RISKS-LIST: Risks-Forum Digest  Monday 2 August 2021  Volume 32 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.79>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
If you don't trust AI yet, you're not wrong. (NYTimes)
Phantom Warships Are Courting Chaos in Conflict Zones (WiReD)
Chair moved to clean in control room, bumps switch, shutting reactor
  in Taiwan (The Register)
World's first re-programmable commercial satellite set to launch (phys.org)
AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation (AVweb)
On The Contours of Our Insecurity' & Related Obduracy... (Forbes)
Hackers Turning to 'Exotic' Programming Languages for Malware Development
  (The Hacker News)
As Cyberattacks Surge, Security Start-Ups Reap the Rewards (NYTimes)
Albertans' personal information exposed after national health-care provider
  hacked, data put up for sale (Edmonton Journal)
Human Risk Management is the FIX. (The Hacker News)
Don't click links in text messages (Tom Van Vleck)
Florida Sheriff's Office Now Notifying People It Will Be Inflicting Its
  Pre-Crime Program On Them (TechDirt)
Ancient Printer Security Bug Affects Millions of Devices Worldwide
  (Mayank Sharma)
ML Technique Used to Pinpoint Quantum Errors (Q-CTRL and U.Sydney)
QR Codes Are Here to Stay. So Is the Tracking They Allow. (NYTimes)
The Robocall Rebellion (NYTimes)
Joint USTPC/CRA Comments to the White House's OSTP on Enhancing Scientific
  Integrity Policies (PGN)
Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming
  (Richard Thieme)
Re: Some locals say a bitcoin mining operation is ruining one of the
  Finger Lakes. Here's how. (John Levine)
Re: YouTube fined 100 000 Euros delaying court order to restore video
  (Thomas Koenig)
Re: "Roundoff" (Eric Ferguson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Jul 2021 11:33:27 PDT
From: Peter Neumann <neum...@csl.sri.com>
Subject: If you don't trust AI yet, you're not wrong. (NYTimes)

Frank Pasquale and Gianclaudio Malgieri, *The New York Times*
(online on 30 Jul 2021, and in print on the opinion page, 2 Aug 2021)

  [Thanks to Prashanth Mundkur for spotting this one on Friday, when I
  first read it.  It was not in print in the National Edition until
  Monday's paper -- with some nifty art work.  I PGN-excerpted it on
  Saturday, and added the final paragraph after re-reading the article in
  print on Monday.  PGN]

https://www.nytimes.com/2021/07/30/opinion/artificial-intelligence-european-union.html

Americans have good reason to be skeptical of artificial intelligence.
Tesla crashes have dented the dream of self-driving cars.  Mysterious
algorithms predict job applicants' performance based on little more than
video interviews.  Similar technologies may soon be headed to the classroom,
as administrators use “learning analytics platforms” to scrutinize students'
written work and emotional states.  Financial technology companies are using
social media and other sensitive data to set interest rates and repayment
terms.  Even in areas where AI seems to be an unqualified good, like machine
learning to better spot melanoma, researchers are worried that current data
sets do not adequately represent all patients’ racial backgrounds.  [...]

In April, the European Union released a new proposal for a systematic
regulation of artificial intelligence.  If enacted, it will change the terms
of the debate by forbidding some forms of AI, regardless of their ostensible
benefits.
Some forms of manipulative advertising will be banned, as will real-time
indiscriminate facial recognition by public authorities for law enforcement
purposes.  The list of prohibited AI uses is not comprehensive enough -- for
example, many forms of nonconsensual AI-driven emotion recognition, mental
health diagnoses, ethnicity attribution and lie detection should also be
banned.  But the broader principle -- that some uses of technology are simply
too harmful to be permitted -- should drive global debates on AI regulation.
[...]

The European Union is now laying the intellectual foundations for such
protections, in a wide spectrum of areas where advanced computation is now
(or will be) deployed to make life-or-death decisions about the allocation
of public-assistance services, the targets of policing, and the cost of
credit.  While its regulation will never be adopted by the United States,
there is much to learn from its comprehensive approach.

------------------------------

Date: Fri, 30 Jul 2021 00:38:29 -0400
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: Phantom Warships Are Courting Chaos in Conflict Zones (WiReD)

The latest weapons in the global information war are fake vessels behaving
badly.

https://www.wired.com/story/fake-warships-ais-signals-russia-crimea/

------------------------------

Date: Wed, 28 Jul 2021 20:18:30 -0700
From: "Rob Wilcox" <robwilco...@gmail.com>
Subject: Chair moved to clean in control room, bumps switch, shutting reactor
  in Taiwan (The Register)

We don't often think about basic house cleaning in mission critical
facilities.  Not cleaning is not an option for operator experience and other
reasons.  I wonder what the literature is on that in human factors
engineering?

The Guosheng Nuclear Power Plant in Taiwan is about 15 miles from Taipei and
on the ocean.  At 985MW, it provides about 3-4% of load this week, which
varies between about 26,000-38,000MW.

When cleaning the control room, a chair was moved, lifting an acrylic safety
cover and activating the protected switch.  The switch closed the main steam
loop valve, which caused the safety sequence to shut down the reactor without
further incident.

The Register tagged their article "Surprisingly a real-life scenario and not
a plotline from The Simpsons".

Preliminary report by the Taiwan Atomic Energy Council (Chinese, your browser
may translate):
https://www.aec.gov.tw/newsdetail/headline/5757.html

Local coverage:
https://en.rti.org.tw/news/view/id/2005816

More:
https://www.theregister.com/2021/07/28/taiwan_nuclear_plant_shutdown/

  [Also reported by Dan Jacobson: Surprisingly a real-life scenario and not
  a plotline from The Simpsons.  PGN]

------------------------------

Date: Fri, 30 Jul 2021 18:25:43 +0800
From: "Richard Stein" <rmst...@ieee.org>
Subject: World's first re-programmable commercial satellite set to launch
  (phys.org)

https://phys.org/news/2021-07-world-re-progammable-commercial-satellite.html

"The European Space Agency will on Friday launch the world's first
commercial fully re-programmable satellite, paving the way for a new era of
more flexible communications.

"Unlike conventional models that are designed and 'hard-wired' on Earth and
cannot be repurposed once in orbit, the Eutelsat Quantum is based on
so-called software-defined technology that allows users to tailor the
communications to their needs -- almost in real-time."

A pre-launch bugathon/hackathon, in addition to qualification testing and
acceptance sign-off, is a reasonable recommendation.
------------------------------

Date: Wed, 28 Jul 2021 12:30:51 -0400
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation
  (AVweb)

According to local news sources, a teenage airline passenger “virtually”
triggered a security evacuation by AirDropping an electronic image of a
replica AirSoft weapon to other passengers.  The incident occurred before
takeoff on a United Airlines flight from San Francisco to Orlando.  Security
officials ultimately determined that the image had been taken well before
the time of the flight and the fake gun was not on board.  They also
determined that no malicious intent was involved.

https://www.avweb.com/aviation-news/airdropped-image-of-airsoft-weapon-leads-to-ual-flight-evacuation/

------------------------------

Date: Thu, 29 Jul 2021 22:31:33 -0400
From: "Robert Mathews (OSIA)" <math...@hawaii.edu>
Subject: On The Contours of Our Insecurity' & Related Obduracy....

Thomas Brewster, Cybersecurity, FORBES, 29 Jul 2021
"Meet Paragon: An American-Funded, Super-Secretive Israeli Surveillance
Startup That ‘Hacks WhatsApp And Signal’"
https://www.forbes.com/sites/thomasbrewster/2021/07/29/paragon-is-an-nso-competitor-and-an-american-funded-israeli-surveillance-startup-that-hacks-encrypted-apps-like-whatsapp-and-signal

"Paragon Solutions doesn’t have a website.  There’s very little information
at all about them online ....  But it does have a cofounder, director and
chief shareholder that will turn heads: Ehud Schneorson, the former
commander of Israel’s NSA equivalent, known as Unit 8200.  The other
cofounders - CEO Idan Nurick, CTO Igor Bogudlov and vice president of
research Liad Avraham - are ex-Israeli intelligence too.  Also on the board
is cofounding director and former Israeli prime minister Ehud Barak.  They
also have a significant American financial backer: Boston,
Massachusetts-based Battery Ventures."
------------------------------

Date: Tue, 27 Jul 2021 12:33:46 -1000
From: "geoff goodfellow" <ge...@iconia.com>
Subject: Hackers Turning to 'Exotic' Programming Languages for Malware
  Development (The Hacker News)

Threat actors are increasingly shifting to "exotic" programming languages
such as Go, Rust, Nim, and Dlang that can better circumvent conventional
security protections, evade analysis, and hamper reverse engineering
efforts.

"Malware authors are known for their ability to adapt and modify their
skills and behaviors to take advantage of newer technologies," said
<https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks>
Eric Milam, Vice President of threat research at BlackBerry.  "That tactic
has multiple benefits from the development cycle and inherent lack of
coverage from protective products."

On the one hand, languages like Rust are more secure as they offer
guarantees like memory-safe programming
<https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>,
but they can also be a double-edged sword when malware engineers abuse the
same features designed to offer increased safeguards to their advantage,
thereby making malware less susceptible to exploitation and thwarting
attempts to activate a kill-switch
<https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render
them powerless.

Noting that binaries written in these languages can appear more complex,
convoluted, and tedious when disassembled, the researchers said the pivot
adds additional layers of obfuscation, simply by virtue of them being
relatively new, leading to a scenario where older malware developed using
traditional languages like C++ and C# is being actively retooled with
droppers and loaders written in uncommon alternatives to evade detection by
endpoint security systems.  [...]

https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

------------------------------

Date: Tue, 27 Jul 2021 22:01:00 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: As Cyberattacks Surge, Security Start-Ups Reap the Rewards (NYTimes)

Investors have poured $12.2 billion into cybersecurity companies so far this
year, nearly $2 billion more than the total for all of 2020.

https://www.nytimes.com/2021/07/26/technology/cyberattacks-security-investors.html

------------------------------

Date: Fri, 30 Jul 2021 06:46:49 -0600
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: Albertans' personal information exposed after national health-care
  provider hacked, data put up for sale (Edmonton Journal)

A listing on Marketo, a self-described "leaked data marketplace," claimed to
be selling more than 180 gigabytes of the company's data including a sample
evidence package with documents referencing provincial and national
organizations, including Workers' Compensation Board of Alberta, the City of
Spruce Grove, Construction Labour Relations, Fortis Alberta, Alberta Motor
Association, the University of Lethbridge and Bow Valley College.

https://edmontonjournal.com/news/local-news/albertans-personal-information-exposed-after-national-health-care-provider-hacked-data-put-up-for-sale

------------------------------

Date: Thu, 8 Jul 2021 11:01:15 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Human Risk Management is the FIX. (The Hacker News)

Humans are an organization's strongest defence against evolving #cyber
threats, but security awareness #training alone often isn't enough to
transform user behaviour.  Human Risk Management (HRM) is the FIX.  Check
out this new guide from @getusecure: [...]
https://thehackernews.com/2021/07/security-awareness-training-is-broken.html
via https://twitter.com/TheHackersNews/status/1413158374057730052

------------------------------

Date: Wed, 28 Jul 2021 08:48:46 -0400
From: "Tom Van Vleck" <t...@multicians.org>
Subject: Don't click links in text messages

Mobile phones have hundreds of options, but there's one important one
missing.  If iPhones had a Messages option named "disable links in Messages"
I would set it and tell everyone to set it.

The Bad Guys can send text messages that appear to be from anybody.  I get a
lot from banks I don't have an account at.  If the Bad Guys hack somebody
else's phone or email, they might get your mobile number and send you a fake
text message with a link in it.  If you click this link, a web browser on
your phone will be sent to a fake page of theirs.  That page can infect your
phone with malware, spyware, ransomware.  Spoil your day/week/month.

Here is a web page that explains the problem.
https://theintercept.com/2021/07/27/pegasus-nso-spyware-security/

(Are you about to click that link, without making sure the mail is really
from me?)

------------------------------

Date: July 30, 2021 22:23:23 JST
From: Richard Forno <rfo...@infowarrior.org>
Subject: Florida Sheriff's Office Now Notifying People It Will Be Inflicting
  Its Pre-Crime Program On Them (TechDirt)

(the agency's letter, which you can read at the link, is some grade-A
Orwellian nonsense.... --rick)  [via Dave Farber]

https://www.techdirt.com/articles/20210724/15223647236/florida-sheriffs-office-now-notifying-people-it-will-be-inflicting-pre-crime-program-them.shtml

------------------------------

Date: Wed, 28 Jul 2021 11:56:32 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Ancient Printer Security Bug Affects Millions of Devices Worldwide
  (Mayank Sharma)

Mayank Sharma, TechRadar, 21 Jul 2021, via ACM TechNews, Wednesday, July 28, 2021

Cybersecurity researchers at SentinelOne have identified a highly severe
privilege escalation vulnerability in HP, Samsung, and Xerox printer
drivers.  The vulnerability appears to have been present since 2005.  The
researchers said millions of devices and users worldwide likely have been
impacted by the buffer overflow vulnerability, which can be exploited
whether or not a printer is connected to a targeted device.  SentinelOne's
Asaf Amir said, "Successfully exploiting a driver vulnerability might allow
attackers to potentially install programs; view, change, encrypt, or delete
data, or create new accounts with full user rights."  Hackers would need
local user access to the system to access the affected driver and take
advantage of the vulnerability.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c145x22c913x072638

------------------------------

Date: Fri, 30 Jul 2021 12:59:24 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: ML Technique Used to Pinpoint Quantum Errors (Q-CTRL and U.Sydney)

HPCwire, 29 Jul 2021, via ACM TechNews, Friday, July 30, 2021

Researchers at Australia's University of Sydney (USYD) and quantum control
startup Q-CTRL have designed a method of pinpointing quantum computing
errors via machine learning (ML).  The USYD team devised a means of
recognizing the smallest divergences from the conditions necessary for
executing quantum algorithms with trapped ion and superconducting quantum
computing equipment.
Q-CTRL scientists assembled custom ML algorithms to process the measurement
results, and minimized the impact of background interference using existing
quantum controls.  This yielded an easy distinction between sources of
correctable "real" noise and phantom artifacts of the measurements
themselves.  USYD's Michael J. Biercuk said, "The ability to identify and
suppress sources of performance degradation in quantum hardware is critical
to both basic research and industrial efforts building quantum sensors and
quantum computers."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c1c7x22c9a9x073991&

  [``Who needs error-correcting codes when we have machine learning?''  PGN]

------------------------------

Date: Tue, 27 Jul 2021 21:51:21 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: QR Codes Are Here to Stay. So Is the Tracking They Allow. (NYTimes)

Fueled by a desire for touchless transactions, QR codes popped up everywhere
in the pandemic.  Businesses don’t want to give them up.

https://www.nytimes.com/2021/07/26/technology/qr-codes-tracking.html

------------------------------

Date: Fri, 30 Jul 2021 00:31:50 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: The Robocall Rebellion

https://www.nytimes.com/2021/07/28/opinion/the-robocall-rebellion.html

------------------------------

Date: Wed, 28 Jul 2021 20:10:22 PDT
From: Peter Neumann <neum...@csl.sri.com>
Subject: Joint USTPC/CRA Comments to the White House's OSTP on Enhancing
  Scientific Integrity Policies

The White House's Office of Science and Technology Policy (OSTP) made a
formal Request for Information To Improve Federal Scientific Integrity
Policies in June 2021.
https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies

A joint response has been submitted to OSTP from the Computing Research
Association and USTPC.
https://www.acm.org/binaries/content/assets/public-policy/cra-acm-comments-si-ftac-rfi.pdf
------------------------------

Date: Thu, 29 Jul 2021 10:02:35 -0500
From: "Richard Thieme" <rthi...@thiemeworks.com>
Subject: Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming
  (Max Fisher, RISKS-32.78)

Max Fisher writes of the disinformation industry as if his illumination is
news.  After I wrote an article about a cyber sleuth who worked online 25
years ago for an English magazine, Hill and Knowlton, the global PR firm,
thought I lived in London (we had not acclimated yet to the global presence
of everyone on the Internet) and asked me to come by for a talk.  They
wanted to do "brand defense" on the Internet, which meant impersonating
multiple people in Usenet groups and the like, all forerunners of current
practices.

This is not new news.  I wrote long ago that "truth and lies are Siamese
twins, joined at the lips," and began with speech - or before, with
deceptive gestures, as chimps have been seen to do.

------------------------------

Date: 28 Jul 2021 01:01:09 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Some locals say a bitcoin mining operation is ruining one of
  the Finger Lakes. Here's how. (NBC News, RISKS-32.78)

The bitcoin mining hardware is physically located at the power plant.  The
retail price I pay for power is about 5.4c/kwh for supply and 5.2c/kwh for
delivery.  While it's certainly cheaper for wholesale customers, I think
that the supply and delivery charges are about equal, so if the miners had
to pay for delivery, it wouldn't be worth it.

------------------------------

Date: Wed, 28 Jul 2021 07:57:24 +0200
From: "Thomas Koenig" <tkoe...@netcologne.de>
Subject: Re: YouTube fined 100 000 Euros delaying court order to restore
  video (RISKS-32-78)

> It seems like hubris for the "Higher Regional Court at Dresden"
> to expect that everyone in the world will recognize that title
> and recognize the court's authority.

They were served with court papers, and as I wrote, they had representation
at court.  You have to be a qualified lawyer to appear before the
"Oberlandesgericht", to give it its proper title, and the court order would
be communicated to them.

> It should take a reasonable time to investigate such a message for
> authenticity.

It is simply not credible that a company would confuse a court order
communicated through their own lawyers with some random crackpot e-mail.

------------------------------

Date: Wed, 28 Jul 2021 12:54:11 +0200
From: Eric Ferguson <e.fergu...@antenna.nl>
Subject: Re: "Roundoff" (RISKS-32.78)

Whether the times are truncated to the lower number of decimals or correctly
rounded makes no systematic difference when comparing results.  The
truncated values are on average exactly 0.5 of the smallest digit value
smaller than the rounded values.  Both expand the smallest difference
between the input values into a full one unit of the smallest digit value in
the shortened number, but do so at different places in the continuum of
input values.  As long as you are only comparing results from the same data
set, there will be no systematic bias.  But if you compare truncated times
with rounded times, or compare totals of added times, there can be
systematic bias.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.79
************************
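Worked example for Eric Ferguson's "Roundoff" note above (RISKS-32.79), added by the editor; it is not part of the digest or of the original RISKS-32.78 thread. It models timing data as integer microseconds reported to the millisecond and checks his four claims exactly by enumerating every sub-millisecond offset rather than sampling: rounded values exceed truncated ones by 0.5 units on average; neither scheme ever inverts the order of two times from the same data set (it only creates ties, and the two schemes create them at different places); comparing a truncated time with a rounded one biases the comparison; and summing shortened values drifts, with truncated totals drifting by roughly 0.5 units per item. The `round_ms` half-up convention and the constructed sample times are assumptions, not anything from the digest.

```python
"""Truncation vs rounding of timing data: where bias appears and where it does not.

Editor's added example, not code from the RISKS digest.  Raw times are integer
microseconds; reported times are integer milliseconds.
"""
from fractions import Fraction

US_PER_MS = 1000

def truncate_ms(t_us: int) -> int:
    """Drop the sub-millisecond part (floor, for non-negative times)."""
    return t_us // US_PER_MS

def round_ms(t_us: int) -> int:
    """Round half-up to the nearest millisecond (assumed convention)."""
    return (t_us + US_PER_MS // 2) // US_PER_MS

def mean_round_minus_trunc() -> Fraction:
    """Average of (rounded - truncated) over every sub-millisecond offset.
    Enumerating all 1000 offsets gives the exact expectation: 1/2."""
    diffs = [round_ms(t) - truncate_ms(t) for t in range(US_PER_MS)]
    return Fraction(sum(diffs), len(diffs))

def ordering_preserved(shorten, pairs) -> bool:
    """Both schemes are monotone: an earlier raw time is never reported as
    later, so comparisons within ONE data set carry no systematic bias.
    The only information lost is ties."""
    return all(shorten(a) <= shorten(b) for a, b in pairs if a <= b)

def tie_under(shorten, a_us: int, b_us: int) -> bool:
    """True if the two raw times become indistinguishable after shortening."""
    return shorten(a_us) == shorten(b_us)

def mixed_comparison_bias() -> tuple:
    """Compare a truncated time against a rounded copy of the SAME raw time.
    Returns (fraction where the truncated copy looks faster,
             fraction where it looks slower) over all offsets: (1/2, 0)."""
    faster = sum(1 for t in range(US_PER_MS) if truncate_ms(t) < round_ms(t))
    slower = sum(1 for t in range(US_PER_MS) if truncate_ms(t) > round_ms(t))
    return Fraction(faster, US_PER_MS), Fraction(slower, US_PER_MS)

def total_bias(times_us) -> tuple:
    """Error, in ms, of adding shortened values instead of shortening the true
    total: (true - sum_of_truncated, true - sum_of_rounded)."""
    true_total = Fraction(sum(times_us), US_PER_MS)
    trunc_total = sum(truncate_ms(t) for t in times_us)
    round_total = sum(round_ms(t) for t in times_us)
    return true_total - trunc_total, true_total - round_total

# Constructed sample: five lap times with sub-millisecond offsets 100..900 us.
SAMPLE_US = [1_100, 2_300, 3_500, 4_700, 5_900]

if __name__ == "__main__":
    print("mean(rounded - truncated):", mean_round_minus_trunc())
    pairs = [(a, b) for a in range(0, 3000, 37) for b in range(0, 3000, 53)]
    print("order preserved (trunc, round):",
          ordering_preserved(truncate_ms, pairs), ordering_preserved(round_ms, pairs))
    print("1.4 vs 1.6 ms tie under trunc/round:",
          tie_under(truncate_ms, 1_400, 1_600), tie_under(round_ms, 1_400, 1_600))
    print("1.6 vs 2.4 ms tie under trunc/round:",
          tie_under(truncate_ms, 1_600, 2_400), tie_under(round_ms, 1_600, 2_400))
    print("truncated-vs-rounded same time (faster, slower):", mixed_comparison_bias())
    print("total drift in ms (trunc, round):", total_bias(SAMPLE_US))
```

The two tie checks show the "different places in the continuum" point: 1.4 ms and 1.6 ms tie under truncation but not under rounding, while 1.6 ms and 2.4 ms tie under rounding but not under truncation. The totals check is the one to remember for practice: the truncated sum of the five constructed times is 2.5 ms short, half a unit per item, whereas the rounded sum is only half a unit off in total.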