno where all these people forced to use electric cars are going to charge them, especially on a power grid that collapses in many areas when you add a light bulb.

  [Is that known as re-volting? PGN]

------------------------------

Date: Mon, 29 Mar 2021 22:17:16 +0900
From: Dave Farber <far...@keio.jp>
Subject: Remote Work Is Here to Stay. Manhattan May Never Be the Same (NYTimes)

Jonah Markowitz, *The New York Times*, 29 Mar 2021
Remote Work Is Here to Stay. Manhattan May Never Be the Same.
https://www.nytimes.com/2021/03/29/nyregion/remote-work-coronavirus-pandemic.html

New York City, long buoyed by the flow of commuters into its towering office buildings, faces a cataclysmic challenge, even when the pandemic ends.

------------------------------

Date: Thu, 25 Mar 2021 23:23:35 -0400
From: David Lesher <wb8...@panix.com>
Subject: Where Are Those Shoes You Ordered? Check the Ocean Floor (RISKS-32.57)

There is another RISK of containers lost overboard. A sailor friend noted that the contents, especially electronics, are well-packed in urethane foam. As a result, rather than rapidly sinking to the sea floor, the escaping containers submerge only a few feet. A passing sailboat hitting such an invisible obstacle gets its bottom ripped open and goes down quickly.

------------------------------

Date: Wed, 31 Mar 2021 00:47:17 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Cautionary story about cryptocurrencies, apps, security...

He downloaded the Trezor app on iOS. It was a scam and stole $1 million in bitcoin.

*The Washington Post*
https://www.washingtonpost.com/technology/2021/03/30/trezor-scam-bitcoin-1-million/

Be careful out there...

------------------------------

Date: Tue, 30 Mar 2021 13:40:22 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Energy-harvesting card treats 5G networks as wireless power grids

A team from Georgia Tech has just announced a world-first: a 3D-printed rectifying antenna the size of a playing card that can harvest electromagnetic energy from 5G signals and use it to power devices, turning 5G networks into wireless power grids.

Wireless communications put a lot of energy into the air, and over the years we've covered a number of efforts to harvest that energy. Short-range Wi-Fi signals have been the target of several projects, TV broadcasts and radio signals have been the focus of others. One device even hopes to increase the life of a smartphone's battery by 30 percent just by harvesting some of the radio waves the phone itself is generating.

But 5G communications offer a whole new opportunity. "5G has been designed for blazing fast and low-latency communications," reads the Georgia Tech team's latest study, published in the peer-reviewed journal *Scientific Reports*. "To do so, mm-wave frequencies were adopted and allowed unprecedently high radiated power densities by the FCC. Unknowingly, the architects of 5G have, thereby, created a wireless power grid capable of powering devices at ranges far exceeding the capabilities of any existing technologies."

Millimeter-wave energy harvesting has been possible for some time, says the team, but hasn't been practical in many cases because long-range power harvesting tends to require large rectifying antennas, and the larger these rectennae get, the narrower their field of view becomes; you have to keep the rectenna pointed right at the wave energy source to make them work... [...]
https://newatlas.com/energy/5g-energy-harvesting-wireless-power/

------------------------------

Date: Tue, 30 Mar 2021 12:05:54 -0700
From: Rob Slade <rmsl...@shaw.ca>
Subject: Yet another 5G attack vector

OK, 5G is definitely going to be a problem.
https://community.isc2.org/t5/I/5/m-p/19525/

But usually the problem parts are kind of unintended consequences, the "gee, we didn't think that allowing other people to run stuff on your phone could be *misused*" type of thing.

But this time, it seems to be something that might have been originally intended to be a form of security. 5G has provisions for a sort of virtual LAN type of operation. And, almost inevitably, somebody has found out how to use it to attack.
https://therecord.media/new-5g-protocol-vulnerabilities-allow-location-tracking/

You can crash system segments, and also extract user data. Granted, you have to be in a situation where 5G is being used with older technology, but how many people will be in a "pure" 5G environment? And a fix is being worked on, but that, of course, inevitably leads to situations where you are going to have a mix of "old" 5G and "patched" 5G, so ...

------------------------------

Date: Mon, 29 Mar 2021 04:00:09 +0000
From: Douglas Lucas <d...@riseup.net>
Subject: Re: No good evidence that 5G harms humans, new studies find (RISKS-32.57)

RISKS-32.57 includes a post from geoff goodfellow that links several Gizmodo articles about 5G and two studies published this month in the Journal of Exposure Science and Environmental Epidemiology suggesting little to no adverse health effects from such radiation.

For a lengthy list of 1000+ peer-reviewed studies to the contrary, consult Powerwatch at:
https://www.powerwatch.org.uk/science/studies.asp

For a 3-minute video warning of EMF dangers by Columbia University scientist Dr Martin Blank, see here:
https://www.youtube.com/watch?v=2Ijs5lrebac

Despite this contrary evidence, those against EMF dangers are lumped in with various disreputable groups and then dismissed, without the contrary evidence actually being addressed.

------------------------------

Date: Wed, 24 Mar 2021 11:16:56 -0400
From: Dick Mills <dickandlibbymi...@gmail.com>
Subject: Re: Cybersecurity in retrospect: not good! (RISKS-32.57)

New laws, new government powers are not needed. But we just need to apply strict procurement practices to the software supply chain. If the Solar Winds company had to meet the same qualifications and quality audits as a vendor of F35 fighter planes, this probably never would have happened.

Remember that the goal of terrorism is to make the victims change their society. If every cyber attack or otherwise scary news story pushes us into giving the government more powers and more laws, we are being driven to self destruction. (As I write, the news of a mass shooting is causing the President to call for new powers, new laws.)

See Bruce Schneier's essay on the economics of companies like Solar Winds. The surprise is that selling low quality software is perfectly rational economic behavior.
https://www.schneier.com/essays/archives/2021/02/why-was-solarwinds-so-vulnerable-to-a-hack.html

------------------------------

Date: Wed, 24 Mar 2021 11:30:20 -0500
From: Bob Wilson <wil...@math.wisc.edu>
Subject: Re: How far should humans go to help species adapt? (RISKS-32.57)

This is a very valid question, and I am glad to see it being discussed. But as written it repeats what I think is a very common mistake. Everywhere we look people are objecting to "gene editing".
They mean gene editing using recently created tools, but they do not demonstrate understanding of that. Humans have been editing genes for millennia! Only the methods have changed. Selecting animal or plant offspring with desired characteristics, and arranging for them to breed true, is certainly gene editing. If there had not been genetic change, the results would not have been passed along to subsequent generations. This was gene editing long before people had any idea what a gene or chromosome was. The people who say they won't eat foods raised using edited genes would find it very hard to find any foods that are not!

------------------------------

Date: Wed, 24 Mar 2021 17:14:58 -0400
From: Sam Steingold <s...@gnu.org>
Subject: Re: Too much choice is hurting America (Baker, RISKS-32.55)

I am afraid you misunderstood Krugman. He is uncomfortable with too much choice for *others*, not for *himself*. In his ideal world the Government (run by people like him) will be making most choices for the hoi polloi/deplorables (i.e., people not like him) because the latter are making the choices he does not like.

Risk: thinking that people like you will make choices that you like. E.g.: Stalin and his top-ranking victims (Trotsky, Zinoviev et al) were very similar, but Stalin's choices of who to execute were not very beneficial to his victims.

------------------------------

Date: 25 Mar 2021 15:21:08 -0400
From: John Levine <jo...@iecc.com>
Subject: Re: Risk transfer and Doordash (Slade, RISKS-32.57)

> In terms of risk management, there are our four basic strategies: risk
> avoidance, risk acceptance, risk mitigation, and risk transfer.

Nicely put.

> [Food delivery] is a big part of the "gig economy," and the gig economy is
> a massive "race to the bottom" in terms of wages and working standards.

The entire point of the gig economy is risk transfer away from the businesses that have historically managed the risk and priced it into the product, to the not-employees and the customers who are rarely aware of the new risks they've accepted until they learn the hard way.

Look at taxis vs. gig drivers. A lot of taxi regulation is about risk mitigation. Drivers need commercial licenses, taxis need special plates with extra inspections, taxi companies are part of the workers comp pool, and so forth. There are also regulations that are about protecting the income of incumbent drivers, fixed fares and medallions that limit entry, but when Uber and Lyft ignored all the rules, there was quite a lot of baby in that bathwater.

Passengers take on more risk that the driver is unqualified, the car is unsafe, and that if there is an accident, there's no insurance. (Lyft's innovation was insurance fraud, drivers taking paying passengers in private cars that their insurance didn't cover.) Drivers took on the risk that if they got injured in an accident, there's no workers' comp to pay the bills while they recover.

The risk parts and the income parts are quite separable; New York City made the gig companies comply with existing car service laws requiring inspection and insurance. There's even an argument to be made for some limits on the number of gig drivers. When Uber and Lyft came to NYC, it added 100,000 new vehicles driving around midtown waiting for fares and clogging traffic, five times the number of taxis, which made traffic much slower for everyone and smog worse.

It was always possible to set up pirate taxis, and in some areas fairly common, e.g., gypsy cabs working in the outer boroughs of NYC where taxis are hard to find. Mobile phones and apps made it a lot easier for pirate dispatchers to connect with pirate taxis, and the disruption technobabble blinded people to the fact that the main innovation was risk shifting onto the unwary.
------------------------------

Date: Mon, 29 Mar 2021 12:14:35 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: TikTok Does Not Pose Overt Threat to U.S. National Security, Researchers Say (Eva Xiao)

Eva Xiao, *The Wall Street Journal*, 22 Mar 2021
via ACM TechNews, Monday, March 29, 2021

Cybersecurity researchers at the University of Toronto's Citizen Lab in Canada said TikTok's underlying computer code does not pose a national security threat to the U.S. The researchers said a technical analysis of the app, owned by China's ByteDance Ltd., found no evidence of "overtly malicious behavior." Although they determined that TikTok's data collection practices are no more intrusive than Facebook's, the researchers acknowledged there could be security issues they did not uncover. Further, ByteDance could be forced to turn data over to the Chinese government under the country's national security laws. ByteDance said it was committed to working with authorities to resolve their concerns.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2a309x229bd1x070963&

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.58
************************