RISKS-LIST: Risks-Forum Digest  Sunday 7 August 2022  Volume 33 : Issue 37

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.37>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
U.S. Air Force To Test Single-Pilot C-130 Flight Crews (FLYING Magazine)
How a Trash-Talking Crypto Bro Caused a $40 Billion Crash (NYTimes)
Nuclear Fusion Is Already Facing a Fuel Crisis (WiReD)
Fighting Around Zaporizhzhia Nuclear Power Plant Is 'Out of Control' (Matthew Gault via Henry Baker)
Nomad offers 10% bounty in $190M cryptocurrency hack (WashPost)
WashDC Metrorail Routinely Skipped Safety Protocols, Putting Workers At Risk (DC Patch)
Former T-Mobile store owner netted $25 million from 5-year scheme, which included tricking employees into resetting passwords (Fortune)
California Regulator Accuses Tesla of Falsely Advertising Autopilot (NYTimes)
North Korea-Backed Hackers Have Clever Way to Read Gmail (Dan Goodin)
AI Does Not Have Thoughts, No Matter What You Think (Cade Metz)
Algorithm Aces University Math Course Questions (Adam Zewe)
Big Tech breakup legislation on hold (Lauren Weinstein)
Class-action suit filed against Equifax after millions of scores were affected by glitch (NBC news)
'Horrible', 'Chaos': Former Oracle Employees Describe Recent Layoffs (Slashdot)
Robinhood Lays Off 23 Percent of Its Staff, Blaming Crypto Meltdown (NYTimes)
Bitcoin mining in the crypto crash -- mining companies' creative accounting (Amy Castor)
Pearson says NFT textbooks will let it profit off secondhand sales (The Verge)
The Bad Times Are Coming for Startups (WiReD)
The Microsoft Team Racing to Catch Bugs Before They Happen (WiReD)
French Scientist, distant star, and chorizo (People via Steve Greenwald)
Rats deserve equal presence with Squirrels in RISKS (T.M. Brown via PGN)
Robotic Surgery (Dr. Bob Fenichel)
Re: Who is at fault when medical software gets it wrong? (Richard Marlon Stein)
Re: Tech giants, including Meta, Google, and Amazon, want to put an end to leap-seconds (John Levine)
Re: BMW's Heated as a Service Model Has Drivers Seeking Hacks (Sam Steingold, Gabe Goldberg, Gabe Goldberg)
Re: Study finds Wikipedia influences judicial behavior (John Levine)
Kids Are Back in Classrooms and Laptops Are Still Spying on Them (Gabe Goldberg)
Re: School Surveillance Will Never Protect Kids From Shootings (Gabe Goldberg)
Re: Dr. Birx ADMITS She 'Knew' COVID-19 Vaccines 'Were Not Going to Protect Against Infection' (Lars-Henrik Eriksson, Steve Lamont)
Book Review: America's Biggest Lottery Scam by Bob Sand (Douglas W. Jones)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 7 Aug 2022 15:02:38 -0400
To: Risks Digest <risks@csl.sri.com>
From: Gabe Goldberg <g...@gabegold.com>
Subject: U.S. Air Force To Test Single-Pilot C-130 Flight Crews (FLYING Magazine)

USAF and Merlin Labs plan to flight test Lockheed Martin's C-130J Hercules with autonomous software as a co-pilot.

Can a Lockheed Martin (NYSE: LMT) C-130J Hercules fly with just one pilot? It's a scenario the U.S. Air Force is exploring through a new partnership with Merlin Labs, a Boston-based autonomous flight company that's gearing up to test autonomous operations in the Air Force's venerable cargo workhorse.

Under the collaboration, Merlin Labs will retrofit a C-130 with software and technology that will slim down the number of onboard crew, from two pilots to one.

The C-130, built at Lockheed Martin's factory in Marietta, Georgia, holds the record for the longest continuous production run of any military aircraft, according to the manufacturer. The Hercules first flew in 1954.
https://www.flyingmag.com/u-s-air-force-to-test-single-pilot-c-130-flight-crews/

------------------------------

Date: Wed, 18 May 2022 10:48:50 -0400
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: How a Trash-Talking Crypto Bro Caused a $40 Billion Crash (NYTimes)

Do Kwon, a South Korean entrepreneur, hyped the Luna and TerraUSD cryptocurrencies. Their failures have devastated some traders, though not the investment firms that cashed out early.

https://www.nytimes.com/2022/05/18/technology/terra-luna-cryptocurrency-do-kwon.html

------------------------------

Date: Sat, 21 May 2022 00:16:57 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Nuclear Fusion Is Already Facing a Fuel Crisis (WiReD)

It doesn't even work yet, but nuclear fusion has encountered a shortage of tritium, the key fuel source for the most prominent experimental reactors.

In the south of France, ITER is inching towards completion. When it's finally fully switched on in 2035, the International Thermonuclear Experimental Reactor will be the largest device of its kind ever built, and the flag-bearer for nuclear fusion. Inside a donut-shaped reaction chamber called a tokamak, two types of hydrogen, called deuterium and tritium, will be smashed together until they fuse in a roiling plasma hotter than the surface of the sun, releasing enough clean energy to power tens of thousands of homes -- a limitless source of electricity lifted straight from science fiction. Or at least, that's the plan.

The problem -- the white elephant in the room -- is that by the time ITER is ready, there might not be enough fuel left to run it. Like many of the most prominent experimental nuclear fusion reactors, ITER relies on a steady supply of both deuterium and tritium for its experiments. Deuterium can be extracted from seawater, but tritium -- a radioactive isotope of hydrogen -- is incredibly rare.

https://www.wired.com/story/nuclear-fusion-is-already-facing-a-fuel-crisis

------------------------------

Date: Thu, 04 Aug 2022 16:05:40 +0000
From: Henry Baker <hbak...@pipeline.com>
Subject: Fighting Around Zaporizhzhia Nuclear Power Plant Is 'Out of Control'

Nuclear power plants were designed to defend against certain foreseeable risks, but not wars!

I don't think we all want to be Zaporized...

https://www.vice.com/en/article/7k88mg/fighting-around-europes-largest-power-plant-is-out-of-control-uns-nuke-chief-warns

Fighting Around Europe's Largest Power Plant Is 'Out of Control,' UN's Nuke Chief Warns
Russia is using a Ukrainian power plant as a fortress to launch attacks.
by Matthew Gault, August 3, 2022, 3:13pm

The head of the UN's nuclear regulatory watchdog is warning the world that Europe's largest nuclear power plant "is completely out of control," Rafael Grossi, the director general of the International Atomic Energy Agency (IAEA), told the Associated Press about the risk in an interview.

The Zaporizhzhia nuclear power plant is in Southeast Ukraine along the Dnipro river. The plant has been a central part of the war since Russia invaded Ukraine at the end of February. Russian troops besieged it in early March, firing artillery shells at it before taking it over. The firefight between Russian and Ukrainian soldiers was watched by 95,000 people online through the plant's live streamed CCTV cameras. An administrative building caught fire during the fight but the plant didn't melt down.

------------------------------

Date: Sat, 6 Aug 2022 12:53:06 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Nomad offers 10% bounty in $190M cryptocurrency hack (WashPost)

More than $20 million has been recovered since the "free-for-all".

Crypto Giant Froze Their Accounts. Now Customers Are Begging a Judge for Their Money Back.

"My life savings were in Celsius," one depositor wrote last month. "I pray and hope everyday you are doing everything in your power to rightfully return deposits back to customers. I can't tell my wife and kids our retirement and dreams have been stolen from us. Life is stale, we need updates and silence is not the answer."

https://www.motherjones.com/politics/2022/08/celsius-bankruptcy-crypto

------------------------------

Date: Wed, 18 May 2022 10:50:39 -0400
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: WashDC Metrorail Routinely Skipped Safety Protocols, Putting Workers At Risk (DC Patch)

  [Earlier items on this in RISKS-33.06 and 33.13.  PGN]

Washington Metrorail Safety Commission says Metrorail routinely skipped steps in restoring lethal electrical power to tracks in work zones.

WMSC determined the Power Desk assistant superintendent had skipped three safety protocols when directing that power be restored to the College Park Station work zone. In addition, the Power Desk controller restored power even though they knew two safety confirmations had not been completed.

WMSC also investigated similar lapses in safety that occurred on April 3, May 1, May 6 and May 14, across multiple departments.

"Fatigue modeling indicates that the Power Desk controller's performance effectiveness on April 26 was impaired due to sleep debt, short sleep duration and the circadian effects of night work," WMSC's report says. "The Power Desk Controller also told investigators that they have difficulty sleeping."

Further investigation revealed that Metrorail was assigning 12-hour shifts and not filling some shifts due to staffing shortages.
https://patch.com/district-columbia/washingtondc/metrorail-routinely-skipped-safety-protocols-putting-workers-risk

------------------------------

Date: Thu, 4 Aug 2022 11:02:16 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Former T-Mobile store owner netted $25 million from 5-year scheme, which included tricking employees into resetting passwords (Fortune)

A former T-Mobile store owner has been found guilty of using stolen credentials to hack into "hundreds of thousands of cellphones" in a multiyear scheme that netted him roughly $25 million that he spent on cars:

Argishti Khudaverdyan, 44, who owned an Eagle Rock retail outlet in Los Angeles, used several dishonest methods to acquire the credentials needed to unlock phones or bypass carrier blocks, enabling customers to change network providers before their contract ended.

He used phishing emails and social engineering, and tricked those working at the T-Mobile IT Help Desk into resetting employee passwords, allowing him access to the internal system.

The scheme, which he ran from August 2014 to June 2019, also involved unlocking phones that had been reported lost or stolen, allowing them to be sold on the black market. [...]

https://finance.yahoo.com/news/former-t-mobile-store-owner-110731584.html

------------------------------

Date: Sat, 6 Aug 2022 12:48:28 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: California Regulator Accuses Tesla of Falsely Advertising Autopilot (NYTimes)

A state agency said the electric carmaker had misled the public in describing its driver-assistance service as autonomous.

Its name is borrowed from aviation systems that allow planes to fly themselves in ideal conditions with limited pilot input. With the current system, the car will disengage Autopilot if drivers do not consistently keep a hand on the wheel. For an additional fee, which may be as high as $12,000, car owners can buy Full Self-Driving, a system that expands the abilities of Autopilot.

https://www.nytimes.com/2022/08/05/business/tesla-california-dmv-complaint.html

Believing marketing, then not even following instructions...

------------------------------

Date: Fri, 5 Aug 2022 13:12:37 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: North Korea-Backed Hackers Have Clever Way to Read Gmail (Dan Goodin)

Dan Goodin, Ars Technica, 03 Aug 2022, via ACM TechNews, 5 Aug 2022

Researchers at security company Volexity have discovered malware dubbed SHARPEXT that the North Korea-sponsored SharpTongue hacker gang is using to read and download email and attachments from victims' Gmail and AOL accounts. Volexity's Steven Adair said SHARPEXT installs an extension for Chrome and Edge browsers "by way of spear phishing and social engineering where the victim is fooled into opening a malicious document." Email services cannot detect the extension, and since the browser will already have been authenticated, the compromise cannot be simply identified and neutralized. Volexity said SHARPEXT has been in use for "well over a year," allowing hackers to compile lists of email addresses to ignore, and to monitor already compromised emails or attachments.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f009x235171x069070&

------------------------------

Date: Sat, 6 Aug 2022 12:55:02 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: War Thunder fans leaked classified docs to get more realistic tanks (WashPost)

Fans wanted a war game to be more real, so they leaked classified docs

Video games have long led to fights: controllers thrown, unsubstantiated accusations of cheating, insults hurled at mothers and even dogs. But no one has ever leaked classified documents related to national security in a public forum to win an argument -- until last year, twice. And then again this year.

Beginning in 2021, players of "War Thunder," a popular, free-to-play vehicular combat video game, have thrice posted classified documents related to three tanks of British, French, and Chinese origin, in an online forum dedicated to the game. The posting of the documents was reported first by UK Defence Journal, which wrote that one poster, who uploaded the manual to a British Challenger 2 tank, said he was motivated by a desire to get a "War Thunder" developer to make the tank more accurate in the game. Another poster, who claimed to be part of a French tank unit, uploaded a Leclerc S2 manual while engaged in an online debate about its turret rotation speed. The motivations of the user who posted allegedly classified information about China's DTC10-125 tank, and a piece of materiel, was not clear.

https://www.washingtonpost.com/video-games/2022/08/05/tank-plan-leaks-war-thunder/

------------------------------

Date: Sun, 7 Aug 2022 10:44:54 PDT
From: Peter Neumann <neum...@csl.sri.com>
Subject: AI Does Not Have Thoughts, No Matter What You Think (Cade Metz)

Some researchers believe there are sentient computers. Sorry, but there's no evidence.

  [Nice follow-up on this topic in RISKS-33.29 and RISKS-33.34.  PGN]

Cade Metz, *The New York Times* National Edition Sunday Business centerfold, 7 Aug 2022: two-page (6-7) spread, with Frank Rosenblatt and his Perceptron, an inset of a conversation with Joe Weizenbaum's ELIZA, and other more recent players. The alluring robot "Desdemona" is also on the cover of the section.
  [Gabe Goldberg saw this item online:
    https://www.nytimes.com/2022/08/05/technology/ai-sentient-google.html
  PGN]

------------------------------

Date: Fri, 5 Aug 2022 13:12:37 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Algorithm Aces University Math Course Questions (Adam Zewe)

Adam Zewe, MIT News, 3 Aug 2022, via ACM TechNews, 5 Aug 2022

A multi-institutional team of researchers led by the Massachusetts Institute of Technology's Iddo Drori utilized a neural network model to solve university-level math problems in seconds. The researchers used OpenAI's Codex model, which was pretrained on text and "fine-tuned" on code, to learn how pieces of text and code relate to each other. The model can render text questions into code, given a few question-code examples, then run the code to solve the problem. The model also automatically explains its solutions, and can produce new problems in university math subjects which university students were unable to distinguish from human-generated questions. "This work opens the field for people to start solving harder and harder questions with machine learning," Drori said.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f009x235172x069070&

  [It also opens the field for open-source software for open-book exams.  PGN]

------------------------------

Date: Sun, 7 Aug 2022 08:56:43 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Big Tech breakup legislation on hold

It appears that the wholly misguided attempts to "break up" Big Tech are at least on hold until later in the year, if then. And consumers should be thankful, because the plans would only have made their tech lives more complex and subject to even more fraud.

------------------------------

Date: Thu, 04 Aug 2022 22:35:16 +0000
From: "Richard Marlon Stein" <rmst...@protonmail.com>
Subject: Class-action suit filed against Equifax after millions of scores were affected by glitch (NBC news)

https://www.nbcnews.com/business/consumer/equifax-credit-score-glitch-lawsuit-class-action-rcna41538

"The credit bureau said it had unintentionally sent faulty scores to lenders, resulting in higher interest rates and application denials for some consumers."

"*The Wall Street Journal* reported Tuesday that, as Equifax was transitioning to a new technology system, it unintentionally provided inaccurate credit scores on millions of U.S. consumers seeking various types of credit. In a statement on its website, Equifax acknowledged that as many as 300,000 people experienced a score shift of 25 points or more, enough to swing a borrower's credit rating from good to fair, or fair to poor."

A glitch? It appears Equifax didn't apply UAT before go-live? Or did they know about the credit score discrepancy -- should be evident in their qualification test reports for pass/fail on "legacy v. go-forward" comparator output of credit scores. Perhaps the governance team was too eager to go-live because of schedule commitments and didn't bother to read the test results?

Very tiresome to watch reruns of the consumer crash test dummy show.

------------------------------

Date: Sun, 7 Aug 2022 10:57:31 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: 'Horrible', 'Chaos': Former Oracle Employees Describe Recent Layoffs (Slashdot)

https://developers.slashdot.org/story/22/08/07/1537222/horrible-chaos-former-oracle-employees-describe-recent-layoffs

  [Despite *the NYTimes* lead story yesterday about how employment is now back to pre-COVID.  PGN]

------------------------------

Date: Thu, 4 Aug 2022 00:50:06 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Robinhood Lays Off 23 Percent of Its Staff, Blaming Crypto Meltdown (NYTimes)

The trading app that helped drive the meme stock frenzy announced staff cuts for the second time this year.

Robinhood declined to comment on the layoffs.

The announcement followed closely on the heels of cuts in April, when Robinhood laid off 340 workers, or about 9 percent of its employees at the time. Since then, Mr. Tenev wrote, further worsening of the economy, including inflation and the crash of the crypto market, has "reduced customer trading activity and assets under custody."

The price of Bitcoin has fallen by more than half this year, to about $23,000 per coin. The cryptocurrency rose as high as $66,000 in late 2021.

------------------------------

Date: Thu, 4 Aug 2022 20:19:39 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Bitcoin mining in the crypto crash -- mining companies' creative accounting (Amy Castor)

Bitcoin mining is a highly lucrative business as long as the price of bitcoin keeps going up -- and as long as investors believe it will keep going up. When the price crashes -- and the price of bitcoin has halved since the start of the year -- crypto miners face margin calls, they have to dump their bitcoins, and reality comes knocking.

In this post, we outline some of the biggest problems facing North American bitcoin miners:

* Miners are nothing like as profitable as they report to the public stock markets that they are.
* Miners don't want to sell their freshly mined bitcoins, as this would risk crashing the price of bitcoin -- so instead, they borrow against the bitcoins, and against their rigs, too!
* This business model only works if number goes up forever.
* Number does go up forever.
https://amycastor.com/2022/08/04/bitcoin-mining-in-the-crypto-crash-the-mining-companies-creative-accounting/

------------------------------

Date: Thu, 4 Aug 2022 00:52:10 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Pearson says NFT textbooks will let it profit off secondhand sales (The Verge)

But is there any reason to do it?

Textbook publisher Pearson suggests blockchain tech could let it take a cut of secondary textbook sales, capturing a section of the book market that's so far escaped it. As quoted by Bloomberg, Pearson CEO Andy Bird believes non-fungible tokens, or NFTs, could help publishers make money off textbook resales, although he stopped short of describing concrete plans. [...]

As with many mainstream crypto applications, NFTs don't bring an obvious technical innovation to this question.

------------------------------

Date: Tue, 17 May 2022 16:27:40 -0400
From: "Gabe Goldberg" <g...@gabegold.com>
Subject: The Bad Times Are Coming for Startups (WiReD)

A spate of layoffs is just the first sign of trouble for early-stage companies facing an economic downturn.

"Right now, the startups that are in the trickiest situation are growth-stage startups with unicorn-type valuations, a high burn rate, good but not great metrics, and 12 months of cash," says Matt Turck, a partner at venture capital firm Firstmark. "You're going to see a lot of layoffs there, because companies need to urgently cut their burn if they don't want to run out of cash."

https://www.wired.com/story/startups-layoffs-economy-bad-times/

------------------------------

Date: Thu, 4 Aug 2022 00:46:51 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: The Microsoft Team Racing to Catch Bugs Before They Happen (WiReD)

What's it like to be responsible for a billion people's digital security? Just ask the company's Morse researchers.

https://www.wired.com/story/microsoft-morse-team/

------------------------------

Date: Sat, 6 Aug 2022 00:00:15 -0400
From: "Steven J. Greenwald" <greenwald.st...@gmail.com>
Subject: French Scientist, distant star, and chorizo

Some extracts from the journal "People":

A French scientist is in hot water after he trolled his Twitter followers with a picture of what he said was of a distant star taken by the James Webb Space Telescope. In reality, it was a piece of sausage.

On July 31, French scientist Etienne Klein tweeted an image of a glowing red circle with a caption saying it was Proxima Centauri, the closest star to the Sun.

"Well, when it's time for the aperitif, cognitive biases seem to have a field day," he later tweeted.

<https://twitter.com/EtienneKlein/status/1553765864553472003?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1553765864553472003%7Ctwgr%5E70a999974c25a56b3c583436dfbd4c8fc8aa0f75%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.cbsnews.com%2Fnews%2Fscientist-etienne-klein-posts-webb-telescope-image-star-actually-slice-chorizo-apology%2F>

https://people.com/human-interest/french-scientist-apologizes-says-space-telescope-image-of-distant-star-was-actually-just-chorizo/

------------------------------

Date: Sun, 7 Aug 2022 10:20:51 PDT
From: Peter Neumann <neum...@csl.sri.com>
Subject: Rats deserve equal presence with Squirrels in RISKS (T.M. Brown)

Engine Troubles? Check for Rats.
T. M. Brown, *The New York Times*, 7 Aug 2022

This article begins by resuscitating an old tale from early 2021 of a Prius in NYCity's DUMBO area downtown: "The check engine kept flashing ... despite the car driving just fine. They did a bunch of tests and couldn't figure out what it was." Finally they discovered a rat had chewed through a sensor wire. $700 bill.

The usual RISKS story of trying to spread the blame to bad city planning, the pandemic, more food trucks in residential areas, overcrowding, etc. T.M. Brown's last paragraph is worth quoting:

  Two years ago, a looming fear among bureaucrats, business people, and undying loyalists to the city's complexities was that New York [City] would dangerously thin out, that enough people would make permanent their exodus to Connecticut or Duchess County to destroy an already precarious economic and social equilibrium. Instead the new story is simply a replay of the old one -- a narrative of tensions among impassioned competing interests that all feel entitled to lay their personal claims to public space. It's maddening, perhaps impossible in the end and yet deeply reassuring all at once.

Risks relevance? Many things seem to be changing underfoot with the pandemic, but in many ways the problems remain more of the same -- only perhaps intensified.

------------------------------

Date: Wed, 03 Aug 2022 16:46:31 -0700
From: "Robert R. Fenichel, MD" <b...@fenichel.net>
Subject: Robotic Surgery (RISKS-33.36)

More complete reporting of the rates of robotic and manual surgery wouldn't be sufficient to make the comparative risks much less challenging to interpret. The problem, as is always the case with nonrandomized medical data, is selection bias. The patients who undergo robotic procedures are not necessarily similar to those who get manual procedures, the nurses who attend them are not necessarily similar, and the surgeons are obviously dissimilar, in ways that may be pertinent.

To make a reliable comparison of the two techniques, one would need to do a randomized trial. Randomized trials to make this sort of comparison are not new. For example, see British Journal of Surgery 92(1): 44-49 (2005).
The less easily solved problems, apparently raised in the IEEE article cited by Stein, and raised earlier when laparoscopic abdominal surgery became popular ~20 years ago, are those faced by trainees:

* Learning how to do high-tech procedures is tricky, because trainees' participation in them is even more passive than it is during most open procedures.

* Open procedures may be getting rarer and rarer, but sometimes they are needed. Sometimes (possibly more in abdominal procedures than in prostate procedures; I don't know), procedures are begun as laparoscopic or robotic procedures but then the surgeon finds anatomic variants, old scars, or other surprises that force the surgeon to switch to an open procedure. Nowadays a trainee surgeon may hardly ever have seen (let alone performed) a conventional open cholecystectomy.

This is not a solved problem.

------------------------------

Date: Thu, 04 Aug 2022 22:22:08 +0000
From: "Richard Marlon Stein" <rmst...@protonmail.com>
Subject: Re: Who is at fault when medical software gets it wrong? (RISKS-33.36)

https://medicalxpress.com/news/2022-08-fault-medical-software-wrong.html

"There is a lot of research showing that clinical decision support software is generally beneficial. For instance, it reduces medication prescribing errors and enhances the chance that doctors will follow guidelines for delivering high-quality healthcare. Yet there is also increasing awareness that malfunctions in clinical decision support software are more common than we think."

The FDA's regulatory approach to CDS software functions is published here: https://www.fda.gov/media/109618/download (retrieved on 05AUG2022).

The CDS must accurately determine if a prescription fits the condition, does not interact with a patient's current medicine schedule, the patient is not allergic to the new medicine, etc. If a dispenser fills the wrong medicine, though the prescription order is correct, how can one blame the physician? Physicians don't stock dispensers.

I tried to ferret out CDS software adverse device events from the FDA's TPLC platform, but did not discover a huge trove of records. In fact, I could not find ANY devices in the TPLC repository assigned to product codes by searching for "clinical decision support". I found a few devices assigned to the term "medication" and "dispenser":

Consult https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm and apply product code "KYX" or "NXB" to view the MDR history on devices that dispense liquid or solid medications.

------------------------------

Date: 3 Aug 2022 23:37:50 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Tech giants, including Meta, Google, and Amazon, want to put an end to leap-seconds (Bacher, RISKS-33.36)

TAI is the time standard that doesn't use leap seconds, while UTC does. They currently are 37 seconds apart. Unless you are an astronomer, it makes no practical difference whether you use TAI or UTC so long as you and your friends use the same one.

The UTC adjustment means that at noon UTC in Greenwich, England, the sun will be directly overhead, but since we all use time zones, for most of us the sun has never been overhead at noon because we are not in the exact middle of our zone.

Rather than moving the clocks forward or backward a second every few years, just let the UTC clocks keep ticking, and let the astronomers take care of themselves. (I gather they do that now, since astronomy needs way better than one second resolution.) Perhaps by 2200 the difference between TAI and UTC will be enough that people care, so they will add a leap ten minutes, but by then we and our grandchildren will be long gone.

------------------------------

Date: Thu, 04 Aug 2022 10:39:26 -0400
From: "Sam Steingold" <s...@gnu.org>
Subject: Re: BMW's Heated as a Service Model Has Drivers Seeking Hacks (Goldberg, RISKS-33.36)

I think you are missing the point.
I think people are unhappy not because the feature requires a paid activation _once_, but because they don't like the "subscription" model where they _pay per use_.

Imagine you have to pay your fridge maker every time you want to open the fridge door.

------------------------------

Date: Thu, 4 Aug 2022 01:45:00 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Re: BMW's Heated as a Service Model Has Drivers Seeking Hacks (John Levine, RISKS-33.36)

Yes (your first four paragraphs). But, that's price discrimination for selling identical products rather than offering different products at different price points. ...which next two paragraphs discuss.

Regarding "[IBM] could have sold them all without the delay relay and not gone broke" -- sure, but why should they? And at what price? Why is what they did worse for the market than having two actually different devices, vs. one device offering different benefits for different prices?

Why would it be better -- and unremarkable -- for BMW to have used two seat models, vs. one model with different benefits at different price points?

Putting aside the objectionable rental model, why is charging more for heated seats bad because it's implemented in software, vs. how it's been done traditionally, with different seats?

------------------------------

Date: Thu, 4 Aug 2022 12:24:50 -0400
To: risks@csl.sri.com, Sam Steingold <s...@gnu.org>
From: Gabe Goldberg <g...@gabegold.com>
Subject: Re: BMW's Heated as a Service Model Has Drivers Seeking Hacks (Steingold, RISKS-33.36)

My main objection is to charging subscription model for features, not to having them software enabled. Features should be offered at one-time fair prices. (And not absurdly bundled so you must buy more than wanted to get what IS wanted).

BUT -- it might be nice to have the option -- if a feature isn't purchased -- to be able to pay per use/week/month. Imagine you travel from warm climate where you live to someplace bitter cold -- you didn't buy heated seats but want them temporarily. Or you need the refrigerator light just once to clean back of shelves. ;-)

------------------------------

Date: 4 Aug 2022 13:51:18 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Study finds Wikipedia influences judicial behavior (RISKS-33.36)

It's worth reading the paper and not just the press release. The study is well designed. They picked a representative set of Irish supreme court cases, wrote articles about them, added half the articles to Wikipedia, and indeed the cases they added got more citations and the citations resembled the articles.

This does not mean that anything bad happened. Partly it's a statistical question, since they didn't distinguish citations that used language from the original cases, which should be OK, rather than from the summaries, which might not be.

To create these articles, first they went through and selected important cases, then they had law students write the summaries, which were overseen and edited by law faculty. The summaries should have been good and the cases were important -- why wouldn't you want a judge to use them?

Beyond that, Wikipedia has a process to remove articles about topics that aren't sufficiently notable, but it is quite slow, and they'd have to wait a long time to see whether their added articles stayed or were deleted.

To test whether judges just used the articles without checking the actual decisions, they'd have to add articles with deliberately wrong summaries, or summarize fake cases, but that kind of human experimentation has ethical issues.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4174200

------------------------------

Date: Thu, 4 Aug 2022
From: Gabe Goldberg <g...@gabegold.com>
Subject: Kids Are Back in Classrooms and Laptops Are Still Spying on Them
  (WiReD)

As the post-Roe era underscores the risks of digital surveillance, a new
survey shows that teens face increased monitoring from teachers and police.

https://www.wired.com/story/student-monitoring-software-privacy-in-schools/

------------------------------

Date: Thu, 4 Aug 2022 16:25:38 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Re: School Surveillance Will Never Protect Kids From Shootings
  (WiReD)

If we are to believe the purveyors of school surveillance systems, K-12
schools will soon operate in a manner akin to some agglomeration of Minority
Report, Person of Interest, and Robocop. "Military grade" systems would slurp
up student data, picking up on the mere hint of harmful ideations, and
dispatch officers before the would-be perpetrators could carry out their vile
acts. In the unlikely event that someone were able to evade the predictive
systems, they would inevitably be stopped by next-generation weapon-detection
systems and biometric sensors that interpret the gait or tone of a person,
warning authorities of impending danger. The final layer might be the most
technologically advanced -- some form of drone or maybe even a robot dog,
which would be able to disarm, distract, or disable the dangerous individual
before any real damage is done. If we invest in these systems, the line of
thought goes, our children will finally be safe.

------------------------------

Date: Thu, 4 Aug 2022 10:06:01 +0200
From: Lars-Henrik Eriksson <l...@it.uu.se>
Subject: Re: "Dr. Birx ADMITS She 'Knew' COVID-19 Vaccines 'Were Not Going
  to Protect Against Infection' (RISKS-33.35)

> "Overwhelming", you say? But you might check out the website "How Bad Is
> My Batch", which if you check your batch numbers, points out
> something else: 5% of the Pfizer and Moderna batches are apparently
> responsible for 80% of the bad reactions including deaths and permanent
> disablement from the vaccines. So maybe only 95% of the batches do what
> you say. PGN]

"How Bad Is My Batch" is clearly an anti-vaccine conspiracy site. While it is
entirely possible that different batches have different effectiveness and even
that some have more side effects (after all, that's why we keep track of
batches), this website suggests that some batches are *deliberately* made
"toxic". See https://www.howbadismybatch.com/allnothing.html.

A criticism of the web site that points out more issues and also notes other
disturbing comments made by the person behind the web site can be found at
https://www.thedailybeast.com/craig-paardekoopers-shady-site-shows-covid-anti-vaxxers-will-believe-anything.

  [Lars-Henrik, I am NEITHER an anti-vaxxer NOR a conspiracy theorist.
  However, a criticism of your criticism is needed. There is so much
  disinformation here that there may be no trees left in the forest. Your
  "clearly" is *clearly* a gross overstatement. It has become almost
  impossible to get to the truth when every truth gets shot down as a
  conspiracy theory or fake news. A close personal friend was one of nine
  more or less healthy people vaccinated one day in January last year. Six
  of them died shortly thereafter with rather *evident* correlation with the
  vaccine. If that was one of the clearly bad batches in the website data,
  then you are shooting yourself in the foot by condemning *everything* on
  the website. I believe a conspiracy may be on the side of overhyping the
  effectiveness of the vaccines and hiding some negative results -- perhaps
  in false hopes of discouraging the anti-vaxxers.
  PGN]

------------------------------

Date: Sat, 06 Aug 2022 15:20:42 -0700
From: Steve Lamont <s...@tirebiter.org>
Subject: Re: Dr. Birx ADMITS She 'Knew' COVID-19 Vaccines 'Were Not Going to
  Protect Against Infection' (RISKS-33.36)

Dr Birx "admitted" no such thing.

https://www.politifact.com/factchecks/2022/jul/29/facebook-posts/no-deborah-birx-didnt-change-her-tune-covid-vaccin/

Birx's full comments show she said she believes the vaccines do work and
people should get them. PolitiFact found no record of Birx stating the vaccine
could provide complete protection against infection. During the initial
vaccine rollout, Birx said it was unclear what level of immunity the vaccine
provided.

------------------------------

Date: Sun, 7 Aug 2022 18:23:40 +0000
From: Douglas W Jones <douglas-w-jo...@uiowa.edu>
Subject: Book Review: America's Biggest Lottery Scam by Bob Sand

  [Reproduced with permission from another list. PGN]

I just finished an interesting book, America's Biggest Lottery Scam by Bob
Sand. The author was the lead prosecutor in uncovering the rigging of lottery
equipment from the Multistate Lottery Association (MUSL) by their employee
Eddie Tipton. This is a textbook example of an insider threat at work in an
organization that had what looked like really good internal controls to guard
against such things. When we talk about how difficult it would be to rig
voting machines, that is because of a similar kind of internal controls that
might be vulnerable to similar insider threats.

The book is written as a narrative from the prosecutor's perspective, so it's
structured as a detective story. Viewed from that perspective, the story is
interesting because the statute of limitations was running out as the first
lottery rigging case reached the point where charges could possibly be
brought. Furthermore, that case was not strong.
They get a conviction halfway through the book, and that is where things start
getting interesting, because only then did the scale of the lottery rigging
become apparent, and only then did the technical details begin to come out.
The book ends with the first case being as good as thrown out on appeal at
about the same time that Tipton agreed to a plea deal in the larger case that
included a complete confession, allowing the various state lotteries that had
been defrauded to tighten their own defenses.

The technical details of the lottery technology dribble out slowly over the
course of the book, but they are there. As is the case with election
machinery, code for the sealed lottery computers was installed with oversight
from a third party testing organization that also examined the source code.
There was room for sleight of hand, though, allowing Eddie Tipton to install
hacked code in lottery computers while turning over clean code to the testing
organization. The hack? On scattered but predictable dates, the lottery
computers would be less than random, with a set of possible winning numbers
small enough that you could buy a manageable stack of tickets and have a good
chance of winning.

Rigged lottery computers from MUSL ended up in Iowa, Wisconsin, Missouri,
Colorado, Ohio and possibly other states. Tipton gave away winning lottery
tickets or notes on winning numbers to a number of friends and relatives.
Only two of the wins attracted investigations. When his brother won the
Colorado lottery, he cashed the check and got a suitcase full of consecutively
numbered $100 bills. That spooked him and he tried to launder the money,
attracting the FBI's attention. They couldn't identify the crime, but the case
was weird enough that the agent involved remembered it and became involved
when Sand began to dig.

Sand was brought in because a multi-million dollar winning ticket in Iowa went
unclaimed for most of a year, and then two credible attempts were made to
claim it, neither of which involved someone who resembled the ticket purchaser
-- the law required the lottery ticket to be redeemed by the person who
purchased the ticket, and they had surveillance camera footage of the
purchaser, who seemed very intent on not being recognized.

On the downside, the author spends several chapters on autobiography and
biography, talking about his upbringing and about Eddie Tipton, both of whom
grew up in small rural communities. Sand is very interested in the psychology
of the crime, what would lead a bright programmer to rig the machines and then
use that rigging in a series of stolen jackpots, mostly benefiting others.

Sand also ends on an autobiographical note, describing how, after working as
an assistant attorney-general prosecuting white collar crime, he realized that
the job was changing him in ways he didn't like. So he ran for state auditor,
a job he now holds. That means that this book can be seen as campaign
literature as well as an interesting true computer crime story.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.37
************************