Subject: Risks Digest 32.32

RISKS-LIST: Risks-Forum Digest  Thursday 15 October 2020  Volume 32 : Issue 32

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Various election shenanigans (PGN)
Court Orders Seizure of Ransomware Botnet Controls as U.S. Election Nears
  (Reuters)
Campaigns sidestep Cambridge Analytica crackdown with new methods (AFP)
Severed cable takes out Virginia voter site on registration deadline
  (Ars Technica)
A different way the news is dividing America (yahoo!)
Inside the strange new world of being a deepfake actor (MIT Tech Review)
From a small town in North Carolina to big-city hospitals, how software
  infuses racism into U.S. health care (Casey Ross)
Split-Second `Phantom' Images Can Fool Tesla's Autopilot (WiReD)
Car design about to change forever? (Fast Company)
Cruise received a permit from the California DMV to remove human backup
  drivers from our self-driving cars (Twitter)
This Ferrari got bricked because someone tried to upgrade it underground,
  where there's no cell reception. DRM in cars rules. (Twitter)
Fifth of countries at risk of ecosystem collapse, analysis finds (The Guardian)
The Man Who Speaks Softly -- and Commands a Big Cyber Army (WiReD)
SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the World
  in 1 hour (Business Insider)
Israel cyber watchdog rests on the sabbath (Israel Defense)
Hacking a Coffee Maker (Bruce Schneier's CRYPTO-GRAM)
Apple's T2 security chip has an unfixable flaw (Lily Hay Newman)
Indian Police Accuse Popular TV Station of Ratings Fraud (NYTimes)
Watch out for this green dot on your iPhone -- it means someone is watching
  (The Sun)
Fairfax County Schools Employee Data Leaked On Dark Web: Report (Patch)
A prison video visitation service exposed private calls between inmates and
  their attorneys (Tech Crunch)
Herd immunity letter signed by fake experts including 'Dr Johnny Bananas'
  (The Guardian)
Updated Eusprig page (Patrick O'Beirne)
'I Feel Like I Have Dementia': Brain Fog Plagues Covid Survivors (NYTimes)
International Statement: End-To-End Encryption and Public Safety (DoJ)
Wearable tattoo: Scientists print sensors directly onto skin without heat (UPI)
Continuous glucose monitoring/insulin dosing systems (NIH via Richard Stein)
Onions too sexy for Facebook (BBC)
Interview techniques and the "don't know" answer (Rob Slade)
To my friends and colleagues in the U.S.: Be careful out there. (Rob Slade)
Re: Why cars are more "fragile": more technology has reduced robustness
  (Chris Drewe)
Re: Risks of Excel (Anthony Thorn)
Re: Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
  (A Michael W Bacon)
Re: Apple marches to a different beat (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 12 Oct 2020 11:41:57 PDT
From: "Peter G. Neumann"
Subject: Various election shenanigans

  [RISKS readers should not be surprised by these items:]

RUSSIAN BOTNETS: Microsoft takes down massive hacking operation that could
have affected the election (CNN); Federal judge rejects GA challenge

Microsoft seeks to disrupt Russian criminal botnet it fears could seek to sow
confusion in the presidential election. MS won a court order to seize servers
used by the Trickbot botnet, a network of infected computers that Microsoft
says might have been used to lock up voter-registration systems.
https://www.washingtonpost.com/technology/2020/10/12/microsoft-trickbot-ransomware
https://www.cnn.com/2020/10/12/tech/microsoft-election-ransomware/index.html

RANSOMWARE:
https://www.cnn.com/2020/10/12/tech/microsoft-election-ransomware/index.html
Of course this is ridiculous, but ignores all of the warnings about
connecting any critical system to the Internet.

GEORGIA RULING: Federal judge rejects challenge to touch-screen voting
machines in Georgia
https://www.nytimes.com/live/2020/10/12/us/trump-vs-biden/as-early-voting-begins-in-georgia-a-judge-rejects-a-challenge-to-touch-screen-voting-machines
A federal judge on Sunday night left in place Georgia's new $108 million
touch-screen voting system, rejecting a call by election-integrity advocates
to switch to handwritten paper ballots hours before Georgians flooded polling
sites for the first day of early voting. At least one local official in
Atlanta reported technical glitches, similar to problems that plagued the
machines during primaries earlier this year.

REPUBLICAN-OWNED DROP-BOXES for your ballots: Private phony drop-boxes from
the Republicans are appearing in California that claim to be "Official Drop
Boxes".
https://www.cnn.com/2020/10/12/tech/microsoft-election-ransomware/index.html
California Officials Tell State GOP To Stop Distributing Ballot Drop Boxes (NPR)
https://www.npr.org/2020/10/12/923119170/california-officials-tell-state-gop-to-stop-distributing-ballot-drop-boxes?utm_medium=RSS&utm_campaign=news

------------------------------

Date: Wed, 14 Oct 2020 12:09:21 -0400 (EDT)
From: ACM TechNews
Subject: Court Orders Seizure of Ransomware Botnet Controls as U.S. Election
  Nears (Reuters)

Joseph Menn and Chris Bing, Reuters, 12 Oct 2020
via ACM TechNews, 14 Oct 2020

Microsoft on Monday said it had seized via federal court order Internet
Protocol (IP) addresses that had been directing activity on computers infected
with Trickbot malware. Microsoft warned that Trickbot has infected a number of
public government agencies, which could suffer worse damage if the operators
encrypt files or install programs that interfere with voter registration
records or the display and public disclosure of election results. Microsoft
worked with companies including security firm ESET to disassemble Trickbot
installations and trace them to their command IP addresses, and invoked
copyright law to secure the court order. Said Microsoft's Tom Burt,
"Ransomware is one of the largest threats to the upcoming election."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-277e7x22591cx066339&

------------------------------

Date: Mon, 12 Oct 2020 10:26:46 -1000
From: geoff goodfellow
Subject: Campaigns sidestep Cambridge Analytica crackdown with new methods (AFP)

"Your early vote has not been recorded," one text message said, with a link
for more information. Other messages tell voters they are not registered, or
offer unverified information about a political opponent.
Fraudulent messages like these are drawing attention as political campaigns
ramp up data collection and voter targeting using their own technology to
circumvent restrictions imposed by social media platforms following the
Cambridge Analytica scandal.

Facebook barred apps which scraped data on users and their contacts after
revelations about the now-defunct British consulting group. But in response,
President Donald Trump's campaign and some activist groups are using their own
methods.

"What we are seeing is almost more potent than in 2016," said Samuel Woolley,
a University of Texas professor who leads propaganda research at the school's
Center for Media Engagement.

Woolley's team, which examined messages such as the above-referenced ones,
found that the Trump mobile app, and to a lesser extent those of Democrat Joe
Biden and other political activist groups, scoop up data to create profiles to
craft personalized, targeted messages by SMS, email or social media. [...]

https://www.msn.com/en-us/news/world/campaigns-sidestep-cambridge-analytica-crackdown-with-new-methods/ar-BB19TX2S

------------------------------

Date: Wed, 14 Oct 2020 00:54:07 -0400
From: Monty Solomon
Subject: Severed cable takes out Virginia voter site on registration deadline
  (Ars Technica)

https://arstechnica.com/tech-policy/2020/10/severed-cable-takes-out-virginia-voter-site-on-registration-deadline/

Contractor installing a sewer line hit an unmarked cable.

  [MORE added by PGN:
  https://www.wric.com/news/virginia-news/virginias-state-agency-websites-experiencing-outages/
  https://www.oag.state.va.us/media-center/news-releases/1852-october-14-2020-judge-approves-attorney-general-herring-s-agreement-to-extend-voter-registration-deadline
  https://www.wric.com/news/virginia-news/calls-mount-to-extend-virginias-voter-registration-deadline-as-online-system-goes-down/
  The RISKS archives are laden with accidental cable cuts.  PGN]

------------------------------

Date: Sun, 11 Oct 2020 14:06:24 +0800
From: Richard Stein
Subject: A different way the news is dividing America (yahoo!)

https://finance.yahoo.com/news/a-different-way-the-news-is-dividing-america-113945965.html

The 'information haves' subscribe to be informed: they can afford it, and
possess the luxurious volition to ignore or believe the published content. The
'information have-nots' have no choice. They are routinely under-informed or
misinformed by "pink slime news": freely accessible robot news sources or
scripted news services that promote divisive propaganda designed to mislead
and compel conflict.

"Pink slime journalism is at its core about two things; getting clicks for a
quick buck, or furthering a political agenda -- often the far-right or foreign
state actors, such as the Russians. In many cases these factors are conflated
into a foul, bubbling cauldron of propaganda, salaciousness and lies."

"Think about the people who pay for the New York Times (NYT) (6.5 million
digital subscribers), the Wall Street Journal (2.2 million), the Washington
Post (2 million), the FT (750,000) etc. -- and the people who, well, don't.
'Redlining news and information is basically saying lower socioeconomic
households won't have access because they are unwilling or unable to pay for
information and therefore relegated to a poor news diet,' says Victor Pickard,
professor at the Annenberg School of Communication at the University of
Pennsylvania and author of 'Democracy without Journalism? Confronting the
Misinformation Society'. 'It's very dangerous for a democratic society.'"

Information source redlining reinforces economic dislocation. How can a
society's citizens become globally competitive when so many are denied
affordable or free access to viable and foundational information sources?
These sources help guide daily and long-term decisions governing their
personal health, economic welfare, or loyalty.
The "pink slime information" publication problem appears intractable to
resolve given short-term economic incentives that promote circulation. These
incentives outweigh priorities that government institutions and programs
established to benefit education, and create a functional democracy. That
citizens of a democracy cannot afford to access viable and factual information
seems unconstitutional, a textbook case of big-tech capitalism on overdrive
(see https://www.scientificamerican.com/article/big-tech-out-of-control-capitalism-and-the-end-of-civilization/
by John Horgan, retrieved on 11OCT2020).

Suppose there was a legally enforceable tax on pink slime information
publication. The hypothetical "Pink Slime Information Taxation Act" authorizes
government revenue collection from "pink slime publication" platforms. The
taxes subsidize public education: school districts receive grants and vouchers
that enable students (and families) to access certified "non-pink slime"
information sources.

Does democracy's long-term survival depend on The Pink Slime Information
Detector (see https://en.wikipedia.org/wiki/I_know_it_when_I_see_it)? It might
be only a few keystrokes away from open source release.

The "Daily Planet" headline from 04OCT2027 says it all: "Literature Nobel
Prize Winner: Pink Slime Taxes Taught Me To Write."

------------------------------

Date: Sun, 11 Oct 2020 08:43:06 -1000
From: the keyboard of geoff goodfellow
Subject: Inside the strange new world of being a deepfake actor (MIT Tech Review)

*There's an art to being a performer whose face will never be seen.*

In 2019, two multimedia artists, Francesca Panetta and Halsey Burgund, set
about to pursue a provocative idea. Deepfake video and audio had been advancing
in parallel but had yet to be integrated into a complete experience. Could they
do it in a way that demonstrated the technology's full potential while
educating people about how it could be abused?
To bring the experiment to life, they chose an equally provocative subject:
they would create an *alternative history of the 1969 Apollo moon landing*.
Before the launch, US president Richard Nixon's speechwriters had prepared two
versions of his national address -- one designated ``*In Event of Moon
Disaster*,'' in case things didn't go as planned. The real Nixon, fortunately,
never had to deliver it. But a deepfake Nixon could.

So Panetta, the creative director at MIT's Center for Virtuality, and Burgund,
a fellow at the MIT Open Documentary Lab, partnered up with two AI companies.
*Canny AI* would handle the deepfake video, and *Respeecher* would prepare the
deepfake audio. With all the technical components in place, they just needed
one last thing: an actor who would supply the performance.

``We needed to find somebody who was willing to do this, because it's a little
bit of a weird ask,'' Burgund says. ``Somebody who was more flexible in their
thinking about what an actor is and does.''

While deepfakes have now been around for a number of years, deepfake casting
and acting are relatively new. Early deepfake technologies weren't very good,
used primarily in dark corners of the Internet to swap celebrities into porn
videos without their consent. But as deepfakes have grown increasingly
realistic, more and more artists and filmmakers have begun using them in
broadcast-quality productions and TV ads. This means hiring real actors for
one aspect of the performance or another. Some jobs require an actor to
provide `base' footage; others need a voice. For actors, it opens up exciting
creative and professional possibilities. But it also raises a host of ethical
questions.

``This is so new that there's no real process or anything like that,'' Burgund
says. ``I mean, we were just sort of making things up and flailing about.''

``Want to become Nixon?'' [...]
https://www.technologyreview.com/2020/10/09/1009850/ai-deepfake-acting/

------------------------------

Date: Wed, 14 Oct 2020 15:27:56 -0600
From: Jim Reisert AD1C
Subject: From a small town in North Carolina to big-city hospitals, how
  software infuses racism into U.S. health care (Casey Ross)

Casey Ross, StatNews, 13 Oct 2020
https://www.statnews.com/2020/10/13/how-software-infuses-racism-into-us-health-care/

A STAT investigation found that a common method of using analytics software to
target medical services to patients who need them most is infusing racial bias
into decision-making about who should receive stepped-up care. While a study
published last year documented bias in the use of an algorithm in one health
system, STAT found the problems arise from multiple algorithms used in
hospitals across the country. The bias is not intentional, but it reinforces
deeply rooted inequities in the American health care system, effectively
walling off low-income Black and Hispanic patients from services that less
sick white patients routinely receive.

------------------------------

Date: Mon, 12 Oct 2020 10:29:09 -1000
From: geoff goodfellow
Subject: Split-Second `Phantom' Images Can Fool Tesla's Autopilot (WiReD)

*Researchers found they could stop a Tesla by flashing a few frames of a stop
sign for less than half a second on an Internet-connected billboard.*

SAFETY CONCERNS OVER automated driver-assistance systems like Tesla's usually
focus on what the car can't see, like the white side of a truck that one Tesla
confused with a bright sky in 2016, leading to the death of a driver. But one
group of researchers has been focused on what autonomous driving systems might
see that a human driver doesn't -- including "phantom" objects and signs that
aren't really there, which could wreak havoc on the road.

Researchers at Israel's Ben Gurion University of the Negev have spent the last
two years experimenting with those "phantom" images to trick semi-autonomous
driving systems. They previously revealed that they could use split-second
light projections on roads to successfully trick Tesla's driver-assistance
systems into automatically stopping without warning when its camera sees
spoofed images of road signs or pedestrians. In new research, they've found
they can pull off the same trick with just a few frames of a road sign injected
on a billboard's video. And they warn that if hackers hijacked an
Internet-connected billboard to carry out the trick, it could be used to cause
traffic jams or even road accidents while leaving little evidence behind.

"The attacker just shines an image of something on the road or injects a few
frames into a digital billboard, and the car will apply the brakes or possibly
swerve, and that's dangerous," says Yisroel Mirsky, a researcher for Ben
Gurion University and Georgia Tech who worked on the research, which will be
presented next month at the ACM Computer and Communications Security
conference. "The driver won't even notice at all. So somebody's car will just
react, and they won't understand why."

In their first round of research, published earlier this year, the team
projected images of human figures onto a road, as well as road signs onto
trees and other surfaces. They found that at night, when the projections were
visible, they could fool both a Tesla Model X running the HW2.5 Autopilot
driver-assistance system -- the most recent version available at the time, now
the second-most-recent -- and a Mobileye 630 device. They managed to make a
Tesla stop for a phantom pedestrian that appeared for a fraction of a second,
and tricked the Mobileye device into communicating the incorrect speed limit
to the driver with a projected road sign.

In this latest set of experiments, the researchers injected frames of a
phantom stop sign on digital billboards, simulating what they describe as a
scenario in which someone hacked into a roadside billboard to alter its video.
They also upgraded to Tesla's most recent version of Autopilot known as HW3.
They found that they could again trick a Tesla or cause the same Mobileye
device to give the driver mistaken alerts with just a few frames of altered
video. [...]

https://www.wired.com/story/tesla-model-x-autopilot-phantom-images/

  [Richard Stein noted Advanced driver-assistance systems found to be
  susceptible to split-second flash phantoms (Techxplore.com)
  https://techxplore.com/news/2020-10-advanced-driver-assistance-susceptible-split-second-phantoms.html]

------------------------------

Date: Sat, 10 Oct 2020 13:05:02 -1000
From: geoff goodfellow
Subject: Car design about to change forever? (Fast Company)

Electric vehicles are incredible. Beyond eliminating fossil fuels, they are
whisper quiet, accelerate faster than gasoline cars, and according to *a new
Consumer Reports study*, operate with less expensive maintenance over time.
But one of the biggest benefits of EVs is that they are *revolutionizing* the
way cars are built.

How? As this new video from Israeli startup Ree demonstrates, the EV of
tomorrow is basically just a giant skateboard. With tiny motors placed inside
the wheels, the car can assume any form imaginable; any sort of seating or
storage arrangement can be built right on top of this flat base.

Traditional gas cars were built atop a flat chassis, too. But that chassis was
hardly so self contained. Components like your engine and steering system are
on top. Then the motor propels a complex series of axles under the car. Of
course you have brakes, suspension, cooling systems, gas lines, and other
systems to snake around, too. It all adds up to *30,000 parts* which are
screwed, pressed, glued, and welded together. Today, most modern manufacturing
uses robots to frame out the entire car first like a house -- from chassis to
body -- meaning your car's floorpan is permanent from its earliest moments on
the assembly line.
Ree was one of our Most Innovative Companies of 2020, and it's one of several
manufacturers working on an alternative platform. Peers include automotive
mainstays like *VW*, newer startups like *Rivian*, and even *Tesla*. But Ree's
new video, seen here, is the first time I've witnessed the odd spectacle of
these flat chassis whipping around a track with no other filigree attached.
[...]

https://www.fastcompany.com/90562654/car-design-is-about-to-change-forever-this-video-encapsulates-how

------------------------------

Date: Thu, 15 Oct 2020 08:48:36 -1000
From: the keyboard of geoff goodfellow
Subject: Cruise received a permit from the California DMV to remove human
  backup drivers from our self-driving cars (Twitter)

https://twitter.com/Cruise/status/1316786478291320834

  [Gives new meaning to Cruise control, or the lack thereof?  PGN]

------------------------------

Date: Wed, 14 Oct 2020 16:22:04 -1000
From: the keyboard of geoff goodfellow
Subject: This Ferrari got bricked because someone tried to upgrade it
  underground, where there's no cell reception. DRM in cars rules. (Twitter)

https://twitter.com/internetofshit/status/1315736960082808832
which leads to
https://old.reddit.com/r/Justrolledintotheshop/comments/j914fh/dude_comes_straight_from_the_dealership_for_a/

------------------------------

Date: Mon, Oct 12, 2020 at 1:49 AM
From: Dewayne Hendricks
Subject: Fifth of countries at risk of ecosystem collapse, analysis finds
  (The Guardian)

Trillions of dollars of GDP depend on biodiversity, according to Swiss report

One-fifth of the world's countries are at risk of their ecosystems collapsing
because of the destruction of wildlife and their habitats, according to an
analysis by the insurance firm Swiss Re.

Natural services such as food, clean water and air, and flood protection have
already been damaged by human activity. More than half of global GDP -- $42tn
-- depends on high-functioning biodiversity, according to the report, but the
risk of tipping points is growing.
Countries including Australia, Israel and South Africa rank near the top of
Swiss Re's index of risk to biodiversity and ecosystem services, with India,
Spain and Belgium also highlighted. Countries with fragile ecosystems and
large farming sectors, such as Pakistan and Nigeria, are also flagged up.
Countries including Brazil and Indonesia had large areas of intact ecosystems
but had a strong economic dependence on natural resources, which showed the
importance of protecting their wild places, Swiss Re said.

``A staggering fifth of countries globally are at risk of their ecosystems
collapsing due to a decline in biodiversity and related beneficial services,''
said Swiss Re, one of the world's biggest reinsurers and a linchpin of the
global insurance industry.

``If the ecosystem service decline goes on [in countries at risk], you would
see then scarcities unfolding even more strongly, up to tipping points,'' said
Oliver Schelske, lead author of the research.

Jeffrey Bohn, Swiss Re's chief research officer, said: ``This is the first
index to our knowledge that pulls together indicators of biodiversity and
ecosystems to cross-compare around the world, and then specifically link back
to the economies of those locations.''

The index was designed to help insurers assess ecosystem risks when setting
premiums for businesses but Bohn said it could have a wider use as it
``allows businesses and governments to factor biodiversity and ecosystems into
their economic decision-making.''

The UN revealed in September that the world's governments failed to meet a
single target to stem biodiversity losses in the last decade, while leading
scientists warned in 2019 that humans were in jeopardy from the accelerating
decline of the Earth's natural life-support systems. More than 60 national
leaders recently pledged to end the destruction.

The Swiss Re index is built on 10 key ecosystem services identified by the
world's scientists and uses scientific data to map the state of these services
at a resolution of one square kilometre across the world's land. The services
include provision of clean water and air, food, timber, pollination, fertile
soil, erosion control, and coastal protection, as well as a measure of habitat
intactness.

Those countries with more than 30% of their area found to have fragile
ecosystems were deemed to be at risk of those ecosystems collapsing. Just one
in seven countries had intact ecosystems covering more than 30% of their
country area.

Among the G20 leading economies, South Africa and Australia were seen as being
most at risk, with China 7th, the US 9th and the UK 16th.

Alexander Pfaff, a professor of public policy, economics and environment at
Duke University in the US, said: ``Societies, from local to global, can do
much better when we not only acknowledge the importance of contributions from
nature -- as this index is doing -- but also take that into account in our
actions, private and public.'' [...]

https://www.theguardian.com/environment/2020/oct/12/fifth-of-nations-at-risk-of-ecosystem-collapse-analysis-finds

------------------------------

Date: Wed, 14 Oct 2020 00:57:46 -0400
From: Gabe Goldberg
Subject: The Man Who Speaks Softly -- and Commands a Big Cyber Army (WiReD)

Meet General Paul Nakasone. He reined in chaos at the NSA and taught the US
military how to launch pervasive cyberattacks. And he did it all without you
noticing.
https://www.wired.com/story/general-paul-nakasone-cyber-command-nsa/

------------------------------

Date: Sat, 10 Oct 2020 12:47:57 -1000
From: the keyboard of geoff goodfellow
Subject: SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the
  World in 1 hour (Business Insider)

Fresh Delivery

SpaceX and the Pentagon just signed a contract to jointly develop a new rocket
that can launch into space and deliver up to 80 tons of cargo and weaponry
anywhere in the world -- in just one hour.

Tests on the rocket are expected to begin as early as next year, *Business
Insider reports*. It's expected to shuttle weapons around the world 15 times
faster than existing aircraft, like the US C-17 Globemaster.

``Think about moving the equivalent of a C-17 payload anywhere on the globe in
less than an hour,'' General Stephen Lyons, head of US Transportation Command,
said at a Wednesday conference.

Military Contractor

The new contract is further evidence that SpaceX is leaning hard into military
partnerships. Earlier this week, the private space company won a contract with
the military's Space Development Agency to *manufacture four missile-tracking
satellites*. Prior to that, the *Army approached SpaceX* about turning its
constellation of Starlink broadband satellites into a new military navigation
network, and Space Force officials let slip earlier this year that they were
*already working closely* with SpaceX after awarding the company a contract
*in August*, *BI* reports.

History Rhymes

The new weapon delivery system resembles a militarized version of something
that SpaceX CEO Elon Musk proposed *back in 2017*, when he talked about
passenger space travel. Back then, Musk proposed launching passengers into
space and then quickly landing them back down closer to their destination. The
new plan is highly similar, just with weapons rather than people.

READ MORE: The US military and Elon Musk are planning a 7,500 mph rocket that
can deliver weapons anywhere in the world in an hour [*Business Insider*]

More on SpaceX: *The US Military Wants Access to SpaceX's Satellite
Constellation*

https://futurism.com/the-byte/spacex-building-military-rocket-to-ship-weapons-anywhere-world

------------------------------

Date: Wed, 14 Oct 2020 19:57:27 +0300
From: Mike Rechtman
Subject: Israel cyber watchdog rests on the sabbath (Israel Defense)

https://www.israeldefense.co.il/he/node/45782
(In Hebrew; does not appear in the English-language version)

The Israel Lands Administration (a governmental department) has set up a
cyber war-room SOC/SIEM for cyber support in cases of problems or the need to
escalate issues to suppliers (rough translation). The centre will supply
support 24 hours Sunday to Thursday, half-day on Friday, and none on
Saturday.

Do not waste your time attacking the Lands Administration sites on weekdays.

------------------------------

Date: Thu, 15 Oct 2020 07:43:26 +0000
From: Bruce Schneier
Subject: Hacking a Coffee Maker (CRYPTO-GRAM)

  [Excerpted from Bruce's CRYPTO-GRAM, 15 Oct 2020 by PGN]

[2020.09.29] [https://www.schneier.com/blog/archives/2020/09/hacking-a-coffee-maker.html]

As expected, IoT devices are filled with vulnerabilities
[https://arstechnica.com/information-technology/2020/09/how-a-hacker-turned-a-250-coffee-maker-into-ransom-machine/]:

  As a thought experiment, Martin Hron, a researcher at security company
  Avast, reverse-engineered one of the older coffee makers to see what kinds
  of hacks he could do with it. After just a week of effort, the unqualified
  answer was: quite a lot. Specifically, he could trigger the coffee maker to
  turn on the burner, dispense water, spin the bean grinder, and display a
  ransom message, all while beeping repeatedly. Oh, and by the way, the only
  way to stop the chaos was to unplug the power cord.

  [...]
  In any event, Hron said the ransom attack is just the beginning of what an
  attacker could do. With more work, he believes, an attacker could program a
  coffee maker -- and possibly other appliances made by Smarter -- to attack
  the router, computers, or other devices connected to the same network. And
  the attacker could probably do it with no overt sign anything was amiss.

  [No surprise. This is just one more example of the risks related to the
  Internet of Things, and of course to the Things Themselves.  PGN]

------------------------------

Date: Sat, 10 Oct 2020 22:40:22 -0400
From: Monty Solomon
Subject: Apple's T2 security chip has an unfixable flaw (Lily Hay Newman)

Checkm8 vulnerability used to jailbreak iPhones hits Macs as well.
by Lily Hay Newman, wired.com, Oct 10, 2020

A recently released tool is letting anyone exploit an unusual Mac
vulnerability to bypass Apple's trusted T2 security chip and gain deep system
access. The flaw is one researchers have also been using for more than a year
to jailbreak older models of iPhones. But the fact that the T2 chip is
vulnerable in the same way creates a new host of potential threats. Worst of
all, while Apple may be able to slow down potential hackers, the flaw is
ultimately unfixable in every Mac that has a T2 inside.

In general, the jailbreak community hasn't paid as much attention to macOS and
OS X as it has iOS, because they don't have the same restrictions and walled
gardens that are built into Apple's mobile ecosystem. But the T2 chip,
launched in 2017, created some limitations and mysteries. Apple added the chip
as a trusted mechanism for securing high-value features like encrypted data
storage, Touch ID, and Activation Lock, which works with Apple's "Find My"
services. But the T2 also contains a vulnerability, known as Checkm8, that
jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to
2017) mobile chipsets. Now Checkra1n, the same group that developed the tool
for iOS, has released support for T2 bypass. [...]

https://arstechnica.com/information-technology/2020/10/apples-t2-security-chip-has-an-unfixable-flaw/
https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/

------------------------------

Date: Sun, 11 Oct 2020 03:35:44 -0400
From: Monty Solomon
Subject: Indian Police Accuse Popular TV Station of Ratings Fraud (NYTimes)

But this week, police officials in Mumbai accused Republic TV and two smaller
channels of rigging the ratings system by paying poor people the equivalent of
a few dollars a month to tune into the station and leave their televisions on.
In some cases, police officials said, people being bribed to watch the
English-language channel did not speak English and were annoyed to tie up
their television sets with programming that they couldn't even understand.
[...]

https://www.nytimes.com/2020/10/09/world/asia/india-republic-tv-ratings.html

------------------------------

Date: Sun, 11 Oct 2020 17:25:08 -0400
From: Gabe Goldberg
Subject: Watch out for this green dot on your iPhone -- it means someone is
  watching (The Sun)

IF you've ever panicked that an app might be watching through your iPhone's
camera, Apple has got you covered. The latest iPhone update adds a new
"warning dot" that alerts you whenever your microphone or camera is activated.

https://www.the-sun.com/lifestyle/tech/1595314/iphone-green-dot-orange-camera-microphone-notification-ios-14/

The risks? Not running current iOS, not noticing little dots on screen.
------------------------------

Date: Sun, 11 Oct 2020 17:05:35 -0400
From: Gabe Goldberg
Subject: Fairfax County Schools Employee Data Leaked On Dark Web: Report (Patch)

https://patch.com/virginia/vienna/fairfax-county-schools-employee-data-leaked-dark-web-report

------------------------------

Date: Sat, 10 Oct 2020 21:09:30 -0400
From: Monty Solomon
Subject: A prison video visitation service exposed private calls between inmates and their attorneys (Tech Crunch)

Fearing the spread of coronavirus, jails and prisons remain on lockdown. Visitors are unable to see their loved ones serving time, forcing friends and families to use prohibitively expensive video visitation services that often don't work.

But now the security and privacy of these systems are under scrutiny after one St Louis-based prison video visitation provider had a security lapse that exposed thousands of phone calls between inmates and their families, but also calls with their attorneys that were supposed to be protected by attorney-client privilege. [...]

https://techcrunch.com/2020/10/10/prison-visitation-homewav-leak/

------------------------------

Date: Sun, 11 Oct 2020 03:39:09 -0400
From: Monty Solomon
Subject: Herd immunity letter signed by fake experts including 'Dr Johnny Bananas' (The Guardian)

9 Oct 2020

An open letter that made headlines calling for a herd immunity approach to Covid-19 lists a number of apparently fake names among its expert signatories, including Dr Johnny Bananas and Professor Cominic Dummings.

The Great Barrington declaration, which was said to have been signed by more than 15,000 scientists and medical practitioners around the world, was found by Sky News to contain numerous false names, as well as those of several homeopaths. [...]
https://www.theguardian.com/world/2020/oct/09/herd-immunity-letter-signed-fake-experts-dr-johnny-bananas-covid

------------------------------

Date: Wed, 14 Oct 2020 15:59:28 +0100
From: "Patrick O'Beirne"
Subject: Updated Eusprig page

Ever seen a report on an out-of-date website and think "oops, that's my job"? So, I updated this page, please refresh to read it :)
http://www.eusprig.org/horror-stories.htm

My own analysis of the sorry tale is at
https://sysmod.wordpress.com/2020/10/13/uk-covid-19-track-trace-excel-snafu-uncontrolled-spreadsheets-lead-to-data-loss/

------------------------------

Date: Mon, Oct 12, 2020 at 12:00 AM
From: Dewayne Hendricks
Subject: 'I Feel Like I Have Dementia': Brain Fog Plagues Covid Survivors (NYTimes)

*The condition is affecting thousands of patients, impeding their ability to work and function in daily life.*

https://www.nytimes.com/2020/10/11/health/covid-survivors.html

------------------------------

Date: Mon, 12 Oct 2020 10:31:54 -1000
From: geoff goodfellow
Subject: International Statement: End-To-End Encryption and Public Safety (DoJ)

Department of Justice
Office of Public Affairs
FOR IMMEDIATE RELEASE
Sunday, October 11, 2020

International Statement: End-To-End Encryption and Public Safety

We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security. It also serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people, as stated in the 2017 resolution of the UN Human Rights Council[1]. Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.
Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.

We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:

- Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
- Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
- Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

*IMPACT ON PUBLIC SAFETY*

Law enforcement has a responsibility to protect citizens by investigating and prosecuting crime and safeguarding the vulnerable. Technology companies also have responsibilities and put in place terms of service for their users that provide them authority to act to protect the public. End-to-end encryption that precludes lawful access to the content of communications in any circumstances directly impacts these responsibilities, creating severe risks to public safety in two ways:

1. By severely undermining a company's own ability to identify and respond to violations of their terms of service. This includes responding to the most serious illegal content and activity on its platform, including child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning; and
2. By precluding the ability of law enforcement agencies to access content in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security, where there is lawful authority to do so.

Concern about these risks has been brought into sharp focus by proposals to apply end-to-end encryption across major messaging services. UNICEF estimates that one in three internet users is a child. The WePROTECT Global Alliance -- a coalition of 98 countries, 39 of the largest companies in the global technology industry, and 41 leading civil society organisations -- set out clearly the severity of the risks posed to children online by inaccessible encrypted services in its 2019 Global Threat Assessment:

``Publicly-accessible social media and communications platforms remain the most common methods for meeting and grooming children online. In 2018, Facebook Messenger was responsible for nearly 12 million of the 18.4 million worldwide reports of CSAM [child sexual abuse material to the US National Center for Missing and Exploited Children (NCMEC)].
These reports risk disappearing if end-to-end encryption is implemented by default, since current tools used to detect CSAM [child sexual abuse material] do not work in end-to-end encrypted environments.'' [2]

On 3 October 2019 NCMEC published a statement on this issue, stating that: ``If end-to-end encryption is implemented without a solution in place to safeguard children, NCMEC estimates that more than half of its CyberTipline reports will vanish.'' [3]

And on 11 December 2019, the United States and European Union (EU) issued a joint statement making clear that while encryption is important for protecting cyber security and privacy: ``the use of warrant-proof encryption by terrorists and other criminals -- including those who engage in online child sexual exploitation -- compromises the ability of law enforcement agencies to protect victims and the public at large.'' [4]

*RESPONSE*

In light of these threats, there is increasing consensus across governments and international institutions that action must be taken: while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online.

In July 2019, the governments of the United Kingdom, United States, Australia, New Zealand and Canada issued a communique, concluding that: ``tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format.
Those companies should also embed the safety of their users in their system designs, enabling them to take action against illegal content.'' [5]

On 8 October 2019, the Council of the EU adopted its conclusions on combating child sexual abuse, stating: ``The Council urges the industry to ensure lawful access for law enforcement and other competent authorities to digital evidence, including when encrypted or hosted on IT servers located abroad, without prohibiting or weakening encryption and in full respect of privacy and fair trial guarantees consistent with applicable law.'' [6]

The WePROTECT Global Alliance, NCMEC and a coalition of more than 100 child protection organisations and experts from around the world have all called for action to ensure that measures to increase privacy -- including end-to-end encryption -- should not come at the expense of children's safety [7].

*CONCLUSION*

We are committed to working with industry to develop reasonable proposals that will allow technology companies and governments to protect the public and their privacy, defend cyber security and human rights and support technological innovation. While this statement focuses on the challenges posed by end-to-end encryption, that commitment applies across the range of encrypted services available, including device encryption, custom encrypted applications and encryption across integrated platforms.

We reiterate that data protection, respect for privacy and the importance of encryption as technology changes and global Internet standards are developed remain at the forefront of each state's legal framework. However, we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.
*SIGNATORIES*

Rt Hon Priti Patel MP, United Kingdom Secretary of State for the Home Department
William P. Barr, Attorney General of the United States
The Hon Peter Dutton MP, Australian Minister for Home Affairs
Hon Andrew Little MP, Minister of Justice, Minister Responsible for the GCSB, Minister Responsible for the NZSIS
The Honourable Bill Blair, Minister of Public Safety and Emergency Preparedness
India
Japan

*11 October 2020*

[1] https://documents-dds-ny.un.org/doc/UNDOC/LTD/G17/073/06/PDF/G1707306.pdf?OpenElement
[2] WePROTECT Global Alliance, *2019 Global Threat Assessment*, available online at: <https://static1.squarespace.com/static/5630f48de4b00a75476ecf0a/t/5deecb0fc4c5ef23016423cf/1575930642519/FINAL+-+Global+Threat+Assessment.pdf>
[3] http://www.missingkids.org/blog/2019/post-update/end-to-end-encryption
[4] https://www.consilium.europa.eu/en/press/press-releases/2019/12/11/joint-eu-us-statement-following-the-eu-us-justice-and-home-affairs-ministerial-meeting/
[5] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/822818/Joint_Meeting_of_FCM_and_Quintet_of_Attorneys_FINAL.pdf
[6] https://data.consilium.europa.eu/doc/document/ST-12862-2019-INIT/en/pdf
[7] http://www2.paconsulting.com/rs/526-HZE-833/images/WePROTECT%202019%20Global%20Threat%20Assessment%20%28FINAL%29.pdf?_ga=2.109176709.1865852339.1591953966-1877278557.1591953966, http://www.missingkids.org/blog/2019/post-update/end-to-end-encryption, https://www.nspcc.org.uk/globalassets/documents/policy/letter-to-mark-zuckerberg-february-2020.pdf

https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety

------------------------------

Date: Tue, 13 Oct 2020 11:58:12 -1000
From: geoff goodfellow
Subject: Wearable tattoo: Scientists print sensors directly onto skin without heat (UPI)

Engineers have developed a way to print biometric sensors onto skin, like a non-permanent tattoo, without the use of heat.
In addition to being more comfortable and less intrusive than today's wearable devices, the technology -- described Monday *in the journal ACS Applied Materials and Interfaces* -- can also collect more precise biometric measurements.

"In this article, we report a simple yet universally applicable fabrication technique with the use of a novel sintering aid layer to enable direct printing for on-body sensors," first author Ling Zhang, researcher in the Harbin Institute of Technology in China, said in a news release.

Zhang and lead researcher Huanyu "Larry" Cheng, professor of engineering science and mechanics at Penn State University, previously fabricated flexible printed circuit boards for wearable devices. [...]

https://www.upi.com/Science_News/2020/10/12/Wearable-tattoo-Scientists-print-sensors-directly-onto-skin-without-heat/8371602507160/

------------------------------

Date: Wed, 14 Oct 2020 10:28:05 +0800
From: Richard Stein
Subject: Continuous glucose monitoring/insulin dosing systems

The National Diabetes Statistics Report, 2020, yields "Estimates of Diabetes and Its Burden in the United States." The summary (pg. 3) states for calendar year 2018:
https://www.cdc.gov/diabetes/pdfs/data/statistics/national-diabetes-statistics-report.pdf

* 34.2 million people of all ages -- or 10.5% of the US population -- had diabetes.
* 34.1 million adults aged 18 years or older -- or 13.0% of all U.S. adults -- had diabetes (Table 1a; Table 1b).
* 7.3 million adults aged 18 years or older who met laboratory criteria for diabetes were not aware of or did not report having diabetes (undiagnosed diabetes, Table 1b). This number represents 2.8% of all US adults (Table 1a) and 21.4% of all US adults with diabetes.

Page 15 summarizes health care costs: The total direct and indirect estimated costs of diagnosed diabetes in the United States in 2017 was US$ 327B.
Invoking https://catless.ncl.ac.uk/Risks/search?query=glucose reveals 10 prior posts from AUG2005 through APR2020 that discuss device/system safety, and document patient quality of life impact.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4667344/ (retrieved on 12OCT2020) summarizes continuous glucose monitor (CGM) and Insulin Dosing (ID) device patient usage experience in the US and Germany. This limited study does not provide device deployment estimates per 100,000 population diagnosed with diabetes.

https://www.americanactionforum.org/research/understanding-the-insulin-market/ (retrieved on 14OCT) indicates that 8.3M patients in the US require insulin to treat a diabetic condition. Patient insulin dependence is likely to determine CGM/ID device eligibility. Given the National Diabetes Report, the number of deployed devices is likely large (greater than 100,000) with anticipated growth.

Refer to https://www.niddk.nih.gov/health-information/diabetes/overview/managing-diabetes/continuous-glucose-monitoring (retrieved on 12OCT2020) for an illustration and description of the major device components used in a CGM.

The FDA's Total Product Lifecycle (TPLC) reporting system collates device problems for integrated glucose monitor and insulin dosing devices. There are four FDA-allocated product codes: QFG, OZQ, OZP and OZO categorizing these devices for certification and reporting purposes. This RISKS submission summarizes TPLC tabulations for devices assigned to product codes OZO and OZP. These product codes appear to possess the highest density of CGM/ID device problems and medical device reports (MDRs). MDRs usually originate from patient-device interactions that yield injury, malfunction, death, or other significant events that merit MDR submission to FDA's MAUDE utility.
For OZO, from 01JAN2015 to 30SEP2020 (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=727&min_report_year=2015), the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Device Displays Incorrect Message,49762,49762
Adverse Event Without Identified Device or Use Problem,28727,28727
Patient Device Interaction Problem,27400,27400
Obstruction of Flow,16925,16925
No Display/Image,16613,16613
Pumping Stopped,13318,13318
No Apparent Adverse Event,11854,11854
Mechanical Problem,10551,10551
Device Difficult to Program or Calibrate,10441,10441
Power Problem,10175,10175

The same report yields medical device reports (MDR) originating with patients. Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
No Consequences Or Impact To Patient,130842,130842
Hyperglycemia,73219,73219
No Known Impact Or Consequence To Patient,42242,42242
Hypoglycemia,22639,22639
Diabetic Ketoacidosis,5174,5174
Vomiting,1671,1671
Nausea,1583,1583
Death,881,881
Blood Loss,854,854
Loss of consciousness,770,770

For OZP, from 01JAN2015 to 30SEP2020 (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=727&min_report_year=2015), the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Patient Device Interaction Problem,47719,47719
Adverse Event Without Identified Device or Use Problem,31499,31499
No Apparent Adverse Event,20789,20789
Power Problem,11452,11452
Connection Problem,11060,11060
No Display/Image,10546,10546
Appropriate Term/Code Not Available,9079,9079
Device Alarm System,7415,7415
Mechanical Problem,6354,6354
Device Difficult to Program or Calibrate,6024,6024
Moisture or Humidity Problem,5974,5974

The same report yields medical device reports (MDR) originating with patients.
Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
No Consequences Or Impact To Patient,95530,95530
Hyperglycemia,36555,36555
Hypoglycemia,15859,15859
Diabetic Ketoacidosis,2550,2550
Blood Loss,1999,1999
Nausea,1142,1142
Vomiting,940,940
Abdominal Pain,447,447
Dyspnea,355,355
No Known Impact Or Consequence To Patient,332,332

------------------------------

Date: Mon, 12 Oct 2020 13:36:58 +0300
From: Amos Shapir
Subject: Onions too sexy for Facebook (BBC)

An ad for onions was rejected by Facebook's automatic censor because the onions were presented "in a sexually suggestive manner".

Full story at: https://www.bbc.com/news/54467384

  [This is a case of onion routing, in that the onion ads were routed. It should really make you want to cry. PGN]

------------------------------

Date: Wed, 14 Oct 2020 12:07:31 -0700
From: Rob Slade
Subject: Interview techniques and the "don't know" answer

While I'm not an expert on interviewing techniques, one of the pointers I do know is that when you ask a subject about something they should know about, and they have no idea or opinion, they are lying to you. Or, at the very least, trying to hide something.

For example, I am a security maven. If you were to ask me how I would go about breaking into something, I should have at least half a dozen ideas to try, right off the top of my head. If I said I had no idea how I would approach breaking into whatever you were interested in, it's probably a good bet that I am already well along in my plan to actually break into it, and don't want to give the game away.
As another example, if you are questioning, say, a judge, about appointment to a higher office, and you know that the judge under investigation clerked for a higher court judge, and you ask the judge under investigation about the higher court judge's opinion that a case should have been decided otherwise, and the judge under investigation says that [he or] she doesn't want to give an opinion off the top of her head, she's lying. Well, she's either lying or completely incompetent, or trying, very seriously, to mislead you, or avoid answering. It's her job to have an opinion. And it wouldn't be off the top of her head: she worked with the higher court judge and probably had something to do with writing the dissenting opinion. It's her job, it's her background, and there is no reason for her to avoid answering the question, in great detail. Unless [he or] she's lying.

------------------------------

Date: Thu, 15 Oct 2020 09:34:26 -0700
From: Rob Slade
Subject: To my friends and colleagues in the U.S.: Be careful out there.

Oh, my colleagues and only friends, especially in the US -- you are under threat. You are in danger. You are at risk. Please be careful.

Possibly it is because I put myself through uni working in a hospital and even an isolation ward. Perhaps it is because I just finished writing a book on "Cybersecurity Lessons from CoVID-19." I am, perhaps, more sensitized to the topic, and I have, possibly, been keeping too close an eye on the numbers. But I suspect you may be heading for trouble. Maybe not you, personally, but, maybe.

You, my colleagues and friends, are professionals, and live and work in environments that are probably not at greatest risk. But infectious diseases do not pay attention to rent levels. And possibly someone that you know and love is at greater risk.

I live in BC. We've been very fortunate.
We were at high risk due to levels of international travel, but we were randomly lucky in regard to things like the dates of spring school vacation, and having the world's greatest chief medical health officer. March and April were really hard, and then we seemed to get things under control.

But, in pandemics, things may not be as they "seem." Recently we have had a surge in cases in BC. Every pandemic in history has had a second wave, and generally worse than the first. Unfortunately, there isn't a good pattern for second waves, other than that they exist; and the only way to know when you've had it is after it's over. Our recent surge, in BC, may be our second wave. Or, our second wave may still be to come. But four other provinces in Canada have also had surges. Europe is having a surge. And, despite having the highest rates both absolutely and per capita, there are indications that the US may be heading for a surge as well. The predictions of 400,000 deaths by January may be conservative.

Everybody is tired of the pandemic. And the fact that there is so much we don't know about it makes it much harder to get people to pay attention. We do not like uncertainty. We dislike it so much that when things are uncertain we ignore them.

We have only known of the existence of this class of virus for sixty years. We have had only one experience with a disease from this class of virus, and that was limited and short-lived. This type of virus defies our models of spread from better-known disease vectors. Getting a disease from many viruses confers life-long protection, but this one seems to be able to re-infect some people, sometimes within months. We are learning as we go, and it's hard to keep up. And, unfortunately, as we go, and as we learn, some people are dying, and others are getting very sick. Sometimes for a long time.

We are working on a vaccine. At least 150 vaccines, in fact. A handful are under last stage trials.
Two of those trials have been halted, hopefully temporarily, because of possible problems that have come to light during the trials. This is common, and it is the purpose of trials to find those problems. This time around it is making news only because people are so desperate for the vaccines. But, even when we find a vaccine (hopefully more than one), we then have to manufacture (carefully, and with due attention to contamination) billions of doses, and then figure out how everyone is going to get "shot." Many people are thinking we will have a vaccine by the beginning of the new year. I rather suspect that it will be June before enough people have been vaccinated to provide real protection.

In the meantime, as Dr. Bonnie Henry has said, the future is in your hands, and you must continue to wash them. Strict isolation is not absolutely necessary, and, as Poe pointed out in "The Masque of the Red Death," not guaranteed. Nothing, in fact, is guaranteed. Defence in depth and layered defence is mandatory. Physical distancing is primary. Keeping groups; *all* groups, *all* meetings, *all* parties; small and to a minimum is primary. Washing your hands, constantly, is vital. Wearing a mask, if you must be in public or with others, is not magic and will not save you, but reduces (not eliminates) the risk of close contact. Follow the World Health Organization's Five Heroic Acts. (Speaking of which, the integrity of advice is not only changing, but is under attack. Stick to the advice of those who know what they are talking about. Listen to experts like Bonnie Henry or Fauci, not Barrington and his gang of homeopaths.) Activities with heavy breathing and in large groups, like contact sports or choirs, are very dangerous. (Orgies are *definitely* contraindicated.)

https://www.who.int/campaigns/connecting-the-world-to-combat-coronavirus/safehands-challenge/5-heroic-acts

Be kind. Be calm. Be safe. Be careful. This is not forever, but it is for now.
------------------------------

Date: Mon, 12 Oct 2020 21:59:16 +0100
From: Chris Drewe
Subject: Re: Why cars are more "fragile": more technology has reduced robustness (Robinson, RISKS-32.31)

A few years ago, a motoring journalist commented that there seems to be an 'unholy alliance' between governments and car makers; they want to show how much they want to save our lives and save the planet so they add these costly features for improved safety, fuel economy, and lower emissions. Governments like this because it shows how caring and compassionate they are, and car makers like this because it allows them to control the repair business. And making cars difficult to repair probably earns more tax $$$$s for selling new ones.

One example that comes to mind is the power steering on my car, made in 1988, which uses the traditional hydraulic pump and steering box. Works fine, but the slight snag is poor energy efficiency. Modern cars use electric power steering, with an electric motor and tons of complicated electronics. Much better energy efficiency as the assistance only works when it's needed, *and* the amount of assistance can be varied to suit the driver's taste (fingertip-light to sports car) with a dashboard control. Downside is that it's (reportedly) not a repairable item, with replacements (if still available) allegedly $1,000 or so + labour + cost of recalibrating the computers. The factory manual for my car gives instructions for rebuilding the steering pump and box on my kitchen table (not that I'd actually want to do this).

The *real* reason for electric power steering is that it can be integrated with the (mandated) braking-stability control, which detects the steering-wheel angle and compares the actual car's turning movement with a yaw sensor, then distributes the braking force accordingly to reduce the chance of a skid. That's apart from 'lane-assist' and similar collision-avoidance features, of course.
Dunno how these things are checked at vehicle inspection times ("MoT" in UK) -- presumably heavily dependent on self-diagnostics?

As the original poster said, it's not clear what the future holds. Many of these 'fragile' features, like the CAN bus mentioned, are legal requirements in a lot of countries so car buyers can't just choose to avoid them, and it's likely that running older cars will become more difficult over time; I believe that in mainland Europe there are often restrictions on using 'historic' vehicles, typically by selecting required days per year with a scratch card. Some British cities are proposing low-emission schemes and reduction of traffic with varying degrees of aggression -- in London there's the daily congestion charge for all vehicles in the central area, with a hefty supplementary charge for those not meeting the latest emission standards.

------------------------------

Date: Mon, 12 Oct 2020 10:18:09 +0200
From: Anthony Thorn
Subject: Re: Risks of Excel (RISKS-32.31)

Risk of Spreadsheets

In view of the recent RISKS entries about Excel, I was mildly amused to learn that the Covid 19 Aerosol Transmission model recently published by the Max Planck Institute is an Excel spreadsheet.
https://www.mpic.de/4747065/risk-calculation

For an academic paper Excel is probably appropriate. However, after thinking a bit, I was no longer amused. I believe that many of the (unpublished) models used by epidemiologists and policymakers probably also use Excel spreadsheets. There is a real risk of bad decisions resulting from errors in large complicated spreadsheets, which could have serious consequences.

The other risk is that an application will in the future be used in an application for which it was not intended and is not suitable.
------------------------------

Date: Tue, 13 Oct 2020 09:46:13 +0100
From: A Michael W Bacon
Subject: Re: Botched Excel import may have caused loss of 15,841 UK COVID-19 cases (RISKS-32.31)

The "dumbed-down" reports of this in British mainstream media, including that quoted by Thomas Dzubin, did not expose the basic issue ... which was that Public Health England (PHE) was apparently using Excel 2003 (or earlier). Office 2003 went out of support in Spring 2014, but it was (reportedly) only in July this year that PHE identified a need to upgrade.

------------------------------

Date: Sun, 11 Oct 2020 07:56:05 -0700
From: Henry Baker
Subject: Re: Apple marches to a different beat (Klein, RISKS-32.31)

Thanks to Steve and everyone else who replied to my message.

As best I can determine, my problem started with the 'Catalina' MacOS upgrade. I never had a problem with the clock prior to this upgrade. Apparently, the Catalina upgrade turned *off* automatic time sync'ing for me, thus allowing a slow clock drift over a number of months which resulted in a several minute discrepancy.

Thanks to several replies, I turned automatic time sync'ing back on, and everything is working again.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.32
************************