RISKS-LIST: Risks-Forum Digest Saturday 5 May 2018 Volume 30 : Issue 68

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.68>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Iowa Lottery fraud resolved (PGN on NYTimes item)
"Online voting is impossible to secure. So why are some governments
using it?" (Porup)
Lightning Struck Her Home. Then Her Brain Implant Stopped Working (NY Times)
KRACK Wi-Fi vulnerability can expose medical devices, patient records
(Charlie Osborne)
"A critical security flaw in popular industrial software put power plants
at risk" (Zack Whittaker)
"Oracle Access Manager security bug so serious it let anyone access
protected data" (Liam Tung)
How not to announce a loss of secure information (SMH)
Why Silicon Valley can't fix itself (The Guardian)
"Google Maps user? Beware attackers using URL-sharing to send
you to shady sites" (Liam Tung)
China's bungled drone display breaks world record (via BBC.com)
When a stranger takes your face, Facebook failed crackdown on fake accounts
(WashPo)
The Era of Fake Video Begins (Franklin Foer)
Souped-up smartphones, robots to help police fight crime more effectively
(Straits Times)
"GitHub says bug exposed some plaintext passwords" (ZDNet)
"Gaming: The System" (NY Times)
France seizes France.com from man who's had it since 1994, so he sues
(Ars Technica)
Transparent Eel-Like Soft Robot Can Swim Silently Underwater (ACM Technews)
He Drove a Tesla on Autopilot From the Passenger Seat. The Court
Was Not Amused. (NYTimes)
Is My Not-So-Smart House Watching Me? (NYTimes)
Following the Trail of Online Ads, Wherever It Leads (NYTimes)
Criminals Used Flying Robots to Disrupt FBI Hostage Operation
(Fortune)
Facebook's dating service is a chance to meet the catfisher, advertiser,
or scammer of your dreams (WashPo)
Blockchain Will Be Theirs, Russian Spy Boasted at Conference
(Nathaniel Popper)
Blockchain is not only crappy technology but a bad vision for
the future (Kai Stinchcombe, John Levine)
Keeping your *Twitter* account secure (Gabe Goldberg)
Against Trendism: how to defang the social media disinformation complex
(Medium via John Ohno)
Letter to *Consumer Reports* responding to June article about connected cars
(Gabe Goldberg)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 3 May 2018 14:06:09 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Iowa Lottery fraud resolved (NYTimes)

The Iowa Hot Lotto fraud scandal has now been resolved. A programmer who
happened to be the info-security head for the Multi-State Lottery
Association managed to slip in a piece of code into the proprietary system
that changed the randomness on just three chosen days in the year. This
enabled a would-be payoff of $14.3M. The collaborators were detected when
they attempted to collect.
http://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-iowa-lottery-fraud-mystery.html

This is reminiscent of the Harrah's Tahoe six-slot-machine progressive
payoff noted way back in RISKS-1.01 (where a shill chosen to collect the
payoff never showed up, because he had a record and feared exposure [perhaps
he was in a witness-protection program?]), and the more recent Breeder's Cup
off-track pick-six $3M scam (RISKS-22.33,38-40) -- in which bets on the
first four races were altered by an insider after those races were over, and
the next races wildcarded to cover all possible horses, but in a system in
which the bets were never transmitted until after the fourth race (to save
bandwidth?).

The combination of proprietary code that cannot be inspected externally and
the insider being the IT security person should recall the corresponding
situation with proprietary election systems that can be hacked or rigged by
insiders. [And then read Gene Wirchenko's next item! PGN]

------------------------------

Date: Thu, 03 May 2018 09:01:31 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Online voting is impossible to secure. So why are some governments
using it?" (Porup)

J.M. Porup, CSO, 2 May 2018
http://www.csoonline.com/article/3269297/security/online-voting-is-impossible-to-secure-so-why-are-some-governments-using-it.html

If you thought electronic voting machines were insecure, wait until you meet
online voting.

selected text:

A researcher at the University of Melbourne in Australia, Teague has twice
demonstrated massive security flaws in the online voting systems used in
state elections in Australia -- including one of the largest deployments of
online voting ever, the 2015 New South Wales (NSW) state election, with
280,000 votes cast online.

The response? Official complaints about her efforts to university
administrators, and a determination by state election officials to keep
using online voting, despite ample empirical proof, she says, that these
systems are not secure.

While insecure voting machines have received most of the attention since the
2016 U.S. presidential election, states and municipalities continue to use
-- even enthusiastically adopt -- web-based online voting, including 31
states in the U.S., two provinces in Canada, and two states in Australia.
Wales in the UK is pushing hard for online voting. The country of Estonia
uses online voting for its national elections.

Security researchers point out flaws; election officials get angry and
ignore security issues that threaten the integrity of the voting
results. Teague's story repeats itself around the world.

The NSW state election of 2015 was so insecure that one seat in the upper
house of the state parliament may have been decided by hacked votes. In
response to the scandal, the electoral commission went to great lengths to
avoid transparency regarding the security issues Teague and her team
reported, and only revealed the true nature of the problem under close
questioning in state parliament a year later.

Before the election, the state electoral commission told the Australian
Broadcasting Corporation (ABC) that "People's vote is completely secret...
It's fully encrypted and safeguarded, it can't be tampered with." Yet it
took researchers only a few days to identify fatal flaws in the online
voting web application that could have easily been used to spy on and even
modify every single vote cast online, and to do so in an undetectable
manner.

The NSW electoral commission initially reported after the election that
there were no anomalies seen while using the online voting platform, but a
year later, under questioning in state parliament, admitted that there were,
in fact, significant anomalies reported by voters. More than 600 voters who
attempted to verify their votes using a rudimentary telephone-based system
were unable to do so -- a 10 percent failure rate, enough to call into
question the voting result of the state election. "That to me is the bottom
line," Teague says. "The really important thing is that we didn't find out
the truth at the time."

------------------------------

Date: Fri, 04 May 2018 08:12:36 +0800
From: Richard M Stein <rms...@ieee.org>
Subject: Lightning Struck Her Home. Then Her Brain Implant Stopped Working
(NY Times)

http://www.nytimes.com/2018/05/03/health/lightning-brain-implants.html

------------------------------

Date: Tue, 01 May 2018 09:38:02 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: KRACK Wi-Fi vulnerability can expose medical devices, patient
records (Charlie Osborne)

Charlie Osborne for Zero Day, 1 May 2018
http://www.zdnet.com/article/krack-wi-fi-vulnerability-strikes-medical-devices/

selected text:

Medical devices produced by Becton, Dickinson and Company (BD) are
vulnerable to the infamous KRACK bug, potentially exposing patient records.
Discovered in October, KRACK, which stands for Key Reinstallation Attack,
exploits a flaw in the Wi-Fi Protected Access II (WPA2) protocol which is
used to secure modern wireless networks.

If exploited, KRACK gives threat actors the key required to join wireless
networks which would otherwise require a password for authentication. Once
they have joined, they can snoop on network traffic, perform
Man-in-The-Middle (MiTM) attacks, hijack connections, and potentially send
out crafted, malicious network packets.

In a security bulletin, BD said that successful exploit in a select range of
products could also lead to patient record changes or exfiltration, as well
as major IT disruptions.

------------------------------

Date: Wed, 02 May 2018 08:59:05 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "A critical security flaw in popular industrial software put power
plants at risk" (Zack Whittaker)

Zack Whittaker for Zero Day, 2 May 2018
The bug in the industrial control software could leave power and
manufacturing plants exposed. A severe vulnerability in a widely used
industrial control software could have been used to disrupt and shut down
power plants and other critical infrastructure.
http://www.zdnet.com/article/critical-security-flaw-schneider-industrial-software-power-plants-vulnerabilty/

------------------------------

Date: Thu, 03 May 2018 09:15:02 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Oracle Access Manager security bug so serious it let anyone
access protected data" (Liam Tung)

By Liam Tung | May 3, 2018 -- 12:42 GMT (05:42 PDT) | Topic: Security
The moral? Don't roll your own crypto, security researcher tells Oracle.
http://www.zdnet.com/article/oracle-access-manager-security-bug-so-serious-it-let-anyone-access-protected-data/

selected text:

A bug that Oracle recently patched broke the main functionality of Oracle
Access Manager (OAM), which should only give authorized users access to
protected enterprise data.

However, researchers at Austrian security firm SEC-Consult found a flaw in
OAM's cryptographic format that allowed them to create session tokens for
any user, which the attacker could use to impersonate any legitimate user
and access web apps that OAM should be protecting.

"What's more, the session cookie crafting process lets us create a session
cookie for an arbitrary username, thus allowing us to impersonate any user
known to the OAM."

------------------------------

Date: Fri, 4 May 2018 11:08:29 +1000
From: Dave Horsfall <da...@horsfall.org>
Subject: How not to announce a loss of secure information (SMH)

The Commonwealth Bank of Australia, who are in enough trouble as it is with
major scandals, did not tell its customers that some "tapes" went missing on
their way to be destroyed.

http://www.smh.com.au/business/banking-and-finance/almost-20-million-bank-account-records-lost-by-commonwealth-bank-20180502-p4zd02.html

``The tapes contained customer names, addresses, account numbers and
transaction details from 19.8 million accounts spanning 2000 to early
2016. They did not contain passwords, PINs or other data which could be
used to enable account fraud, CBA said in a statement on Wednesday night
after BuzzFeed broke the story.''

So, plenty of account numbers and transaction details etc, but we've got
nothing to worry about, right? Perhaps they should be reading RISKS...

Dave Horsfall VK2KFU North Gosford NSW 2250 Australia

------------------------------

Date: Sat, 5 May 2018 11:04:01 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Why Silicon Valley can't fix itself (The Guardian)

Tech insiders have finally started admitting their mistakes -- but the
solutions they are offering could just help the big players get even more
powerful.

http://www.theguardian.com/news/2018/may/03/why-silicon-valley-cant-fix-itself-tech-humanism

------------------------------

Date: Wed, 02 May 2018 09:02:16 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Google Maps user? Beware attackers using URL-sharing to send
you to shady sites" (Liam Tung)

Liam Tung, ZDNet, 2 May 2018

The Google Maps URL-sharing feature allows scammers to send victims to any
site they choose. Scammers are using the Google Maps URL-sharing feature to
direct victims not to Maps but any shady website the crooks want. According
to security firm Sophos, scammers are taking advantage of the fact the URL
sharing feature in Google Maps isn't an official product and lacks a
mechanism to report scammy links.

That's unlike Google's soon-to-be retired URL shortener goo.gl, which can be
used to conceal links to malware or phishing sites, but also has a simple
way for recipients to report scam links.

http://www.zdnet.com/article/google-maps-user-beware-attackers-using-url-sharing-to-send-you-to-shady-sites/

------------------------------

Date: Thu, 03 May 2018 09:29:21 +0800
From: Richard M Stein <rms...@ieee.org>
Subject: China's bungled drone display breaks world record (via BBC.com)

http://www.bbc.com/news/technology-43982522

Swarm intelligence is complicated to coordinate. "I believe everything
happens for a reason. Usually, the reason is that somebody screwed up."
(From Maxine -- the Hallmark Shoebox card character on 23JUN2007). 

------------------------------

Date: Sat, 05 May 2018 00:54:41 +0000
From: Richard M Stein <rms...@ieee.org>
Subject: When a stranger takes your face, Facebook failed crackdown on fake
accounts (WashPo)

https://www.washingtonpost.com/business/economy/when-a-stranger-takes-your-face-facebooks-failed-crackdown-on-fake-accounts/2018/05/04/d3318838-4f1a-11e8-af46-b1d6dc0d9bfe_story.html%3Fnoredirect%3Don%26utm_term%3D.fc1e7548ed66

Perhaps a biometric supplement would boost authentication accuracy?

Would be good to learn Facebook user profile photo match rate against the
FBI's NCIC to test hit/miss rate. How many convicted felons or fugitives use
Facebook? Given this information, update T&Cs to hedge against
authentication theft.

------------------------------

Date: Sun, 29 Apr 2018 23:41:00 +0000
From: geoff goodfellow <ge...@iconia.com>
Subject: The Era of Fake Video Begins (Franklin Foer)

Franklin Foer, *The Atlantic*, May 2018 Issue
The digital manipulation of video may make the current era of fake news seem
quaint.
http://www.theatlantic.com/magazine/archive/2018/05/realitys-end/556877/

EXCERPT:

In a dank corner of the Internet, it is possible to find actresses from Game
of Thrones or Harry Potter engaged in all manner of sex acts. Or at least to
the world the carnal figures look like those actresses, and the faces in the
videos are indeed their own. Everything south of the neck, however, belongs
to different women. An artificial intelligence has almost seamlessly
stitched the familiar visages into pornographic scenes, one face swapped for
another. The genre is one of the cruelest, most invasive forms of identity
theft invented in the Internet era. At the core of the cruelty is the acuity
of the technology: A casual observer can't easily detect the hoax.

This development, which has been the subject of much hand-wringing in the
tech press, is the work of a programmer who goes by the nom de hack
*deepfakes*. And it is merely a beta version of a much more ambitious
project. One of deepfakes' compatriots told Vice's Motherboard site in
January that he intends to democratize this work. He wants to refine the
process, further automating it, which would allow anyone to transpose the
disembodied head of a crush or an ex or a co-worker into an extant
pornographic clip with just a few simple steps. No technical knowledge would
be required. And because academic and commercial labs are developing even
more-sophisticated tools for non-pornographic purposes -- algorithms that
map facial expressions and mimic voices with precision -- the sordid fakes
will soon acquire even greater verisimilitude. The Internet has always
contained the seeds of postmodern hell. Mass manipulation, from clickbait to
Russian bots to the addictive trickery that governs Facebook's News Feed, is
the currency of the medium. It has always been a place where identity is
terrifyingly slippery, where anonymity breeds coarseness and confusion,
where crooks can filch the very contours of selfhood. In this respect, the
rise of deepfakes is the culmination of the Internet's history to date --
and probably only a low-grade version of what's to come.

------------------------------

Date: Thu, 03 May 2018 17:19:08 +0800
From: Richard M Stein <rms...@ieee.org>
Subject: Souped-up smartphones, robots to help police fight crime more
effectively (Straits Times)

http://www.straitstimes.com/singapore/souped-up-smartphones-robots-to-help-police-fight-crime-more-effectively

"New technology unveiled on Thursday (May 3) will make it easier for the
police to fight crime and enforce the law.

"Souped-up smartphones will allow officers to respond faster and more
effectively to incidents, as well as call up key information on a
case. Robots on patrol can aid in the detection of suspicious activities,
and handheld scanners will make it easier to take real-time 3D scans of
crime scenes to aid in crime solving."

The article has several photos (showing 3 unique autonomous patrol unit
configurations) and lists the autonomous patrol unit's h/w specification.

------------------------------

Date: Wed, 02 May 2018 08:55:33 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "GitHub says bug exposed some plaintext passwords" (ZDNet)

http://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

Zack Whittaker for Zero Day, 1 May 2018
A small but unspecified number of GitHub staff could have seen plaintext
passwords. GitHub has said a bug exposed some user passwords -- in
plaintext.

------------------------------

Date: Mon, 30 Apr 2018 09:57:26 +0800
From: Richard M Stein <rms...@ieee.org>
Subject: "Gaming: The System" (NY Times)

https://www.nytimes.com/2018/04/28/opinion/sunday/gaming-the-system.htm

``My gamified life may be nutty and sad, but it doesn't hurt anyone. At
least that's what I thought until a few months ago, when my new car
insurance company, Liberty Mutual, invited me to join a program its
website describes this way: Using a small device that observes your
driving habits, we'll notice the safe choices you're making on the road
and reward you for them. The company promised a rate reduction of at
least 5 percent and up to 30 percent, based on driving performance over a
three-month period. Best of all, an app would let me track the size of my
discount in real time.''

Technology gamifies our lives as consumers -- a dopamine burst sustains
product interest boosted by a loyalty discount, while data capture
algorithms gleefully score your profile. Several economics Nobel prizes
attest to reward incentive influence on consumer behavior. Is gamification
deployed by social media bots that promote political candidates? Is
gamification deployed by industries opposing environmental or health
legislation?  Has gamification emerged as a new public health threat
exploiting the brain's addiction channel?

See RISKS-29.21 for the first mention of 'gamification' in comp.risks: "The
brain-imaging experiment showed how the students concentrated and learned
better when studying was part of a game."

------------------------------

Date: Mon, 30 Apr 2018 00:38:06 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: France seizes France.com from man who's had it since 1994, so he sues
(Ars Technica)

http://arstechnica.com/tech-policy/2018/04/france-seizes-france-com-from-man-whos-had-it-since-94-so-he-sues/

Nice domain you have there. Would be a shame if anything happened to it...

------------------------------

Date: Wed, 2 May 2018 12:31:36 -0400
From: ACM TechNews <technew...@acm.org>
Subject: Transparent Eel-Like Soft Robot Can Swim Silently Underwater

University of California, San Diego (04/24/18) Ioana Patringenaru
via ACM TechNews, Wednesday, 2 May 2018

Researchers at the University of California, San Diego and the University of
California, Berkeley have created a nearly-transparent eel-like robot that
can swim silently in salt water using artificial muscles. Critical to the
new technology is the use of the salt water in which the robot swims, to
generate the electrical forces that propel it. The robot delivers negative
charges to the water just outside itself, and positive charges inside the
robot to trigger its muscles to bend, creating the robot's swimming motion.
The charges carry very little current, making them safe for marine life. The
technology is an important step toward a future when soft robots can swim in
the ocean alongside fish and invertebrates without harming them, the
researchers say.

http://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1b1b0x215c58x070332%26

[The technology is fascinating, with lots of opportunities here. Risks?
Sharks might devour but not digest the robots, heat-sensing creatures
might cuddle up to them, or even befriend them, or redirect robots that
are stealthy torpedos to another target! PGN]

------------------------------

Date: Sun, 29 Apr 2018 17:31:40 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: He Drove a Tesla on Autopilot From the Passenger Seat. The Court
Was Not Amused. (NYTimes)

http://www.nytimes.com/2018/04/29/world/europe/uk-autopilot-driver-no-hands.html

The British man was barred from driving for 18 months after being videotaped
sitting with his hands behind his head, cruising at 40 miles per hour in
*heavy* traffic.

------------------------------

Date: Sun, 29 Apr 2018 17:32:05 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Is My Not-So-Smart House Watching Me? (NYTimes)

http://www.nytimes.com/2018/04/27/realestate/is-my-not-so-smart-house-watching-me.html

Smart-house technology has made it easier to turn on the lights and set the
thermostat, but sometimes objects go rogue.

------------------------------

Date: Sun, 29 Apr 2018 17:32:55 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Following the Trail of Online Ads, Wherever It Leads (NYTimes)

http://www.nytimes.com/2018/04/18/technology/personaltech/online-advertising-tracking.html

Sapna Maheshwari, who covers advertising for The Times, discusses how she
tracks the online ads that track us.

------------------------------

Date: Fri, 4 May 2018 23:50:14 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Criminals Used Flying Robots to Disrupt FBI Hostage Operation
(Fortune)

Criminals have discovered another use for drones -- to distract and spy on
law enforcement.

They recently tried to thwart an FBI hostage rescue, Joe Mazel, chief of the
FBI's operational technology law unit, said this week, according to a report
by news site Defense One.

Mazel, speaking at the AUVSI Xponential drone conference in Denver, said
that criminals launched a swarm of drones at an FBI rescue team during an
unspecified hostage situation near a large U.S. city, confusing law
enforcement. The criminals flew the drones at high speed over the heads of
FBI agents to drive them away while also shooting video that they then
uploaded to YouTube as a way to alert other nearby criminal members about
law enforcement's location.

http://fortune.com/2018/05/04/drone-fbi-hostage-criminals/

------------------------------

Date: Thu, 3 May 2018 19:44:28 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Facebook's dating service is a chance to meet the catfisher,
advertiser, or scammer of your dreams (WashPo)

via NNSquad

http://www.washingtonpost.com/news/the-switch/wp/2018/05/03/facebooks-dating-service-is-a-chance-to-meet-the-catfisher-advertiser-or-scammer-of-your-dreams/

The love-seeking singles of Facebook's new dating service, privacy experts
say, may not be prepared for what they'll encounter: sham profiles,
expanded data gathering and a new wave of dating fraud. Facebook -- under
fire for viral misinformation, fake accounts and breaches of tr[sic]

------------------------------

Date: Sun, 29 Apr 2018 17:02:35 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Blockchain Will Be Theirs, Russian Spy Boasted at Conference
(Nathaniel Popper)

Nathaniel Popper, The New York Times, 29 Apr 2018

http://www.nytimes.com/2018/04/29/technology/blockchain-iso-russian-spies.html

EXCERPT:

Russian interest in the technology surrounding virtual currencies, like in
this crypto-mining operation in Moscow, is growing. Last year, employees of
Russia's spy agency attended a meeting where international standards for the
so-called blockchain were discussed. Andrey Rudakov/Bloomberg

SAN FRANCISCO -- Last year, representatives of 25 countries met in Tokyo to
work on setting international standards for the blockchain, the technology
that was introduced by the virtual currency Bitcoin and has ignited intense
interest in corporate and government circles.

Some of the technologists at the meeting of the International Standards
Organization were surprised when they learned that the head of the Russian
delegation, Grigory Marshalko, worked for the FSB, the intelligence agency
that is the successor to the KGB.

They were even more surprised when they asked the FSB agent why the Russians
were devoting such resources to the blockchain standards.

``Look, the Internet belongs to the Americans -- but blockchain will belong
to us,'' he said, according to one delegate who was there. The Russian added
that two other members of his country's four-person delegation to the
conference also worked for the FSB.

Another delegate who had a separate conversation with the head of the
Russian group remembers a slightly different wording: ``The Internet
belonged to America. The blockchain will belong to the Russians.''

Both of the delegates who recounted their conversations did so on the
condition of anonymity, because discussions at the International Standards
Organization are supposed to be confidential. Neither the Russian
organizations overseeing the delegation to the ISO nor the Russian delegates
responded to requests for comment.

------------------------------

Date: Sat, 5 May 2018 09:22:23 -0400
From: "Dave Farber" <far...@gmail.com>
Subject: Blockchain is not only crappy technology but a bad vision for
the future (Kai Stinchcombe)

Kai Stinchcombe, Medium, 5 Apr 2018 [Via Dave's IP distribution]
http://medium.com/%40kaistinchcombe/decentralized-and-trustless-crypto-paradise-is-actually-a-medieval-hellhole-c1ca122efdec

Blockchain is not only crappy technology but a bad vision for the future.
Its failure to achieve adoption to date is because systems built on trust,
norms, and institutions inherently function better than the type of
no-need-for-trusted-parties systems blockchain envisions. That's permanent:
no matter how much blockchain improves it is still headed in the wrong
direction.

This December I wrote a widely-circulated article on the inapplicability of
blockchain to any actual problem. People objected mostly not to the
technology argument, but rather hoped that decentralization could produce
integrity. [...]

------------------------------

Date: May 5, 2018 at 1:49:22 PM EDT
From: "John Levine" <jo...@iecc.com>
Subject: Blockchain is not only crappy technology but a bad vision for
the future (Re: Stinchcombe)

Well, gee, everything he says is self-evidently true.

Bitcoins remind me of a story from the late chair of the Princeton U.
astronomy department. In 1950 Immanuel Velikovsky published "Worlds in
Collision", a controversial best selling book that claimed that 3500 years
ago Venus and Mars swooped near the earth, causing catastrophes that were
passed down in religions and mythologies.

The astronomer was talking to an anthropologist at a party and the book came
up.

"The astronomy is nonsense," said the astronomer, "but the anthropology is
really interesting."

"Funny," replied the anthropologist, "I was going to say almost the same
thing."

Bitcoin and blockchains lash together an unusual distributed database with a
libertarian economic model. People who understand databases realize that
blockchains only work as long as there are incentives to keep a sufficient
number of non-colluding miners active, preventing collusion is probably
impossible, and that scaling blockchains up to handle an interesting
transaction rate is very hard, but that no-government money is really
interesting.

People who understand economics and particularly economic history understand
why central banks manage their currencies, thin markets like the ones for
cryptocurrencies are easy to corrupt, and a payment system needs a way to
undo bogus payments, but that free permanent database ledger is really
interesting.

Not surprisingly, the most enthusiastic bitcoin and blockchain proponents
are the ones who understand neither databases nor economics.

------------------------------

Date: Thu, 3 May 2018 22:56:28 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Keeping your *Twitter* account secure

Or not.

http://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

When you set a password for your Twitter account, we use technology that
masks it so no one at the company can see it. We recently identified a bug
that stored passwords unmasked in an internal log. We have fixed the bug,
and our investigation shows no indication of breach or misuse by anyone.

------------------------------

Date: Fri, 04 May 2018 14:15:59 +0000
From: John Ohno <john...@gmail.com>
Subject: Against Trendism: how to defang the social media disinformation
complex (Medium)

http://medium.com/%40enkiv2/against-trendism-how-to-defang-the-social-media-disinformation-complex-81a8e2635956

There's an essential mistake that almost every social media platform makes
-- one inherited from marketing (where it makes some sense), and one that is
mostly unexamined and unaccounted-for even in otherwise fairly
socially-conscious projects like Mastodon and Diaspora. In almost every one
of these systems, incentives exist that confuse popularity with value.

I call this *trendism* -- the belief that an already-trending topic deserves
to be promoted.

In marketing, because the piece of information being spread is intended to
sell a product, the spread of that information is, in fact, theoretically
proportional to its value. In social media, the information being spread is
not a piece of advertising, and while most of these systems have revenue
models based on advertising, that advertising is generated on the fly based
on the viewer's browsing history and has nothing to do with the content of
the piece of information being spread.

The thing is, ideas travel in packs. When we encounter one idea, we tend to
see its nearest neighbours also. When we find out something new, our friends
hear about it too. So, trending posts are rarely surprising: by the very
nature of their popularity, they are already familiar in their essence to
most of the people who are directed toward them.

The information content of a message, in Claude Shannon's formulation, is
proportional to its deviation from expectation -- information is surprise.
Kolgorov's [Kolmogorov? PGN] formulation is similar: information content
proportional to the smallest possible message that could say the same thing
(which, of course, includes references to earlier messages or prior
knowledge as a possible tactic).

In other words, from an information-theoretic perspective, a post that only
tells you things you already know is worthless. Yet, trending content is
almost always composed solely of things the viewer has already seen.

There's one piece of information that a copy of a viral post actually has --
the association between the content of the post and the person posting it.
We share posts we've already seen as a way of expressing our identity, both
personally and within a group. That is the only form of information valued
by trending-oriented systems: tribal affiliation.

If we want to force our social media platforms into information-rich
environments and lower the amount of tribal rivalry we are exposed to, there
are a couple general-purpose solutions, and they all come down to
kneecapping the machinery of trendism.

1. Rather than block political content (only one kind of tribalist
content, and one that is at least theoretically grounded in genuine
philosophical differences about the ideal shape of the world, rather than
geography or social groups), we should block all shared content. Remove
retweets and shares from your feed entirely. Most of them are things you
have already seen, and most of the rest don't contain meaningful or useful
information.

2. Emotionally-manipulative posts get the most engagement, and are
therefore ranked higher in feeds. (I don't want to be emotionally
manipulated. Do you?)* To defeat this ranking, force your feed to
reverse-chronological order. To filter out emotionally-manipulative posts,
filter out anything with more than a set number of interactions.

3. Avoid being part of the problem. Before sharing, determine: is the
information true? Is it new? Is it playing mostly on my emotions? If
possible, delay your sharing for a long period of time -- read an article,
and then wait a few hours, or even a few days, before deciding whether or
not it is of sufficient quality to actually re-post.

4. Identify when you are being drawn into heated arguments, and ignore
them. In the heat of the moment, you're not actually making good points
anyhow, and you're more likely to misunderstand or misrepresent your
opponent. The suggestions from #3 apply here too for comments -- make sure
your comments are accurate, informative, and cool, even if that means
waiting several days to respond. Never let the system rush you.

5. Visible metrics gamify trendism. Remove them.

Most social media platforms don't make it easy to follow this advice.
Mastodon is closest -- it hides metrics from the timeline by default,
supports only reverse-chronological post ordering, and allows you to filter
all boosts from your timeline. For everything else, you will need to use
browser extensions.

Facebook Demetricator ... and Twitter Demetricator [...]
[Truncated for RISKS. PGN]
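As an added illustration (not part of the quoted article), the filtering rules above can be expressed as a small feed re-ranker: the first function is the engagement-first ordering the article criticises, the second applies rules 1, 2 and 5 (drop shares, drop posts above an interaction threshold, reverse-chronological order, metrics hidden). The posts, authors and counts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Post:
    author: str
    text: str
    posted_at: datetime
    interactions: int   # likes + replies + shares: the "visible metric"
    is_share: bool      # a retweet/boost of someone else's post

# Constructed sample feed (hypothetical posts, not real accounts).
SAMPLE_FEED = [
    Post("alice", "Lab notes: measured the new sensor drift",
         datetime(2018, 5, 4, 9, 0), 3, False),
    Post("bob", "RT @someone: OUTRAGEOUS what they did today!!!",
         datetime(2018, 5, 4, 12, 0), 4800, True),
    Post("carol", "Quiet long-read on municipal broadband",
         datetime(2018, 5, 3, 18, 30), 12, False),
    Post("dave", "Everyone is talking about THIS. Thread.",
         datetime(2018, 5, 4, 13, 0), 950, False),
    Post("erin", "Photo from this morning's hike",
         datetime(2018, 5, 4, 8, 0), 40, False),
]

def engagement_ranked(feed):
    """The trendist default: whatever already has the most interactions
    is shown first, so the viral share and the bait thread float up."""
    return sorted(feed, key=lambda p: p.interactions, reverse=True)

def defanged(feed, max_interactions=100):
    """Rules 1, 2 and 5: remove shares, filter out anything over the
    interaction threshold, order reverse-chronologically, and return a
    view without the metric so nothing is left to gamify."""
    kept = [p for p in feed
            if not p.is_share and p.interactions <= max_interactions]
    kept.sort(key=lambda p: p.posted_at, reverse=True)
    return [(p.author, p.text) for p in kept]

if __name__ == "__main__":
    print("engagement:", [p.author for p in engagement_ranked(SAMPLE_FEED)])
    print("defanged:  ", [a for a, _ in defanged(SAMPLE_FEED)])
```

The same five posts come out as bob, dave, erin, carol, alice under engagement ranking and as alice, erin, carol once defanged; the threshold is a knob the reader sets, as rule 2 says.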

------------------------------

Date: Sat, 5 May 2018 10:58:12 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Letter to *Consumer Reports* responding to June article about
connected cars.

Your otherwise-excellent article on data-hoovering connected cars doesn't
mention the downside of manufacturers being able to update automobile
software: risking bad updates and (worse) hackers abusing update
mechanisms. Anyone who's endured PC/phone/tablet problems with vendor
patches -- even had devices "bricked" (made useless) -- should be terrified
of car updates made without owner permission. And everyone aware of today's
hacking environment should refuse to purchase anything without understanding
and consenting to its update mechanism.

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks have done to URLs. I have
tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.68
************************