Subject: Risks Digest 32.52

RISKS-LIST: Risks-Forum Digest  Saturday 6 March 2021  Volume 32 : Issue 52

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

Contents:
Fed outage shuts down U.S. payment system (Tom Van Vleck via Ars Technica)
DC Vaccine Appointment Website, Phone Line Crashes Early Thursday (DCist)
Weaknesses in FAA's certification and delegation processes hindered its oversight of the 737 MAX 8 (DOT)
EU Report Warns AI Makes Autonomous Vehicles 'Highly Vulnerable' to Attack (Khari Johnson)
Heavy Rain Affects Object Detection by Autonomous Vehicle LiDAR Sensors (U.Warwick)
XC40 Recharge buyers have been told to sit tight (The Verge)
Vintage technology: 'It sounds so much cleaner' (BBC News)
Error-prone software reportedly ruined lives: Post Office scandal: Postmasters have convictions quashed (BBC)
Software Bug Keeping Hundreds Of Inmates In Arizona Prisons Beyond Release Dates (KJZZ)
Alexa in the car (Toyota)
Experts find a way to learn what you're typing during video calls (The Hacker News)
Israel adopts law allowing names of unvaccinated to be shared (AFP)
Judge in Google case disturbed that even *incognito* users are tracked (Bloomberg)
Facebook will roll back its block on news posts in Australia (Engadget)
Relativity Space unveils a reusable 3D-printed rocket to compete with SpaceX's Falcon 9 (CNBC)
Big data healthcare project raises privacy issues (M.K.McGee)
Contact-tracing apps help reduce COVID infections, data suggest (Nature)
Can Zapping Our Brains Really Cure Depression? (NYTimes)
Student Surveillance Vendor Proctorio Files SLAPP Lawsuit to Silence A Critic (EFF)
Computers get Sundays off? (Gabe Goldberg)
Formula E's Software Communication Problem (The Register via Ben Moore)
Gig Workers Gather Their Own Data to Check the Algorithm's Math (WiReD)
'Drunk' robot vacuums spark complaints from owners (BBC News)
Predictive Text Feature Coming to Microsoft Word in March (PCMag)
Doctor joins Zoom court hearing while operating on patient (BBC News)
Carranza resigns as NYC schools chancellor; Meisha Porter will replace him (NYTimes)
New security flaws detected in more credit cards (Leo Hermann)
"Virtual computer chip tests expose flaws, protect against hackers" (Matthew Sparkes)
Is Your Browser Extension a Botnet Backdoor? (Krebs on Security)
When Companies Skimp on Cybersecurity (Bruce Schneier)
Former SolarWinds CEO blames intern for "solarwinds123" password leak (CNNPolitics)
Post Office scandal: Postmasters have convictions quashed (BBC)
Objective or Biased (Bayerischer Rundfunk)
Amazon's new rotating, follow-you camera is useful -- and invasive (WashPost)
Vaccine passport certificates already exist (Clive Page)
Texas power outages demonstrate grid cyber-vulnerability and inadequacy of existing regulations (Joe Weiss)
Re: His Lights Stayed on During Texas's Storm. Now He Owes $16,752 (Keith Medcalf)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 25 Feb 2021 08:19:17 -0800
From: Tom Van Vleck
Subject: Fed outage shuts down U.S. payment system (Ars Technica)

I ran across this and wonder what really happened, and whether it can happen again.

https://arstechnica.com/tech-policy/2021/02/fed-outage-shuts-down-us-payment-systems-for-more-than-an-hour/

  [Of course it can, although perhaps for a slightly different reason. PGN]

------------------------------

Date: Thu, 25 Feb 2021 18:48:16 -0500
From: Gabe Goldberg
Subject: DC Vaccine Appointment Website, Phone Line Crashes Early Thursday (DCist)

The District's phone and online system crashed on Thursday morning just as thousands of residents became newly eligible to sign up for 4,350 appointments for the COVID-19 vaccine.

Mayor Muriel Bowser said this week that appointments would open at 9 a.m. to residents living in priority ZIP codes who are 65 or older, are 18 and older and have a qualifying medical condition ranging from asthma to cancer, or work in a number of essential jobs from child care to grocery stores.

But the demand almost immediately overwhelmed the city's online and phone system, with many callers reporting that they couldn't even get through on the phone. Others reported that even when they did get through online, the system wasn't updated to reflect the new eligibility criteria for pre-existing conditions and essential workers.

https://dcist.com/story/21/02/25/dc-vaccine-appointment-system-crashes-qualifying-medical-conditions/

Testing scalability -- why bother? That's what customers are for.

------------------------------

Date: Fri, 26 Feb 2021 08:15:28 +0800
From: Richard Stein
Subject: Weaknesses in FAA's certification and delegation processes hindered its oversight of the 737 MAX 8 (DOT)

(Office of Inspector General, Transportation)
https://www.oig.dot.gov/library-item/38302

"While FAA and Boeing followed the established certification process for the 737 MAX 8, we identified limitations in FAA's guidance and processes that impacted certification and led to a significant misunderstanding of the Maneuvering Characteristics Augmentation System (MCAS), the flight control software identified as contributing to the two accidents. First, FAA's certification guidance does not adequately address integrating new technologies into existing aircraft models.
Second, FAA did not have a complete understanding of Boeing's safety assessments performed on MCAS until after the first accident. Communication gaps further hindered the effectiveness of the certification process. In addition, management and oversight weaknesses limit FAA's ability to assess and mitigate risks with the Boeing ODA. For example, FAA has not yet implemented a risk-based approach to ODA oversight, and engineers in FAA's Boeing oversight office continue to face challenges in balancing certification and oversight responsibilities. Moreover, the Boeing ODA process and structure do not ensure ODA personnel are adequately independent. While the Agency has taken steps to develop a risk-based oversight model and address concerns of undue pressure at the Boeing ODA, it is not clear that FAA's current oversight structure and processes can effectively identify future high-risk safety concerns at the ODA."

ODA == Organization Designation Authorization is the FAA designation for delegated certification authority of 737-MAX certifications to Boeing. See page 29 of this report for percent of delegation for certified flight systems on the 737-MAX: Boeing performed ~30% certifications (self-certifications) in JAN2014 to ~100% by JAN2017.

The OIG's report raises troubling questions about self-certification of 737-MAX flight systems by Boeing. Government delegation of certification authority to industry indicates policy review is essential, and revisions to delegation practices are urgently required.

Risk: Self-certification authority without independent enforcement oversight

------------------------------

Date: Wed, 24 Feb 2021 12:37:38 -0500 (EST)
From: ACM TechNews
Subject: EU Report Warns AI Makes Autonomous Vehicles 'Highly Vulnerable' to Attack (Khari Johnson)

Khari Johnson, *VentureBeat*, 22 Feb 2021
via TechNews, Wednesday, February 24, 2021
EU Report Warns AI Makes Autonomous Vehicles 'Highly Vulnerable' to Attack

A report by the European Union Agency for Cybersecurity (ENISA) describes autonomous vehicles as "highly vulnerable to a wide range of attacks" that could jeopardize passengers, pedestrians, and people in other vehicles. The report identifies potential threats to self-driving vehicles as including sensor attacks with light beams, as well as adversarial machine learning (ML) hacks. With growing use of artificial intelligence (AI) and the sensors that power autonomous vehicles offering greater potential for attacks, the researchers advised policymakers and businesses to foster a security culture across the automotive supply chain, including third-party providers. The researchers suggested AI and ML systems for autonomous vehicles "should be designed, implemented, and deployed by teams where the automotive domain expert, the ML expert, and the cybersecurity expert collaborate."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-299f0x228a9ax070159&

------------------------------

Date: Fri, 26 Feb 2021 12:08:57 -0500 (EST)
From: ACM TechNews
Subject: Heavy Rain Affects Object Detection by Autonomous Vehicle LiDAR Sensors (U.Warwick)

University of Warwick (U.K.), 25 Feb 2021, via ACM TechNews, 26 Feb 2021

Researchers at the University of Warwick in the U.K. have found that the LiDAR sensors on autonomous vehicles (AVs) are less effective in detecting objects at a distance during periods of heavy rain.
The researchers used the university's WMG 3xD simulator to test an AV's LiDAR sensors in different intensities of rain on real roads; they found that when the rainfall increased up to 50 mm per hour, object detection by the sensors dropped in conjunction with a longer range in distance. Warwick's Valentina Donzella said, "Ultimately we have confirmed that the detection of objects is hindered to LiDAR sensors the heavier the rain and the further away they are."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c44x070842&

------------------------------

Date: Mon, 1 Mar 2021 14:22:05 -1000
From: geoff goodfellow
Subject: XC40 Recharge buyers have been told to sit tight (The Verge)

Volvo XC40 Recharge electric SUVs are currently being held at US ports because the company is waiting to ship a crucial software update before releasing them to customers and dealers, *The Verge* has learned. The problem appears to be that these XC40 Recharge SUVs -- which are Volvo's first all-electric vehicle -- left the company's factory without the Volvo On Call software activated. Volvo On Call is a subscription service that connects Volvo cars to an owner's smartphone, allowing them to remotely turn the vehicle on and off, lock or unlock the doors, and access diagnostic information. [...]

https://www.theverge.com/2021/3/1/22307866/volvo-xc40-recharge-delay-software-update-on-call-ota

------------------------------

Date: Fri, 26 Feb 2021 17:00:00 -0500
From: Gabe Goldberg
Subject: Vintage technology: 'It sounds so much cleaner' (BBC News)

Air Vice Marshal Rich Maddison is a senior RAF officer with decades of flying experience. "As an Air Force we are as high-tech as you get, but this, this is just me." He is referring to a miniature computer with a black and lime green screen and minuscule memory that uses AA batteries to power a 1997 design. It is a Psion 5 device and for AVM Maddison it represents his personal aviation history. The dated device is where he keeps his own flying log. Hailing from an era when computers came with their own programming languages, the Psion invited users to tinker with its limited applications. He could take fields in its address book and convert them to resemble a pilot's logbook.

https://www.bbc.com/news/business-55808632

Funny, backup isn't mentioned. I guess that hadn't been invented yet.

  [Cute. But Multics had a lovely backup system in the 1960s. PGN]

------------------------------

Date: Mon, 1 Mar 2021 14:24:23 -0500
From: Gabe Goldberg
Subject: Error-prone software reportedly ruined lives: Post Office scandal: Postmasters have convictions quashed (BBC)

Six former sub-postmasters have had fraud convictions linked to a faulty computer system quashed in court. The long-running scandal began when the Post Office installed a new computer system that led to hundreds of sub-postmasters being wrongly convicted.

https://www.bbc.com/news/business-55271193

------------------------------

Date: Tue, 23 Feb 2021 16:03:42 -0700
From: Jim Reisert AD1C
Subject: Software Bug Keeping Hundreds Of Inmates In Arizona Prisons Beyond Release Dates (KJZZ)

Jimmy Jenkins, KJZZ, February 23, 2021
https://kjzz.org/content/1660988/whistleblowers-software-bug-keeping-hundreds-inmates-arizona-prisons-beyond-release

According to Arizona Department of Corrections whistleblowers, hundreds of incarcerated people who should be eligible for release are being held in prison because the inmate management software cannot interpret current sentencing laws. As of 2019, the department had spent more than $24 million contracting with IT company Business & Decision, North America to build and maintain the software program, known as ACIS, that is used to manage the inmate population in state prisons. One of the software modules within ACIS, designed to calculate release dates for inmates, is presently unable to account for an amendment to state law that was passed in 2019.
Senate Bill 1310, authored by former Sen. Eddie Farnsworth, amended the Arizona Revised Statutes so that certain inmates convicted of nonviolent offenses could earn additional release credits upon the completion of programming in state prisons. Gov. Ducey signed the bill in June of 2019. But department sources say the ACIS software is still not able to identify inmates who qualify for SB 1310 programming, nor can it calculate their new release dates upon completion of the programming.

  [Also noted by Dougherty. PGN]

------------------------------

Date: Tue, 23 Feb 2021 20:40:21 -0500
From: Gabe Goldberg
Subject: Alexa in the car (Toyota)

Toyota announced they're adding Amazon Alexa as a feature in some of their cars, but will it be as convenient and helpful as it's supposed to be?

Ellen Previews the New Alexa Backseat Driver
https://www.youtube.com/watch?v=0HugGCoK7m0

  [Someone commented: So it's just like being married.]

------------------------------

Date: Tue, 23 Feb 2021 13:07:07 -1000
From: geoff goodfellow
Subject: Experts find a way to learn what you're typing during video calls (The Hacker News)

A new attack framework aims to infer keystrokes typed by a target user at the opposite end of a video conference call by simply leveraging the video feed to correlate observable body movements to the text being typed.

The research was undertaken by Mohd Sabra and Murtuza Jadliwala from the University of Texas at San Antonio and Anindya Maiti from the University of Oklahoma, who say the attack can be extended beyond live video feeds to those streamed on YouTube and Twitch as long as a webcam's field-of-view captures the target user's visible upper body movements.

"With the recent ubiquity of video capturing hardware embedded in many consumer electronics, such as smartphones, tablets, and laptops, the threat of information leakage through visual channel[s] has amplified," the researchers *said*. "The adversary's goal is to utilize the observable upper body movements across all the recorded frames to infer the private text typed by the target."

To achieve this, the recorded video is fed into a video-based keystroke inference framework that goes through three stages. [...]

https://thehackernews.com/2021/02/experts-find-way-to-learn-what-youre.html

------------------------------

Date: Wed, 24 Feb 2021 14:35:45 -1000
From: the keyboard of geoff goodfellow
Subject: Israel adopts law allowing names of unvaccinated to be shared (AFP)

Israel's parliament passed a law Wednesday allowing the government to share the identities of people not vaccinated against the coronavirus with other authorities, raising privacy concerns for those opting out of inoculation.

The measure, which passed with 30 votes for and 13 against, gives local governments, the director general of the education ministry and some in the welfare ministry the right to receive the names, addresses and phone numbers of unvaccinated citizens.

The objective of the measure -- valid for three months or until the Covid-19 pandemic is declared over -- is "to enable these bodies to encourage people to vaccinate by personally addressing them", a parliament statement said. [...]

https://news.yahoo.com/israel-adopts-law-allowing-names-153232886.html

------------------------------

Date: Fri, 26 Feb 2021 21:43:04 -0500
From: Monty Solomon
Subject: Judge in Google case disturbed that even *incognito* users are tracked (Bloomberg)

https://www.bloomberg.com/news/articles/2021-02-26/google-judge-disturbed-that-even-incognito-users-are-tracked

------------------------------

Date: Mon, 22 Feb 2021 20:43:14 -0800
From: Lauren Weinstein
Subject: Facebook will roll back its block on news posts in Australia (Engadget)

As anticipated.
https://www.engadget.com/facebook-australia-news-043441256.html

------------------------------

Date: Mon, 1 Mar 2021 11:32:04 -1000
From: geoff goodfellow
Subject: Relativity Space unveils a reusable 3D-printed rocket to compete with SpaceX's Falcon 9 (CNBC)

- 3D-printing rocket builder Relativity Space is working on Terran R, a fully reusable launch vehicle that would be near the capabilities of SpaceX's Falcon 9 rocket.
- Terran R is ``really an obvious evolution'' from the company's Terran 1 rocket, Relativity CEO Tim Ellis told CNBC, the latter of which is scheduled to launch for the first time later this year.
- ``I've always been a huge fan of reusability. No matter how you look at it ... making [a reusable rocket] has got to be part of that future,'' Ellis added. [...]

https://www.cnbc.com/2021/02/25/relativitys-reusable-terran-rocket-competitor-to-spacexs-falcon-9.html

------------------------------

Date: Mon, 1 Mar 2021 15:34:36 PST
From: Peter Neumann
Subject: Big data healthcare project raises privacy issues (M.K.McGee)

Marianne Kolbasuk McGee (HealthInfoSec), 26 Feb 2021 (healthcareinfosecurity.com)
Truveta Initiative Involves Sharing De-Identified Data From 14 Provider Organizations
https://www.healthcareinfosecurity.com/big-data-healthcare-project-raises-privacy-issues-a-16077

  [This is scary stuff. Massive potentials for misuse. PGN]

------------------------------

Date: Tue, 23 Feb 2021 17:32:20 -0500
From: Monty Solomon
Subject: Contact-tracing apps help reduce COVID infections, data suggest (Nature)

Evaluations find apps are useful, but would benefit from better integration into health-care systems.

https://www.nature.com/articles/d41586-021-00451-y

------------------------------

Date: Thu, 25 Feb 2021 12:25:11 +0800
From: Richard Stein
Subject: Can Zapping Our Brains Really Cure Depression? (NYTimes)

https://www.nytimes.com/2021/02/24/magazine/brain-stimulation-mental-health.html

"The brain is an electrical organ. Everything that goes on in there is a result of millivolts zipping from one neuron to another in particular patterns. This raises the tantalizing possibility that, should we ever decode those patterns, we could electrically adjust them to treat neurological dysfunction -- from Alzheimer's to schizophrenia -- or even optimize desirable qualities like intelligence and resilience."

Brain tissue possesses plasticity: neural pathways can be molded. Adjust the neural pathway, and the characteristic electrical impulses (pulse frequency and amplitude) can modify human behavior and/or physiological response.

Exploring transcranial stimulation to treat depression suggests that traditional therapies (talk + medicine) underachieve expected outcomes. Depression is a significant public health disorder that requires priority treatment. The US CDC estimates that 4.7% of the population aged 18+ regularly experiences feelings of depression (https://www.cdc.gov/nchs/fastats/depression.htm). That's 0.047 * 255M =~ 12M people (https://datacenter.kidscount.org/data/tables/99-total-population-by-child-and-adult-populations#detailed/1/any/false/1729,37,871,870,573,869,36,868,867,133/39,40,41/416,417 for 2019 population estimates).

The FDA assigns five product codes (OBP, OKP, QCI, QFF, QMD) for approved medical devices based on transcranial stimulation. Visit https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm and apply "transcranial" in the textbox to view medical device reports.

These devices typically apply electromagnetic induction (discovered by Michael Faraday in 1831): a low-frequency, high-intensity magnetic field therapeutically adjusts the brain's neural pathways, a personalized electromagnetic pulse (EMP). Patients report immediate change in emotional state when applied. Whether or not these therapeutic devices yield persistent palliative relief from symptomatic depression remains to be demonstrated.

Risk: Iatrogenic result.
------------------------------

Date: Thu, 25 Feb 2021 14:38:13 -0500
From: Gabe Goldberg
Subject: Student Surveillance Vendor Proctorio Files SLAPP Lawsuit to Silence A Critic (EFF)

Electronic Frontier Foundation

During the pandemic, a dangerous business has prospered: invading students' privacy with proctoring software and apps. In the last year, we've seen universities compel students to download apps that collect their face images, driver's license data, and network information. Students who want to move forward with their education are sometimes forced to accept being recorded in their own homes and having the footage reviewed for suspicious behavior. Given these invasions, it's no surprise that students and educators are fighting back against these apps.

Last fall, Ian Linkletter, a remote learning specialist at the University of British Columbia, became part of a chorus of critics concerned with this industry. Now, he's been sued for speaking out. The outrageous lawsuit -- which relies on a bizarre legal theory that linking to publicly viewable videos is copyright infringement -- will become an important test of a 2019 British Columbia law passed to defend free speech, the Protection of Public Participation Act, or PPPA.

https://www.eff.org/deeplinks/2021/02/student-surveillance-vendor-proctorio-files-slapp-lawsuit-silence-critic

------------------------------

Date: Mon, 1 Mar 2021 15:57:19 -0500
From: Gabe Goldberg
Subject: Computers get Sundays off?

I griped yesterday (Sunday, Feb 28) to my money manager that my February distribution hadn't been paid:

  Today is last day of month, last business day was Friday -- no expected deposit. This needs to be reliable -- what happened? This should be automatic?

Response:

  Unfortunately, when the date of the distribution falls on a Saturday or Sunday, it pushes the payment to the next business day which is today. The funds should be posted to your account this morning. For your March 28 distribution, it will post to your banking account on Monday, March 29.

My response:

  But that does seem strange -- computers don't work on Sundays? Funds transfer networks take Sundays off? Surely these payments are made automatically so what's the reason Sundays are skipped?

So I'm waiting for some nonsense justification. Friend speculated: Whaddaya wanna bet this is some ancient rule that these can only happen on biz days? Really, every day's a business day these days. Credit card companies have no problem with billing days on weekends. And customers can't tell them that they're delaying payment to Monday. So payments should be made on weekends. Or should be made Friday before, not Monday after.

------------------------------

Date: Mon, 1 Mar 2021 20:23:01 -0600
From: Ben Moore
Subject: Formula E's Software Communication Problem (The Register)

`Incorrect software parameter' sends Formula E's Edoardo Mortara to hospital: Brakes' fail-safe system failed (The Register)
https://www.theregister.com/2021/03/01/formula_e_bug/

Swiss Formula E driver Edoardo Mortara ended up in hospital after a software error left him driving into a safety wall at the ABB FIA Formula E World Championship in Diriyah, Saudi Arabia, on Saturday. The Mercedes-EQ Team said they've managed to correct the software problem and convince ruling body the FIA (Federation Internationale de l'Automobile) that the problem has been resolved.

Former Audi driver Daniel Abt, who, prior to being suspended for cheating in an online race last May, had a similar accident also attributed to braking software, took note of the parallel circumstances.

The Diriyah race also saw a more alarming accident, involving driver Alex Lynn (said to be well), and a missile interception over the city that occurred in the midst of a fireworks display.

  [Also noted by Tom Van Vleck. PGN]

------------------------------

Date: Tue, 2 Mar 2021 00:22:49 -0500
From: Gabe Goldberg
Subject: Gig workers gather their own data to check the algorithm's math (WiReD)

Drivers for Uber, Lyft, and other firms are building apps to compare their mileage with pay slips. One group is selling the data to government agencies.

https://www.wired.com/story/gig-workers-gather-data-check-algorithm-math/

------------------------------

Date: Tue, 2 Mar 2021 13:33:42 -0500
From: Gabe Goldberg
Subject: 'Drunk' robot vacuums spark complaints from owners (BBC News)

Owners of Roomba robot vacuums have complained the devices appear "drunk" following a software update. Problems include the machines "spinning around", constantly recharging or not charging at all, and moving in strange directions.

The devices' maker iRobot has acknowledged its update had caused problems for "a limited number" of its i7 and s9 Roomba models. However, it added a fix would take "several weeks" to roll out worldwide. In the meantime, the firm is asking those affected to share the serial numbers of their devices so it can remove the most recent update.

Ken Munro is a cyber-security expert who specialises in security around the Internet-of-things -- anything which is connected to the Internet. "Updates usually add new features or fix security bugs in smart products," he said. "They don't always go to plan though, sometimes introducing new bugs."

https://www.bbc.com/news/technology-56239454

What could ever go wrong with over-the-air updates of automotive software? It'll be OK as long as it doesn't touch anything related to engine, handling, navigation, safety, or infotainment. I can't wait.

------------------------------

Date: Tue, 23 Feb 2021 01:18:19 -0500
From: Gabe Goldberg
Subject: Predictive Text Feature Coming to Microsoft Word in March (PCMag)

Over time, Word will learn and adapt to users' writing style while reducing spelling and grammatical errors.
Redmond first tipped the text-prediction feature in September, when it had a limited rollout for Word beta testers and Microsoft 365 Word on the web users, as well as Outlook.com and Outlook on the web users in North America. The idea is to help users "write more efficiently by predicting text quickly and accurately," Microsoft said at the time.

https://www.pcmag.com/news/predictive-text-feature-coming-to-microsoft-word-in-march

What COULD go wrong with this... paving the way to even worse things than demented spelling checkers.

------------------------------

Date: Sun, 28 Feb 2021 20:29:41 -0500
From: Gabe Goldberg
Subject: Doctor joins Zoom court hearing while operating on patient (BBC News)

A doctor in Sacramento, California, joined a traffic court hearing on Zoom while performing surgery on a patient. Scott Green was dressed in surgical scrubs in an operating theatre when he appeared at his virtual trial on Thursday, the Sacramento Bee reported. When questioned by the judge, Mr Green said he was happy to go ahead, and that he had "another surgeon right here who's doing the surgery with me". The judge said that would not be "appropriate" and postponed the trial. The Medical Board of California has now said in a statement that it would look into the incident, adding that it "expects physicians to follow the standard of care when treating their patients".

https://www.bbc.com/news/world-us-canada-56222317

The risk?
https://www.tvfanatic.com/quotes/whats-the-difference-between-god-and-a-doctor-god-knows-hes-not/

------------------------------

Date: Fri, 26 Feb 2021 16:55:46 -0500
From: Gabe Goldberg
Subject: Carranza resigns as NYC schools chancellor; Meisha Porter will replace him (NYTimes)

The New York Times

At issue was whether the city should continue to sort 4-year-olds into gifted and talented classes through a selective admissions process. Mr. de Blasio had said that the city would continue to offer an admissions exam for toddlers this year, then announce a new admissions system before he leaves office in January.

https://www.nytimes.com/2021/02/26/nyregion/richard-carranza-nyc-schools.html

What could go wrong with selecting 4-year old kids for enhanced learning, leaving others behind? Other issues here are desegregation and entrance criteria for New York's specialized schools (one of which I attended, so I have opinions on entrance exams for them).

------------------------------

Date: Fri, 26 Feb 2021 12:08:57 -0500 (EST)
From: ACM TechNews
Subject: New security flaws detected in more credit cards (Leo Hermann)

Leo Hermann, ETH Zurich (Switzerland), 22 Feb 2021
Security Flaw Detected for 2nd Time in Credit Cards
via ACM TechNews, Friday, February 26, 2021

A method for bypassing security measures to use certain credit and debit cards without a PIN code has been uncovered by researchers at Switzerland's ETH Zurich. Previously, the researchers had demonstrated that bypassing security was possible using Visa cards, while the new research shows security methods may be bypassed with Mastercard and Maestro cards by exploiting the data exchanged between the card and the card terminal. The method initially worked only with Visa cards, but the researchers were able to manipulate the payment process so the card terminal performed a Visa transaction and the card itself performed a Mastercard or Maestro transaction. The researchers informed Mastercard of their findings, after which the company updated the relevant safeguards.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c4ax070842&

------------------------------

Date: Fri, 26 Feb 2021 12:08:57 -0500 (EST)
From: ACM TechNews
Subject: "Virtual computer chip tests expose flaws, protect against hackers" (Matthew Sparkes)

Matthew Sparkes, *New Scientist*, 24 Feb 2021
via ACM TechNews, Friday, February 26, 2021

Researchers at the University of Michigan, Virginia Polytechnic Institute and State University, and Google have accelerated computer-chip testing by simulating chips and applying advanced software testing tools for analysis of the simulations. Virtual testing lets engineers utilize fuzzing, a method that monitors for unexpected results or crashes that can be reviewed and corrected. The researchers had to modify software fuzzers to run over time, rather than trigger a single input and wait for the response. This approach enabled a chip that would usually take 100 days to test to be analyzed in one day. The researchers think faster hardware testing could reduce development time and bring more reliable, more secure next-generation chips to market faster.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-29a98x228c4dx070842&

------------------------------

Date: Mon, 1 Mar 2021 11:21:05 -1000
From: geoff goodfellow
Subject: Is Your Browser Extension a Botnet Backdoor? (Krebs on Security)

A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.

Singapore-based *Infatica[.]io* is part of a growing industry of shadowy firms trying to woo developers who maintain popular browser extensions -- desktop and mobile device software add-ons available for download from *Apple*, *Google*, *Microsoft* and *Mozilla* designed to add functionality or customization to one's browsing experience. Some of these extensions have garnered hundreds of thousands or even millions of users. But here's the rub: As an extension's user base grows, maintaining them with software updates and responding to user support requests tends to take up an inordinate amount of the author's time. Yet extension authors have few options for earning financial compensation for their work.

So when a company comes along and offers to buy the extension -- or pay the author to silently include some extra code -- that proposal is frequently too good to pass up. For its part, Infatica seeks out authors with extensions that have at least 50,000 users. An extension maker who agrees to incorporate Infatica's computer code can earn anywhere from $15 to $45 each month for every 1,000 active users. [...]

https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/

------------------------------

Date: Thu, 25 Feb 2021 15:16:49 PST
From: Peter Neumann
Subject: When Companies Skimp on Cybersecurity (Bruce Schneier)

Why was SolarWinds so vulnerable to hackers?
Bruce Schneier, *The New York Times*, Op-Ed, 24 Feb 2021

Worth reading! Last paragraph:

  In today's unregulated markets, it's just too easy for software companies like SolarWinds to save money by skimping on security and to hope for the best[*]. That's a rational decision in our free-market world, and the only way to change that is to change the economic incentives.

  [* Note: "Hoping for the *best*" is totally unrealistic. It's really more like hoping that they get away with it even if there are failures that are not too serious!
However, RISKS readers know that everything can potentially be compromised (at least by insiders, if not from outsiders). I keep harping on the underlying problem that even if the software is not flawed, total-system compromises may result from exploitation of hardware vulnerabilities or errors. Thus the total-system supply chain is particularly critical. PGN]

------------------------------

Date: Sun, 28 Feb 2021 13:06:56 -0500
From: Gabe Goldberg
Subject: Former SolarWinds CEO blames intern for "solarwinds123" password leak (CNNPolitics)

Washington (CNN) Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years.

The password in question, "solarwinds123," was discovered in 2019 on the public Internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.

https://www.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html

A system so insecure that an intern can compromise it.

------------------------------

Date: Mon, 1 Mar 2021 09:56:06 -0800
From: Lauren Weinstein
Subject: Post Office scandal: Postmasters have convictions quashed
  [Re: Error-prone software that reportedly ruined lives]

https://www.bbc.com/news/business-55271193

------------------------------

Date: Sat, 27 Feb 2021 20:30:15 -1000
From: geoff goodfellow
Subject: Objective or Biased

Less prejudice, more objectivity: An application process that is not influenced by the personal preferences of a recruiter. That is the promise of many AI companies entering the market worldwide, including a start-up based in Munich. According to the software developer, the artificial intelligence analyzes tone of voice, language, gestures and facial expressions and creates a behavioural personality profile. The application process will not only be ``faster, but also more objective and fair'', according to the start-up.
Apparently that sounds promising: the company has just received a seven-digit funding from investors. The start-up states that it cooperates with DAX-listed companies; the brand logos of Lufthansa, BMW Group and ADAC can be found on the website. Similar products are already in use in the US. Hirevue, a company from the US state of Utah, claims to have 700 companies as customers. Hirevue products have drawn criticism from AI experts; the software's results were considered to be opaque. And yet, AI is considered a key technology and already now it's hard to imagine a future without it -- also in recruiting. For this reason, a team of reporters from Bayerischer Rundfunk (German Public Broadcasting) performed several experiments with such a product in taking a closer look at the software of a Munich based start-up. [...]

https://web.br.de/interaktiv/ki-bewerbung/en/

------------------------------

Date: Sun, 28 Feb 2021 17:09:42 -0500
From: Monty Solomon
Subject: Amazon's new rotating, follow-you camera is useful -- and invasive (WashPost)

The Echo Show 10 tracks your movement to make sure you're always in the frame on video calls. But it also doubles as a surveillance camera inside your home.

https://www.washingtonpost.com/technology/2021/02/26/amazon-echo-show-10/

------------------------------

Date: Wed, 24 Feb 2021 10:50:58 +0000
From: Clive Page
Subject: Vaccine passport certificates already exist (Re: Slade, RISKS-32.50)

I'd like to point out vaccine certificates have existed for many years, and I've just dug mine out of the filing cabinet to look at it carefully. It is a bright yellow booklet about the size of a passport but much thinner. It is labeled in English and French "International Certificate of Vaccination In accordance with the International Health Regulations of the World Health Organisation". It is primarily for Yellow Fever, of course, but has pages dedicated for Typhoid, Cholera, and "Other" which could surely cover Covid-19.
Mine has stamps on several pages, and I've carried it a few times when visiting countries where Yellow Fever vaccination might be required. My certificate reminds me to get another Yellow Fever vaccination by the end of November 2021.

So the format exists, is WHO approved, and internationally recognised. It is very easy to carry and read, does not require data connectivity, has no battery to run down, and will never prompt me to update its software. No doubt the current document format is easy to forge but that could easily be improved as we know from modern plastic banknotes bearing holograms that many countries now use (but perhaps not the USA yet?).

Is it really necessary to adopt a brand-new digital format that would require lengthy negotiations to achieve international recognition when we already have something in printed form that appears to work well?

[Clive, I was waiting for someone to post what you did since I ran Rob's item. I did not have time to dig into the predecessors the way you have. Thanks. PGN]

------------------------------

Date: Mon, 1 Mar 2021 15:51:48 +0000 (UTC)
From: Joe Weiss
Subject: Texas power outages demonstrate grid cyber-vulnerability and inadequacy of existing regulations (Control Global)

Following severe man-made or natural disasters, the grid and other critical infrastructure are subject to cyberthreats but with much less cyberprotection than normal. The recent Texas outages that were caused by severe storms could have had the outages and recovery significantly impacted by cyberthreats. The existing regulations and standards such as the NERC CIPs were shown to be dangerously lacking. These gaps apply to all US utilities and have been exploited resulting in wide-spread outages and equipment damage. There is an opportunity to use the Texas experience to make needed changes to regulations and guidance on cybersecurity of critical infrastructures.
It is evident that our adversaries are watching what happened, how we are responding, and what is being done to prevent future grid impacts. As such, resilience means addressing what could possibly be expected. The solution to building and operating a more resilient grid and other critical infrastructures lies with leadership in industry, government, Congress, and stakeholders such as credit rating agencies and insurance companies.

https://www.controlglobal.com/blogs/unfettered/texas-power-outages-demonstrate-grid-cyber-vulnerability-and-inadequacy-of-existing-regulations/

Respectfully, Joe

------------------------------

Date: Fri, 26 Feb 2021 08:16:15 -0700
From: "Keith Medcalf"
Subject: Re: His Lights Stayed on During Texas's Storm. Now He Owes $16,752 (RISKS-32.51)

> Under some of the plans, when demand increases, prices rise. The goal,
> architects of the system say, is to balance the market by encouraging
> consumers to reduce their usage and power suppliers to create more
> electricity.

This is the simplified view for the proletariat. The market clearing price represents the marginal cost to "generate" one additional MWh of power in the current clearing period for the current supply and demand. When fully operational this marginal price system (which is used in the pricing of all demand-produced commodities ranging from Natural Gas, Oil and Gasoline, to Electricity) is used to balance a more-or-less theoretical price sensitive demand above baseload against the cost of production of that commodity.

> But when last week's crisis hit and power systems faltered, the state's
> Public Utilities Commission ordered that the price cap be raised to its
> maximum limit of $9 per kilowatt-hour, easily pushing many customers' daily
> electric costs above $100. And in some cases, like Mr. Willoughby's, bills
> rose by more than 50 times the normal cost.
And this is the root of the problem -- political interference in the operation of a perfectly good system by artificial setting of the marginal price such that it did not represent current operational conditions. It is entirely possible to have low demand and rolling blackouts and at the same time a low (or negative) marginal price. Just because large segments of the grid are offline does not affect the marginal price of the supply/demand balance for the parts that are working.

> Many of the people who have reported extremely high charges, including
> Mr. Willoughby, are customers of Griddy, a small company in Houston that
> provides electricity at wholesale prices, which can quickly change based
> on supply and demand.

This is because it is obvious to anyone with even half a working brain-cell that in the long run paying the marginal price is more cost effective than paying a fixed price. If this were not the case, then all the offerers of fixed pricing would be bankrupt because they would not be charging their markup.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.52
************************