Risks Digest 32.77
RISKS-LIST: Risks-Forum Digest Thursday 22 July 2021 Volume 32 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.77>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
NSW teachers in ‘state of paralysis’ after cyber-attack
(Sydney Morning Herald)
Internet Futures: Spotlight on the technologies which may shape the
Internet of the future (UK OFCOM report)
EU Parliament allows blanket scans for child pornography (Politico)
YouTube fined 100 000 Euros delaying court order to restore video
(Thomas König)
Rounding errors could make certain stop-watches pick wrong race winners
(Eurekalert)
Veteran Affairs big software upgrade is plagued by hidden costs and
flawed training (Dave Philipps)
Is Washington ready for space tourism to take off? (politico.com)
Traffic Analysis and Herd Immunity (Rob Slade)
Wabi Sabi Systems Programming (Henry Baker)
Russia's most aggressive ransomware group disappeared. It's
unclear who disabled them. (NTimes via Matthew Kruk)
Russian-based cyberattacks (Lauren Weinstein)
Binance Froze When Bitcoin Crashed. Now Users Want Their Money Back
(WSJ)
A secret algorithm is transforming DNA evidence. This defendant could be the
first to scrutinize it. (WashPost)
Israeli listening device exposed (Gadi Evron)
Re: Cell phones and cancer: New UC Berkeley study suggests cell phones
sharply increase tumor risk
Re: Social-credit score system for Germany (Lars-Henrik Eriksson,
goldy, Fritz Grammer)
Re: Supreme Court sides with credit agency (John Levine,
Stanley Chow)
Re: Insider attacks (Ross Anderson)
Re: NY's "Excelsior" vaccine "passport" is a mess
(John Levine, Lauren Weinstein)
Re: Some locals say a bitcoin mining operation is ruining one of
the Finger Lakes. Here's how. (John Levine)
Re: RFI on scientific integrity (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 12 Jul 2021 23:25:15 +0000
From: "John Colville" <John.C...@uts.edu.au>
Subject: NSW teachers in ‘state of paralysis’ after cyber-attack
(Sydney Morning Herald)

NSW (New South Wales) is Australia's most populous state. There are 810 000 students in NSW public schools.

https://www.smh.com.au/national/nsw/nsw-teachers-in-state-of-paralysis-after-cyber-attack-20210708-p5883b.html

Public school teachers and principals could be without access to their
online learning materials and email accounts until next week, after a cyber
attack hit the NSW Education Department just hours after the state
government directed schools to return to remote learning.

Educators have been locked out of the department’s online portal and unable
to access their calendars, remote learning resources and communications
since Wednesday evening, when the department deactivated its systems as a
precaution while investigating the attack.

On Thursday, department secretary Georgina Harrisson said she was confident
online access would be restored by the start of term three, which begins on
Tuesday, and assured families home learning would not be impacted.

------------------------------

Date: Tue, 20 Jul 2021 15:47:20 +0300
From: "Olivier MJ Crépin-Leblond" <o...@gih.com>
Subject: Internet Futures: Spotlight on the technologies which may shape the
Internet of the future (UK OFCOM report)

In what could read like a complete issue of RISKS-L, UK regulator OFCOM has
today released a report on the technologies which it has identified are
likely to shape the Internet of the future.

https://www.ofcom.org.uk/research-and-data/internet-and-on-demand-research/internet-futures

This makes for very interesting reading.

------------------------------

Date: Mon, 12 Jul 2021 08:39:47 +0200
From: "Thomas König" <t...@tkoenig.net>
Subject: EU Parliament allows blanket scans for child pornography
(Politico)

The European Parliament on Tuesday approved a controversial law that would
allow digital companies to detect and report child sexual abuse on their
platforms for the next three years. [...]

What comes next? [...]

With most of the child trafficking and abuse done through encrypted
communications on apps like WhatsApp and Telegram, the Commission wants to
limit how secure those communications can be.

https://www.politico.eu/article/european-parliament-platforms-child-sexual-abuse-reporting-law/

------------------------------

Date: Mon, 12 Jul 2021 20:16:27 +0200
From: "Thomas König" <t...@tkoenig.net>
Subject: YouTube fined 100 000 Euros delaying court order to restore video

YouTube has been fined 100 000 Euros for being late in following
a court injunction to restore a video.

The 25-minute video about Corona protests in Switzerland had been removed
because of a five-second utterance of a demonstrator about Covid.

The Higher Regional Court at Dresden had issued an interim injunction to
reinstate the video on 2021-04-20; it took until 2021-05-14 for the video to
reappear.

To justify the delay, YouTube wrote

# The debtor [YouTube] therefore had to carefully weigh the respective
# consequences of the Higher Regional Court of Dresden's decision and its
# options before posting the video material back on YouTube for retrieval by
# third parties.

The opposing attorney was not amused (or maybe he was) and wrote

# The debtor thus once again underlines her assessment that she considers
# herself above the unconditional observance of a court prohibition and
# subordinates this to her own discretion. The Chamber will have to evaluate
# this attitude.

The court was not amused either and found that

# Against this background, the infringement is to be seen as a deliberate
# and - due to the duration - also serious infringement on the part of the
# defendant against the injunction, which - also taking into account the
# economic circumstances of the defendant against the injunction - justifies
# the imposition of a significantly higher fine than assumed by the Regional
# Court. Since, on the other hand, this is the first infringement on the
# part of the defendant, the Chamber has refrained from setting the fine at
# the maximum amount, but instead considers the imposition of a fine in the
# amount of €100,000.00 to be (still) sufficient as a result of the overall
# consideration.

# If it is not possible to recover the fine, it will be replaced by
# imprisonment.

A YouTube spokesperson was reported to have commented

"We have a responsibility to connect our users with trustworthy information
and combat misinformation during Covid-19." and "This is a single decision,
which we will respect and review accordingly".

Sources:

https://www.spiegel.de/netzwelt/netzpolitik/gesperrtes-video-gericht-verhaengt-offenbar-100-000-euro-ordnungsgeld-gegen-YouTube-a-3b1ce68d-fdc5-462c-a5fc-6b7a302f50ee

Original of the legal quotations are from

https://www.steinhoefel.com/2021/07/rumms-oberlandesgericht-dresden-verhaengt-ordnungsgeld-von-e-100-00000-gegen-YouTube.html

------------------------------

Date: Wed, 21 Jul 2021 18:49:44 +0200
From: Toebs Douglass <ri...@winterflaw.net>
Subject: Rounding errors could make certain stop-watches pick
wrong race winners (Eurekalert)

"Researchers at the University of Surrey found certain stop-watches commit
rounding errors when converting raw times to final submitted times."

https://www.eurekalert.org/pub_releases/2021-07/aiop-rec072121.php

------------------------------

Date: Sat, 10 Jul 2021 16:01:29 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Veteran Affairs big software upgrade is plagued by hidden costs and
flawed training (Dave Philipps)

Dave Philipps, *The New York Times*, 10 Jul 2021

This is somewhat depressing for the VA modernization process to replace the
old Vista system, ten years, and over $16 billion, including an apparently
unexpected extra $2.5 billion for new laptops to accommodate the new
software. The training efforts appear to have had mixed results. Not
surprisingly, blame is widely diverse, aimed at past and present
administrations. [Apparently just routine for most modernization programs
reported here in the past decades. PGN-ed]

------------------------------

Date: Tue, 20 Jul 2021 12:41:55 +0800
From: "Richard Stein" <rms...@ieee.org>
Subject: Is Washington ready for space tourism to take off? (politico.com)

https://www.politico.com/news/2021/07/19/washington-space-tourism-500139

"When it comes to public safety, traffic jams and environmental hazards,
there is no framework for regulating private space travel."

The framework's measurement and enforcement seeds are plugged into the US
air traffic control system. See
https://www.faa.gov/news/fact_sheets/news_story.cfm?newsId=23476 (retrieved
on 20JUL2021) for the "Space Data Integration" platform.

In 2019, globally, there were 102 reported launches (and 5 of these launches
failed) per http://www.spacelaunchreport.com/log2019.html (retrieved on
20JUL2021). ~40 launches in the US consisting of various Internet-access
enhancing satellites and constellations that pollute ground-based
astronomical observations, earth observation platforms,
military/intelligence platforms, tardigrade experiments, quantum network
experiments, and the odd "Scoop" asteroid sample return mission of the
"Andromeda Strain", etc.

The US launch number is projected to grow to ~70 or more in the next few
years, especially for von Karman line "joy rides" (@ ~100 kilometers
altitude per https://en.wikipedia.org/wiki/K%C3%A1rm%C3%A1n_line).

If you've ever experienced an airport ground stop while the U.S. president's
flight stops air traffic for a runway haircut, or while that PIP
(politically important person) traverses an air corridor's radius near you,
you'll know the hassle it introduces to departure and landing schedules,
idle jet engine fuel consumption, and air traffic routing congestion.

With SDI, the FAA can factor planned rocket departures and re-entry
touchdowns into their scheduled air traffic planning and tracking
platforms. Assuming there's no launch failure catastrophe or a re-entry
flotsam shower, you'll be largely unaffected by the low launch quantity.

https://www.faa.gov/air_traffic/by_the_numbers/ (retrieved on 20JUL2021)
estimates ~16.41M annual departures, ~45K per day. The arithmetic favors
no ground stop delay for Wichita, KS to Patuxent River, MD air travel.

------------------------------

Date: Sat, 17 Jul 2021 12:17:54 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: Traffic Analysis and Herd Immunity

Ever since we got vaccines for CoVID, people have been talking about herd
immunity. (No, this is not “I heard that vitamin D protects you against
CoVID, so I’m not getting vaccinated.” That’s not heard immunity, it’s just
cluelessness. And selfishness.) We keep hearing numbers like 70%, 80% and
so forth. But herd immunity is not an absolute number. It can be a very
complicated calculation, relying on a large number of factors, and it may be
very difficult to predict in advance. It is, however, very real, and we, in
technology, see it in operation all the time.

The math behind herd immunity has a number of similarities to traffic
analysis. In the technical world we run into traffic analysis all the time,
even if we don’t do the formal math on it. But we do encounter it and see
the results.

First, let’s look at real traffic. Consider a stretch of road or highway at
rush hour. To simplify things to the greatest extent, consider a bridge.
As you inject more traffic (add cars, going to work or home), the throughput
of the bridge increases. This continues (adding more traffic increases the
throughput of the bridge), pretty linearly, until we get close to a certain
maximum. At this point, the bridge has reached maximum capacity and
throughput. If you add more traffic, cars get too close to each other,
drivers get nervous, traffic slows down, and the throughput starts to fall.
Very often the fall-off in throughput is precipitous and dramatic very soon
after we exceed the maximum, and we get a traffic jam.

We see the same thing in various types of data networks. Consider Ethernet.
We see the same pattern. As we inject traffic, the bandwidth increases.
This continues until we reach a maximum. (In the case of Ethernet, that
maximum is a rather surprisingly low 18% of the theoretical bandwidth.) At
this point we get collisions, retransmission attempts, and the bandwidth
starts to fall. (I recall one network where over 90% of the actual traffic
on it was the noise of collisions and retransmissions.) Again, everything
seems fine until we exceed the maximum, at which point the bandwidth,
utility, and productivity of the net falls dramatically.

Herd immunity is very similar. I suppose, since everyone is talking about
herd immunity but very few have actually studied it, that I have to explain
that the concept of herd immunity was discovered by vets, and they were
talking about an actual herd. (I should also point out that, in the initial
paper on the subject, they weren’t talking about vaccinations as much as
which animals were immune to a certain disease, and their initially
recommended course was not vaccinating the non-immune, but culling them
first. Taking that approach in the current situation might have a very
beneficial effect on vaccine hesitancy.)

While the totality of herd immunity calculus is extremely complicated, one
aspect can be illustrated very simply. Take a set of Go stones, or any
large set of pieces or tiles that are divided into two colours. Consider
white as unvaccinated, and black as vaccinated. Start with maybe 10%
vaccinated. Dump the stones onto a flat surface such that the stones form a
single layer. Wherever you have white stones touching each other, you have
the potential for transmission. Where you have long strings of white
together, you have the possibility of outbreaks. Continue dumping the
stones, increasing the proportion of vaccinated stones each time. As the
proportion of black stones increases, the number and length of white strings
diminishes. Eventually, you get to the point where each white stone is
completely surrounded by black. At that point you have illustrated herd
immunity, because although not all of the population is vaccinated, the
unvaccinated don’t 'touch' anyone to whom they can transmit.

We don’t, yet, have enough solid data about transmissibility, infection
rates, vaccine efficacy, and other factors to predict, in advance, what
level of vaccination we have to get to in order to reach herd immunity. We
do know that, as I write this, we haven’t reached it anywhere in the world.
We know that because we are still, despite various levels of precautions,
seeing numbers of cases of CoVID every day. Once we reach herd immunity,
the number of cases will drop quite dramatically.

Get vaccinated. Tell your family to get vaccinated. Tell your friends and
work colleagues to get vaccinated. It protects you. It protects your
family. It protects your neighbours and community. It allows you to go and
visit your brand new great grandchildren. It allows you to start going to
restaurants and movies. It allows for restarting economies. It prevents
the development of new and more dangerous variants. (If I can’t convince
you any other way, did I mention that one of the symptoms of long haul CoVID
is sexual or erectile dysfunction?) Just do it.
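The Go-stone experiment above is a site-percolation model. As an added example (my code, not part of Rob Slade's post), here it is run on a square grid: black stones are vaccinated, white stones unvaccinated, and two white stones "touch" when they are 4-neighbours (that adjacency rule and the grid shape are assumptions). The size of the largest connected white cluster is the largest possible outbreak, and it collapses as the vaccinated proportion rises.

```rust
// Added example: site percolation of Rob Slade's Go-stone illustration.
// true = black stone (vaccinated), false = white stone (unvaccinated).

/// Small xorshift64 generator so the example needs no crates and is
/// reproducible for a given seed (assumption: any deterministic PRNG works).
struct XorShift64(u64);

impl XorShift64 {
    fn new(seed: u64) -> Self {
        // xorshift must not start from an all-zero state
        XorShift64(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed })
    }
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
    /// Uniform value in [0, 1).
    fn next_f64(&mut self) -> f64 {
        (self.next_u64() >> 11) as f64 / (1u64 << 53) as f64
    }
}

/// "Dump the stones": an n x n single layer, each stone black with the
/// given probability.
fn dump_stones(n: usize, vaccinated: f64, seed: u64) -> Vec<Vec<bool>> {
    let mut rng = XorShift64::new(seed);
    let mut grid = vec![vec![false; n]; n];
    for row in grid.iter_mut() {
        for cell in row.iter_mut() {
            *cell = rng.next_f64() < vaccinated;
        }
    }
    grid
}

/// Size of the largest connected string of white stones (flood fill).
fn largest_white_cluster(grid: &[Vec<bool>]) -> usize {
    let n = grid.len();
    let mut seen = vec![vec![false; n]; n];
    let mut best = 0;
    for r in 0..n {
        for c in 0..n {
            if grid[r][c] || seen[r][c] {
                continue; // black stone, or a white stone already counted
            }
            let mut stack = vec![(r, c)];
            seen[r][c] = true;
            let mut size = 0;
            while let Some((y, x)) = stack.pop() {
                size += 1;
                // wrapping_sub turns an out-of-range index into usize::MAX,
                // which the `< n` check below rejects.
                let neighbours = [
                    (y.wrapping_sub(1), x),
                    (y + 1, x),
                    (y, x.wrapping_sub(1)),
                    (y, x + 1),
                ];
                for &(ny, nx) in neighbours.iter() {
                    if ny < n && nx < n && !grid[ny][nx] && !seen[ny][nx] {
                        seen[ny][nx] = true;
                        stack.push((ny, nx));
                    }
                }
            }
            best = best.max(size);
        }
    }
    best
}

/// Largest possible outbreak as a fraction of the whole population.
fn outbreak_fraction(n: usize, vaccinated: f64, seed: u64) -> f64 {
    let grid = dump_stones(n, vaccinated, seed);
    largest_white_cluster(&grid) as f64 / (n * n) as f64
}

fn main() {
    // Keep dumping stones while raising the vaccinated proportion and watch
    // the longest white string shrink.
    for pct in [10u32, 30, 50, 60, 70, 90].iter() {
        let f = outbreak_fraction(60, *pct as f64 / 100.0, 42);
        println!(
            "{:>3}% vaccinated -> largest unvaccinated cluster {:.1}% of population",
            pct,
            f * 100.0
        );
    }
}
```

The fall-off is not linear: on this grid the giant white cluster survives well past 30% vaccinated and then breaks up sharply, which is the same knee Slade describes for the bridge and for Ethernet.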

------------------------------

Date: Mon, 19 Jul 2021 13:59:53 -0700
From: "Henry Baker" <hba...@pipeline.com>
Subject: Wabi Sabi Systems Programming

[Sort of a continuation of Wabi-sabi software systems in RISKS-32.72.
PGN]

'Capability'/'Tagged' computer HW systems have traditionally lost out to
'bare metal'-based HW systems due to higher complexity and higher cost.

From Burroughs to Multics to Lisp Machines to Intel iAPX 432 & i960, the
road to safety has been littered with good intentions.

Initially, the additional memory cost for the tags was blamed; if we can't
even afford memory parity bits, we certainly can't afford tag bits.

Thankfully, memory storage size is no longer an issue, and ECC memory is now
nearly ubiquitous.

Next up in the blame game was CISC v. RISC. But modern instruction stream
caches have completely obliterated this issue; indeed, CISC instructions are
routinely 'compiled on-the-fly' into RISC instructions for storage into a
RISC I-cache and executed at 100X memory speeds.

Yet 'use-after-free' and other memory mischief still consume trillions of
dollars of effort each year by both the black hats and white hats.

Computer systems have to cater to *programming patterns* that provide both
efficiency and security. No matter how safe a computer architecture is, it
cannot be commercially successful unless it enables the highest speeds for
compression/decompression, encryption/decryption, hashing, FFT's, AI/ML and
the general efficiencies of the O(1) access time RAM ('random access
memory') model.

The *Rust* programming language is one of the first 'high level' languages to
potentially provide both the raw efficiency of 'C' with the type and memory
safety of languages like Lisp, Java, and Javascript. Furthermore, none of
Rust's primitive operations require any 'heavyweight'
(time/space/complexity) implementations. Finally, Rust's advantage also
extends to multi-threading, thus making it an ideal candidate for an OS-less
'bare metal' language capable of expressing a complete micro-kernel.

By contrast, garbage-collected languages like Lisp can form the basis of an
operating system, but only by hiding a huge amount of 'firmware' that
implements the garbage-collector and lots of other heavyweight machinery
under the hood, where 'security by obscurity' vainly attempts to rule.

The paper "Safe Systems Programming in Rust" in the April 2021 issue of
CACM is an extremely lucid explanation of Rust's advantages.

"[Rust] tackles this challenge using a strong type system based on the ideas
of ownership and borrowing, which statically prohibits the mutation of
shared state. This approach enables many common systems programming pitfalls
to be detected at *compile time*."

"There are a number of data types whose implementations fundamentally depend
on shared mutable state and thus cannot be type-checked according to Rust's
strict ownership discipline. To support such data types, Rust embraces the
judicious use of unsafe code encapsulated within safe APIs."

"For example, consider data races: unsynchronized accesses to shared memory
(at least one of which is a write). Even though data races effectively
constitute undefined (or weakly defined) behavior for concurrent code, most
'safe' languages (such as Java and Go) permit them, and they are a reliable
source of concurrency bugs. In contrast, Rust's type system rules out data
races at compile time."

"Rust's approach generalizes beyond memory management: other resources like
file descriptors, sockets, lock handles, and so on are handled with the same
mechanism, so that Rust programmers do not have to worry, for instance,
about closing files or releasing locks."

"The proof technique of semantic type soundness, together with advances in
separation logic and machine-checked proof, has enabled us to begin building
rigorous formal foundations for Rust as part of the RustBelt project."

I applaud the use of strong type systems and machine-checkable proof systems
to provide assurances of safety in OS-level kernel code. (AI may eventually
prove (!) useful for *developing* a machine-checkable proof, but AI will
never *replace* the need for the proof itself.)

Once we have a solid theoretical foundation in the form of a suitably
expressive *systems programming language* like Rust, it will be time to
revisit what changes & optimizations might be useful at the HW level --
e.g., in the form of specialized instruction sets, cache designs and MMU
designs -- to further increase the efficiency and reduce the cost of CPU
implementations.

Safe Systems Programming in Rust
https://dl.acm.org/doi/pdf/10.1145/3418295?download=true
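The three properties the CACM quotes describe, shown in working code. This is an added example (mine, not from Henry Baker's post or the paper): a use-after-free that the compiler rejects, a shared counter that can only be reached through a lock, and a constructed `Connection` type standing in for a file descriptor or socket whose release is handled by `Drop` rather than by the programmer remembering to close it.

```rust
// Added example: the ownership, data-race and resource-release claims
// quoted from "Safe Systems Programming in Rust", demonstrated in Rust.
use std::sync::{Arc, Mutex};
use std::thread;

/// 1. Use-after-free is a compile-time error, not a runtime bug.
fn ownership_demo() -> usize {
    let buf = vec![1u8, 2, 3];
    let moved = buf; // ownership moves; `buf` can no longer be used
    // buf.len();    // error[E0382]: borrow of moved value: `buf`
    moved.len()
}

/// 2. `threads` threads each add `per_thread` to one counter. The only way
/// to reach the shared u64 is through the Mutex, so an unsynchronised write
/// (a data race) cannot be expressed in safe code: a plain `&mut u64` is
/// not `Sync`, and `thread::spawn` refuses a closure that captures one.
fn race_free_counter(threads: usize, per_thread: u64) -> u64 {
    let counter = Arc::new(Mutex::new(0u64));
    let handles: Vec<_> = (0..threads)
        .map(|_| {
            let counter = Arc::clone(&counter);
            thread::spawn(move || {
                for _ in 0..per_thread {
                    // The guard returned by lock() is the lock handle; it is
                    // dropped, and the lock released, at the end of this
                    // statement. There is no unlock call to forget.
                    *counter.lock().unwrap() += 1;
                }
            })
        })
        .collect();
    for h in handles {
        h.join().unwrap();
    }
    let total = *counter.lock().unwrap();
    total
}

/// 3. Constructed stand-in for a descriptor or socket. Opening records
/// "open"; the matching "close" is written by Drop when ownership ends.
struct Connection<'a> {
    log: &'a Mutex<Vec<&'static str>>,
}

impl<'a> Connection<'a> {
    fn open(log: &'a Mutex<Vec<&'static str>>) -> Self {
        log.lock().unwrap().push("open");
        Connection { log }
    }
}

impl Drop for Connection<'_> {
    fn drop(&mut self) {
        self.log.lock().unwrap().push("close");
    }
}

/// One session over the connection. The early-return path is the one that
/// hand-written C typically leaks; here `_conn` is dropped on both paths.
fn run_session(log: &Mutex<Vec<&'static str>>, fail_early: bool) -> Result<(), &'static str> {
    let _conn = Connection::open(log);
    if fail_early {
        log.lock().unwrap().push("error");
        return Err("early exit"); // `_conn` dropped here -> "close"
    }
    log.lock().unwrap().push("work");
    Ok(()) // and here too
}

/// Returns the recorded event sequence for a session.
fn resource_demo(fail_early: bool) -> Vec<&'static str> {
    let log = Mutex::new(Vec::new());
    let _ = run_session(&log, fail_early);
    log.into_inner().unwrap()
}

fn main() {
    println!("moved length = {}", ownership_demo());
    println!("counter      = {}", race_free_counter(4, 1000));
    println!("ok path      = {:?}", resource_demo(false));
    println!("error path   = {:?}", resource_demo(true));
}
```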

------------------------------

Date: Tue, 13 Jul 2021 21:47:13 -0600
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: Russia's most aggressive ransomware group disappeared. It's
unclear who disabled them.

https://www.nytimes.com/2021/07/13/us/politics/russia-hacking-ransomware-revil.html

Just days after President Biden demanded that President Vladimir V. Putin of
Russia shut down ransomware groups attacking American targets, the most
aggressive of the groups suddenly went off-line early Tuesday.

The mystery is who made it happen.

The group, called REvil, short for "Ransomware evil," has been identified by
U.S. intelligence agencies as responsible for the attack on one of America's
largest beef producers, JBS. Two weeks after Mr. Biden and Mr. Putin met in
Geneva last month, REvil took credit for a hack that affected thousands of
businesses around the world over the July 4 holiday.

------------------------------

Date: Fri, 9 Jul 2021 15:40:15 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Russian-based cyberattacks

U.S. "cyber-retaliation" against Russia for the actions of non-state-actors
located in Russia conducting cyberattacks aren't likely to stop the attacks,
but are likely to do a lot of collateral damage to innocent parties. It's
really, really, tough to know where exactly to aim.

------------------------------

Date: Mon, 12 Jul 2021 15:17:31 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Binance Froze When Bitcoin Crashed. Now Users Want Their Money
Back. (WSJ)

The world’s largest crypto exchange has no headquarters, making it difficult
for disgruntled traders to complain about the May crash

https://www.wsj.com/articles/binance-froze-when-bitcoin-crashed-now-users-want-their-money-back-11626001202?st=7xcg6caurbv813r

------------------------------

Date: Wed, 14 Jul 2021 10:10:52 +0900
From: "David Farber" <far...@keio.jp>
Subject: A secret algorithm is transforming DNA evidence. This
defendant could be the first to scrutinize it. (WashPost)

Justin Jouvenal, WashPost, 12 Jul 2021

A secret algorithm is transforming DNA evidence. This defendant could be the
first to scrutinize it. Prosecutors have used software to help convict
thousands but have never revealed its source code. A Virginia defendant has
won the right to examine it for errors.

https://www.washingtonpost.com/local/legal-issues/trueallele-software-dna-courts/2021/07/12/66d27c44-6c9d-11eb-9f80-3d7646ce1bc0_story.html

------------------------------

Date: Thu, 22 Jul 2021 17:44:47 +0300
From: Gadi Evron <gev...@gmail.com>
Subject: Israeli listening device exposed

A listening device (blamed on Israeli Shin Bet) found in a sofa at an
advanced Jewish religious school (Kollel) at Kiryat Arba, in Israel.

Video [Omitted here; please contact Gadi. PGN]

------------------------------

Date: Thu, Jul 8, 2021 at 2:11 PM
From: Martin Cooper <mco...@dynallc.com>
Subject: Re: Cell phones and cancer: New UC Berkeley study suggests
cell phones sharply increase tumor risk

[via geoff goodfellow]

If we are to believe this meta study, the risk of getting a brain tumor
increases from about 1 in 150 to about 1 in 100 due to excessive use of cell
phones. There is no credible scientific evidence that I am aware of that low
level non-ionizing radiation has any effect on the human body. There is a
huge amount of evidence that the connectivity offered by cell phones has
reduced poverty, enhanced education, increased social interaction (which
increases longevity), and has the potential to improve health care. One
might also ask whether the use of cell phones reduces the need for
automobile travel. The probability that a person will die during a lifetime
in an auto accident is roughly one percent. That’s a statistic, not a
meta-study.

------------------------------

Date: Sat, 10 Jul 2021 22:53:40 +0200
From: "Lars-Henrik Eriksson" <l...@it.uu.se>
Subject: Re: Social-credit score system for Germany (Vorausschau)

Thomas Koenig's message in RISKS 32.76 gives the impression that the German
ministry for education and science proposes a Chinese-style social credit
system for Germany.

In reality, the study is an attempt to forecast societal trends: "The role
of Strategic Foresight is to anticipate technological, economic, legal and
geopolitical developments." The study also points out that "It is currently
unclear which developments will take hold in the long term and which will
not."

The study describes six different scenarios, one of which predicts the
emergence of a Chinese-style social credit system.

Lars-Henrik Eriksson, PhD, Senior Lecturer
Computing Science, Dept. of Information Technology, Uppsala University, Sweden

------------------------------

Date: Sun, 11 Jul 2021 16:16:11 -0600
From: goldy <gold...@gmail.com>
Subject: Re: Social-credit score system for Germany (RISKS-32.76)

> The German ministry for education and science (BMBF) has published a study
> in which it puts forward a Chinese-style social credit system for Germany.

I think Charlie Brooker already imagined what this would look like in a
Western society: https://en.wikipedia.org/wiki/Nosedive_(Black_Mirror) .
Not surprisingly, his vision differs from the BMBF version.

------------------------------

Date: Tue, 13 Jul 2021 21:26:40 +0200
From: "Fritz Grammer" <Fritz....@gmx.de>
Subject: Re: Social-credit score system for Germany (RISKS-32.76)

Th.Koenig in the article "Social-credit score system for Germany" writes
"The German ministry for education and science (BMBF) has published a study
in which it puts forward a Chinese-style social credit system for Germany."

This is absolutely wrong and biased.

The study of the BMBF describes 6 possible scenarios of the future, the
"social-credit score system" being just one of them. The BMBF writes "none of
the six scenarios is particularly likely or unlikely. Rather, the study aims
to capture which developments are possible for multifaceted futures, in
order to use these in turn as a basis for discussion."

------------------------------

Date: 10 Jul 2021 18:23:15 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Supreme Court sides with credit agency (Klein, RISKS-32.75)

That's easily solved. Just click here and read all about it.
https://www.supremecourt.gov/opinions/20pdf/20-297_4g25.pdf

>Is this as f**ked up as it sounds?

Yes indeed. The dissent which starts on page 32 explains in detail.

------------------------------

Date: Sat, 10 Jul 2021 21:53:53 -0400
From: "Stanley Chow" <stanle...@pobox.com>
Subject: Re: Supreme Court sides with credit agency (Klein, RISKS-32.75)

Thanks, John. I have skimmed the decision, it pains me to agree with
Clarence Thomas (being a long standing lefty in Canada).

Incidentally, I used to read many US Supreme decisions; and the more I read,
the less respect I have for them. When I started reading, decades ago, the
Justices would at least pretend to have some integrity and consistency, but
over the decades, as the political atmosphere changed in the US, people like
Scalia didn't even pretend anymore. I have now mostly stopped reading the
decisions.

Anyway, thanks for the link,

------------------------------

Date: Tue, 13 Jul 2021 22:40:39 +0100
From: "Ross Anderson" <Ross.A...@cl.cam.ac.uk>
Subject: Re: Insider attacks

I am impressed by this new paper from Jenny Blessing, Mike Specter and
Danny Weitzner:

https://arxiv.org/abs/2107.04940

By collating data on bugs in crypto-code, they provide empirical support to
the proposition that complexity is the enemy of security. Expect to add
another vulnerability for every thousand lines of code. Worth reading in
its entirety.

------------------------------

Date: 10 Jul 2021 18:19:57 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: NY's "Excelsior" vaccine "passport" is a mess (TechReview,
RISKS-32.76)

> https://www.technologyreview.com/2021/07/06/1027770/vaccine-passport-new-york-excelsior-pass/

Even by the uneven standards of Tech Review, that is a truly dreadful
article. It is full of FUD, and plain old errors.

All the app does is to display a 2-D barcode which is a JSON blob of the
data with a digital signature so it can be verified offline. Any generic
barcode scanner can scan it and show you the JSON. Since it's just showing
a barcode, you can equally well print the barcode from the pass' web site,
no app needed, indeed no phone needed. I don't know why it took four tries
for the author to get his barcode, other than perhaps the usual difficulty
of typing accurately on a tiny screen. I've had no trouble getting the
barcodes for my wife and me.

I have also used the scanner app which does what it says: it scans the
barcode from screen or paper, and if it's valid shows you the info,
name, age, pass expiration date. If it's sucking up data and saving
it, I don't know where it's doing so, since it's not saving it anywhere
I can see it, and since I haven't told them who or where I am, it is
not obvious what the point would be.

------------------------------

Date: Sat, 10 Jul 2021 15:35:12 -0700
From: "Lauren Weinstein" <lau...@vortex.com>
Subject: Re: NY's "Excelsior" vaccine "passport" is a mess (TechReview)

EFF just published a piece pointing out the problems with the Calif
version, noting I think that it was worse than the NY version. Given
the history of apps screwing up when it comes to data privacy,
particularly when the government is involved, it's hard to see why
anyone should trust these apps, even if we make the dubious assumption
that they are free of relevant bugs.

------------------------------

Date: 10 Jul 2021 18:30:46 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Some locals say a bitcoin mining operation is ruining one of
the Finger Lakes. Here's how. (NBC News)

A bill to ban fossil fuel powered cryptocoin mining has passed the NY Senate
and is currently in front of the house.

I live about 1/2 hr from Seneca Lake and they can't pass it soon enough.

------------------------------

Date: Sat, 10 Jul 2021 14:15:51 -0700
From: "Henry Baker" <hba...@pipeline.com>
Subject: Re: RFI on scientific integrity (White House OSTP)

I'll forgive President Biden, the NSTC and the OSTP for committing the
Santayana Sin of attempting to repeat the uglier events of history; they
certainly aren't the first nor will they be the last.

If one compares the goals of Biden's "Scientific Integrity" task force and
those of an earlier "Inquisition" task force, one finds that they are
roughly equivalent: to prevent the suppression or distortion of dogma.

The heart of the problem is that scientific 'truths' -- unlike
mathematical truths -- are contingent and contextual, because they must
contingently rely on a host of other contingent and contextual
truths. Attempting to stamp out scientific 'untruths' ('distruths' ?)
throws the baby out with the bath-water. *There is NO scientific
progress without heresy!*

Examples are embarrassingly common and recent: 'eugenics' was 'settled
science' in the early 20th C.; Supreme Court language such as "three
generations of imbeciles are enough" led directly to the Nazi
Holocaust. Aussie scientists Barry Marshall and Robin Warren couldn't
get funding due to their heretical belief that stomach ulcers were
caused by some sort of a bug.

Just recently, Katalin Kariko was finally proven correct about the
incredible potential of mRNA-based vaccines with the Moderna and Pfizer
COVID vaccines. "She migrated from lab to lab, relying on one senior
scientist after another to take her in. She never made more than $60,000
a year."

https://www.nytimes.com/2021/04/08/health/coronavirus-mrna-kariko.html

Innovation in science is a messy, chaotic business which doesn't respect
race, language, age, tuition amount, gender or gender preference,
religion, or political boundaries.

Mao was correct:

"Letting a hundred flowers blossom and a hundred schools of thought
contend is the policy for promoting progress in the arts and the
sciences..."

while cynically psychopathic:

"[Mao's] initiative [may have been] a deliberate attempt to flush out
dissidents by encouraging them to show themselves as critical of the
regime. Whether or not it was a deliberate trap isn't clear but it is
the case that many of those who put forward views that were unwelcome to
Mao were executed."

We don't need any more inquisitional 'task forces' which will demoralize
inventive scientific thought; on the contrary, we need to instead
encourage more risk-taking through a wider distribution of research
grants.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.77
************************
