RISKS-LIST: Risks-Forum Digest  Sunday 4 April 2021  Volume 32 : Issue 59

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.59>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Safe and affordable electricity supply in danger (German finance watchdog)
Weather Service Internet systems are crumbling as key platforms are taxed
  and failing (WashPost)
533 million Facebook users' phone numbers and personal data have been
  leaked online (Business Insider)
An Accidental Disclosure Exposes a $1 Billion Tax Fight With Bristol Myers
  (NYTimes)
No vehicle inspections in Mass. for second straight day due to malware
  attack on vendor (The Boston Globe)
Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities
  (Ars Technica)
7% of Americans don't use the Internet. Who are they? (Pew Research)
5G is not just a radio (Bob Frankston)
Scientists Collected Human DNA From the Air In a Breakthrough
  (Science News for Students)
NFTs built on sand? (The Atlantic via Bob Frankston)
Google and "pink noise" (Lauren Weinstein)
It’s Easy - and Legal - to Bet on Sports. Do Young Adults Know the Risks?
  (NYTimes)
Another water system hacked (KSNT)
Re: Energy-harvesting card treats 5G networks as wireless power grids
  (Martin Cooper)
Re: Antiscience Movement Is ... Killing Thousands (Henry Baker)
Re: Scientists can implant false memories-and reverse them (Stephen E. Bacher)
Re: Volkswagen apparently changing their name in U.S. (John Levine)
Re: New York launches nation's first 'vaccine passports' (John Levine)
Re: Vintage technology: 'It sounds so much cleaner' (Terje Mathisen)
Re: Too much choice is hurting America (John Levine, Andrew Pam)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 1 Apr 2021 21:32:18 +0200
From: Thomas Koenig <tkoe...@netcologne.de>
Subject: Safe and affordable electricity supply in danger (German finance
  watchdog)

The Bundesrechnungshof, Germany's federal financial watchdog, has stated
that the "safe and affordable supply of electricity is in increasing danger"
due to Germany's "Energiewende" (energy transition).

https://www.bundesrechnungshof.de/de/presse-service/pressemitteilungen/sammlung/bund-steuert-energiewende-weiterhin-unzureichend

(there is not yet an English version as I write this).

To quote its president:

  "Affordability is still not measurably determined; security of supply is
  incompletely assessed. Whether citizens and the economy will be reliably
  supplied with electricity in the future is subject to risks that the
  German government is not fully aware of. I am concerned about the high
  electricity prices for private households and small and medium-sized
  enterprises. This puts the acceptance of the generation project at risk."

The risk? To push through policies without looking at risks and potential
consequences.

------------------------------

Date: Sat, 3 Apr 2021 08:39:41 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Weather Service Internet systems are crumbling as key platforms are
  taxed and failing (WashPost)

[Most of their online systems crashed Tuesday.]

https://www.washingtonpost.com/weather/2021/03/30/nws-internet-infrastructure-outages/

  [That's quite a tax to put on the weather!  PGN]

------------------------------

Date: Sat, 3 Apr 2021 09:31:04 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: 533 million Facebook users' phone numbers and personal data have
  been leaked online (Business Insider)

https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4

------------------------------

Date: Fri, 2 Apr 2021 15:35:45 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: An Accidental Disclosure Exposes a $1 Billion Tax Fight With
  Bristol Myers (NYTimes)

The IRS believes the American drugmaker used an abusive offshore scheme to
avoid federal taxes.

The Botched Redaction

It is not clear when IRS agents first learned about the arrangement. But by
last spring, the IRS chief counsel's office had determined that it violated
a provision of the tax law that targets abusive profit-shifting
arrangements. In a 20-page legal analysis, the IRS calculated that the
offshore setup was likely to save Bristol Myers up to $1.38 billion in
federal taxes.

After a complex audit, the IRS often circulates its analyses to agents
nationwide in case they encounter similar situations. A redacted version of
the report is also made public on the IRS website, cleansed of basic
information like the name of the company.

But when the IRS posted its Bristol Myers report last April, it was not
properly redacted. With tools available on most laptops, the redacted
portions could be made visible.

https://www.nytimes.com/2021/04/01/business/bristol-myers-taxes-irs.html

Tricky technology. Long ago I saw content on foils (projected via overhead
projector, remember those?) redacted with black magic marker. Oops -- heat
of projector boiled off marker, so forbidden content slowly appeared for
audience. First/only multimedia presentation using foils.

------------------------------

Date: Thu, 1 Apr 2021 21:52:34 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: No vehicle inspections in Mass. for second straight day due to
  malware attack on vendor (The Boston Globe)

https://www.boston.com/news/local-news/2021/04/01/no-vehicle-inspections-in-mass-for-second-straight-day-due-to-malware-attack-on-vendor

------------------------------

Date: Sat, 3 Apr 2021 12:30:57 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Feds say hackers are likely exploiting critical Fortinet VPN
  vulnerabilities (Ars Technica)

Exploits allow hackers to log into VPNs and then access other network
resources.

https://arstechnica.com/gadgets/2021/04/feds-say-hackers-are-likely-exploiting-critical-fortinet-vpn-vulnerabilities/

------------------------------

Date: Sun, 4 Apr 2021 09:47:13 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: 7% of Americans don't use the Internet. Who are they?

For many Americans, going online is an important way to connect with
friends and family, shop, get news and search for information. Yet today,
7% of U.S. adults say they do not use the Internet, according to a Pew
Research Center survey conducted 25 Jan -- 8 Feb 2021.

Internet non-adoption is linked to a number of demographic variables, but
is strongly connected to age -- with older Americans continuing to be one
of the least likely groups to use the Internet. Today, 25% of adults ages
65 and older report never going online, compared with much smaller shares
of adults under the age of 65.

Educational attainment and household income are also indicators of a
person's likelihood to be offline. Some 14% of adults with a high-school
education or less do not use the Internet, but that share falls as the
level of educational attainment increases. Adults living in households
earning less than $30,000 a year are far more likely than those whose
annual household income is $75,000 or more to report not using the
Internet (14% vs. 1%). [...]

https://www.pewresearch.org/fact-tank/2021/04/02/7-of-americans-dont-use-the-internet-who-are-they/

  [There are many facilities that now are enabled with relatively easy
  online Internet access, but without other convenient routes -- e.g.,
  certain vaccine appointments, food services that take only online orders,
  remote voter registration even in states where it is part of automobile
  registration (which usually requires in-presence appearance), and lots
  more. Even Internet voting (which we know opens up serious security
  vulnerabilities) would still be inaccessible to many people who might
  need other alternatives. If diversity and equal opportunity are to be
  achieved in reality, then more alternative paths that are widely
  available need to exist.  PGN]

------------------------------

Date: 1 Apr 2021 19:32:41 -0400
From: "Bob Frankston" <bob20...@bob.ma>
Subject: 5G is not just a radio

5G continues to generate headlines. All the talk about 5G radios is
interesting, but those radios are only part of the 5G story. As I dig
deeper, the story becomes stranger and stranger, with the radios
distracting us from the issues of 5G networking protocols and policies.

I'm concerned about the risks of accepting the idea that we need a 1970s
style telecommunications network. It's the triumph of marketecture over
architecture. Why isn't that story being covered?

There is a risk in treating the Internet as just another telecommunications
service (relegated to the slow lane). It's just the opposite -- or should
be. A phone call is just an app and not a network service. What happened to
all we've learned about best-efforts packet connectivity? Why is our policy
at odds with reality? The consequence is to limit our ability to
communicate and innovate.

Another risk is expertise creep. I respect the expertise of radio
engineers. But that doesn't mean that they are experts in the software and
business protocols for connected devices and applications. Remember that
telecom engineers told us we needed a special network for voice until VoIP
happened. Today we're again being told that we need a special network for
applications such as video and connected devices even though we're doing
just fine without one. More to the point, we're doing just fine because we
can innovate outside of the network, and that's a problem for the legacy
business model. Requiring a SIM chip creates unnecessary dependencies and
opportunities for failure.

I could go on, but there is so much weirdness that I wrote a whole column
asking why the IEEE has fixated on 5G as the one future. For the deep dive
into 5G: https://rmf.vc/IEEE5GPast

------------------------------

Date: Thu, 1 Apr 2021 11:13:04 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Scientists Collected Human DNA From the Air In a Breakthrough
  (Science News for Students)

*The first reported collection of human and animal DNA from ambient air is
a boon for researchers in forensic archeology, ecology, and population
studies*

In a first, scientists have revealed that animal and human DNA can be
plucked straight out of thin air. The development heralds a promising new
scientific technique with possible applications for ecology, forensics, and
medicine, according to a new study.

Because animals shed cells into their environments, researchers can use
water or soil samples to hunt for environmental DNA (eDNA), which provides
a novel source of information about the lifeforms that inhabit any given
area even if they are not present for DNA collection. The collection of
eDNA has been pioneered in aquatic and underground environments, offering a
data-rich and non-invasive way to examine species and their habitats.

Now, a team led by Elizabeth Clare, senior lecturer at Queen Mary
University of London (QMUL), has provided the ``first proof of concept
demonstration that air samples are a viable source of DNA for the
identification of species in the environment,'' according to a study
published on Wednesday <https://dx.doi.org/10.7717/peerj.11030> in the
journal *PeerJ*.

Plant and fungal eDNA has been snatched from the air before, but Clare was
surprised to find that there were no analogous studies for animals in the
scientific literature. She noted, though, that a pair of high school
students from Japan presented a bird-focused eDNA concept at a science
fair. [...]

<https://www.sciencenewsforstudents.org/blog/eureka-lab/isef-2019-two-teens-pull-dna-birds-out-air>

https://www.vice.com/en/article/88awgb/scientists-collected-human-dna-from-the-air-in-a-breakthrough

------------------------------

Date: 4 Apr 2021 14:50:20 -0400
From: Bob Frankston <bob20...@bob.ma>
Subject: NFTs built on sand? (The Atlantic)

https://medium.com/the-atlantic/nfts-werent-supposed-to-end-like-this-14f14aff42e1

"... the NFT prototype we created in a one-night hackathon had some
shortcomings. You couldn't store the actual digital artwork in a
blockchain; because of technical limits, records in most blockchains are
too small to hold an entire image. Many people suggested that rather than
trying to shoehorn the whole artwork into the blockchain, one could just
include the web address of an image, or perhaps a mathematical compression
of the work, and use it to reference the artwork elsewhere."

"We took that shortcut because we were running out of time. Seven years
later, all of today's popular NFT platforms still use the same shortcut.
This means that when someone buys an NFT,..."

Given that the DNS entries expire every year, there is a real problem. We
must remove the semantics from the DNS though this approach is still
dependent upon ephemeral websites.
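  [The distinction the Atlantic excerpt draws, a record that carries only the
  web address of the artwork versus one that carries a "mathematical
  compression" (in practice a content hash) of it, is the difference between
  a reference that can be silently re-pointed and one that can be checked.
  The following is an added illustration, not code from the Atlantic piece,
  from Bob Frankston, or from any NFT platform; the TokenRecord layout, the
  WebHost class, the URL and the artwork bytes are all constructed for the
  example.]

```python
"""Added example: why a URL in an NFT record binds nothing, while a content
hash binds the token to specific bytes (but still not to a server that will
keep serving them).  Record layout, host model, URL and artwork bytes are
constructed for illustration; none of this is any platform's real code."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class TokenRecord:
    """What the chain stores: immutable once minted (hypothetical layout)."""
    token_id: int
    token_uri: str                 # where a client is told to look
    content_hash: Optional[str]    # sha256 of the artwork, or None if the
                                   # platform took the URL-only shortcut


# Constructed artwork bytes; the host is run by someone other than the buyer.
ORIGINAL_ART = b"\x89PNG\r\n\x1a\n...original artwork bytes..."
REPLACED_ART = b"\x89PNG\r\n\x1a\n...something else entirely..."
ART_URL = "https://art.example/token/42.png"


class WebHost:
    """Mutable key/value store standing in for a web server or a mirror."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def put(self, url: str, data: bytes) -> None:
        self.files[url] = data

    def drop(self, url: str) -> None:
        # The domain lapses or the file is removed: the URL now resolves to
        # nothing (or, worse, to whoever registers the name next).
        self.files.pop(url, None)

    def get(self, url: str) -> Optional[bytes]:
        return self.files.get(url)


def resolve_by_url(rec: TokenRecord, host: WebHost) -> Optional[bytes]:
    """URL-only shortcut: trust whatever the host serves today.  There is
    nothing in the record to compare the bytes against."""
    return host.get(rec.token_uri)


def resolve_by_hash(rec: TokenRecord, *hosts: WebHost) -> Optional[bytes]:
    """Content-addressed lookup: accept bytes from any source (origin or
    mirror) that hash to the value recorded on chain; reject everything
    else.  Integrity is checked; availability is still somebody's problem."""
    if rec.content_hash is None:
        raise ValueError("record carries no content hash; cannot verify")
    for host in hosts:
        data = host.get(rec.token_uri)
        if data is not None and sha256_hex(data) == rec.content_hash:
            return data
    return None


def demo() -> dict:
    """Walk the record through the three situations the article implies:
    honest host, host that swaps the file, host whose domain has expired."""
    host = WebHost()
    host.put(ART_URL, ORIGINAL_ART)
    mirror = WebHost()                 # someone else kept a copy
    mirror.put(ART_URL, ORIGINAL_ART)

    url_only = TokenRecord(42, ART_URL, None)
    hashed = TokenRecord(42, ART_URL, sha256_hex(ORIGINAL_ART))
    out = {}

    # Day one: both records appear to "work".
    out["before"] = (resolve_by_url(url_only, host) == ORIGINAL_ART,
                     resolve_by_hash(hashed, host) == ORIGINAL_ART)

    # The host operator swaps the file.  URL-only resolution returns the
    # substitute with no error; hash-based resolution refuses it (None).
    host.put(ART_URL, REPLACED_ART)
    out["swapped"] = (resolve_by_url(url_only, host) == ORIGINAL_ART,
                      resolve_by_hash(hashed, host))

    # The domain registration expires.  The URL-only record is now a dangling
    # pointer; the hashed record can still be satisfied from any mirror.
    host.drop(ART_URL)
    out["expired"] = (resolve_by_url(url_only, host),
                      resolve_by_hash(hashed, host, mirror) == ORIGINAL_ART)
    return out


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

  The hash removes the dependence on a particular name or server that Bob
  Frankston's last sentence complains about: any copy that matches is as good
  as the original, and any copy that does not is detectable. It does not
  remove the dependence on *someone* still holding the bytes; a record that is
  verifiable but unresolvable is the remaining failure mode.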
------------------------------

Date: Sat, 3 Apr 2021 22:02:49 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Google and "pink noise"

While running an experiment here today, I told Google Assistant/Google Home
to "Play pink noise" -- and without a word it seemed to comply. I also told
it to "play white noise" -- and it also complied without a word. But --
hmmm -- I couldn't seem to hear a difference between the two. Well, hell,
my hearing can't be what it used to be, let's pull out the spectrum
analyzer. And ... uh ... the spectrums for both look identical. And it's
the spectrum for white noise. And in fact, someone with a Hub (which I
don't have) checking my results says, yes, Google is playing white noise
when you ask it for either white noise or pink noise.

Does this matter? Well, yeah, it does. You can find articles around the Net
saying that "play pink noise" actually does play pink noise through these
Google devices, and there are generally believed to be physiological
differences in our reactions to pink noise vis-a-vis white noise. In
general, pink noise is viewed as being easier on the ears and more useful
for sound masking and relaxation purposes than white noise.

There are some alternate ways to get genuine pink noise from these devices,
but they require calling up third party apps, videos, or sound files. And
really, this shouldn't be necessary. If you tell Google to play pink noise,
it should either play pink noise or admit that it can't ... OK Google?
Thanks.

------------------------------

Date: Thu, 1 Apr 2021 17:31:40 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: It’s Easy - and Legal - to Bet on Sports. Do Young Adults Know the
  Risks? (NYTimes)

https://www.nytimes.com/2021/04/01/sports/sports-betting-addiction.html

Risks? Yeah, who knew. What could go wrong?

------------------------------

Date: Thu, 1 Apr 2021 13:36:08 PDT
From: Peter G Neumann <neum...@csl.sri.com>
Subject: Another water system hacked (KSNT)

Yet another one. No surprise to RISKSers.

www.ksnt.com/news/kansas/kansas-man-faces-charges-for-shutting-down-water-supply-cleaning-systems/

------------------------------

Date: Wed, Mar 31, 2021 at 6:50 PM
From: Martin Cooper <mcoo...@dynallc.com>
Subject: Re: Energy-harvesting card treats 5G networks as wireless power
  grids (RISKS-32.58)

  [via geoff goodfellow]

The second paragraph is a description of a perpetual-motion process. If you
harvest 30% of the output power, that harvested power is not transmitted.
Now imagine that you use that 30% to replace input electrical power. You
are now producing the original power output with only about 85% of the
original power (assuming a reasonable 50% efficiency of the transmitter).
Now do that again, and again and again, and pretty soon the transmitted
power remains the same, but the input power is equal to the output power.
100% efficiency. Wow! Now, do it again and you are actually (or should I
say, virtually), creating new power. Very exciting! Forget about wind and
solar power. Let's do an IPO!

Of course, this logic is flawed, but so is the idea that millimeter wave
frequencies can radiate at higher densities and farther than lower
frequencies.

  [This was in response to another message in response to the original one:
  PGN]

> Date: Wed, Mar 31, 2021 at 7:36 AM
> From: *Andy Poggio* <pog...@csl.sri.com>
>
> They are talking about single digit microwatts -- truly tiny amounts of
> power. This won't be charging up your electric car. There are some types
> of very low power sensors that can use this and avoid batteries -- but
> this is a very limited use.
>
> Andy Poggio

------------------------------

Date: Thu, 01 Apr 2021 14:38:11 -0700
From: Henry Baker <hbak...@pipeline.com>
Subject: Re: Antiscience Movement Is ... Killing Thousands (RISKS-32.58)

"Antiscience has emerged as a ... force ... that threatens global security"

IMHO, 'antiscience', per se, isn't the issue, but 'anti-elite' is.

Anti-elite is the equal and opposite reaction to the condescension dripping
from the collegiate classes. Ever since ~1960, when JFK started preferring
'the best and brightest' to run everything, the underlying assumption has
been that higher IQ's and higher degrees would lead to the greatest good
for the greatest number. Indeed, the Chinese Communist Party (CCP) has
taken this theory to the reductio ad absurdum, with its technocratic wet
dream that "All animals are equal, but some animals [with higher IQ's and
better breeding] are more equal than others".

This theory was never itself based upon 'science', nor was it ever
subjected to a double-blind test. Indeed, the only real research tests of
this theory came in the form of the 'Milgram Experiments' which proved that
elite university students were capable of the most Nazi-like behavior given
the slightest provocation.

Embarrassingly, very public counterexamples to this thesis started showing
up almost immediately, with the disastrous Vietnam War being only the
largest and most obvious, and certainly the most expensive.

Nevertheless, most in the U.S. were willing to continue tolerating this new
"trickle down from the PhD's" theory (National Lampoon cover, December,
1975), so long as a few drops made it all the way down to the proles.

However, the elites forgot their noblesse oblige, and in their noble search
for economic efficiency, they decided to offshore as many prole jobs as
possible, as quickly as possible. More education was advised for the
proles, and 'retraining' for out-of-work coal miners to become web
designers became fashionable. Student loan debts became nondischargeable in
bankruptcy, and student loan interest rates soared from less than the Fed
rate to far more than the Fed rate. Oops, no jobs after graduation.
Gotcha!

The best and brightest physicians decided that prole pain was being
'undertreated', so a generation of medicine created more *legal* drug
addiction than any Colombian drug lord could ever dream of. Houston, we
have an opioid crisis.

Not content with allowing the proles to own their own modest lead-poisoned
homes, the elites invented 'derivatives' in which prole pensions were
invested, so that when the derivatives exploded, both the prole homes *and*
their pensions were gone, while the elite billionaire funds bought these
homes out of bankruptcy, re-renting them to those same proles at higher
rents than they had previously paid in mortgages.

The proles and rubes have recently been found guilty of using the wrong
forks; they have violated the 'norms' of civilized (aka collegiate) society
by questioning everything their betters have been advocating for the past
60 years; they have forgotten 'their place'. Tut-tut.

Peter Hotez is right; this story will probably not end well. But IMHO it is
highly unlikely that readers of Scientific American will be able to solve
this problem, becuz...

  [*Animal Farm* and *1984* are both more relevant today than ever. But the
  absence of an "Orwell's AllsWell That EndsWell" for balance should be a
  strong indication of the pervasive depth of the problems worldwide.  PGN]

------------------------------

Date: Fri, 2 Apr 2021 09:27:12 -0700
From: "Stephen E. Bacher" <seb...@verizon.net>
Subject: Re: Scientists can implant false memories-and reverse them
  (RISKS-32.58)

> https://www.inverse.com/mind-body/how-to-reverse-false-memories-study

But the article neglects to address the question of whether true memories
could be reversed using the same approach.

------------------------------

Date: 1 Apr 2021 18:08:54 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Volkswagen apparently changing their name in U.S. (RISKS-32.58)

They later admitted it was a lame April Fool's joke. Uh, haha.

  [Indeed. A few days later Volkswagen said they were "just kidding" and
  that it was an early April Fool's joke. Indeed Re-Volting! However, I am
  not unhappy that I somehow missed Lauren's following post to that effect
  -- because VW actually thought it was worthy of being their own April
  Fool's post. Lauren later shared this with me:
  https://www.cnn.com/2021/03/31/cars/volkswagen-voltswagen-securities-law/index.html
  PGN]

------------------------------

Date: 1 Apr 2021 20:44:01 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: New York launches nation's first 'vaccine passports'

> Others are working on similar ideas, but many details must be worked out.

I have one. You log into the state's web site and give them your name, DOB,
and zip code to show who you are, and the date and county where you got the
shot and what kind it was. It gives you a barcode which appears to include
a cryptographic signature that you can load into the app. They also have a
pass scanner app which looks at the barcode and says whether it's valid and
unexpired.

You don't even need a phone. If you have access to any computer with a web
browser you can log into the site and print out a wallet card with the bar
code.

------------------------------

Date: Fri, 2 Apr 2021 14:59:43 +0200
From: Terje Mathisen <terje.mathi...@tmsw.no>
Subject: Re: Vintage technology: 'It sounds so much cleaner' (Ward,
  RISKS-32.54)

Re: Porting Kermit

Back around 1983 I started to write my own PC Kermit (in Turbo Pascal of
course). After I had implemented the full "SuperKermit" set of extensions,
with sliding windows, selective packet retransmission, larger packet sizes
(with improved integrity checking), I made a version for the company IBM
mainframe: IBM already had a baseline Kermit, written in Pascal, so it was
relatively easy to add those SuperKermit extensions. The result was file
transfers that worked across 3270 protocol emulators with the same
effective speed as we got from an IBM 3270 PC (or PC/AT), but at a small
fraction of the cost.

At the time I wondered if the abysmally slow performance of IBM's Kermit
was due to their perceived need to not compete with "proper IBM end points
running SNA".

------------------------------

Date: 1 Apr 2021 18:23:47 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Too much choice is hurting America (Steingold, RISKS-32.58)

It must be fun to attribute stupid condescending motives to people you
don't know and, in this case, whose writing you apparently have never read.

What Paul said in that column was that too much choice can be a problem for
*everyone* since it generally means that what claims to be "choice" is in
fact shifting risk onto the unwary. (See my note in a recent Risks.) He
doesn't want a thousand Medigap plans with secret loopholes or power
suppliers whose prices can suddenly jump from 4c to $9.00/kwh for himself
any more than he wants them for anyone else.

------------------------------

Date: Fri, 2 Apr 2021 18:10:11 +1100
From: Andrew Pam <and...@sericyb.com.au>
Subject: Re: Too much choice is hurting America (Recent RISKS)

I for one am finding the ongoing reporting of people's personal dislike and
willful misunderstanding of Paul Krugman below the usual standards of the
RISKS journal.

  [Me too. However, the positive items in response show that there are some
  very careful RISKS readers. And that is an important aspect of RISKS. The
  truth should always out. I cannot be the sole arbiter.  PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.59
************************