RISKS-LIST: Risks-Forum Digest Friday 25 February 2022 Volume 33 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.07>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The radiation will never be higher in Chernobyl? oops! (danny burstein)
3G shutdown will affect a host of everyday devices (Gabe Goldberg)
TurboTax Maker Intuit Faces Tens of Millions in Fees in a Groundbreaking
  Legal Battle Over Consumer Fraud (ProPublica)
Ukraine, computer risks, and the Space Station (Lauren Weinstein PGN-ed)
How NASA plans to destroy the International Space Station, and the
  dangers involved (phys.org)
Man versus machine: Human beings losing out as AI coldly fires
  under-performing workers (Straits Times)
Robots are increasing mortality among US adults (phys.org)
Difficult situation on campus: robots blockaded (Sean Hecht)
Facial recognition firm Clearview AI tells investors it's seeking massive
  expansion beyond law enforcement (WashPost)
Power outages (PGN)
New Bill Would Bring Mobile Voting To WashDC (DCist)
SSL protocol mismatch (Cliff Kilby)
Inside the Lab Where Intel Tries to Hack Its Own Chips (WiReD)
The CDC Isn't Publishing Large Portions of the Covid Data It Collects (NYTimes)
$1.7 million in NFTs stolen in apparent phishing attack on OpenSea users
  (The Verge)
Digital Wallet cartoon in *The New Yorker* (Jan Wolitzky)
Re: Really big electric power refund (Steve Bacher, Morten Welinder)
Re: Some Mazda cars stuck on a Seattle Station (David Lesher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 25 Feb 2022 15:02:20 +0000 ()
From: danny burstein <dan...@panix.com>
Subject: The radiation will never be higher in Chernobyl? oops!
Radiation meters in the extended Chernobyl area have been reading higher and higher, with many of them reporting numbers of 65500 nanosieverts/hr. Which is annoyingly high, but likely (hopefully...) simply a matter of (formerly) stable contaminated dirt and dust getting kicked up from tanks running over it and shelling, etc.

But ... this led to the following observation, which does add a bit more concern:

  [Twitter] "An explanation for my non-IT followers is in order.
  "Digital devices often store numerical values in data cells called a "double" (two times 8 bits).
  "The largest number it can store is (2 to the 16th, minus 1, which comes out to) 65535... which rounded down to the nearest hundred is 65500..."

more at:
  https://twitter.com/KirilsSolovjovs/status/1497001320015970310
  https://twitter.com/DrEricDing/status/1497011166341599274

------------------------------

Date: Thu, 17 Feb 2022 15:15:41 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: 3G shutdown will affect a host of everyday devices

The looming shutdown of 3G networks won't impact just older phones. With AT&T's 3G network shutting down next week, and other carriers following suit later this year, a range of products require updates to continue working, including some home alarm systems, medical devices such as fall detectors, and in-car crash notification and roadside assistance systems such as General Motors' OnStar.

Just as many mobile carriers have urged customers to swap their older 3G iPhones, Android phones, e-readers and other hand-held devices for newer models ahead of the shutdown, other businesses are urging customers to upgrade or replace some of the everyday products and services in their homes and cars before they drop connectivity.

If left unaddressed, the stakes could be high in certain cases. Millions of cars, for example, may no longer have the ability to contact first responders after a collision or receive updates such as location or traffic alerts for built-in GPS systems.
Some vehicles, including Chevrolet, Buick and Cadillac, have software upgrades for drivers to connect their systems to a 4G network, but other models will reportedly lose this feature for good.
http://pge.libercus.net//.pf/showstory/202202170035/3

  [Monty Solomon noted this addition to the above item:
   AT&T 3G shutdown on Feb. 22 to impact seniors with medical alert devices (CNBC)
   https://www.cnbc.com/2022/02/19/att-3g-shutdown-on-feb-22-to-impact-seniors-with-medical-alert-devices.html
  PGN]

------------------------------

Date: Thu, 24 Feb 2022 15:53:11 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: TurboTax Maker Intuit Faces Tens of Millions in Fees in a Groundbreaking Legal Battle Over Consumer Fraud (ProPublica)

At a hearing before U.S. District Court Judge Charles Breyer, a lawyer for Intuit complained that "the Keller firm is able to threaten companies -- Intuit's not alone -- into paying $3,000 in arbitration fees, for a $100 claim."

Breyer questioned whether the proposed settlement was in the best interest of consumers.

Breyer: ``I did think when I looked at this, and saw that, really, that this was a way to avoid or otherwise circumscribe arbitration, that it seemed to be that Intuit was, in Hamlet's words, hoisted by their own petard. I think arbitration is the petard that Intuit now faces.''

His comments were first reported by Reuters. Breyer rejected the settlement in March 2021.
https://www.propublica.org/article/turbotax-maker-intuit-faces-tens-of-millions-in-fees-in-a-groundbreaking-legal-battle-over-consumer-fraud

Poor Intuit, being forced to arbitrate claims...

------------------------------

Date: Fri, 25 Feb 2022 09:52:23 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Ukraine, computer risks, and the Space Station

  [Retitled and repackaged: Sundry messages from Lauren.
  PGN]

Social media platforms on the defensive as Russian-based disinformation about Ukraine spreads

You will recall that recently Putin sent armed thugs into Google's Moscow offices when they tried to fight Putin's demand that content related to his political opponent be removed. We're not talking typical social media sanctions here -- we're talking Russian thugs with guns.
https://www.politico.com/news/2022/02/24/social-media-platforms-russia-ukraine-disinformation-00011559

  - - - -

Russia retaliates on Facebook's restrictions on Russian propaganda and lies

Russia Will Restrict Access to Facebook, State Media Reports
https://www.vice.com/en/article/93bgq7/russia-will-restrict-access-to-facebook-state-media-reports

  - - - -

Putin and Nazis

Putin rants about Nazis controlling Ukraine. The president of Ukraine is Jewish. Apparently, Putin believes the population of Russia are morons. He's wrong.

  - - - -

Google's actions in response to the Ukrainian situation

Long thread from Google about actions being taken in response to the Ukrainian situation
https://twitter.com/googleeurope/status/1497312445303513094

  - - - -

Russia is threatening to crash (since they control propulsion) the International Space Station in response to sanctions against Russia. This is assumed to be bluster, but shades of "2010: The Year We Make Contact" ('84).

------------------------------

Date: Sun, 20 Feb 2022 09:22:52 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: How NASA plans to destroy the International Space Station, and the dangers involved (phys.org)

https://phys.org/news/2022-02-nasa-international-space-station-dangers.html

"The ISS has been described as the most expensive single item ever constructed. As of 2010, the total cost was US$150 billion.
This includes NASA's budget of $58.7 billion ($89.73 billion in 2021 dollars) for the station from 1985 to 2015, Russia's $12 billion, Europe's $5 billion, Japan's $5 billion, Canada's $2 billion, and the cost of 36 shuttle flights to build the station, estimated at $1.4 billion each, or $50.4 billion in total. Assuming 20,000 person-days of use from 2000 to 2015 by two- to six-person crews, each person-day would cost $7.5 million, less than half the inflation-adjusted $19.6 million ($5.5 million before inflation) per person-day of Skylab."
See https://en.wikipedia.org/wiki/International_Space_Station#Cost, retrieved on 20FEB2022.

Assume construction and total operating costs aggregate to US$ 200B today. Compare that lump sum to the ~US$ 1B per year (estimated in 2015) of revenue generated from commercial spin-offs and license royalties. See "Testimony before the Subcommittee on Space, Committee on Science, Space, and Technology, U.S. House of Representatives Hearing on America's Human Presence in Low-Earth Orbit, Dr. Bhavya Lal, IDA Science and Technology Policy Institute," May 17, 2018, page 5, retrieved on 20FEB2022:
https://docs.house.gov/meetings/SY/SY00/20180517/108302/HHRG-115-SY00-Wstate-LalB-20180517.pdf

"Space station dollars are spent on the ground!" (See https://www.nytimes.com/1991/05/26/weekinreview/the-nation-can-nasa-make-space-seem-worth-the-price.html, retrieved on 20FEB2022). Indeed. Space programs employ a lot of people. No boxcar-sized return on investment cited to date, unless you count von Karman Line tourism as a big win. There's some solid science on the ISS: The Alpha Magnetic Spectrometer, Bose-Einstein condensates, and some physiology experiments.

The ISS will be "dumped into the drink" sometime in 2031. Plenty of time to plan how to dodge any de-orbited debris that misses the intended South Pacific ocean graveyard burial.
------------------------------

Date: Tue, 22 Feb 2022 10:19:03 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Man versus machine: Human beings losing out as AI coldly fires under-performing workers (Straits Times)

https://www.straitstimes.com/tech/tech-news/man-versus-machine-human-beings-losing-out-as-ai-coldly-fires-under-performing-workers

'"We measure humans by the standards that are appropriate for machines and then we tell them we need technology to make them more human. It's perverse," said Professor Shannon Vallor, the Baillie Gifford Chair in the Ethics of Data and Artificial Intelligence at the University of Edinburgh. Speaking at a recent panel discussion on AI, she said technology should be about enhancing people's capabilities and experiences. But, increasingly, she is seeing AI being designed to advance its performance, "and humans are being twisted into knots in order to make that possible".'

A business corrects processes when public outrage exposes AI deployments that abuse employee capacities or cause physical harm. Proactive monitoring of mechanized work, such as snap inspections of highly-automated, AI-driven factories or warehouses, will become impractical as technological solutions penetrate deeper into manual labor. Automated oversight of fair labor practices, as might be enforced by regulations, is problematic in that whoever (or whatever) controls the input regulatory specification determines compliance.

------------------------------

Date: Fri, 25 Feb 2022 10:41:42 +0800
From: Richard Stein <rmst...@ieee.org>
Subject: Robots are increasing mortality among US adults (phys.org)

https://phys.org/news/2022-02-robots-mortality-adults.html

The automation of U.S. manufacturing -- robots replacing people on factory floors -- is fueling a rising mortality rate among America's working-age adults, according to a new study by researchers at Yale and the University of Pennsylvania.
Industrial automation accelerates labor dislocation while human despair accumulates. How will highly industrialized societies sustain an economy without consumers of automatically produced goods and services?

------------------------------

Date: Thu, 17 Feb 2022 18:38:42 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Difficult situation on campus: robots blockaded (Sean Hecht)

... Traffic jam of automated food delivery robots, apparently all stuck behind a carelessly discarded scooter. I just observed a couple of students clearing a path out of pity for the robots. This is our future, I guess.
https://twitter.com/seanhecht/status/1493432613628825600

------------------------------

Date: Fri, 18 Feb 2022 09:33:49 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Facial recognition firm Clearview AI tells investors it's seeking massive expansion beyond law enforcement (WashPost)

It claims to be on track to have 100 billion facial photos in its database within a year, enough to ensure almost everyone in the world will be identifiable, according to a financial presentation from December obtained by *The Washington Post*.
https://www.washingtonpost.com/technology/2022/02/16/clearview-expansion-facial-recognition/

------------------------------

Date: Fri, 18 Feb 2022 15:33:07 PST
From: Peter Neumann <neum...@csl.sri.com>
Subject: Power outages

To add to the long litany of outages reported in RISKS, my afternoon work was disrupted by a regional power outage affecting 4,500 customers in southeast Palo Alto -- due to a Mylar balloon on power wires, presumably near one of the retransmission sites. One of my neighbors suggested that Mylar balloons are bad for the environment and bad for electrical transmission.
------------------------------

Date: Mon, 21 Feb 2022 19:25:24 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: New Bill Would Bring Mobile Voting To WashDC (DCist)

As written, the bill would require that the Washington DC Board of Elections create a secure system to allow any voter to fill out and submit a ballot from their smartphone, tablet, or computer. [...]

Still, the bill could face stiff opposition from experts who say that while online security options are improving, mobile voting would still be susceptible to hacking. ``There is currently no Internet technology available that allows for the secure transmission of voted ballots while also maintaining voter privacy and ballot verifiability,'' wrote Mark Lindeman, an expert on voting security and audits with Verified Voting, a nonpartisan group that focuses on elections and technology, in a recent letter to legislators in Rhode Island considering a bill to allow ballots to be returned over the Internet.
https://dcist.com/story/22/02/21/new-bill-would-bring-mobile-voting-to-d-c/

------------------------------

Date: Wed, 23 Feb 2022 17:34:18 -0500
From: Cliff Kilby <cliffjki...@gmail.com>
Subject: SSL protocol mismatch

Lots of security tools are based on Linux, and the Linux environment tends towards earlier adoption of updated security guidance. This has created a gap.

Kali Linux is intentionally configured to allow older protocols, but has disabled SSLv3.
https://www.kali.org/docs/general-use/openssl-configuration/

Windows as late as Windows 10 still has SSLv3 enabled.
https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#pre-tls-standard-protocols-support

It would be worthwhile to ensure your security tools have the older protocols available for pen-testing.
------------------------------

Date: Wed, 23 Feb 2022 20:40:25 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Inside the Lab Where Intel Tries to Hack Its Own Chips (WiReD)

Researchers at iSTARE have to think like the bad guys, finding critical flaws before processors go to production.
https://www.wired.com/story/intel-lab-istare-hack-chips/

------------------------------

Date: Mon, 21 Feb 2022 12:02:52 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: The CDC Isn't Publishing Large Portions of the Covid Data It Collects (NYTimes)

The agency has withheld critical data on boosters, hospitalizations and, until recently, wastewater analyses.
https://www.nytimes.com/2022/02/20/health/covid-cdc-data.html

------------------------------

Date: Mon, 21 Feb 2022 15:06:59 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users (The Verge)

Two hundred and fifty-four tokens were stolen over roughly three hours.
https://www.theverge.com/2022/2/20/22943228/opensea-phishing-hack-smart-contract-bug-stolen-nft

------------------------------

Date: Mon, 21 Feb 2022 07:43:55 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: Digital Wallet cartoon in *The New Yorker*

*"Our new digital wallet app is going to revolutionize the way people get robbed."*

  [I respect TNY's paywall, but recommend their caption contest. PGN]

------------------------------

Date: Sat, 19 Feb 2022 12:21:21 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: Really big electric power refund (Epstein, RISKS-33.06)

The ability to handle large numbers does not necessarily imply that those numbers are expected to occur normally. For instance, it could have been a prepackaged software routine that was general purpose enough to accommodate conceivably huge amounts.
Common Lisp, for example, has the numeric-to-English-output feature built in to the standard format function. I wrote code to implement this in the Lisp system that I built for the IBM mainframe in the 1980s, so I know how it would work. Once you have established the algorithm to handle thousand, million and billion, it is fairly straightforward to extend that to trillion and up. My code was written to handle amounts up to a vigintillion [?], with little effort.

(It is said that 80% of the code of a given program is designed to handle things that happen 20% of the time, or maybe 90%/10%. Whatever.)

  [Whatever? That seems irrelevant to RISKS. It might just be the one line that is never expected to be executed that saves the day when it does get executed. PGN]

------------------------------

Date: Fri, 18 Feb 2022 20:48:21 -0500
From: Morten Welinder <mwelin...@gmail.com>
Subject: Re: Really big electric power refund (BBC)

I am going to assume that someone just grabbed a library that may or may not have had anything to do with money.

However, there's another risk here: just how big is a trillion? If you meant to write a check for "one trillion" in the 10^12 sense, it would be rather awkward to do so in a jurisdiction where "one trillion" means 10^18. Even in Zimbabwe that difference would have taken weeks to even out.
https://en.wikipedia.org/wiki/Trillion

------------------------------

Date: Sat, 19 Feb 2022 10:16:46 -0500
From: David Lesher <wb8...@panix.com>
Subject: Re: Some Mazda cars stuck on a Seattle Station (RISKS-33.06)

In 2019 Github detailed a bug in the receivers; it's not clear if it is the same bug or its brother. In either case, Little Johnny Tables <https://xkcd.com/327/> came to mind.
<https://github.com/Hamled/mazda-format-string-bug#readme>

  printf format string bug in Mazda Connect Infotainment System

  Bug Description

  The Infotainment System's UI (and possibly other software elements) crashes when a Bluetooth audio source sends track metadata wherein the track name (at least) includes a "%n" conversion specifier.

  Example Case

  When the track's title includes the string "99% Invisible" this triggers a crash.

  [...]

  Perhaps the most unusual aspect of this from a coder's perspective (this kind of bug isn't all that uncommon, unfortunately), is actually the 'I' itself. This is a Microsoft-invented 'upgrade' to the ISO standard C format specifiers, but it's almost certainly the case that Mazda's Infotainment System does not use Windows as its operating system. It turns out that GCC and Clang (the two major compilers for open source software) have included the 'I' specifier as well, presumably for compatibility so people can easily move their code from Microsoft's VC++ compiler to them (and back).

  Talking about code using natural languages like English is really fraught with problems! The Reply All episode that discussed this bug involved the hosts speaking with some coders about using the phrase "percent I" -- but maybe everyone was assuming "%i" which is much more common. However for the computer, in its infinitely pedantic manner, "%i" and "%I" have nothing in common... which means we as coders have to be aware of that kind of difference. Without that key info, we wouldn't know to look past the 'I' and see that the 'n' is what was causing the crash. ...

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
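  [Editor's added illustration for the Mazda item above. This is example code written for this digest, not code from the GitHub report, from Mazda, or from any infotainment vendor. It walks a track-title string the way a printf implementation parses a format (percent sign, then flags such as the space and the 'I' that the report says GCC and Clang accept, width/precision, length modifier, conversion letter) and reports whether any directive would be a "%n". That is the check a defender or a fuzzing harness wants: "99% Invisible" is flagged, "100%% pure" is not. It also shows the one-line fix, a constant format with the untrusted metadata passed as an argument. The sample titles and the function names are constructed for this example. PGN]

```c
#include <stdio.h>
#include <string.h>

/* Characters a printf implementation accepts between '%' and the
 * conversion letter: flags (including the 'I' flag the Mazda report
 * discusses and glibc's thousands-grouping '\''), width and precision
 * digits, '*' and '.', and the length modifiers.  Constructed for this
 * example; it mirrors the common C library grammar, not one vendor's. */
static const char PREFIX_CHARS[] = "-+ #0'I0123456789.*hlLqjzt";

/* Scan s as a printf implementation would and return how many directives
 * end in the 'n' conversion (the "write bytes-so-far to a pointer" one).
 * "%%" is a literal percent sign and is skipped.  "99% Invisible" parses
 * as '%', flags ' ' and 'I', then conversion 'n' -- the case in the report. */
int count_n_directives(const char *s)
{
    int n_count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                     /* "%%": literal percent sign */
            continue;
        while (*p && strchr(PREFIX_CHARS, *p))
            p++;                           /* skip flags/width/length */
        if (*p == 'n')
            n_count++;
        if (!*p)                           /* trailing lone '%' */
            break;
    }
    return n_count;
}

/* 1 if the string holds no '%' at all, i.e. it is harmless even if some
 * caller mistakenly passes it as a format string; 0 otherwise. */
int is_directive_free(const char *s)
{
    for (const char *p = s; *p; p++)
        if (*p == '%')
            return 0;
    return 1;
}

/* The defect class in the report is untrusted metadata used AS the format:
 *     printf(title);      // with title == "99% Invisible" this reaches %n
 * The fix is a constant format with the data supplied as an argument, so
 * the percent signs in the title are never interpreted. */
void show_title(const char *title)
{
    printf("Now playing: %s\n", title);
}

/* Constructed sample metadata, as a Bluetooth source might send it. */
static const char *SAMPLE_TITLES[] = {
    "Track 1",
    "99% Invisible",
    "100%% pure",
    "50% off",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE_TITLES / sizeof *SAMPLE_TITLES; i++) {
        show_title(SAMPLE_TITLES[i]);
        printf("  %%n directives: %d, directive-free: %d\n",
               count_n_directives(SAMPLE_TITLES[i]),
               is_directive_free(SAMPLE_TITLES[i]));
    }
    return 0;
}
```

  [The scanner is for triage and test harnesses; the real defence is the constant-format call in show_title, and GCC and Clang will point at the original defect at compile time with -Wformat -Wformat-security when a non-literal format is passed with no arguments. PGN]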
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
 Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
 Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.07
************************