Risks Digest 33.02


RISKS List Owner

Jan 15, 2022, 6:32:49 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Saturday 15 January 2022 Volume 33 : Issue 02

Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can also be found at

A High-Risk Medical Device Didn't Meet Federal Standards. The Government
Paid Millions for More. (ProPublica)
Software glitch snarls New York City schools (NYTimes)
Why planes might soon have just one pilot (CNN Travel)
How a Hacker Controlled Dozens of Teslas Using a Flaw in Third-Party App (Vice)
Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador
with Pegasus Spyware (CitizenLab)
New Apple Warning Affects All iPhone Users (Forbes)
German interior minister threatens to ban Telegram (Thomas Koenig)
Fake QR Codes on Parking Meters (Bruce Schneier)
Metaverse's Dark Side: Here Come Harassment and Assaults (NYTimes)
Metro says timing for return of suspended railcars is unknown (WashPost)
Norton 360 Now Comes With a Cryptominer (Krebs on Security)
Hackers Are Exploiting a Flaw Microsoft Fixed 9 Years Ago (WiReD)
New Chrome security measure aims to curtail an entire class of Web attack
(Ars Technica)
Black box that could record collapse of civilisation set to be installed on
Earth (The Mirror)
Automakers Rev Up Subscription Services (Washington Consumers' Checkbook)
Biden Administration Warns Against Spyware Targeting Dissidents (NYTimes)
Tackling Hard Computational Problems (Steve Nadis MIT News)
How Game Theory Changed Poker (Oliver Roeder WSJ)
Paper on finance and technology manias (Andrew Odlyzko)
Wearing Many Hats: The Rise of the Professional Security Hacker
(Gabriella Coleman via PGN)
Abridged info on RISKS (comp.risks)


Date: Fri, 7 Jan 2022 23:22:59 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: A High-Risk Medical Device Didn't Meet Federal Standards. The
Government Paid Millions for More. (ProPublica)

For years after federal inspectors found serious problems with the HeartWare
heart pump, agencies like the Department of Veterans Affairs and Centers for
Medicare & Medicaid Services continued paying to implant it in patients.



Date: Sat, 15 Jan 2022 11:48:48 PST
From: Peter Neumann <neu...@csl.sri.com>
Subject: Software glitch snarls New York City schools (NYTimes)

Lola Fadulu, *The New York Times*, 15 Jan 2022

Skedula, a platform that helps NYC teachers post assignments and track
grades and attendance -- and even helps track Covid test results -- stopped
working a week ago on 8 Jan, and was still down at the end of the week.
This is apparently a particularly bad time for the outage. The contractor
Illuminate Education said this was the result of ``an attempted security
threat'' -- an investigation of which is still ongoing. [PGN-ed]

[This might be called Skedula Oblongona, as it is the connection to the
school brain. PGN]


Date: Thu, 13 Jan 2022 23:53:45 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Why planes might soon have just one pilot (CNN Travel)

(CNN) If you boarded a passenger plane in 1950 and peeked into the cockpit,
you would have seen five people in there (almost certainly men): two pilots,
a radio operator, a navigator, and a flight engineer.

Over the years, technical advances in radio communications, navigation
systems and on-board monitoring equipment gradually removed the need for the
last three, making it possible to safely fly a passenger plane with just two
pilots. That has been the norm in commercial aviation for about 30 years.

Soon, however, things could streamline further, and one of the two remaining
pilots -- technically the first officer -- could soon go, leaving behind
only the captain. Many smaller and military aircraft are already manned by a
single pilot, but for commercial aviation this would mean venturing into a
brave new world. [...]

However, removing a pilot from the cockpit will help develop the very
technology required for the next, and final, step: removing human pilots
altogether and flying planes remotely or autonomously. That, however, sounds
like an even more complicated conversation: "Two pilots to one pilot is a
major step," says Smith, "but one pilot to no pilots is an immense one."



Date: Thu, 13 Jan 2022 16:34:55 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: How a Hacker Controlled Dozens of Teslas Using a Flaw in
Third-Party App (Vice)

A security researcher found flaws in a third-party open-source app that
allowed him to track and unlock some Teslas.

A 19-year-old hacker and security researcher said he was able to control
some features of dozens of Tesla cars all over the world thanks to a
vulnerability in a third-party app that allows car owners to track their
car's movements, remotely unlock doors, open windows, start keyless
driving, honk, and flash lights.

David Colombo, the researcher who found the issue, asked Motherboard not to
reveal all the details about his findings -- such as the name of the
third-party app -- given that some of the vulnerabilities he discovered are
yet to be fixed. Colombo allowed Motherboard to review his upcoming blog
post, which contained the details.

``There are those Teslas around the world right now in 13 countries and I'm
able to disable the sentry mode, unlock the doors, start keyless driving,
and take them on a road trip,'' Colombo told Motherboard in an interview.


[See also Katrina Nicholas and Jordan Robertson, Bloomberg, 12 Jan 2022]


Date: Fri, 14 Jan 2022 20:45:09 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Project Torogoz: Extensive Hacking of Media & Civil Society in
El Salvador with Pegasus Spyware (CitizenLab)

The Citizen Lab and Access Now have conducted a joint investigation into
Pegasus hacking in El Salvador in collaboration with Frontline Defenders,
SocialTIC, and Fundación Acceso.

We confirmed 35 cases of journalists and members of civil society whose
phones were successfully infected with NSO's Pegasus spyware between July
2020 and November 2021. We shared a sample of forensic data with Amnesty
International's Security Lab which independently confirms the findings.

Targets included journalists at El Faro, GatoEncerrado, La Prensa
Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy,
and two independent journalists. Civil society targets included
Fundación DTJ, Cristosal, and another NGO.

The hacking took place while the organizations were reporting on sensitive
issues involving the administration of President Bukele, such as a scandal
involving the government's negotiation of a pact with the MS-13 gang for a
reduction in violence and electoral support.

While evidence linking a particular infection to a particular Pegasus
customer is often unavailable, in this case we identified a Pegasus customer
operating almost exclusively in El Salvador since at least November 2019
that we call TOROGOZ, and have connected this operator to an infection
attempt against El Faro.



Date: Sat, 8 Jan 2022 15:50:42 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Apple Warning Affects All iPhone Users (Forbes)

Last year saw the biggest hack in iPhone history, complete with individual
horror stories from affected users. Now a haunting new discovery could make
all iPhone attacks a lot worse.

It is called *NoReboot* and was discovered by highly respected mobile
security specialists ZecOps. The company describes it as ``the ultimate
persistence bug'' because it can stop iPhones affected by even temporary
attacks from escaping their hacker. Moreover, it affects every iPhone model
and every version of iOS and Apple cannot fix it which sets alarm bells

The concept behind NoReboot is simple, but this is also what makes it so
dangerous: it tricks users into thinking they have switched off or restarted
their iPhones. It works by hijacking the InCallService, SpringBoard
<https://apple.fandom.com/wiki/SpringBoard> and backboardd
<https://iphonedev.wiki/index.php/Backboardd> background processes which
handle the reboot process on iPhones and shows them a fake shutdown or
startup sequence instead when users try to initiate either process. In
reality, the iPhone remains on at all times.

Why is this dangerous? Because it is easier for hackers to access iPhones
with *non-persistent* attacks but -- as the name implies -- these are
removed when a user shuts down or restarts their phone. But the damage these
hacks can now do supersizes when combined with NoReboot code because the
user cannot (by design or by accident) rid themselves of the hack. ZecOps
illustrates this in the video below. [...]
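[An added illustration, not part of the Forbes article or of ZecOps' work:
NoReboot fakes the shutdown *user interface* in userland daemons, but it does
not reset the kernel's own boot clock. The check below, written for this
digest, assumes a device-management or forensics agent that periodically
records wall-clock time and the kernel's reported uptime (the telemetry
format, field names and sample values are all constructed) and flags any
user-requested reboot after which the kernel turns out to have been up since
before the request.]

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    ts: int        # wall-clock time (epoch seconds) when the sample was recorded
    uptime: int    # seconds since the kernel booted, as the device reports it;
                   # 0 on a "reboot_requested" marker, which carries no reading
    event: str     # "heartbeat" or "reboot_requested"


def boot_time(s: Sample) -> int:
    """Epoch second at which the kernel that produced this sample started."""
    return s.ts - s.uptime


def detect_fake_reboots(samples: List[Sample], slack: int = 5) -> List[int]:
    """Return timestamps of reboot requests that left the kernel running.

    After a genuine shutdown or restart, the next heartbeat's boot_time lies
    after the request. If it lies before the request (beyond `slack` seconds
    of clock jitter), the kernel answering the heartbeat was already up when
    the user "powered off": the shutdown animation they saw was fake.
    """
    ordered = sorted(samples, key=lambda s: s.ts)
    fake = []
    for i, s in enumerate(ordered):
        if s.event != "reboot_requested":
            continue
        after = next((n for n in ordered[i + 1:] if n.event == "heartbeat"), None)
        if after is None:
            continue  # no evidence either way yet
        if boot_time(after) + slack < s.ts:
            fake.append(s.ts)
    return fake


# Constructed telemetry: one genuine restart and one that never happened.
CONSTRUCTED_SAMPLES = [
    Sample(ts=1000, uptime=5000, event="heartbeat"),
    Sample(ts=1100, uptime=0, event="reboot_requested"),
    Sample(ts=1200, uptime=60, event="heartbeat"),     # booted at 1140 > 1100: real
    Sample(ts=2000, uptime=860, event="heartbeat"),
    Sample(ts=2100, uptime=0, event="reboot_requested"),
    Sample(ts=2200, uptime=1060, event="heartbeat"),   # booted at 1140 < 2100: fake
]

if __name__ == "__main__":
    print(detect_fake_reboots(CONSTRUCTED_SAMPLES))  # [2100]
```

The uptime reading has to come from something the hijacked userland
processes cannot rewrite (a kernel boot-time counter rather than anything
the UI reports), and the check says nothing about an attacker who already
controls the kernel; it only exposes the userland trick described above.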


Date: Sat, 15 Jan 2022 14:51:16 +0100
From: Thomas Koenig <tko...@netcologne.de>
Subject: German interior minister threatens to ban Telegram

The new German minister of the interior, Nancy Faeser, has threatened to
shut down Telegram:


If this threat is carried out, Germany would join the ranks of the
countries listed in



Date: Sat, 15 Jan 2022 09:46:19 +0000
From: Bruce Schneier <schn...@schneier.com>
Subject: Fake QR Codes on Parking Meters

[PGN-excerpted from Bruce's CRYPTO-GRAM, 15 Jan 2022]

The City of Austin is warning about QR codes stuck to parking meters
that take people to fraudulent payment sites.
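[An added illustration, not from Bruce's CRYPTO-GRAM or the Austin notice:
a sticker swaps the whole destination, so the only defence at the point of
scanning is to decide on the *host* before paying. The checker below is
written for this digest and assumes a constructed allowlist
(pay.example-city.gov; the real city hostnames are not given above). It
covers the tricks a fraudulent code commonly uses to look like the real
site: the trusted name placed before an "@", the trusted name used as a
prefix of a longer attacker domain, plain http, homograph or punycode
labels, and odd ports.]

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real deployment would carry the
# city's actual payment hostnames.
TRUSTED_PAYMENT_HOSTS = ("pay.example-city.gov",)


def check_scanned_url(raw: str, trusted=TRUSTED_PAYMENT_HOSTS) -> Tuple[bool, str]:
    """Decide whether a URL decoded from a QR code may be the payment site.

    Returns (ok, reason). Only the host decides: path and query are ignored,
    since a fraudulent site can copy those freely.
    """
    parts = urlsplit(raw.strip())

    # urlsplit lower-cases the scheme; anything but https is out.
    if parts.scheme != "https":
        return False, "scheme is not https"

    # "https://pay.example-city.gov@evil.example/" parses the trusted name as
    # userinfo and evil.example as the host; reject any userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False, "credentials before the host"

    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    if not host:
        return False, "no host"

    # Raw non-ASCII labels or IDNA-encoded ones may be homograph lookalikes.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "non-ASCII or punycode host label"

    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-standard port"

    # Exact match or a subdomain of a trusted host. A suffix test without the
    # leading dot would wrongly accept pay.example-city.gov.evil.example.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return True, "host matches trusted " + t
    return False, "host " + host + " is not on the allowlist"


if __name__ == "__main__":
    for url in (
        "https://pay.example-city.gov/meter/1234",
        "https://pay.example-city.gov@evil.example/meter/1234",
        "https://pay.example-city.gov.evil.example/meter/1234",
        "http://pay.example-city.gov/meter/1234",
    ):
        print(check_scanned_url(url), url)
```

The same logic belongs in any app that auto-opens scanned codes: show the
parsed host to the user, not the raw string, and refuse to hand off payment
when the host fails the check.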


Date: Thu, 6 Jan 2022 13:34:02 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Metaverse's Dark Side: Here Come Harassment and Assaults (NYTimes)

As Meta and other companies bet big on an immersive digital world, questions
about its harms are rising.

SAN FRANCISCO -- Chanelle Siggens recently strapped on an Oculus Quest
virtual reality headset to play her favorite shooter game, Population
One. Once she turned on the game, she maneuvered her avatar into a virtual
lobby in the immersive digital world and waited for the action to begin.

But as she waited, another player's avatar approached hers. The stranger
then simulated groping and ejaculating onto her avatar, Ms. Siggens
said. Shocked, she asked the player, whose avatar appeared male, to stop.

``He shrugged as if to say: `I don't know what to tell you. It's the
metaverse -- I'll do what I want,' and then he walked away.'' [...]

Meta has asked its employees to volunteer to test the metaverse, according
to an internal memo viewed by *The New York Times*. A stranger recently
groped the avatar of one tester of a Meta virtual reality game, Horizon
Worlds, a company spokeswoman said. The incident, which Meta has said it
learned from, was reported earlier by The Verge.

Misbehavior in virtual reality is typically difficult to track because
incidents occur in real time and are generally not recorded.

Titania Jordan, the chief parent officer at Bark, which uses artificial
intelligence to monitor children's devices for safety reasons, said she was
especially concerned about what children might encounter in the
metaverse. She said abusers could target children through chat messages in a
game or by speaking to them through headsets, actions that are difficult to


Today's Internet in VR, what could go wrong...


Date: Wed, 12 Jan 2022 23:39:55 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Metro says timing for return of suspended railcars is unknown

The latest hang-up: Technicians didn't know whether to pass or fail a
railcar if its wheels moved precisely 1/32 of an inch.

After a second suspension in late December, transit officials acknowledged
Friday they don't know when the cars will return to service. The latest
hang-up: Technicians didn't know whether to pass or fail a rail car if its
wheels moved precisely 1/32 of an inch -- a scenario not spelled out in
Metro's restoration plan. In such cases, Metro acted on its own accord and
against the wishes of an oversight commission. ...

The latest violation the safety commission cited stems from a small tweak
Metro made while measuring the width between wheels, transit officials
said. In its plan to the commission, Metro said its technicians would flag
any car with wheels that deviated more than 1/32 of an inch on their axles
from the standard width of 53 5/16 inches.

Several cars, however, landed right at that limit, and technicians were
unclear on whether to fail those cars or to allow them back into
service. The confusion among technicians was compounded because the distance
was so small that widths on a car could fluctuate from the heat they
generated if a car was coming directly out of service.

Without consulting the safety commission, Metro supervisors told technicians
to pass the limit, a decision that placed them back into service.

Swink Benson said, ``the modification of the process was not submitted to the
[safety commission] for their approval prior to implementation.''


The risk? Not understanding mathematical relationships. "More than" seems
pretty clear, not needing interpretation.


Date: Thu, 6 Jan 2022 14:29:47 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Norton 360 Now Comes With a Cryptominer (Krebs on Security)

Norton 360, one of the most popular antivirus products on the market today,
has installed a cryptocurrency mining program on its customers' computers.
Norton's parent firm says the cloud-based service that activates the program
and allows customers to profit from the scheme -- in which the company keeps
15 percent of any currencies mined -- is opt-in,

Norton users complain the mining program is difficult to remove, and
reactions from longtime customers have ranged from unease and disbelief to,
``Dude, where's my crypto?'' [...]

From reading user posts on the Norton Crypto community forum, it seems some
longtime Norton customers were horrified at the prospect of their antivirus
product installing coin-mining software, regardless of whether the mining
service was turned off by default.

``How on Earth could anyone at Norton think that adding crypto mining within
a security product would be a good thing? Norton should be *detecting* and
killing off crypto-mining hijacking, not installing their own,'' the post
reads.

[Norton should be *detecting* and killing off crypto mining hijacking, not
installing their own. The product people need firing. GG]



Date: Wed, 5 Jan 2022 19:55:08 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Hackers Are Exploiting a Flaw Microsoft Fixed 9 Years Ago (WiReD)

Unless you go out of your way to install the patch, your system could be


The widely used malware ZLoader crops up in all sorts of criminal hacking,
from efforts that aim to steal banking passwords and other sensitive data to
ransomware attacks. Now, a ZLoader campaign that began in November has
infected almost 2,200 victims in 111 countries by abusing a Windows flaw
that Microsoft fixed back in 2013.


Date: Fri, 14 Jan 2022 14:19:03 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: New Chrome security measure aims to curtail an entire class of Web
attack (Ars Technica)



Date: Thu, 13 Jan 2022 16:16:12 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Black box that could record collapse of civilisation set to be
installed on Earth (The Mirror)

The black box, which is set to be built on the west coast of Tasmania, will be
connected to the Internet and will record information to help a future
civilisation if humanity suffers a major apocalyptic event. [...]



Date: Thu, 13 Jan 2022 20:45:50 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Automakers Rev Up Subscription Services (Washington Consumers'
Checkbook)

When you buy or lease your next car, you might be required to pay a monthly
or yearly subscription fee to activate some of its features.

Although automakers are making record profits despite pandemic-induced
production problems, they continue to look for ways to increase revenue
beyond sales, financing, and repairs. Stellantis, the world's fourth largest
automaker (formerly known as Fiat Chrysler), announced last month that it
plans to generate about $22.5 billion (20 billion euros) in new annual
revenue by 2030 from software services and subscriptions. [...]

Most car companies now offer a subscription package of some type, whether
it's satellite radio, enhancements to the entertainment system, or a
connectivity package that provides roadside assistance, concierge services,
and triggers 911 calls in an accident (such as OnStar).

But until recently, most of these subscriptions didn't relate to the
functioning of the vehicle. And because of that, after the free-trial
period, many drivers cancel their subscriptions.

``Manufacturers are struggling to make these subscription services more
valuable, and one way to do that is to require a subscription for some
pretty basic services,'' Eisenstein told Checkbook. Manufacturers say the
subscription model allows them to meet the diverse needs of their customers.

But what if you had to subscribe to driver assistance software, or
voice-recognition technology? Would you pay a monthly fee to activate
optional safety features, such as automatic emergency braking,
forward-collision warning, or blind-spot warning? [...]

Toyota owners have been unpleasantly surprised to discover that when their
complimentary subscription to the automaker's Remote Connect service expires
-- after three years in some cases, 10 years in others -- the remote start
feature on their key fob no longer works.

``That's absurd. It's a clear attempt to gouge consumers and drive up the
real cost of buying their vehicles.''

According to a blog post on The Drive, Toyota appears to be the first
company to charge for full use of a physical key fob -- either $8 a month or
$80 a year at the Remote Connect plan's current price.



Date: Fri, 7 Jan 2022 14:08:50 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Biden Administration Warns Against Spyware Targeting Dissidents

The U.S. intelligence community offered steps that would mitigate -- but not
stop -- spyware developed by firms like the NSO Group.

The federal government on Friday warned the public about the risks of
commercial surveillance tools that have been used to spy on journalists and
political dissidents by infecting their phones with malware.



Date: Wed, 12 Jan 2022 12:22:31 -0500 (EST)
From: ACM TechNews <technew...@acm.org>
Subject: Tackling Hard Computational Problems (MIT News)

Steve Nadis, MIT News. 10 Jan 2022, via ACM TechNews, 12 Jan 2022

The Massachusetts Institute of Technology's David Gamarnik and colleagues
have developed the overlap gap property (OGP) tool to analyze difficult
computational problems that involve randomness. "We discovered that all
known problems of a random nature that are algorithmically hard have a
version of this property," Gamarnik said. "This provides a more precise
measure of algorithmic hardness." Scientists can evaluate the challenge of
creating fast algorithms to solve particular problems with the OGP, and
Gamarnik said the tool has already shown that stable algorithms, including
quantum approximation optimization algorithms, cannot handle such problems.



Date: Fri, 14 Jan 2022 12:12:06 -0500 (EST)
From: ACM TechNews <technew...@acm.org>
Subject: How Game Theory Changed Poker (Oliver Roeder)

Oliver Roeder, *The Wall Street Journal*, 13 Jan 2022
via ACM TechNews, 14 Jan 2022

Researchers at the University of Alberta's Computer Poker Research Group in
Canada pioneered game theory mathematics that has transformed how
professional poker players approach the game. Poker's mathematical
complexity rivals or surpasses that of chess while adding randomness and
hidden data, bringing it closer to the "real world" that artificial
intelligence scientists want to control. Many poker-playing algorithms
incorporate the minimization of regret, a mathematical concept for
decision-making in uncertain environments. Game-theory optimal poker players
hire programmers to analyze their game data, finding "leaks" or errors in
strategy, and to conduct game-theoretical analyses, calculating optimal
plays in any of the innumerable situations that can confront a player.



Date: Tue, 11 Jan 2022 19:35:29 -0600 (CST)
From: Andrew Odlyzko <odl...@umn.edu>
Subject: Paper on finance and technology manias

[Slightly adapted for RISKS. PGN]

Enclosed is a notice of my latest paper on technology and financial manias.
As there is currently much concern about the possible instability of the
financial system that might lead to a crash, given elevated valuations,
unprecedented levels of government intervention, low interest rates, opaque
interrelationships, very complex systems, rise of fintech, zombie companies,
and so on, it might be of interest to see what happened a century and a half
ago, when many similar phenomena reigned and when the "roving cavaliers of
credit" (to borrow a phrase from Karl Marx) managed to facilitate a giant
expansion of a public transportation infrastructure, and ruined themselves
and many others through "financial innovation." This paper describes a
major, but previously undocumented, step in the "financialization" of the

There are also interesting similarities to the Silicon Valley "fake it till
you make it" philosophy, to the "alternate reality" concerns about the
post-truth world, and other currently hot topics.

Your assistance in the work that led to this paper is gratefully
acknowledged, although it may not have affected this manuscript, and may
only influence later ones. You are listed, along with everyone else who
assisted in this project on the web page


[...] if you have any comments on this work, I would be delighted to receive

and if there are any problems with those, also

The railway mania of the 1860s and financial innovation

The 1860s witnessed Britain's third, and last, large railway mania.
Although it added about as much mileage to the rail network as the great
Railway Mania of the 1840s, little is known about it in modern literature.
This paper documents how this mania managed to delude investors into pouring
immense sums into the expansion of a public infrastructure. It did so by
stealth, by introducing a variety of "financial innovations" reminiscent of
those involved in the Global Financial Crisis of 2008. That period, just
like ours, featured new technologies, novel business models, rapid
globalization, dramatic increases in speed of information transmission, and
proliferation of misinformation and disinformation. Combined with
progressive relaxation of government regulation and extremely opaque
accounts, the "financial engineering" of the 1860s misled even very
knowledgeable and inquisitive observers, such as Walter Bagehot. The
results included the Overend, Gurney crash of 1866, ruin to many individuals
and businesses, and a large, but inefficient, expansion of the rail network.
These in turn likely influenced the legal and institutional foundations of
corporate capitalism. There are striking similarities to many aspects of
modern financial markets that might be instructive, especially in the
widespread reliance on "search for a greater fool" approaches.

As a reminder, the above piece, as well as previous ones in this
series, is available at:


P.S. This draft was written for submission to the proceedings of the 7th
International Virtual Early Railways Conference, where a lecture on this
material was presented. [...]


Date: Fri, 14 Jan 2022 11:03:20 PST
From: Peter Neumann <neu...@csl.sri.com>
Subject: Wearing Many Hats: The Rise of the Professional Security Hacker
(Gabriella Coleman)

Gabriella Coleman <bie...@riseup.net>


Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 33.02
