
Risks Digest 31.34


RISKS List Owner

Jul 25, 2019, 9:10:42 PM7/25/19
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Thursday 25 July 2019 Volume 31 : Issue 34

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.34>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Senate Intelligence report on election integrity (NYTimes)
Nuclear industry pushing for fewer inspections at plants (NBC)
Tesla floats fully self-driving cars as soon as this year.
Many are worried about what that will unleash. (WashPost)
Airbus A350 software bug forces airlines to turn planes off and on
every 149 hours (The Register)
Home elevator deaths (WashPost)
Numerous airport passengers hijacked by robots (JXM)
Satellite Outage Serves as a Warning (WiReD)
'Dumb' robot ants are alarmingly smart -- and strong -- working together
(Geoff Goodfellow)
The AI Metamorphosis (The Atlantic)
Cylance's AI-based AV easily spoofed (SkylightCyber)
AI Could Escalate New Type Of Voice Phishing Cyber Attacks (CSHub)
Uber glitch charges passengers 100 times the advertised price,
resulting in crosstown fares in the thousands of dollars (WashPost)
"Google says leaked assistant recordings are a violation of data
security policies" (Asha Barbaschow)
U.S. Companies Learn to Defend Themselves in Cyberspace (WSJ)
Agora farewell (Rob Slade)
NYC Subway Service Is Suspended on Several Lines, MTA Says (NYTimes)
Brazil is at the forefront of a new type of router attack (ZDNet)
My browser, the spy: How extensions slurped up browsing histories
from 4M users (Ars Technica)
Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94 (Gizmodo)
Microsoft Office 365: Banned in German schools over privacy fears
(Cathrin Schaer)
Sweden and UK's surveillance programs on trial at the European Court of
Human Rights (Catalin Cimpanu)
Bluetooth exploit can track and identify iOS, Microsoft mobile device users
(ZDNet)
Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board
trying to access metadata (Comms Alliance)
Permission-greedy apps delayed Android 6 upgrade so they could
harvest more user data (ZDNet)
Do drivers think you're a `Ridezilla'? Better check your Uber rating.
  (WashPost)
London Police Twitter feed was hacked; then Trump got in on the act
(WashPost)
Car locks itself, trapping toddler inside (DerWesten)
Hackers breach FSB contractor, expose Tor deanonymization project and more
(Catalin Cimpanu)
Facebook's Libra currency spawns a wave of fakes, including on Facebook
itself (WashPost)
Facebook Stock: Facebook's Libra Surrenders to Authority (InvestorPlace)
Tether's $5B error exposes cryptocurrency market fragility (WSJ)
College student was late returning a textbook to Amazon, so the
company took $3,800 from her father (Libercus)
Notre-Dame came far closer to collapsing than people knew.
This is how it was saved. (NYTimes)
One in five US tech employees abuse pain relief drugs, reveals study
(Eileen Brown)
Here's The Story Behind That Photo Of A Waterfall Inside A Metro Car (Dcist)
Stallone in Terminator 2? How one deepfake prankster is changing cinema
history (Digital Trends)
Cellphone WiFi auto-connect identifies vandals (Boston Globe)
Risks of an untimely text (Boston Globe)
Minister apologizes for text alert (Taipei Times)
Re: Line just went Orwellian on Japanese users with its social,
credit-scoring system (Brian Inglis)
Re: Galileo sat-nav system experiences service outage (Gabe Goldberg)
Re: How Fake News Could Lead to Real War (Dick Mills)
Re: London commuters Wi-FiTube being tracked (Chris Drewe)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 25 Jul 2019 15:18:55 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Senate Intelligence report on election integrity (NYTimes)

WASHINGTON DC: The Senate Intelligence Committee concluded [on 25 July 2019]
that election systems in all 50 states were targeted by Russia in 2016,
largely undetected by the states and federal officials at the time, but at
the demand of American intelligence agencies the committee was forced to
redact its findings so heavily that key lessons for the 2020 election are
blacked out.

While the report is not directly critical of either American intelligence
agencies or the states, it described what amounted to a cascading
intelligence failure, in which the scope of the Russian effort was
underestimated, warnings to the states were too muted, and state officials
either underreacted or in some cases, resisted federal efforts to offer
help.

https://www.nytimes.com/2019/07/25/us/politics/russian-hack-of-elections-system-was-far-reaching-report-finds.html

------------------------------

Date: Wed, 17 Jul 2019 15:15:39 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Nuclear industry pushing for fewer inspections at plants (NBC)

Caputo, who previously worked for nuclear plant operator Exelon Corp, told
operators this week her aim was "risk-informed decision-making,"
concentrating regulatory oversight on high-risk problems.

"We shouldn't regulate to zero risk," said David Wright, a former South
Carolina public-utility commissioner appointed to the NRC board last year.

"The NRC mission is reasonable assurance of adequate protection -- no more,
no less," Wright said.

https://www.nbcnews.com/politics/politics-news/nuclear-industry-pushing-fewer-inspections-plants-n983671

What could go wrong?

------------------------------

Date: Wed, 17 Jul 2019 20:28:05 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Tesla floats fully self-driving cars as soon as this year.
Many are worried about what that will unleash. (WashPost)

The electric-car maker said it will do that without light detection and
ranging, or lidar, complex sensors that use laser lights to map the
environment -- technology most autonomous vehicle makers consider necessary.
Even with lidar, many of those manufacturers have adopted a slow and
deliberate approach to self-driving vehicles, with limited testing on public
roads.

Tesla shows little sign of such caution. And because autonomous vehicles are
largely self-regulated -- guided by industry standards but with no clearly
enforceable rules -- no one can stop the automaker from moving ahead.

*The Washington Post* spoke with a dozen transportation officials and
executives, including current and former safety regulators, auto industry
executives, safety advocacy group leaders and autonomous-vehicle
competitors. In interviews, they expressed worries that Tesla's plan to
unleash robo-cars on the road on an expedited timeline likely without
regulated vetting -- could result in crashes, lawsuits and confusion. Plus,
they said, Tesla's promised `full self-driving' features fall short of
industry standards for a true autonomous vehicle because humans will still
need to be engaged at all times and ready to intervene in the
beginning. Some of the people interviewed requested anonymity because of the
sensitivity of the matter. ...

Tesla has raised eyebrows with its statements that autonomous driving can be
achieved through a slimmed-down system that sheds all but the most critical
equipment. Musk says he wants Tesla's system to use a combination of cameras
and radar sensors that triangulate a field of vision, similar to human
eyesight, forgoing lidar. It also forgoes a driver-monitoring camera to
improve safety in the cabin, instead relying on torque-sensing
steering-wheel monitors to detect whether the driver's hands are on the
wheel.

Tesla executives said at an April conference that the company is using its
radar and cameras to understand depth around its cars and real-world road
conditions, as well as its Shadow Mode, which allows it to test how
self-driving technologies perform without actually activating those features
-- something the company says lets it train and refine its networks without
needing to do the same testing as other companies.

``Lidar is lame,'' Musk said in April. Rivals are ``all going to dump
lidar. That's my prediction. Mark my words.''

Meanwhile, traditional auto-industry executives have preached caution.

https://www.washingtonpost.com/technology/2019/07/17/tesla-floats-fully-self-driving-cars-soon-this-year-many-are-worried-about-what-that-will-unleash/

------------------------------

Date: Thu, 25 Jul 2019 11:53:05 -0400
From: Steve Golson <sgo...@trilobyte.com>
Subject: Airbus A350 software bug forces airlines to turn planes off and on
every 149 hours (The Register)

https://www.theregister.co.uk/2019/07/25/a350_power_cycle_software_bug_149_hours/

The airworthiness directive says in part:

Prompted by in-service events where a loss of communication occurred between
some avionics systems and avionics network, analysis has shown that this may
occur after 149 hours of continuous aeroplane power-up. Depending on the
affected aeroplane systems or equipment, different consequences have been
observed and reported by operators, from redundancy loss to complete loss on
a specific function hosted on common remote data concentrator and core
processing input/output modules.

This condition, if not corrected, could lead to partial or total loss of
some avionics systems or functions, possibly resulting in an unsafe
condition.

I suspect they have a 32-bit counter that updates every 125 microseconds
(8kHz). Such a counter will overflow after 149 hours, 7 minutes, 51
seconds.

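The 149-hour figure above rests on the poster's own conjecture (a 32-bit counter ticking at 8 kHz); the directive itself gives no such detail. The following is an added illustration, not part of the RISKS post or of any Airbus material: it checks the arithmetic behind that conjecture with exact rational math, and then shows the classic failure mode of a free-running tick counter, namely that plain subtraction of timestamps breaks at the wrap while modular subtraction does not. The 125 microsecond tick period and the hypothetical `timeout_expired` helper are assumptions made for the example.

```python
"""Free-running counter wrap: when it happens and how elapsed-time
arithmetic should be written so a single wrap is harmless.

Added example; the 8 kHz / 125 us tick is the RISKS poster's conjecture,
not a documented fact about the A350 avionics.
"""
from fractions import Fraction

TICK_MICROSECONDS = 125        # assumed: 8 kHz tick period
COUNTER_BITS = 32
MODULUS = 1 << COUNTER_BITS    # 2**32 distinct counter values


def overflow_time(tick_us: int = TICK_MICROSECONDS,
                  bits: int = COUNTER_BITS) -> tuple[int, int, float]:
    """Return (hours, minutes, seconds) until a `bits`-wide counter that
    increments every `tick_us` microseconds wraps back to zero.

    Exact rational arithmetic avoids float rounding in the last digit.
    """
    total_seconds = Fraction((1 << bits) * tick_us, 10**6)
    hours = total_seconds // 3600
    remainder = total_seconds - hours * 3600
    minutes = remainder // 60
    seconds = float(remainder - minutes * 60)
    return int(hours), int(minutes), seconds


def naive_elapsed(start: int, now: int) -> int:
    """The bug: signed subtraction of two tick values.  Once `now` has
    wrapped past zero the result is hugely negative, so any 'has enough
    time passed?' test silently answers 'no' (or 'yes', depending on the
    comparison) for the next ~149 hours of operation."""
    return now - start


def elapsed_ticks(start: int, now: int) -> int:
    """The fix: unsigned modular subtraction.  As long as fewer than
    MODULUS ticks separate the two readings, the difference is correct
    regardless of whether the counter wrapped in between."""
    return (now - start) % MODULUS


def timeout_expired(start: int, now: int, timeout_ticks: int) -> bool:
    """Hypothetical watchdog-style check written with the safe helper."""
    return elapsed_ticks(start, now) >= timeout_ticks


if __name__ == "__main__":
    h, m, s = overflow_time()
    print(f"32-bit counter at 125 us/tick wraps after {h} h {m} min {s:.3f} s")

    # Constructed scenario: a timer was armed 10 ticks before the wrap and
    # is examined 5 ticks after it, i.e. 15 ticks later in real time.
    armed_at = MODULUS - 10
    checked_at = 5
    print("naive elapsed:  ", naive_elapsed(armed_at, checked_at))
    print("modular elapsed:", elapsed_ticks(armed_at, checked_at))
    print("15-tick timeout expired?", timeout_expired(armed_at, checked_at, 15))
```

Run as a script it prints the wrap interval (149 h 7 min 50.912 s, which rounds to the 51 seconds quoted in the post) and then the two elapsed-time answers for a reading taken across the wrap: the naive version returns a large negative number, the modular version returns the true 15 ticks. The same modular idiom applies to any unsigned hardware counter; the remaining hazard, which no arithmetic trick removes, is a reading taken more than one full counter period after the reference value.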
------------------------------

Date: Thu, 18 Jul 2019 14:42:28 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Home elevator deaths (WashPost)

https://www.washingtonpost.com/business/economy/home-elevator-deaths/2019/07/18/27b53434-968e-11e9-830a-21b9b36b64ad_story.html

------------------------------

Date: Tue, 16 Jul 2019 08:28:53 -0700
From: <j...@calidris.net>
Subject: Numerous airport passengers hijacked by robots

Here's a brief transport/automation problem that I encountered last week.

During the afternoon of 9 July 2019, the automated AirTrain shuttle service
at Newark airport went seriously awry.

AirTrain is an unmanned monorail service with a single line that links the
airport's three terminals with the parking and car rental facilities, as
well as the NJTransit/Amtrak station. Starting about 3.00pm, passengers were
instructed by AirTrain staff to evacuate the vehicles, to transfer back and
forth between certain trains, and to ignore the automated signs and
announcements. Some trains appeared to suddenly reverse direction and return
to their origin without visiting the terminals. Others arrived at one end of
the line already jammed with passengers who had expected to get to the other
end. There were numerous mismatches between the system's destination
indicators and the actual train movements.

For many dozens of people, what should have been a ten-minute transfer took
well over an hour, presumably with a corresponding number of missed
flights. There was no indication of any form of police activity or airport
security problems that might have caused the mixup.

It would be interesting to find out if anyone actually got to the root
of this robotic hijacking incident.

------------------------------

Date: Sat, 20 Jul 2019 00:33:45 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Satellite Outage Serves as a Warning (WiReD)

Europe's Galileo satellite navigation system largely regained service
Thursday [18 Jul 2019], after a mass outage began on 11 Jul. The European
Global Navigation Satellite Systems Agency, known as GSA, said that
commercial users would start to see coverage returning, but that there might
be "fluctuations" in the system. What remains unclear is what exactly caused
the downtime -- and why it persisted for so long.

https://www.wired.com/story/galileo-satellite-outage-gps/
ices might also be making connections with the Russian (Glonass) and
Chinese (Beidou) networks.

https://www.bbc.com/news/science-environment-48985399

------------------------------

Date: Tue, 16 Jul 2019 15:06:00 -1000
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: 'Dumb' robot ants are alarmingly smart -- and strong -- working
together

Everyone knows robot ants can't move a rubber tree plant. Oh shoot, they
can!

EXCERPT:

A team of Swiss researchers with bugs on the brain has created an army of
simple robotic "ants" capable of some impressive feats. The takeaway from
these 10 gram bots, which are inexpensive to make and surprisingly simple in
design? *Teamwork makes the dream work. *

As described in a new paper in the journal Nature, the ants can communicate
with each other, assign roles among themselves, and complete complex tasks
and overcome obstacles together. That means that while simple compared to
much more complex autonomous agents, these origami-inspired robots can solve
complex challenges, such as navigating uneven surfaces or, yes, moving
comparatively huge objects.

The robots <https://www.zdnet.com/blog/robotics/>, which are T-shaped and
called Tribots by researchers at the Ecole polytechnique federale de
Lausanne <https://www.epfl.ch/en/>, a Swiss research institute, have
infrared and proximity sensors for detection and communication. Made of
foldable thin materials, they're also easy to manufacture. The actuated
robots can jump and crawl to explore uneven surfaces.

"Their movements are modeled on those of Odontomachus ants," says Zhenishbek
Zhakypov, the first author of the Nature article. "These insects normally
crawl, but to escape a predator, they snap their powerful jaws together to
jump from leaf to leaf."...

------------------------------

Date: Mon, 15 Jul 2019 15:15:00 -1000
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: The AI Metamorphosis (The Atlantic)

*AI will bring many wonders. It may also destabilize everything from nuclear
detente to human friendships. We need to think much harder about how to
adapt.*

EXCERPT:

Humanity is at the edge of a revolution driven by artificial intelligence.
It has the potential to be one of the most significant and far-reaching
revolutions in history, yet it has developed out of disparate efforts to
solve specific practical problems rather than a comprehensive plan.
Ironically, the ultimate effect of this case-by-case problem solving may be
the transformation of human reasoning and decision making.

This revolution is unstoppable. Attempts to halt it would cede the future to
that element of humanity more courageous in facing the implications of its
own inventiveness. Instead, we should accept that AI is bound to become
increasingly sophisticated and ubiquitous, and ask ourselves: How will its
evolution affect human perception, cognition, and interaction? What will be
its impact on our culture and, in the end, our history?

Such questions brought together the three authors of this article: a
historian and sometime policy maker; a former chief executive of a major
technology company; and the dean of a principal technology-oriented academic
institution. We have been meeting for three years to try to understand these
issues and their associated riddles. Each of us is convinced of our
inability, within the confines of our respective fields of expertise, to
fully analyze a future in which machines help guide their own evolution,
improving themselves to better solve the problems for which they were
designed. So as a starting point -- and, we hope, a springboard for wider
discussion -- we are engaged in framing a more detailed set of questions
about the significance of AI's development for human civilization...

https://www.theatlantic.com/magazine/archive/2019/08/henry-kissinger-the-metamorphosis-ai/592771/

------------------------------

Date: Fri, 19 Jul 2019 9:53:16 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: Cylance's AI-based AV easily spoofed (SkylightCyber)

Steven Cheung just read a fun article that has been slashdotted.
It's about how a team defeats Cylance, a popular machine-learning-based
antivirus software.

https://www.vice.com/en_us/article/9kxp83/researchers-easily-trick-cylances-ai-based-antivirus-into-thinking-malware-is-goodware

Here are more technical details:

https://skylightcyber.com/2019/07/18/cylance-i-kill-you/

------------------------------

Date: Mon, 15 Jul 2019 12:40:55 -0400
From: José María Mateos <ch...@rinzewind.org>
Subject: AI Could Escalate New Type Of Voice Phishing Cyber Attacks
(CSHub)

https://www.cshub.com/attacks/articles/ai-could-escalate-new-type-of-voice-phishing-cyber-attacks

While many cyber security professionals have been looking at (and even
investing in) the potential benefits of utilizing artificial intelligence
(AI) technology within many different business functions, earlier this week,
the Israel National Cyber Directorate (INCD) issued a warning of a new type
of cyber-attack that leverages AI to impersonate senior enterprise
executives. The method instructs company employees to perform transactions
including money transfers and other malicious activity on the network.

There are recent reports of this type of cyber-attack received at the
operational center of the INCD. While business email compromise (BEC) types
of fraud oftentimes use social engineering methods for a more effective
attack, this new method escalates the attack type by using AI-based
software, which makes voice phishing calls to senior executives. ---

(Via BreachExchange:
https://lists.riskbasedsecurity.com/listinfo/breachexchange)

------------------------------

Date: Thu, 18 Jul 2019 18:19:02 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Uber glitch charges passengers 100 times the advertised price,
resulting in crosstown fares in the thousands of dollars (WashPost)

``We understand that this has been frustrating,'' Uber said in response to
one of the riders' complaints. ``There was a known issue that caused your
authorization hold to be very high. Our team has already fixed this
issue. Thank you so much for your patience.''

https://www.washingtonpost.com/technology/2019/07/18/uber-glitch-charges-passengers-times-normal-price-resulting-crosstown-fares-thousands-dollars/

------------------------------

Date: Mon, 15 Jul 2019 09:50:22 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: "Google says leaked assistant recordings are a violation of data
security policies" (Asha Barbaschow)

Asha Barbaschow | 11 Jul 2019

https://www.zdnet.com/article/google-says-leaked-assistant-recordings-are-a-violation-of-data-security-policies/

The search giant has confirmed humans are listening in to 'Okay Google'
commands, but it says leaking the recordings is a violation of its data
security policies.

opening text:

Earlier this week, a report from Belgium-based VRT NWS revealed that Google
employees had been "systematically listening" to audio files recorded by
Google Home smart speakers and the Google Assistant smartphone app.

The report detailed how employees were listening to excerpts of recordings
that are captured when a user activates the device by the usual "Okay
Google" or "Hey Google" commands.

After obtaining copies of some recordings, VRT NWS reached out to the users
and had them verify their voice, or those of their children, talking to the
digital assistant.

------------------------------

Date: Mon, 15 Jul 2019 17:21:15 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: U.S. Companies Learn to Defend Themselves in Cyberspace (WSJ)

From a friend, his comments below.

"One chief information-security officer at a major bank told us that, in
five years, his bank will largely be immune to cyberattacks because it is
upgrading from legacy systems that are insecure by default to cutting-edge
systems that are secure by design."
https://www.wsj.com/articles/u-s-companies-learn-to-defend-themselves-in-cyberspace-11562941994

Um, right. Wish I knew which bank that was so we could short its stock.

(Not that IBM Z is *necessarily* more secure, but if they really think
`cutting-edge systems' are `secure by design', well ...)

------------------------------

Date: Sat, 20 Jul 2019 09:39:29 -0800
From: Rob Slade <rms...@shaw.ca>
Subject: Agora farewell

Security does not have a community. It has several siloed, sliced, and
separated communities. Security has always taken "security by obscurity"
too readily to heart, and despite the fact that we know SBO doesn't work,
and even works against us, we still insist on dividing ourselves into
smaller and smaller sub-sets. Intelligence doesn't talk to law enforcement
which doesn't talk to academia which doesn't talk to business which doesn't
talk to military which doesn't talk to industry which doesn't talk to
government which doesn't talk to research. In all my decades in the field,
I've only ever found two venues that attracted, encouraged, and almost
forced the interaction (and often long-term relationships) of all these
disparate groups (and more).

If you've never been to the Agora meetings, you're too late. I attended the
last one yesterday. For the past twenty-five years, those in the know
would, every quarter, make every effort to spend Friday morning together.
That was it: Friday morning. Three hours long, never more than three main
presentations. There were also announcements, job postings, occasional
queries, and, every August 15th, storytime. (That's an Agora joke. I don't
expect you to get it. If you tell it to someone and they laugh, they've
been to Agora recently.)

Agora didn't just happen, of course. It was created and diligently (and
creatively and competently) managed by Kirk Bailey, later ably assisted by
Ann Nagel and Daniel Schwalbe. Also assisted by various students and a
whole host of attendees and even companies, but that list would a) make this
piece far too long and b) I'd definitely forget someone. Those of us who
attended owe them all a debt of gratitude.

Kirk's ability to attract speakers was legendary. We heard presentations at
Agora I've never heard anywhere else, and some I never thought to hear. I
recall a drive back after one Agora, when we were discussing a rather
lackluster piece, and I was suddenly struck by the fact that, even if this
meeting hadn't been sterling, the worst Agora meeting I'd ever attended was
better than the best conference I'd ever attended.

But the presentations were only half of what made Agora special. The other
half was the people you met. People from three-letter agencies. People
from high up in important corporations. People who were just there out of
interest. People with political and social positions at extravagantly wild
variance to your own. I remember, when I was first researching the
implications, for security, of the potential capabilities of quantum
computers, I got very excited over the possibilities for improving emergency
management in the midst of a disaster. At Agora I met a Navy captain who
got equally excited over similar possibilities for battle command.

A number of us from the SIG drove down for the meetings, despite the three
hour trip if nothing went wrong. Highway construction, bridge collapses
(that's another Agora joke), local traffic, and border guards could easily
double that. But we happily faced eleven hours of travel time for three
hours of Agora and, if we were lucky, a couple of hours of "networking" and
possibly lunch.

We envied the people from the local area, but they weren't the only ones who
came. Lots of people regularly came considerable distances. Before
governments lost their travel budgets there were pretty much constant
attendees from DC and Ottawa. People came from other continents. (Some of
the DC crowd were pretty high up in DHS. If I could stay for one of the
post-Agora lunches, the DHS guys always tried to grab me for their table.
They wanted to know the latest border horror story, and I always had one for
them. They regularly fell on the floor laughing about it.) (Recounting
those would also make this piece far too long.)

You will note that I haven't said where we met. That's another, well, not
so much Agora joke as Agora tribute. Agora was governed by a sort of
variant set of Chatham House Rules. What was said at Agora stayed at Agora.
As an attendee, you never quoted any of the presentations, or any of the
people you talked to at the breaks. For years this was simply understood by
all involved. After one notable failure, a more formal NDA was created, but
that was late in the game.

Agora was the security world's worst kept secret. Nobody blabbed about what
was said at Agora, or who went. But, despite the fact that Agora had no
legal existence, no bank account, no Website, and no offices, almost
everyone who ever attended became an instant devotee, and, often,
evangelist. Within a few years of its creation, attendance was hitting
600. During the Great Recession, the slashing of budgets and demands that
security people stick to their desks dropped attendance to the 150 region,
but, for the past few years it's been back in the 400 range.

There was never any charge for membership in, or attendance at, Agora.
There was a cost, certainly. Much of that was "sweat equity" on the part of
Kirk and a number of others. There were also other direct costs, generally
borne by whoever would pay for (or donate) a venue, or mailing costs, or
refreshments, or (latterly) the "Agora spam gun." In the end, Agora became
a victim of its own success: it just became too hard to find people or
institutions willing to donate, provide, pay for, or give priority to rooms
big enough for the group to meet.

Agora is gone, but leaves a legacy. That legacy is the model. We need a
space. Or, more probably, spaces. We need other venues, sites,
and/or communities where the various communities can meet. Together. We
need others to take up the Agora torch, and create places, physical or
virtual, where anyone who is committed to (or even just strongly interested
in) security, of whatever type, can meet together and, safely, exchange
ideas. We need spaces where the formal can meet the anarchic, where the
business can meet the exploratory, where the old can meet the young and pass
along wisdom (and occasional silliness). Hopefully, Agora's death will have
been a spawning or a sporing out, and not just a mere termination.

------------------------------

Date: Sat, 20 Jul 2019 21:44:25 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: NYC Subway Service Is Suspended on Several Lines, MTA Says
(NYTimes)

https://www.nytimes.com/2019/07/19/nyregion/subway-service-suspended-mta.html

The Metropolitan Transportation Authority attributed the disruption to a
`network communications' issue.

------------------------------

Date: Wed, 17 Jul 2019 11:41:45 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Brazil is at the forefront of a new type of router attack (ZDNet)

Avast: More than 180,000 routers in Brazil had their DNS settings changed in
Q1 2019.

For nearly a year, Brazilian users have been targeted with a new type of
router attack that has not been seen anywhere else in the world.

The attacks are nearly invisible to end users and can have disastrous
consequences, having the ability to lead to direct financial losses for
hacked users.

What's currently happening to routers in Brazil should be a warning sign for
users and ISPs from all over the world, who should take precautions to
secure devices before the attacks observed in the South American country spread
to them as well. ...

https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/

------------------------------

Date: Thu, 18 Jul 2019 17:54:35 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: My browser, the spy: How extensions slurped up browsing histories
from 4M users (Ars Technica)

https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/

------------------------------

Date: Sun, 21 Jul 2019 00:07:05 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94.
(Gizmodo)

https://gizmodo.com/amazon-prime-day-glitch-let-people-buy-13-000-camera-g-1836487919

------------------------------

Date: Mon, 15 Jul 2019 09:55:33 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: Microsoft Office 365: Banned in German schools over privacy fears
(Cathrin Schaer)

Cathrin Schaer, ZDNet, 12 Jul 2019
State of Hesse says student and teacher information could be "exposed" to US
spy agencies.

https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears/

opening text:

Schools in the central German state of Hesse have been told it's
now illegal to use Microsoft Office 365.

The state's data-protection commissioner has ruled that using the popular
cloud platform's standard configuration exposes personal information about
students and teachers "to possible access by US officials". That might
sound like just another instance of European concerns about data privacy or
worries about the current US administration's foreign policy. But in fact
the ruling by the Hesse Office for Data Protection and Information Freedom
is the result of several years of domestic debate about whether German
schools and other state institutions should be using Microsoft software at
all.

Besides the details that German users provide when they're working with the
platform, Microsoft Office 365 also transmits telemetry data back to the US.

Last year, investigators in the Netherlands discovered that that data could
include anything from standard software diagnostics to user content from
inside applications, such as sentences from documents and email subject
lines. All of which contravenes the EU's General Data Protection Regulation,
or GDPR, the Dutch said.

------------------------------

Date: Mon, 15 Jul 2019 09:58:00 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: Sweden and UK's surveillance programs on trial at the European
Court of Human Rights (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 12 Jul 2019

Last chance for Europe's top human rights court to rule against dragnet
surveillance programs.
https://www.zdnet.com/article/sweden-and-uks-surveillance-programs-on-trial-at-the-european-court-of-human-rights/

opening text:

This week, the highest body of the European Court of Human Rights heard
arguments against the mass surveillance programs of two countries, Sweden
and the United Kingdom.

------------------------------

Date: Thu, 18 Jul 2019 17:53:31 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Bluetooth exploit can track and identify iOS, Microsoft mobile
device users (ZDNet)

A flaw in the Bluetooth communication protocol may expose modern device
users to tracking and could leak their ID, researchers claim.

The vulnerability can be used to spy on users despite native OS protections
that are in place and impacts Bluetooth devices on Windows 10, iOS, and
macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks,
and Microsoft tablets & laptops.

On Wednesday, researchers from Boston University David Starobinski and
Johannes Becker presented the results of their research at the 19th Privacy
Enhancing Technologies Symposium, taking place in Stockholm, Sweden.

According to the research paper, Tracking Anonymized Bluetooth Devices
(.PDF), many Bluetooth devices will use MAC addresses when advertising their
presence to prevent long-term tracking, but the team found that it is
possible to circumvent the randomization of these addresses to permanently
monitor a specific device.

https://www.zdnet.com/article/bluetooth-vulnerability-can-be-exploited-to-track-and-id-iphone-smartwatch-microsoft-tablet-users/

------------------------------

Date: Wed, 17 Jul 2019 10:44:43 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board
trying to access metadata (Comms Alliance)

Chris Duckett | 17 Jul 2019
The Communications Alliance has listed 27 other agencies that have tried to
access metadata following the introduction of Australia's data retention
regime.
https://www.zdnet.com/article/clean-energy-regulator-wa-mines-department-and-vet-surgeons-board-trying-to-access-metadata-comms-alliance/

opening text:

Agencies trying to access metadata when not specifically listed as an
enforcement agency for the purposes of Australia's data retention regime has
been labelled as a "serious and persistent phenomenon" by the Communications
Alliance industry group.

Writing in a submission to the Parliamentary Joint Committee on Intelligence
and Security (PJCIS) review of the mandatory data retention regime, Comms
Alliance said it was a "problem that continues to grow in magnitude".

------------------------------

Date: Wed, 17 Jul 2019 10:35:58 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: Permission-greedy apps delayed Android 6 upgrade so they could
harvest more user data (ZDNet)

Catalin Cimpanu for Zero Day | 16 Jul 2019
App devs delayed upgrading apps, but lost in the long run due to more
negative reviews and less Play Store visibility.

https://www.zdnet.com/article/permission-greedy-apps-delayed-android-6-upgrade-so-they-could-harvest-more-user-data/

selected text:

Android app developers intentionally delayed updating their applications to
work on top of Android 6.0, so they could continue to have access to an
older permission-requesting mechanism that granted them easy access to large
quantities of user data, research published by the University of Maryland
last month has revealed.

And, ironically, the research team also found that app makers who delayed
upgrading their apps to the newer Android 6.0 in order to keep access to a
simpler system for harvesting user data received more negative ratings.

These negative ratings eventually affected the apps' visibility on the Play
Store, where positively-reviewed apps are placed higher in search results
and recommendations.

------------------------------

From: Monty Solomon <mo...@roscom.com>
Date: Sun, 21 Jul 2019 00:34:43 -0400
Subject: Do drivers think you're a `Ridezilla'? Better check your Uber rating.
(WashPost)

For some rideshare users, a little number can be heavy baggage.

https://www.washingtonpost.com/lifestyle/do-drivers-think-youre-a-ridezilla-better-check-your-uber-rating/2019/07/18/8b441588-a291-11e9-b732-41a79c2551bf_story.html

------------------------------

Date: Sun, 21 Jul 2019 00:47:32 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: London Police Twitter feed was hacked; then Trump got in on the act
(WashPost)

https://www.washingtonpost.com/world/2019/07/20/london-police-twitter-feed-was-hacked-then-trump-got-act/

------------------------------

Date: Sun, 21 Jul 2019 17:27:38 +0200
From: Thomas Koenig <tko...@netcologne.de>
Subject: Car locks itself, trapping toddler inside (DerWesten)

A mother got out of her car at a supermarket parking lot when suddenly, the
central lock activated and locked the car. The key was still inside the
car, as was her young son.

She immediately called emergency services, who arrived a short time later,
broke a window and were able to free the toddler from the car, which had
already heated up considerably.

https://www.derwesten.de/panorama/aldi-frau-steigt-aus-auto-aus-und-waehlt-sofort-den-notruf-id226542237.html

------------------------------

Date: Mon, 22 Jul 2019 10:39:38 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: Hackers breach FSB contractor, expose Tor deanonymization project
and more (Catalin Cimpanu)

Catalin Cimpanu, ZDNet, 20 Jul 2019

https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/

SyTech, the hacked company, was working on research projects for the FSB,
Russia's intelligence service.

Hackers have breached SyTech, a contractor for FSB, Russia's national
intelligence service, from where they stole information about internal
projects the company was working on behalf of the agency -- including one
for deanonymizing Tor traffic. [...]

------------------------------

From: Monty Solomon <mo...@roscom.com>
Date: Mon, 22 Jul 2019 22:16:18 -0400
Subject: Facebook's Libra currency spawns a wave of fakes, including on
Facebook itself (WashPost)

The fakes could undermine Facebook's efforts to inspire confidence and
satisfy the regulators now scrutinizing the global currency.

https://www.washingtonpost.com/technology/2019/07/22/facebooks-libra-currency-spawns-wave-fakes-including-facebook-itself/

------------------------------

Date: Tue, 16 Jul 2019 23:34:02 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Facebook Stock: Facebook's Libra Surrenders to Authority
(InvestorPlace)

https://investorplace.com/2019/07/facebooks-libra-surrenders-to-authority/

------------------------------

Date: Wed, 17 Jul 2019 11:20:14 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Tether's $5B error exposes cryptocurrency market fragility (WSJ)

Sudden flood of digital coins spooked market and drove down price of bitcoin
by about 12%

https://www.wsj.com/articles/tethers-5-billion-error-exposes-crypto-markets-fragility-11563280121

------------------------------

Date: Sun, 14 Jul 2019 01:06:06 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: College student was late returning a textbook to Amazon, so the
company took $3,800 from her father (Libercus)

http://pge.libercus.net//.pf/showstory/201907110011/3

Well, yeah. Likely debit was automatic but hassle getting it undone is
systemic problem/failure.

When AI runs everything it'll all be perfect. Nevermind Hal 9000, Skynet, or
Colossus: The Forbin Project.

------------------------------

Date: Wed, 17 Jul 2019 15:18:00 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Notre-Dame came far closer to collapsing than people knew.
This is how it was saved. (NYTimes)

*The New York Times*

The fire warning system at Notre-Dame took dozens of experts six years to
put together, and in the end involved thousands of pages of diagrams, maps,
spreadsheets and contracts, according to archival documents found in a
suburban Paris library by The Times.

The result was a system so arcane that when it was called upon to do the one
thing that mattered -- warn `fire!' and say where -- it produced instead a
nearly indecipherable message. It made a calamity almost inevitable, fire
experts consulted by *The Times* said.

https://www.nytimes.com/interactive/2019/07/16/world/europe/notre-dame.html

Stunning visuals, tragic outcome.

------------------------------

Date: Wed, 17 Jul 2019 10:27:33 -0700
From: Gene Wirchenko <ge...@shaw.ca>
Subject: One in five US tech employees abuse pain relief drugs, reveals study
(Eileen Brown)

Eileen Brown for Social Business, ZDNet, 15 Jul 2019

https://www.zdnet.com/article/one-in-five-us-tech-employees-abuse-pain-relief-drugs-reveals-study/

There is nothing wrong with bonding over a beer or two after work, but when
it becomes too much, it is important to spot the warning signs of substance
abuse and addiction, according to a new study.

------------------------------

Date: Tue, 16 Jul 2019 17:32:31 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Here's The Story Behind That Photo Of A Waterfall Inside A Metro
Car (Dcist)

``It appears that the water entered the car through the fresh air intake of
the HVAC system which is mounted on the roof of 7000-series vehicles; In
normal or heavy rainfall, any water is diverted through ducts and exits the
car through drains. At Virginia Square, the sudden deluge of water falling
directly into the fresh air intake was more than the car could divert,
resulting in water entering the cabin.''

In response to safety concerns, she noted that wiring is enclosed in secure
boxes or run on the underside of the car, and each car ``undergoes
rigorous `water tightness testing'.''

https://dcist.com/story/19/07/16/heres-the-story-behind-that-photo-of-a-waterfall-inside-a-metro-car/

Done right, it seems. This really was epic/biblical rainstorm.

------------------------------

Date: Mon, 15 Jul 2019 15:14:00 -1000
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: Stallone in Terminator 2? How one deepfake prankster is changing
cinema history (Digital Trends)

EXCERPT:

In some parallel universe, there's a version of *Casino Royale* with Hugh
Jackman playing everyone's favorite suave British agent, James Bond. And one
in which Matthew McConaughey took the Leo role in *Titanic*. And DiCaprio
and Brad Pitt co-starred in *Brokeback Mountain*. And *Saved by the Bell*'s
Tiffani Thiessen played Rachel in *Friends*.

The entertainment industry isn't exactly short on `what if?' scenarios in
which actors came close to, but were ultimately passed over, playing iconic
roles. For more than 99% of movie history, fans have been able to do little
more than squirrel away this trivia for use in pop quizzes. That is until
the arrival of deepfakes
<https://www.digitaltrends.com/cool-tech/samsung-ai-deepfake-videos/>.
Springing to life in the past couple of years, deepfakes use artificial
intelligence technology to combine and superimpose new images and videos
onto existing source footage using machine learning. That could mean
anything from face swaps to mapping one person's body onto someone else's
movements.
<https://www.digitaltrends.com/cool-tech/uc-berkeley-deepfake-ai-dance/>
The results can be jaw-droppingly realistic, which is why many people
rightfully worry about its potential to be used for malicious hoaxes
<https://www.digitaltrends.com/cool-tech/ai-spots-writing-by-ai/>.

One tech enthusiast and movie buff thinks different, though. Operating under
the YouTube username *Ctrl Shift Face*,
<https://www.youtube.com/channel/UCKpH0CKltc73e4wh0_pgL3g> this high-tech
Hollywood fan has used deepfake technology to create some astonishing
remixes of iconic movie scenes -- complete with all new actors. Ever wanted
to see *The Shining* starring Jim Carrey instead of Jack Nicholson? Sly
Stallone in *Terminator 2: Judgement Day*? Heck, he's even broken with the
movie theme by dropping David Bowie into Rick Astley's infamous
song-turned-meme *Never Gonna Give You Up*.

``The Bowie one is my favorite,'' its creator told Digital Trends. ``I
wanted to Rickroll people and blow them away at the same time. Bowie fitted
the role of Rick Astley, and had interesting facial features for a
deepfake.'' [...]
https://www.digitaltrends.com/cool-tech/ctrl-shift-face-deepfake-changing-hollywood-history/

------------------------------

From: David Tarabar <dtar...@acm.org>
Date: Tue, 16 Jul 2019 08:40:33 -0400
Subject: Cellphone WiFi auto-connect identifies vandals (The Boston Globe)

Four Maryland teenagers sneaked onto their school's property the night
before graduation last year and covered it in racist, homophobic and
anti-Semitic graffiti.

They wore masks, but they were caught because their cellphones automatically
connected to the school WiFi network -- using their student IDs.

https://www.bostonglobe.com/news/nation/2019/07/10/helped-identify-teens-who-drew-racist-anti-semitic-graffiti-maryland-school/S0hQ1PwZNyXrzT43olZ2ZO/story.html

------------------------------

Date: Tue, 16 Jul 2019 16:15:00 -0400
From: David Tarabar <dtar...@acm.org>
Subject: Risks of an untimely text (Boston Globe)

A couple in Rhode Island was being investigated for marriage fraud -- that
they entered into a sham marriage to get permanent resident status for the
husband. When the wife was being interviewed, she produced her cellphone to
show texts from her husband. A text message arrived: We had the best sex
ever. Unfortunately the text was not from the husband. A federal trial is
in progress.

https://www.bostonglobe.com/metro/2019/07/16/had-best-sexy-ever-steamy-text-helps-spark-marriage-fraud-case/QlRNLVhGzFcfzO1lNXFwLM/story.html

------------------------------

Date: Mon, 15 Jul 2019 15:26:20 +0800
From: Dan Jacobson <jid...@jidanni.org>
Subject: Minister apologizes for text alert (Taipei Times)

http://www.taipeitimes.com/News/taiwan/archives/2019/07/11/2003718476

"The alert was originally set up to be sent to residents within 300m of the
borough, but the unit of distance was later changed to kilometers."

Way to go, clodsburg.

------------------------------

Date: Sun, 21 Jul 2019 23:24:10 -0600
From: Brian Inglis <Brian....@systematicsw.ab.ca>
Subject: Re: Line just went Orwellian on Japanese users with its social,
credit-scoring system (Jacobson, RISKS-31.33)

>> Still, it's unnerving that tech companies seem to think that social
>> credit ratings are the next big thing for now. Hopefully, this is a
>> trend that will not catch on.
>
> Stack Exchange was first.
> Some might say not the same thing...
> But users quickly learn to dot their i's and cross their t's...

Some might say the same about BBS message boards (1978 CBBS), moderated
Usenet netnews groups (UUCP 1979), and discussion lists (Listserv@Bitnic
1984), like this one, which preceded SE (2009) by decades. Who didn't pay
attention when d...@bell-labs.com posted to comp.lang.c?

https://en.wikipedia.org/wiki/Usenet#cite_ref-54

"As long as there are folks who think a command line is better than a mouse,
the original text-only social network will live on" in "Reports of Usenet's
Death Are Greatly Exaggerated", August 1, 2008, TechCrunch.
https://en.wikipedia.org/wiki/Usenet#cite_note-54

The major appeal then and now is filtering and limiting the spam, garbage,
verbiage, and incivility that permeates other [anti-?]"social networks".

------------------------------

Date: Sun, 14 Jul 2019 21:15:20 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Re: Galileo sat-nav system experiences service outage (BBC News
in RISKS-31.33)

Europe's satellite-navigation system, Galileo, has suffered a major outage.

The network has been offline since Friday due to what has been described as
a "technical incident related to its ground infrastructure".

The problem means all receivers, such as the latest smartphone models, will
not be picking up any useable timing or positional information.

These devices will be relying instead on the data coming from the American
Global Positioning System (GPS).

Depending on the sat-nav chip they have installed, cell phones and other
devices might also be making connections with the Russian (Glonass) and
Chinese (Beidou) networks.

https://www.bbc.com/news/science-environment-48985399

------------------------------

Date: Tue, 16 Jul 2019 08:34:35 -0400
From: Dick Mills <dickandl...@gmail.com>
Subject: Re: How Fake News Could Lead to Real War (RISKS-31.33)

"Imagine what it might be like to be in the grip of a conspiracy theory,
when you've spent your whole professional life being one of those policy
mandarins who could smell a conspiracy theory a mile away?..."

The root problem here is lack of trust in authorities. It goes much deeper
than just technology. For my whole life, such trust has been eroding
among the public. The interesting thing about that story is that the shoe
is finally on the other foot, an authority is losing trust.

I say good. Maybe they may take steps to become trustworthy themselves.

------------------------------

Date: Tue, 16 Jul 2019 21:45:35 +0100
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: Re: London commuters Wi-FiTube being tracked

[TfL is the authority that runs the London Underground]

https://www.dailymail.co.uk/news/article-7223711/Experts-warn-London-commuters-turn-phones-Wi-Fi-Tube-stop-tracked.html

Security experts warn London commuters to turn off their phones' Wi-Fi on
the Tube to stop being tracked as TfL starts harvesting signal data today

 * Operator will monitor travel patterns with beacon that detects Wi-Fi
   capability
 * Phones, laptops or tablets do not have to join the station's network to
   be tracked
 * Only way to ensure that you are not tracked is to disable your Wi-Fi
   completely

Sebastian Murphy-bates For Mailonline, 8 July 2019

This morning the Tube network introduced monitoring of signals to harvest
data from commuters in the capital. Transport for London says it is
collecting details of where, when and how customers use the service. Even
phones that are not connected to TfL's Wi-Fi will be vulnerable to tracking.

I went to a talk a year or two ago given by one of the Underground's planning
staff on remodeling Bank station in the heart of the City of London business
district (so-named because the Bank of England building is just across the
street, not because it's on the bank of the River Thames as I had
incorrectly assumed when I was a kid). This is a major below-ground station
underneath a large road intersection, where multiple lines cross at several
levels, so it's quite a labyrinth.

For busy, complicated subway/rapid transit systems like London's, obviously
train capacity is a major planning challenge, but just as important is
handling the volume of passengers through the stations as they use
corridors, ticket barriers, elevators, stairs, escalators, etc. between
trains or trains and streets. Historically, measuring passenger flows was
done by groups of stewards located at strategic points around a station;
some would hand out numbered cards to passengers as they entered the station
or got off trains, while others would collect the cards as passengers left
the station or got on trains. This was OK in a basic way, but was
labour-intensive and rather intrusive at busy times, and only a small sample
of passengers could be covered.

Of course nowadays most people carry cellphone or wi-fi wireless devices and
the Underground has repeaters to keep them working below ground, so the
obvious step is to use these to log passenger movements, as it's totally
unobtrusive and allows detailed real-time tracking of almost every
passenger. The lady who gave the talk stressed that there's no attempt to
make contact with or identify any of the devices, and presumably details of
individual devices are not retained after analysing their movements --
pointless anyway unless GCHQ/MI5/FBI/CIA or whoever want to track random
people's journeys for the sake of it. She added that the technique was
unexpectedly useful as passengers were found to be surprisingly imaginative
at figuring out routes around the station, including several ways that the
planners hadn't considered themselves.

Presumably the warning signs on stations mentioned in the newspaper are to
comply with latest data-protection regulations.
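One way a transit operator could count passenger flows from wireless sightings without retaining device identities, as an added example; this is not TfL's system, whose internals the post does not describe. It assumes beacons emit (time, location, MAC) sightings and that the MAC is replaced at ingestion by a keyed pseudonym under a secret that is rotated per reporting period; the beacon names, MACs and sightings below are constructed sample data.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed beacon sightings: (timestamp in seconds, beacon location, device MAC).
# The MACs are made-up sample values, not real device addresses.
SIGHTINGS = [
    (10, "Bank-Northern", "02:00:00:00:00:01"),
    (25, "Bank-Central", "02:00:00:00:00:01"),
    (12, "Bank-DLR", "02:00:00:00:00:02"),
    (40, "Bank-Central", "02:00:00:00:00:02"),
    (15, "Bank-Northern", "02:00:00:00:00:03"),
]


def pseudonym(secret: bytes, mac: str) -> str:
    """Keyed one-way pseudonym for a device address.

    HMAC rather than a plain hash: the MAC address space is small enough
    to enumerate, so an unkeyed hash could be reversed by brute force.
    Rotating `secret` (e.g. daily) makes pseudonyms from different
    periods unlinkable, so no long-term per-device history can be built.
    """
    digest = hmac.new(secret, mac.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def flow_report(secret: bytes, sightings):
    """Aggregate station-to-station flows and per-location device counts.

    Returns (flows, devices_per_location). Only pseudonyms are held in
    memory during aggregation; raw MACs never appear in the output.
    """
    # Drop the raw MAC at ingestion; keep only the keyed pseudonym.
    events = sorted((t, loc, pseudonym(secret, mac)) for t, loc, mac in sightings)
    tracks = defaultdict(list)  # pseudonym -> ordered list of locations visited
    for _t, loc, pid in events:
        # Collapse repeated sightings at the same beacon into one visit.
        if not tracks[pid] or tracks[pid][-1] != loc:
            tracks[pid].append(loc)
    flows = Counter()            # (from_location, to_location) -> count
    seen_at = defaultdict(set)   # location -> set of pseudonyms seen there
    for pid, path in tracks.items():
        for loc in path:
            seen_at[loc].add(pid)
        for a, b in zip(path, path[1:]):
            flows[(a, b)] += 1
    devices_per_location = {loc: len(pids) for loc, pids in seen_at.items()}
    return flows, devices_per_location


if __name__ == "__main__":
    flows, counts = flow_report(b"constructed-period-secret", SIGHTINGS)
    print(dict(flows))
    print(counts)
```

The aggregate counts come out identical whichever secret is used, while the pseudonyms themselves change with the secret, which is the property that lets an operator publish flow statistics without keeping a linkable record of any individual device. Counts are approximate in practice, since modern phones randomize the MAC they use when probing for networks.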

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.34
************************
