
Risks Digest 32.26


RISKS List Owner

Sep 13, 2020, 7:13:27 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Sunday 13 September 2020 Volume 32 : Issue 26

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.26>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Insecure satellite Internet is threatening ship and plane safety
(Ars Technica)
The Hubble Space Telescope Still Works Great, Except When It Doesn't
(npr.org)
SpaceX's Dark Satellites Are Still Too Bright for Astronomers
(Scientific American)
Man vs. machine: Pentagon plans 2024 dogfight between human pilot,
artificial intelligence (WashTimes)
Weakened Encryption: The Threat to America's National Security (Third Way)
Why Do Voting Machines Break on Election Day? (The Markup)
Why human brains are bad at assessing the risks of pandemics (WashPost)
First Pandemic, Now Ransomware: Attack Forces Hartford to Postpone School
(NYTimes)
Website Crashes and Cyberattacks Welcome Students Back to School (NYTimes)
44 Square Feet: A School-Reopening Detective Story (WiReD)
Creepy Geofence Finds Anyone Who Went Near a Crime Scene (WiReD)
Apple postpones iOS 14 privacy update following Facebook uproar
(Business Insider)
How Big Oil Misled The Public Into Believing Plastic Would Be Recycled
(npr.org)
New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption
(The Hacker News)
Ericsson spotlights open RAN security risks (MobileWorldLive)
Re: Intel Slips, and a High-Profile Supercomputer Is Delayed (Phil Martel)
Re: Humans Take a Step Closer to Flying Car (Amos Shapir)
Re: Leap-seconds (John Stockton)
Re: Happy National Poll Worker Recruitment Day (Richard A. DeMattia)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 8 Sep 2020 15:33:22 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Insecure satellite Internet is threatening ship and plane safety
(Ars Technica)

Attacks that worked 10 years ago have only gotten worse despite growing use.

More than a decade has passed since researchers demonstrated serious privacy
<https://www.theregister.com/2009/02/17/satellite_tv_hacking/> and security
holes
<https://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-slides.pdf>
in satellite-based Internet services. The weaknesses allowed attackers to
snoop on and sometimes tamper with data received by millions of users
thousands of miles away. You might expect that in 2020 -- as satellite
Internet has grown more popular -- providers would have fixed those
shortcomings, but you'd be wrong.

In a briefing
<https://www.blackhat.com/us-20/briefings/schedule/index.html#whispers-among-the-stars-a-practical-look-at-perpetrating-and-preventing-satellite-eavesdropping-attacks-19391>
delivered on Wednesday at the Black Hat security conference online,
researcher and Oxford PhD candidate James Pavur presented findings that show
that satellite-based Internet is putting millions of people at risk, despite
providers adopting new technologies that are supposed to be more advanced.

Over the course of several years, he has used his vantage point in mainland
Europe to intercept the signals of 18 satellites beaming Internet data to
people, ships, and planes in a 100 million-square-kilometer swath that
stretches from the United States, Caribbean, China, and India. What he
found is concerning. A small sampling of the things he observed include:

- A Chinese airliner receiving unencrypted navigational information and
potentially avionics data. Equally worrisome, that data came from the same
connection passengers used to send email and browse webpages, raising the
possibility of hacks from passengers.
- A system administrator logging in to a wind turbine in southern
France, some 600 kilometers away from Pavur, and in the process exposing a
session cookie used for authentication.
- The interception of communications from an Egyptian oil tanker
reporting a malfunctioning alternator as the vessel entered a port in
Tunisia. Not only did the transmission allow Pavur to know the ship would
be out of commission for a month or more, he also obtained the name and
passport number of the engineer set to fix the problem.
- A cruise ship broadcasting sensitive information about its
Windows-based local area network, including the log-in information stored
in the Lightweight Directory Access Protocol
<https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol>
database.
- Email a lawyer in Spain sent a client about an upcoming case.
- The account reset password for accessing the network of a Greek
billionaire's yacht.

Hacking satellite communications at scale. [...]
https://arstechnica.com/information-technology/2020/08/insecure-satellite-internet-is-threatening-ship-and-plane-safety/

------------------------------

Date: Tue, 8 Sep 2020 11:07:11 +0800
From: Richard Stein <rms...@ieee.org>
Subject: The Hubble Space Telescope Still Works Great, Except When It
Doesn't (npr.org)

https://www.npr.org/2020/09/07/909199421/the-hubble-space-telescope-still-works-great-except-when-it-doesnt

"This is an aging telescope, after all. Back in 2018, when a gyroscope on
Hubble failed, researchers activated one of its on-board spares -- the
so-called gyroscope 3. It's been glitchy from the get-go."

A flaky gyroscope causes the Hubble's aim to wander -- non-deterministic
axial guidance disables reliable observation. Astronomers are forced to roll
dice.

The Ace Satellite Repair Company closed in May 2009. Doubtful a robotic
repair attempt would be funded. Unknown if there are available standby
gyroscopes on-board to replace the bad actor. Hubble's cupboard may be
"empty down to the cat" on that resource.

------------------------------

Date: Fri, 11 Sep 2020 10:16:36 +0800
From: Richard Stein <rms...@ieee.org>
Subject: SpaceX's Dark Satellites Are Still Too Bright for Astronomers
(Scientific American)

https://www.scientificamerican.com/article/spacexs-dark-satellites-are-still-too-bright-for-astronomers/

"These results show that DarkSat is essentially a dead end, says Jonathan
McDowell, a researcher at the Center for Astrophysics at Harvard University
and the Smithsonian Institution, who has run computer simulations of
megaconstellation effects on astronomical observations. Nevertheless, he
says, the investigation by Tregloan-Reed's team is an important step. 'This
study is notable as one of the first significant observational studies of a
Starlink satellite, something that the community is now organizing to do on
a much bigger scale,' McDowell adds. He cautions that if the satellites
continue to be launched without a fix, 'the impact would be huge.'"

Prior comp.risks submissions on Starlink and satellite megaconstellations
impact on astronomical observations:

1) https://catless.ncl.ac.uk/Risks/31/28#subj1.1
2) https://catless.ncl.ac.uk/Risks/31/51#subj4.1
3) https://catless.ncl.ac.uk/Risks/31/57#subj18.1

------------------------------

Date: Thu, 10 Sep 2020 16:03:14 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Man vs. machine: Pentagon plans 2024 dogfight between human pilot,
artificial intelligence (WashTimes)

AI programs have bested human pilots so far in flight simulations

The Pentagon is planning a 2024 showdown between an F-16 piloted by a human
and one controlled by artificial intelligence, a man versus machine matchup
that military officials believe could represent a key turning point in
technological development.

Defense Secretary Mark Esper announced the 2024 contest during a speech on
AI development Wednesday at the Pentagon. The Defense Advanced Research
Projects Agency, or DARPA, already has held numerous combat simulations
between human pilots and machines.

In the most recent round, officials said the AI-controlled system easily
defeated the human. [...]
https://www.washingtontimes.com/news/2020/sep/10/pentagon-2024-fight-pilot-artificial-intelligence/

------------------------------

Date: Thu, 10 Sep 2020 10:03:55 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Weakened Encryption: The Threat to America's National Security
(Third Way)

https://www.thirdway.org/report/weakened-encryption-the-threat-to-americas-national-security

------------------------------

Date: Fri, 11 Sep 2020 16:57:13 +0000
From: "Fleming, Cody [M E]" <flem...@iastate.edu>
Subject: Why Do Voting Machines Break on Election Day? (The Markup)

https://themarkup.org/ask-the-markup/2020/09/10/broken-voting-machines-election-day

I guess one problem is figuring out just how many risks there are now with
respect to elections. Too many to count?

------------------------------

Date: Sun, 13 Sep 2020 00:18:31 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Why human brains are bad at assessing the risks of pandemics
(WashPost)

https://www.washingtonpost.com/lifestyle/magazine/why-human-brains-are-bad-at-assessing-the-risks-of-pandemics/2020/09/03/7395321c-dd9d-11ea-b205-ff838e15a9a6_story.html

Cause or effect, beliefs are tribal.

------------------------------

Date: Tue, 8 Sep 2020 17:48:50 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: First Pandemic, Now Ransomware: Attack Forces Hartford to Postpone
School (NYTimes)

https://www.nytimes.com/2020/09/08/nyregion/hartford-schools-ransomware.html

------------------------------

Date: Tue, 8 Sep 2020 20:29:24 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Website Crashes and Cyberattacks Welcome Students Back to School
(NYTimes)

With many districts across the country opting for online learning, a range
of technical issues marred the first day of classes.

https://www.nytimes.com/2020/09/08/us/school-districts-cyberattacks-glitches.html

------------------------------

Date: Sat, 12 Sep 2020 22:30:07 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: 44 Square Feet: A School-Reopening Detective Story (WiReD)

Author writes:

Schools -- but not public health officials -- across the US are making it a
rule: Every student needs to have 44 sq. ft. of space. I tried to find out
why. [...] Two days later I was on the phone with Mary Filardo, executive
director of the NCSF, a nonprofit that supports K-12 school facilities
officials in more than 25 states. I walked her through the mystery at hand
-- the school plan, the consultant, the Education Week guide, and, finally,
the diagram credit pointing back to her. My knee was bouncing, fingers at
the ready at my keyboard for transcription. At last, the enigma would be no
more. But before I could even finish asking the question, she interrupted in
a tone that was equal parts alarm, annoyance, and puzzlement. ``That's way
off!'' she cried. ``No wonder you're confused.''

After we hung up, I placed what seemed to be the final pin on my crazy wall
<https://www.google.com/search?q=%22crazy+wall%22&sxsrf=ALeKk03MaqGoIw-zgkFZ5LmZg0KNujChTA:1597692369425&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjb947x-6LrAhWNc98KHVm5BkEQ_AUoAXoECA4QAw&biw=1382&bih=766>:
My school district had gotten the all-important number 44 from a consultant
who'd found it in an /Education Week/ article that had somehow bungled the
advice from an educational nonprofit. But there was still another layer
below. It wasn't clear, from talking to Filardo, how the NCSF came up with
44 square feet as the lower-bound approximation. The depth of my rabbit
hole was approaching the Earth's mantle. I could feel the heat of magma
burbling just beyond.

https://www.wired.com/story/44-square-feet-a-school-reopening-detective-story/

...thus transmuting questionable assumptions and math into nonsense.

------------------------------

Date: Tue, 8 Sep 2020 00:37:43 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Creepy Geofence Finds Anyone Who Went Near a Crime Scene (WiReD)

Police increasingly ask Google and other tech firms for data about who was
where, when. Two judges ruled the investigative tool invalid in a Chicago
case.

https://www.wired.com/story/creepy-geofence-finds-anyone-near-crime-scene/

------------------------------

Date: Wed, 9 Sep 2020 13:52:28 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Apple postpones iOS 14 privacy update following Facebook uproar
(Business Insider)

Apple is giving developers some breathing space to get ready for an update
to iOS 14 that will let users opt out of being tracked for advertising
purposes.

The update was supposed to be released as part of iOS 14, which is expected
to roll out this month. In a statement on Thursday, however, Apple said it
was delaying this particular part of the update until 2021.

"We want to give developers the time they need to make the necessary
changes, and as a result, the requirement to use this tracking permission
will go into effect early next year," Apple said in a blog post on Thursday.

When Apple announced the privacy update, it drew the rancor of developers
who said it could wreak havoc on their ad-revenue streams. Facebook said
the update could slash revenues from its Audience Network by up to 50%. The
company added that the change might even lead it to stop developing its
Audience Network for iOS altogether.

https://www.businessinsider.com/apple-ios-14-update-postponed-14-2020-9

What a shame that wouldn't be -- hurting Facebook revenue in the interest of
privacy.

------------------------------

From: Richard Stein <rms...@ieee.org>
Date: Sat, 12 Sep 2020 10:49:40 +0800
Subject: How Big Oil Misled The Public Into Believing Plastic Would Be
Recycled (npr.org)

[Not computer-related; an environmental life cycle issue impacting Earth's
ecosystem.]

https://www.npr.org/2020/09/11/897692090/how-big-oil-misled-the-public-into-believing-plastic-would-be-recycled

"We found that the industry sold the public on an idea it knew wouldn't work
-- that the majority of plastic could be, and would be, recycled -- all
while making billions of dollars selling the world new plastic."

Epidemic plastic pollution threatens the environment, food chain and public
health. A serious global problem in search of an urgent, effective solution.

How to proactively mitigate pervasive plastic pollution? Let nature take its
course? Earthworms or bacteria partially digest certain plastics. Does this
effluent enhance the environment and diminish the pollution risk?

Would a master settlement agreement compel industry to act on a clean up?
Recall the Tobacco MSA
https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agreement to
compensate US States for medical expenses. An agreement of this scope would
likely motivate an industrial regulatory arbitrage exercise -- shift
operations to a lower-cost jurisdiction, and export products.

https://en.wikipedia.org/wiki/Plastic_pollution#Effects_on_humans identifies
plastic pollution impact on human thyroid and reproductive hormones from BPA
(bisphenol A).

See https://catless.ncl.ac.uk/Risks/31/08#subj22 by Goodfellow.

Risk: Groupthink. Carbon-extraction industrial interests conspire to
misinform regulatory oversight and political leadership about product
risk. Again.

------------------------------

Date: Thu, 10 Sep 2020 15:57:43 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption
(The Hacker News)

A group of researchers has detailed a new timing vulnerability in Transport
Layer Security (TLS) protocol that could potentially allow an attacker to
break the encryption and read sensitive communication under specific
conditions.

Dubbed "Raccoon Attack <https://raccoon-attack.com/>," the server-side
attack exploits a side-channel in the cryptographic protocol (versions 1.2
and lower) to extract the shared secret key used for secure communications
between two parties.

"The root cause for this side channel is that the TLS standard encourages
non-constant-time processing of the DH secret," the researchers explained
in their paper. "If the server reuses ephemeral keys, this side
channel may allow an attacker to recover the premaster secret by solving an
instance of the Hidden Number Problem."

However, the academics stated that the vulnerability is hard to exploit and
relies on very precise timing measurements and on a specific server
configuration to be exploitable.

A Timing Attack to Leak Secret Keys [...]

https://thehackernews.com/2020/09/raccoon-ssl-tls-encryption.html

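The root cause quoted above (length-dependent handling of the DH secret) can be shown without the timing measurement itself. The following is an added example, not code from the Raccoon authors or from the article: it encodes a Diffie-Hellman shared secret the way TLS 1.2 (RFC 5246, Section 8.1.2) prescribes, with leading zero bytes stripped, beside the fixed-length encoding TLS 1.3 (RFC 8446, Section 7.4.1) uses, and counts how often the stripped length varies and where a one-byte difference changes the amount of hashing the PRF's HMAC does on that secret. Assumptions, labelled as such: the modulus P is a placeholder 1024-bit odd number chosen only for its bit length, not a verified prime or a real TLS group; secrets are drawn uniformly at random instead of being computed as g^(ab) mod p, which gives the same length statistics; the hash accounting covers only the HMAC key-hashing step, not the bignum conversion or the exponentiation, which can leak independently.

```python
"""
Added example: why TLS 1.2's encoding of the DH shared secret is
length-dependent, and what a fixed-length encoding changes.

P is a placeholder 1024-bit odd number, not a real group modulus.
Shared secrets are sampled uniformly rather than derived from a key
exchange; only their length distribution matters here.
"""
import random

P = (1 << 1024) - 1093337          # placeholder modulus (assumption, see above)
P_LEN = (P.bit_length() + 7) // 8  # 128 bytes for a 1024-bit modulus

SHA256_BLOCK = 64   # HMAC-SHA256 block size in bytes
SHA256_PAD = 9      # minimum padding: one 0x80 byte plus an 8-byte length


def tls12_premaster(z: int) -> bytes:
    """TLS 1.2: big-endian Z with all leading zero bytes removed.
    The length of the result depends on the secret value."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00")


def fixed_length_premaster(z: int) -> bytes:
    """TLS 1.3 style: always P_LEN bytes, leading zeros kept,
    so the length reveals nothing about the secret."""
    return z.to_bytes(P_LEN, "big")


def sha256_compression_calls(msg_len: int) -> int:
    """Compression-function invocations to hash msg_len bytes with SHA-256
    (data + 0x80 + 8-byte length, rounded up to 64-byte blocks)."""
    return (msg_len + SHA256_PAD + SHA256_BLOCK - 1) // SHA256_BLOCK


def hmac_key_hash_calls(key_len: int) -> int:
    """HMAC (RFC 2104) hashes a key longer than the block size before use
    and zero-pads a shorter one; this is the extra work spent on the key.
    In the TLS 1.2 PRF the premaster secret is that key."""
    return sha256_compression_calls(key_len) if key_len > SHA256_BLOCK else 0


def stripped_length_histogram(trials: int, seed: int = 1) -> dict:
    """Sample secrets from [1, P) and tally the TLS 1.2 premaster lengths.
    The fixed-length encoding would put every sample at P_LEN."""
    rng = random.Random(seed)
    hist = {}
    for _ in range(trials):
        n = len(tls12_premaster(rng.randrange(1, P)))
        hist[n] = hist.get(n, 0) + 1
    return hist


def lengths_where_one_stripped_byte_changes_hashing(max_len: int = 600) -> list:
    """Premaster lengths n (bytes) for which stripping a single leading zero
    byte, n -> n-1, changes the number of compression calls HMAC-SHA256 spends
    on the key.  Whether a given modulus size lands on one of these boundaries
    is what decides if this particular stage leaks through timing."""
    return [n for n in range(SHA256_BLOCK + 1, max_len)
            if hmac_key_hash_calls(n) != hmac_key_hash_calls(n - 1)]


if __name__ == "__main__":
    print("TLS 1.2 premaster lengths over 20000 samples:",
          dict(sorted(stripped_length_histogram(20000).items())))
    # Constructed secret whose top byte is zero: TLS 1.2 shortens it by one byte.
    z = 0xAB << (8 * (P_LEN - 2))
    print(len(tls12_premaster(z)), "vs", len(fixed_length_premaster(z)))
    print("hash-work boundaries (bytes):",
          lengths_where_one_stripped_byte_changes_hashing())
```

Roughly one sample in 256 comes out one byte short for a modulus of this size; a fixed-length encoding makes every secret the same length, which is the mitigation the researchers point to alongside not reusing ephemeral DH keys. The boundary list shows that a 128-byte premaster shortened to 127 bytes costs the same number of SHA-256 blocks in HMAC, so for that modulus size any observable difference has to come from another stage; the example is a model of the root cause, not a reproduction of the published measurements.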
------------------------------

Date: Fri, 11 Sep 2020 08:21:22 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Ericsson spotlights open RAN security risks (MobileWorldLive)

Ericsson dampened open RAN enthusiasm, arguing more work needs to be done
to address key security risks associated with the technology.

In a blog, head of security for network product solutions Jason Boswell
highlighted several areas of vulnerability, including new and expanded risks
from the use of fresh interfaces and third-party network applications.

Added security measures are also needed to address new threats presented by
the decoupling of hardware and software functions, and vendors should
carefully scrutinise open source code they plan to use, he said.

Boswell stressed ``security cannot be an afterthought,'' advocating the
importance of a risk-based approach. [...]
https://www.mobileworldlive.com/featured-content/top-three/ericsson-spotlights-open-ran-security-risks

------------------------------

Date: Mon, 7 Sep 2020 22:15:06 -0400
From: Phil Martel <poma...@comcast.net>
Subject: Re: Intel Slips, and a High-Profile Supercomputer Is Delayed
(Stein, RISKS-32.25)

> The exascale computer: 1E9 GFLOP == 10^15 FLOPs, or 1 exaFLOP (1 EFLOP?),
> double-precision FLOPS @ 64-bit per IEEE-754-2008.

Of course, 1E9 GFLOP = 1E18 FLOP

[Also noted by Eric Sosman, who seems to be about three orders of
magnitude off. FLOP inflation, maybe? Or G deflation? Or exa-sensory
deception? ES]

------------------------------

Date: Fri, 11 Sep 2020 13:23:47 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: Humans Take a Step Closer to Flying Car (RISKS-32.25)

Flying cars have appeared in almost all future technology predictions since
the early 20th century; yet despite many other predictions since then having
materialized, flying cars never actually took off (excuse the pun).

The reason for that becomes evident when one considers what an actual
flying car could be used for: the only benefit is not having to switch vehicles
when reaching an airport -- and even that is greatly diminished by some
flying car models which require configuration changes at the airport, or
VTOL models which do not require driving to an airport anyway.

OTOH, a flying car would always have to lug around a lot of unused hardware,
whether traveling on a road or flying; it could never become as efficient as
a single-purpose car nor as an airplane.

------------------------------

Date: Tue, 8 Sep 2020 14:10:43 +0100
From: John Stockton <dr.j.r....@gmail.com>
Subject: Re: Leap-seconds (Ross, RISKS-32.25)

> "Leap-seconds are announced about 30 days in advance."

My observations indicate that the announcement is normally over 5.5 months
in advance, not 30 days. For example, see the current issue of Bulletin C at
https://hpiers.obspm.fr/eoppc/bul/bulc/bulletinc.dat.

Terje Mathisen, following, wrote "The 0200--0300 change is pretty much
standard everywhere that uses daylight savings adjustments." The EU rules,
which apply also in other nearby Western European countries, are that all
the clocks should be altered simultaneously at 01:00 UTC on the chosen
Sundays, Brussels Time, whatever the local time might be. My present
understanding is that in the USA the clocks are altered, one way or the
other, on reaching 02:00 local time. Canadian provinces in the past have
altered their clocks at varied times of day; I don't know whether that is
still the case. In Lord Howe Island, the clocks are altered by only half an
hour - Wikipedia, and
https://www.timeanddate.com/time/zone/australia/lord-howe-island .

------------------------------

Date: Mon, 7 Sep 2020 17:28:26 -0400
From: "Richard A. DeMattia" <radem...@sbcglobal.net>
Subject: Re: Happy National Poll Worker Recruitment Day (RISKS-32.25)

Poll worker recruitment might be a bit more effective if half-day shifts
were permitted, unlike in Ohio where the work shift is from before 6am to
probably 8pm or later, and no partial-shift volunteers accepted.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.26
************************
