RISKS-LIST: Risks-Forum Digest Wednesday 1 December 2021 Volume 32 : Issue 94
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.94>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The End of Trust (The Atlantic)
The makers of EyeDetect promise a new era of truth-detection, but many experts are skeptical (WashPost)
Apple sues NSO Group over Pegasus spyware (WashPost)
The Car Key of the Future -- is still in your pocket (NYTimes)
Locked Out of God Mode, Runners Are Hacking Their Treadmills (WiReD)
Sorry I'm late, my car had a 500 error. (twitter)
Israel and Iran Broaden Cyberwar to Attack Civilian Targets (NYTimes)
India to ban almost all private cryptocurrencies including Bitcoin in new clampdown (Euronews)
Dutch Tax Office algorithm targeted low-income households (Kees Huyser)
Crowd-Sourced Suspicion Apps Are Out of Control (EFF)
GoDaddy says data breach exposed over a million user accounts (TechCrunch)
He Leaked U.S. Missile Secrets. It Turned Into ‘a Dark Comedy of Errors.’ (DailyBeast)
Amazon's Dark Secret: It Has Failed to Protect Your Data (WiReD)
The Zelle Fraud Scam: How it Works, How to Fight Back (Krebs on Security)
Wikipedia Tests AI for Spotting Contradictory Claims in Articles (New Scientist)
Apple, Facebook, privacy, voter turnout efforts, and differential privacy (Rob Slade)
Google hacking (Wikipedia)
Devious *Tardigrade* Malware Hits Biomanufacturing Facilities (WiReD)
The unbearable fussiness of the smart home (staceyoniot)
YANCV: Yet Another New CoVID Variant (Rob Slade)
Re: Unconsidered automatic filtering creates damaging side-effects (John Levine)
Re: Scammers impersonate guest editors to get sham papers published (Martin Ward)
CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector (GAO Critical Infrastructure Protection)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 27 Nov 2021 10:14:14 +0800
From: "Richard Stein" <rmst...@ieee.org>
Subject: The End of Trust (The Atlantic)

https://www.theatlantic.com/magazine/archive/2021/12/trust-recession-economy/620522/

"Trust. Without it, Adam Smith’s invisible hand stays in its pocket; Keynes’s 'animal spirits' are muted. 'Virtually every commercial transaction has within itself an element of trust,' the Nobel Prize–winning economist Kenneth Arrow wrote in 1972.

"But trust is less quantifiable than other forms of capital. Its decline is vaguely felt before it’s plainly seen. As companies have gone virtual during the coronavirus pandemic, supervisors wonder whether their remote workers are in fact working. New colleagues arrive and leave without ever having met. Direct reports ask if they could have that casual understanding put down in writing. No one knows whether the boss’s cryptic closing remark was ironic or hostile."
Businesses deserve to fail, and governments convulse, when public trust continues to be abused for selective advantage without accountability for preventable technological maintenance and operational errors. Proactive and effective Internet safeguards -- regulatory enforcement of cybersecurity standards with strict oversight accountability for non-compliance -- are essential to rebuild public trust, an essential social virtue sensitized to spontaneously erode via multiple tipping points. Every data breach, ransomware incident, and critical infrastructure assault dilutes public trust in the Internet's utility. Without stern incentives to comply, diminished accountability for these abuses and outrages, attributed to both businesses and governments, feeds a sense of popular futility. Egregious and repeat oversight failures reveal their audacious impunity. As long as professional and business ethics remain trivialized by profit, convenience, ignorance, and lassitude, organizational effectiveness and accountability -- pillars of public trust resilience -- will remain vulnerable to nefarious exploitation.

------------------------------

Date: Sat, 27 Nov 2021 15:17:52 -0500
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: The makers of EyeDetect promise a new era of truth-detection, but many experts are skeptical (WashPost)

Is the ocular product EyeDetect a leap ahead of the polygraph? Or just the same dubiousness in a more high-tech box?

EyeDetect is the product of the Utah company Converus. “Imagine if you could exonerate the innocent and identify the liars . . . just by looking into their eyes,” the company’s YouTube channel promises. “Well, now you can!” Its chief executive, Todd Mickelsen, says they’ve built a better truth-detection mousetrap. He believes eye movements reflect their bearer far better than the much older and mostly discredited polygraph. Its popularity may be growing: The company says EyeDetect has gone from 500 customers in 2019 to 600 now.
Its critics, however, say the EyeDetect is just the polygraph in more algorithmic clothing. The machine is fundamentally unable to deliver on its claims, they argue, because human truth-telling is too subtle for any data set. And they worry that relying on it can lead to tragic outcomes, like punishing the innocent or providing a cloak for the guilty.

EyeDetect raises a question that draws all the way back to the Garden of Eden: Are humans so wired to tell the truth we’ll give ourselves away when we don’t?

https://www.washingtonpost.com/technology/2021/11/15/lie-detector-eye-movements-converus/

------------------------------

Date: Tue, 23 Nov 2021 14:44:46 -0500
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: Apple sues NSO Group over Pegasus spyware (WashPost)

The lawsuit comes just weeks after the U.S. Commerce Department added NSO to its list of entities barred from doing business with American companies. ...

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering, in a blog post announcing the lawsuit. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous,” he wrote.
“While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

https://www.washingtonpost.com/technology/2021/11/23/apple-pegasus-lawsuit-spyware-nso/

------------------------------

Date: Sun, 28 Nov 2021 16:22:32 -0500
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: The Car Key of the Future -- is still in your pocket (NYTimes)

They’re in fobs or on phones, and digital or “smart,” and they can do far more than just open doors and start the engine. Sometimes, however, one might wish for a real key; the alternatives are not bulletproof.

Tesla drivers recently punched up the smartphone app they use to unlock and start their cars. The app was not responding, as a server had gone down. The Tesla key “card” would work — Tesla’s version of a fob — but drivers who depended on their phones were stuck. The problem was sorted out fairly quickly, and Elon Musk, the company’s chief, tweeted apologies. ...

Several vehicle operating functions have already been outsourced to smartphones. For example, an app for some BMWs can remotely start the auto; it will run for 15 minutes, heating or cooling the cabin, before automatically shutting off.

But some type of hardware — a wireless fob, round or square, with tiny buttons to open and close doors, hatches, windows and sunroofs, and perhaps a “panic” function to set off the car’s alarm system — will most likely remain until mobile devices “eliminate the need for a physical piece of hardware altogether,” said Todd Parker, director of global design for General Motors.

https://www.nytimes.com/2021/11/25/business/car-keys-fobs.html

Eliminate need for hardware? Mobile devices look to me like pieces of "hardware", just more prone to failure or compromise than a key or fob.
------------------------------

Date: Sun, 21 Nov 2021 15:36:57 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Locked Out of God Mode, Runners Are Hacking Their Treadmills (WiReD)

NordicTrack customers were watching Netflix using a simple trick—until the company blocked their access.

https://www.wired.com/story/nordictrack-ifit-treadmill-privilege-mode/

What next? Fox (or MSNBC)-only TV sets? Cell phones only able to call people on same network?

------------------------------

Date: Tue, 23 Nov 2021 10:22:16 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Sorry I'm late, my car had a 500 error.

Tesla servers throwing 500 errors. People unable to unlock their cars.

https://twitter.com/switch_d/status/1461823823695777797
via https://twitter.com/internetofshit/status/1463159474961760273

------------------------------

Date: Sun, 28 Nov 2021 05:50:48 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: Israel and Iran Broaden Cyberwar to Attack Civilian Targets (NYTimes)

Millions of ordinary people in Iran and Israel recently found themselves caught in the crossfire of a cyberwar between their countries. In Tehran, a dentist drove around for hours in search of gasoline, waiting in long lines at four gas stations only to come away empty. In Tel Aviv, a well-known broadcaster panicked as the intimate details of his sex life, and those of hundreds of thousands of others stolen from an LGBTQ dating site, were uploaded on social media.

For years, Israel and Iran have engaged in a covert war, by land, sea, air and computer, but the targets have usually been military or government related. Now, the cyberwar has widened to target civilians on a large scale.
https://www.nytimes.com/2021/11/27/world/middleeast/iran-israel-cyber-hack.html

------------------------------

Date: Tue, 23 Nov 2021 14:41:50 -0500
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: India to ban almost all private cryptocurrencies including Bitcoin in new clampdown (Euronews)

India is on track to ban all but a few private cryptocurrencies after the government announced on Tuesday it was introducing a new financial regulation bill.

The 'Cryptocurrency and Regulation of Official Digital Currency' bill will create a facilitative framework for an official digital currency to be issued by the Reserve Bank of India, and ban all private cryptocurrencies, such as Bitcoin and Ethereum.

Earlier this month, Prime Minister Narendra Modi said all democratic nations must work together to ensure cryptocurrency "does not end up in wrong hands, which can spoil our youth" - his first public comments on the subject. ...

The new rules are also likely to discourage marketing and advertising of cryptocurrencies, to dull their allure for retail investors, said an industry source who was part of a separate parliamentary panel discussion held on Monday.

https://www.euronews.com/next/2021/11/23/india-is-planning-to-tighten-crypto-regulation-to-deter-trading-in-a-new-clampdown-sources

But ... banning cigarette ads on TV didn't ban smoking. Cryptocurrency "spoiling youth"? Ah, this is for the children...

------------------------------

Date: Tue, 23 Nov 2021 13:19:03 +0100
From: "Kees Huyser" <k...@huyser.net>
Subject: Dutch Tax Office algorithm targeted low-income households

The tax office specifically targeted people with low incomes when checking for potential fraud involving childcare benefits. Between 2013 and July 2020, the tax office used a self-learning algorithm based on a risk classification system to decide who should face extra checks. The system was scrapped last year following a damning report.
https://www.dutchnews.nl/news/2021/11/tax-office-singled-out-low-income-households-for-extra-fraud-checks/

------------------------------

Date: Wed, 24 Nov 2021 00:08:47 -0500
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: Crowd-Sourced Suspicion Apps Are Out of Control (Electronic Frontier Foundation)

Technology rarely invents new societal problems. Instead, it digitizes them, supersizes them, and allows them to balloon and duplicate at the speed of light. That’s exactly the problem we’ve seen with location-based, crowd-sourced “public safety” apps like Citizen.

These apps come in a wide spectrum—some let users connect with those around them by posting pictures, items for sale, or local tips. Others, however, focus exclusively on things and people that users see as “suspicious” or potentially hazardous. These alerts run the gamut from active crimes, or the aftermath of crimes, to generally anything a person interprets as helping to keep their community safe and informed about the dangers around them.

https://www.eff.org/deeplinks/2021/10/crowd-sourced-suspicion-apps-are-out-control

That's sure NextDoor here -- Fairfax County, VA -- which is pretty safe and yet people exaggerate/amplify incidents to bogus catastrophic statistics and trends.

------------------------------

Date: Mon, 22 Nov 2021 10:19:17 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: GoDaddy says data breach exposed over a million user accounts (TechCrunch)

GoDaddy says data breach exposed over a million user accounts
https://techcrunch.com/2021/11/22/godaddy-breach-million-accounts/

------------------------------

Date: Thu, 25 Nov 2021 10:16:06 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: He Leaked U.S. Missile Secrets. It Turned Into ‘a Dark Comedy of Errors.’ (DailyBeast)

A former Raytheon missile defense engineer <https://www.thedailybeast.com/former-raytheon-missile-engineer-james-robert-schweitzer-accused-of-leaking-classified-info> who recently pleaded guilty to leaking U.S. military secrets claims he did so only because his desperate attempts to correct a potentially deadly software error he accidentally made went completely unheeded by authorities.

“My approach and code were not adequately reviewed,” James Robert Schweitzer told The Daily Beast in his first public comments since his arrest. “I was told to ignore the anomaly that I introduced.”

The federal government, however, saw things quite differently. At the time, Schweitzer was at loggerheads with the Pentagon over his use of medical marijuana, which caused him to be stripped of his top secret security clearance. Unable to continue working in his chosen field, Schweitzer, who had hoped to stay at Raytheon until he retired, decided instead to exact revenge on the company by exposing classified information he believed he shouldn’t have had access to in the first place, according to prosecutors <https://www.documentcloud.org/documents/21112618-schweitzer-dod-ig-hotline>.

The government’s court filings assert that Schweitzer’s motive was simply to get back at Raytheon for shunting him aside. To that end, Schweitzer told investigators he wanted to bring his supervisors down with him for “illegally” demanding he work on a classified project.
A Missile Engineer’s ‘Dark Fantasy’ and Alleged Revenge Plot <https://www.thedailybeast.com/former-raytheon-missile-engineer-james-robert-schweitzer-accused-of-leaking-classified-info?via=rss&source=articles_fancylink>

Today, Schweitzer, who says he sees himself not as a traitor but a whistleblower, is still reeling from being hauled in by the feds last year, describing the nightmarish experience as “a comedy of errors, as far as I’m concerned—a dark comedy of errors.”

As The Daily Beast exclusively reported at the time <https://www.thedailybeast.com/former-raytheon-missile-engineer-james-robert-schweitzer-accused-of-leaking-classified-info>, Schweitzer, 58, was arrested and charged in December 2020 with malicious mischief and destruction of government property for sharing “national defense information” regarding U.S. missile sensors. Prosecutors said Schweitzer knew some of what he exposed <https://www.documentcloud.org/documents/21112436-usa-v-schweitzer> “could result in American casualties abroad or in the United States,” which Schweitzer freely admits, insisting that’s why he was so eager to sound the alarm.

Schweitzer, a California resident, claims he reported the alleged software bug to the DoD hotline, the Army, the FBI, and every single member of Congress to no avail. According to him, authorities said they would take care of it, but never did in order to save face after deploying a supposedly broken system that was being used to, among other things, protect the airspace in the Washington, D.C., area, and could have cost thousands of lives. Court filings by investigators and prosecutors, who would not comment on the case, do not mention anything about this supposed anomaly. [...]

https://www.yahoo.com/news/leaked-u-missile-secrets-turned-225131446.html

------------------------------

Date: Wed, 24 Nov 2021 00:11:18 -0500
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: Amazon's Dark Secret: It Has Failed to Protect Your Data (WiReD)

Voyeurs. Sabotaged accounts. Backdoor schemes. For years, the retail giant has handled your information less carefully than it handles your packages.

At that very moment inside Amazon, the division charged with keeping customer data safe for the company's retail operation was in a state of turmoil: understaffed, demoralized, worn down from frequent changes in leadership, and—by its own leaders' accounts—severely handicapped in its ability to do its job. That year and the one before it, the team had been warning Amazon's executives that the retailer's information was at risk. And the company's own practices were fanning the danger.

According to internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED, Amazon's vast empire of customer data—its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who's at your front door—had become so sprawling, fragmented, and promiscuously shared within the company that the security division couldn't even map all of it, much less adequately defend its borders.

https://www.wired.com/story/amazon-failed-to-protect-your-data-investigation/

------------------------------

Date: Sat, 20 Nov 2021 07:24:34 -0800
From: Tom Van Vleck <t...@multicians.org>
Subject: The Zelle Fraud Scam: How it Works, How to Fight Back (Krebs on Security)

Another damn thing to worry about. Faked text messages and phone calls "from your bank."
https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/

------------------------------

Date: Wed, 24 Nov 2021 12:05:30 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Wikipedia Tests AI for Spotting Contradictory Claims in Articles (New Scientist)

Matthew Sparkes, *New Scientist*, 19 Nov 2021
via ACM TechNews, Wednesday, November 24, 2021

Researchers at Taiwan's National Cheng Kung University, in conjunction with the Wikimedia Foundation, have developed artificial intelligence technology which they say can identify contradictory claims in Wikipedia articles and flag them for human review. The researchers found 2,321 contradiction warnings in all English Wikipedia articles posted by March 2020. They used 80% of 1,105 examples of contradictions and solutions by human editors to train the neural network to detect contradictions on its own. The remaining 20% of the data then was used to test the neural network, which was found to have an accuracy rate of up to 65%.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2d791x22fa56x074532&

  [65%??? For anyone weak in math, that means the INACCURACY rate is *at least* 35%, and probably much more, based on the lacunae of the approach. Wow! No surprise there. PGN]

------------------------------

Date: Mon, 22 Nov 2021 11:42:59 -0800
From: Rob Slade <rmsl...@shaw.ca>
Subject: Apple, Facebook, privacy, voter turnout efforts, and differential privacy

Apple is trying to position itself as "the privacy company." One of the ways it is doing that is, purportedly, by using differential privacy in a big way. However, what Apple is *mostly* doing is making trouble for other companies (like Facebook) trying to get user data. Recently, Apple's iOS devices started *not* sending click-through and other data to Facebook. Facebook seems to have responded by *not* presenting click-through type ads to iOS devices.
Which has created a problem for various advertisers, including both political parties and social activists.

https://www.protocol.com/policy/apple-facebook-voter-turnout

The thing is, if Apple truly *were* using differential privacy, it would be easy to resolve this fight by using "privacy by randomized response," a protocol long used by social scientists. Local differential privacy would add noise to the data, but it could be mathematically removed by companies to provide user privacy, while still allowing a lot of useful overall consumer data to be collected.

The bottom line is, Apple, while pushing its use of differential privacy, doesn't seem to understand it or use it effectively. (And Facebook still doesn't care about your privacy at all ...)

------------------------------

Date: Mon, 22 Nov 2021 15:01:50 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Google hacking (Wikipedia)

Google hacking, also named Google dorking,[1][2] is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using.[3] Google dorking could also be used for OSINT.

"Google hacking" involves using advanced operators in the Google search engine to locate specific errors of text within search results. Some of the more popular examples are finding specific versions of vulnerable Web applications. A search query with intitle:admbook intitle:Fversion filetype:php would locate all web pages that have that particular text contained within them. It is normal for default installations of applications to include their running version in every page they serve, for example, "Powered by XOOPS 2.2.3 Final".

Devices connected to the Internet can be found. A search string such as inurl:"ViewerFrame?Mode=" will find public web cameras.

Another useful search is intitle:index.of followed by a search keyword. This can give a list of files on the servers.
For example, intitle:index.of mp3 will give all the MP3 files available on various types of servers.

https://en.wikipedia.org/wiki/Google_hacking

------------------------------

Date: Mon, 22 Nov 2021 19:42:47 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Devious *Tardigrade* Malware Hits Biomanufacturing Facilities (WiReD)

The surprisingly sophisticated attack is “actively spreading” throughout the industry.

When ransomware hit a biomanufacturing facility this spring, something didn't sit right with the response team. The attackers left only a halfhearted ransom note, and didn't seem all that interested in actually collecting a payment. Then there was the malware they had used: a shockingly sophisticated strain dubbed Tardigrade.

As the researchers at biomedical and cybersecurity firm BioBright dug further, they discovered that Tardigrade did more than simply lock down computers throughout the facility. They found that the malware could adapt to its environment, conceal itself, and even operate autonomously when cut off from its command and control server. This was something new.

https://www.wired.com/story/tardigrade-malware-biomanufacturing/

------------------------------

Date: Tue, 23 Nov 2021 10:40:17 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: The unbearable fussiness of the smart home (staceyoniot)

As we head into another gifting season and more and more connected devices make their way onto gift guides, I want to offer a cautionary note. The smart home is like a cat — mostly self-sufficient and nice to have, but also possessing a mind of its own that can lead to frustration and confusion for its owner. Indeed, when you gift or get a connected device, ownership turns into active participation with the device and various other ecosystems.

What do I mean? Three weeks ago, three of my devices stopped working — all for different reasons — and required different steps to fix them.
This week, one device suddenly started working again, another connected after some initial struggles, and a third became so intrusive I had to move it to another room.

This isn’t a device or brand problem. It’s an industry problem. Smart home products look like hardware but are really software, subject to updates and changes that will break integrations, contain bugs, and add new, unwanted features. For most consumers, there’s a gap between what they expect from hardware and what they get with smart home devices that leads to dissatisfaction, returns, and poor user experiences. For the manufacturers, there’s a lack of tools and/or research to ensure that software updates don’t cause problems or that new features don’t frustrate users.

I’ll offer up a few examples of fussy devices to illustrate these issues. Let me be your cautionary tale before purchasing a smart bulb or speaker. [...]

https://staceyoniot.com/the-unbearable-fussiness-of-the-smart-home/

------------------------------

Date: Fri, 26 Nov 2021 11:24:56 -0800
From: Rob Slade <rsl...@gmail.com>
Subject: YANCV: Yet Another New CoVID Variant

A new CoVID variant (B.1.1.529) (and named omicron, possibly to avoid "nu" jokes) has arisen. It *may* be more transmissible. It *may* be that the existing vaccines are somewhat less effective at protecting against it. World stock markets are tumbling, and the end of the world is upon us.

Just like last time.

Look, we know how to deal with this. I tend to use the ransomware example: it doesn't matter who is trying to hit you with what new version of ransomware: if you've got a backup, you're good. The existing vaccines may be slightly less effective. But they will be somewhat effective, and you should get them.

Although I would add defence in depth or layered defence. Vaccines aren't perfect, so wash your hands. Handwashing isn't perfect so wear a mask. Masks aren't perfect so avoid crowds. It isn't *one* of the Five Heroic Acts, it's *all* of them.
https://www.who.int/campaigns/connecting-the-world-to-combat-coronavirus/safehands-challenge/5-heroic-acts

And remember the "Hitchhiker's Guide to the Galaxy": DON'T PANIC!

  [I have eschewed another rather less RISKS-relevant item from Rob on the naming of the COVID variants. Who's "xi"? What's "nu"? omic<h>ron didn't show up with my NYTimes last Thursday? PGN]

------------------------------

Date: 23 Nov 2021 15:41:27 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: Unconsidered automatic filtering creates damaging side-effects (RISKS-32.93)

>have the sequence "ass" removed, yielding "pion", "ociation", and "ume",
>among others.

This is generally known as the Scunthorpe problem, after a town in England which is chronically blocked by badly written obscenity filters. It has two Wikipedia pages, one for the town, one for the filtering errors which date from 1996:

https://en.wikipedia.org/wiki/Scunthorpe
https://en.wikipedia.org/wiki/Scunthorpe_problem

  [Similar comment from Craig S. Cottingham. Of course, the S***thorpe problem cropped up in RISKS-15.13, RISKS-18.07, RISKS-18.08, RISKS-20.68, RISKS-26.89, RISKS-31.74, and RISKS-32.54. PGN]

------------------------------

Date: Thu, 25 Nov 2021 14:38:42 +0000
From: "Martin Ward" <mar...@gkc.org.uk>
Subject: Re: Scammers impersonate guest editors to get sham papers published (RISKS-32.93)

A related article ("Predatory publishers’ latest scam: bootlegged and rebranded papers") suggests: "Instead of repeatedly severing heads for new ones to regrow, policy that combats predatory publishing should focus on starving the Hydra of resources."

An article published in "Nature" cannot, of course, suggest the simplest and most effective solution to the problem: completely starve the Hydra by taking money out of the article publishing enterprise altogether.
Authors and reviewers already provide their work for free: this is then "monetized" by predatory journals, such as Nature, who charge exorbitant amounts for copies of papers and make substantial profits out of other people's work without adding any value. (For example, one of the referenced papers listed in this paper is available as a downloadable PDF for a mere £29.95 including VAT).

Make all journals free to access and free to publish in, and take the pressure off academics to continually publish ("publish or perish"). The costs of providing access can be met via small charitable foundations supported by donations from University libraries. The libraries can easily afford these donations since they will no longer have to pay exorbitant subscription fees to journals. The rest of the money that they save can go to fund more research, instead of publishers' profits.

With money taken out of the equation, the main incentive to produce sham papers and sham publications disappears. Until then, we will have the "legitimate" publishers wringing their hands and complaining about all these "predatory" publishers. They sound to me like so many "legitimate" protection racketeers complaining about all the "predatory" protection racketeers that keep cropping up on their turf!

------------------------------

Date: Mon, 29 Nov 2021 09:19:48 +0100
From: "Diego.Latella" <diego.late...@isti.cnr.it>
Subject: CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector (GAO Critical Infrastructure Protection)

https://www.gao.gov/products/gao-22-104462?utm_campaign=usgao_email&utm_content=topic_homelandsecurity&utm_medium=email&utm_source=govdelivery

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update it. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.94
************************
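Editor's worked example, not part of the digest, for Rob Slade's item on Apple, Facebook and differential privacy above. "Privacy by randomized response" (Warner's 1965 survey technique) is the protocol he names: each user perturbs a single yes/no answer on their own device before sending it, so the collector never learns any individual's true answer, yet the population proportion can be recovered from the noisy totals. This is illustrative code, not Apple's or Facebook's implementation; the truth probability p_truth, the population size and the seed are chosen here for the demonstration.

```python
"""Randomized response: local differential privacy you can still aggregate.

Illustrative code for the RISKS item on differential privacy; not Apple's or
Facebook's implementation. Each user flips a coin on their own device and may
send a lie; the collector never sees any individual's true bit but recovers the
population proportion from the noisy totals. p_truth, n_users and the seed are
assumptions chosen for this demonstration.
"""
import math
import random
from typing import Iterable, Tuple


def randomized_response(truth: bool, p_truth: float, rng: random.Random) -> bool:
    """One user's report. With probability p_truth send the real bit,
    otherwise send a fair coin flip. Runs on the client; the true bit
    never leaves the device."""
    if rng.random() < p_truth:
        return truth
    return rng.random() < 0.5


def estimate_true_fraction(reports: Iterable[bool], p_truth: float) -> float:
    """Collector side. P(report yes) = p*pi + (1-p)/2, so the unbiased
    estimate of the true 'yes' fraction pi is (P_obs - (1-p)/2) / p.
    Clamped to [0, 1] because sampling noise can push it outside."""
    reports = list(reports)
    if not reports:
        raise ValueError("no reports to aggregate")
    p_obs = sum(1 for r in reports if r) / len(reports)
    est = (p_obs - (1 - p_truth) / 2) / p_truth
    return min(1.0, max(0.0, est))


def epsilon(p_truth: float) -> float:
    """Worst-case privacy loss per report, ln(P(yes|true yes)/P(yes|true no)):
    a 'yes' is (1+p)/2 likely from a true yes and (1-p)/2 from a true no."""
    if p_truth >= 1.0:
        return math.inf  # always truthful: no privacy at all
    return math.log((1 + p_truth) / (1 - p_truth))


def simulate(n_users: int, true_fraction: float, p_truth: float, seed: int = 0) -> Tuple[float, float]:
    """Constructed population; returns (actual fraction, collector's estimate)."""
    rng = random.Random(seed)
    truths = [rng.random() < true_fraction for _ in range(n_users)]
    reports = [randomized_response(t, p_truth, rng) for t in truths]
    actual = sum(truths) / n_users
    return actual, estimate_true_fraction(reports, p_truth)


if __name__ == "__main__":
    actual, est = simulate(20000, 0.30, 0.5, seed=1)
    print(f"epsilon={epsilon(0.5):.3f} actual={actual:.3f} estimate={est:.3f}")
```

The trade-off is explicit in `epsilon`: p_truth = 0.5 gives epsilon = ln 3, and the collector's estimate has standard error of order 1/(p_truth * sqrt(n)), so the noise is "removed" only in aggregate over many users, never for one report.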
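Editor's worked example, not part of the digest, for the "Google hacking (Wikipedia)" item above. It composes the operator syntax the item quotes (intitle:, inurl:, filetype:) and, on the defensive side, scans pages you already control for the artefacts those dorks key on: a "Powered by <product> <version>" banner, an "Index of /" directory listing, and a camera viewer path. This is illustrative code, not Google's or Wikipedia's; the sample pages, hostname example.test and the CAMERA_PATHS list are constructed for the demonstration.

```python
"""What Google dorks find, checked locally: version banners and open listings.

Illustrative code for the RISKS "Google hacking" item; not Google's or
Wikipedia's. build_dork() composes the operator syntax quoted in the item;
detect_exposures() scans a page you already have (your own) for the artefacts
those dorks key on. SAMPLE_PAGES and CAMERA_PATHS are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Sequence

# Constructed pages standing in for responses fetched from one's own servers.
SAMPLE_PAGES: Dict[str, str] = {
    "https://example.test/admin/": (
        "<html><head><title>Admin</title></head><body>"
        "<div class='footer'>Powered by XOOPS 2.2.3 Final</div></body></html>"
    ),
    "https://example.test/backup/": (
        "<html><head><title>Index of /backup</title></head>"
        "<body><h1>Index of /backup</h1><a href='db.sql.gz'>db.sql.gz</a></body></html>"
    ),
    "https://example.test/cam/ViewerFrame?Mode=Motion": "<html><body>cam</body></html>",
    "https://example.test/": "<html><head><title>Home</title></head><body>Hello</body></html>",
}

# "Powered by XOOPS 2.2.3 Final": product words, a dotted version, optional tag.
VERSION_BANNER = re.compile(
    r"Powered by\s+([A-Za-z][\w\-]*(?:\s[A-Za-z][\w\-]*)*\s\d+(?:\.\d+)+(?:\s[A-Za-z]\w*)?)",
    re.IGNORECASE,
)
# Autoindex pages put "Index of /path" in <title> and <h1>.
DIRECTORY_LISTING = re.compile(r"<(?:title|h1)>\s*Index of\s*/", re.IGNORECASE)
# Path fragment from the item; extend with your own (assumption).
CAMERA_PATHS = ("ViewerFrame?Mode=",)


def _quote(value: str) -> str:
    """Operator arguments containing whitespace or query characters need quoting,
    as in inurl:"ViewerFrame?Mode="."""
    return f'"{value}"' if re.search(r"[\s?&=]", value) else value


def build_dork(intitle: Sequence[str] = (), inurl: Sequence[str] = (),
               filetype: Optional[str] = None, site: Optional[str] = None,
               terms: Sequence[str] = ()) -> str:
    """Compose a search query from the advanced operators named in the item."""
    parts: List[str] = []
    if site:
        parts.append(f"site:{site}")
    parts += [f"intitle:{_quote(t)}" for t in intitle]
    parts += [f"inurl:{_quote(u)}" for u in inurl]
    if filetype:
        parts.append(f"filetype:{filetype}")
    parts += list(terms)
    return " ".join(parts)


def detect_exposures(url: str, html: str) -> List[str]:
    """Flag the things the dorks above would surface for this page."""
    findings: List[str] = []
    banner = VERSION_BANNER.search(html)
    if banner:
        findings.append(f"version_banner:{banner.group(1)}")
    if DIRECTORY_LISTING.search(html):
        findings.append("directory_listing")
    if any(p in url for p in CAMERA_PATHS):
        findings.append("camera_viewer_path")
    return findings


def audit(pages: Dict[str, str] = SAMPLE_PAGES) -> Dict[str, List[str]]:
    """Run detect_exposures over every page; only pages with findings are kept."""
    report: Dict[str, List[str]] = {}
    for url, html in pages.items():
        findings = detect_exposures(url, html)
        if findings:
            report[url] = findings
    return report
```

Running `audit()` over your own crawl output is the cheap counterpart to the dork: if the banner or listing is in the HTML, a search engine will index it, and the fix (strip the version footer, disable autoindex, put the viewer behind authentication) is yours to apply before anyone else searches for it.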
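Editor's worked example, not part of the digest, for John Levine's "Re: Unconsidered automatic filtering creates damaging side-effects" above. It places the failure mode the thread describes (deleting every occurrence of a blocked substring, so "passion" becomes "pion") beside a word-boundary filter that masks whole-word hits only and reports what it matched, so the decision can be logged and reviewed rather than silently applied. This is illustrative code from the editor, not from either contributor or from any real filter; the one-entry blocklist and the sample sentence are constructed for the demonstration.

```python
"""Substring blocklists vs. word-boundary matching: the Scunthorpe problem.

Illustrative code for the RISKS thread on automatic filtering; not from the
contributors or from any deployed filter. BLOCKLIST and SAMPLE are constructed
for the demonstration (a real list would be longer).
"""
import re
from typing import Iterable, List, Tuple

# Constructed blocklist: the one token the thread discusses.
BLOCKLIST = ["ass"]

# Constructed sample containing the innocent words cited in the thread.
SAMPLE = "Her passion for the association made me assume she would join."


def naive_filter(text: str, blocklist: Iterable[str] = BLOCKLIST) -> str:
    """The failure mode described in the thread: delete every occurrence of
    each blocked string with no regard for where a word begins or ends."""
    for word in blocklist:
        text = text.replace(word, "")
    return text


def _compile(blocklist: Iterable[str]):
    # \b anchors both ends to word boundaries; re.escape keeps list entries
    # literal; longest entries first so a longer entry is not pre-empted by a
    # shorter one that is its prefix.
    alts = sorted(blocklist, key=len, reverse=True)
    return re.compile(r"\b(?:" + "|".join(map(re.escape, alts)) + r")\b", re.IGNORECASE)


def find_matches(text: str, blocklist: Iterable[str] = BLOCKLIST) -> List[Tuple[str, int, int]]:
    """Return (matched_text, start, end) for each whole-word hit, so a filter
    can log or queue for review instead of silently mutating content."""
    return [(m.group(0), m.start(), m.end()) for m in _compile(blocklist).finditer(text)]


def word_boundary_filter(text: str, blocklist: Iterable[str] = BLOCKLIST, mask: str = "***") -> str:
    """Mask whole-word hits only. Longer words that merely contain a blocked
    string ("passion", "association", "assume") are left intact."""
    return _compile(blocklist).sub(mask, text)
```

The boundary check removes the substring class of false positives; it does not make a blocklist a good idea. Place names and surnames that are themselves listed words still need an allowlist or human review, which is why `find_matches` returns positions rather than a rewritten string.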