info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Risks Digest 32.68
58 views
Skip to first unread message
RISKS List Owner
May 21, 2021, 6:26:27 PM5/21/21
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Friday 21 May 2021 Volume 32 : Issue 68
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.68>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Waymo self-driving taxi fumbles in construction Zone, Blocks Traffic
(Youtube)
Tesla's Autopilot Mode Crashed a Car Right Into a Washington State Cop Car
(Gizmodo)
Tesla Autopilot system was on during fatal California crash, adding to
self-driving safety concerns (WashPost)
Your Car Is Spying on You. A CBP Contract Shows the Risks. (The Intercept)
Get Ready for In-Car Ads (The Intercept via geoff goodfellow)
CNA paid $40M for ransomware (Bloomberg)
Irish Health Service hit by ransomware (BBC)
Technobabble, Libertrarian Derp and Bitcoin (Paul Krugman)
The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)
Flaw in Japan vaccine reservation system leaves government red-faced
(The Japan Times)
Just 12 People Are Behind Most Vaccine Hoaxes On Social Media, Research
Shows (NPR)
Prosecutors probe Pennsylvania contact-tracing data breach
(Meadville Tribune)
Millions of fake commenters asked the FCC to end net neutrality.
*Astroturfing* is a business model. (WashPost)
Police Departments Adopting Facial Recognition Tech Amid Allegations of
Wrongful Arrests (60 Minutes)
The Disinformation Dozen (NPR via Rob Slade)
Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons
(The Hacker News)
Lies on Social Media Inflame Israeli-Palestinian Conflict (NYTimes)
Tech audit of Colonial Pipeline found glaring' problems (AP)
'Extreme Reaction' By Colonial Pipeline Baffles Energy Experts
(Arlington VA Patch)
DarkSide group that attacked Colonial Pipeline drops from sight online
(NYTimes)
FBI leads investigation of RPI computer attack (Albany Times Union)
Microsoft Data Shows That The FCC's Broadband Maps Are Fantasy (TechDirt)
Cheating Charges Upend Dartmouth Medical School (NYTimes)
Bias Is a Big Problem. But So Is Noise. (NYTimes)
We Found Joe Biden's Secret Venmo. Here's Why That's A Privacy Nightmare
For Everyone (Buzzfeed News)
Open Source and Cybersecurity (ZDNet via Rebecca Mercuir)
U.S. Has Almost 500,000 Job Openings in Cybersecurity (CBS News)
Californian RoboCop Had To Deal With Its First Crime, And It Did Not Go Well
(IFLScience)
The United States should make cybercrime a high priority (WashPost)
Mob Violence Against Palestinians in Israel Is Fueled by Groups on WhatsApp
(NYTimes)
Coinbase is down for some users as Bitcoin sees massive sell-off (CNBC)
Dutch civil servants used social media to spy on citizens, says study
(EuroNews)
How to Solve Captchas -- and Why They've So Hard to Solve (WiReD)
Cracking the Code of Letterlocking (Atlas Obscura)
Re: Marvin hacked (Tom Van Vleck)
Re: RISKS and Zero Day (Kim Zetter)
Re: I have been pwned! -- but not really (Merlyn)
Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob, Popsicles
(Bernie Cosell)
MIT STAMP/STPA Virtual Workshop 2021 (Nancy Leveson)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 16 May 2021 19:06:41 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Waymo self-driving taxi fumbles in construction Zone, Blocks
Traffic (Youtube)
This clip posted by JJRicks, shows a ride on a Waymo autonomous taxi, which
got confused about the meaning of traffic cones:
https://www.youtube.com/watch?v=zdKCQKBvH-A
[Lauren Weinstein noted this:
Waymo robocar gets stuck, blocks traffic, then attempts to escape its
human overseers
https://youtu.be/zdKCQKBvH-A?t=757
PGN]
------------------------------
Date: Tue, 18 May 2021 10:45:53 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Tesla's Autopilot Mode Crashed a Car Right Into a Washington State
Cop Car (Gizmodo)
https://gizmodo.com/teslas-autopilot-mode-crashed-a-car-right-into-a-washin-1846916808
------------------------------
Date: Fri, 14 May 2021 19:23:24 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Tesla Autopilot system was on during fatal California crash, adding
to self-driving safety concerns (WashPost)
Tesla Autopilot system was on during fatal California crash, adding to
self-driving safety concerns
https://www.washingtonpost.com/technology/2021/05/14/tesla-california-autopilot-crash/?utm_campaign=wp_main&utm_source=twitter&utm_medium=social
------------------------------
Date: Mon, 17 May 2021 00:14:27 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Your Car Is Spying on You. A CBP Contract Shows the Risks.
(The Intercept)
A vehicle forensics kit can reveal where you've driven, what doors you
opened, and who your friends are.
U.S. Customs and Border Protection purchased technology that vacuums up
reams of personal information stored inside cars, according to a federal
contract reviewed by The Intercept, illustrating the serious risks in
connecting your vehicle and your smartphone.
The contract, shared with The Intercept by Latinx advocacy organization
Mijente, shows that CBP paid Swedish data extraction firm MSAB $456,073 for
a bundle of hardware including five vehicle forensics kits manufactured by
Berla, an American company. A related document indicates that CBP believed
the kit would be ``critical in CBP investigations as it can provide evidence
[not only] regarding the vehicle's use, but also information obtained
through mobile devices paired with the infotainment system.'' The document
went on to say that iVe was the only tool available for purchase that could
tap into such systems.
https://theintercept.com/2021/05/03/car-surveillance-berla-msab-cbp/
------------------------------
Date: Sun, 16 May 2021 17:48:26 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Get Ready for In-Car Ads (The Intercept)
Because being bombarded with roadside signage while taking a leisurely
Sunday drive isn't enough, Ford has patented a new system that uses a
vehicle's cameras to detect billboards and then pull them up on a car's
infotainment display as inescapable in-vehicle advertisements.
<https://pdfaiw.uspto.gov/.aiw?docid=20210133810&SectionNum=1&IDKey=1E5A14DC9924&HomeUrl/>
<https://thenextweb.com/news/ford-new-patent-ruin-driving-forever-hell>
Billboards are an effective way to subliminally make a driver hungry for an
approaching fast food restaurant, or convince them they need to pull off the
road and visit a nearby outlet mall for some discount Reeboks. What
billboards aren't great at is providing detailed information like a phone
number, an address, or a website, as even large signage often isn't visible
long enough for a driver or passenger to memorize important details. That's
the problem Ford is trying to solve with this new system it's patenting --
although the larger potential here is concerning.
Many vehicles now come standard with built-in cameras that are either used
for autonomous driving features, security, or for providing a driver with a
view outside the vehicle to make parking easier. What Ford wants to do is
leverage those cameras to also keep an eye out for passing billboards, and
then use image recognition to put a copy of the advertisement on a vehicle's
infotainment screens so it's visible to the driver and passengers for
longer. The system would also intelligently analyze the content of the
billboard and generate hyperlinks, either for easily dialing a posted phone
number, or for bringing up a company's website to see additional information.
https://gizmodo.com/get-ready-for-in-car-ads-1846888390
[More distractions for the surrogate-driver in a driverless vehicle (who
is still supposed to be paying attention), or for the actual driver in a
conventional vehicle with already distracting electronic displays. This
is a really terrible idea. Perhaps it would inspire a renewed attempt at
"Smell-o-Vision", although the 1960 movie-theater attempt ran into
lingering scents that would not go away, and the concept was quickly
abandoned. That's my two-scents' worth. PGN]
------------------------------
Date: Fri, 21 May 2021 9:38:35 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: CNA paid $40M for ransomware (Bloomberg)
[Re: Colonial paid $5m ransom which I noted in RISKS-32.67,
here's another case. PGN]
Insurance carrier CNA paid a $40 million dollar ransom after an attack in
March 2021,
https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
------------------------------
Date: Fri, 14 May 2021 10:56:46 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: Irish Health Service hit by ransomware (BBC)
https://www.bbc.com/news/world-europe-57111615
------------------------------
Date: Fri, 21 May 2021 9:55:56 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Technobabble, Libertrarian Derp and Bitcoin (Paul Krugman)
Paul Krugman, *The New York Times*, 21 May 2021
Rising asset prices don't mean that silly ideas necesarily make sense.
Last para:
The good news is that none of this matters very much. Because Bitcoin and
its relatives haven't managed to achieve any meaningful economic role,
what happens to their value is basically irrelevant to those of us not
playing the crypto game.
------------------------------
Date: Fri, 21 May 2021 00:43:38 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)
In 2011, Chinese spies stole the crown jewels of cybersecurity -- stripping
protections from firms and government agencies worldwide. Here's how it
happened.
https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/
------------------------------
Date: Tue, 18 May 2021 20:43:55 +0900
From: Dave Farber <far...@gmail.com>
Subject: Flaw in Japan vaccine reservation system leaves government
red-faced (The Japan Times)
A quote that should apply to all software systems:
``It would have been better if we had fixed it from the start,'' the
minister said, adding that the ministry does not plan to conduct a large
system overhaul.
Flaw in Japan vaccine reservation system leaves government red-faced
Japan Times, 18 May 2021
<https://www.japantimes.co.jp/news/2021/05/18/national/japan-vaccine-reservation-flaw/>
<https://cdn-japantimes.com/wp-content/uploads/2021/05/np_file_87756-1.jpeg>
The Defense Ministry says it will fix a fault in the booking system for the
large vaccination centers it operates. | KYODO
The government said Tuesday it will fix a COVID-19 vaccine booking system
fault that allowed reservations to be made using nonexistent application
numbers.
The announcement came a day after the government started accepting online
bookings for older people to receive shots at large Self-Defense
Forces-staffed vaccination centers in Tokyo and Osaka as it attempts to ramp
up its inoculation rollout amid a fourth wave of infections.
The state-run booking system for the vaccination center in Tokyo was found
to accept municipality code numbers and vaccination ticket numbers that were
not issued by respective authorities.
"We plan on fixing (the system) so we can confirm the inputted data are
genuine information," Defense Minister Nobuo Kishi said at a news
conference.
"It would have been better if we had fixed it from the start," the minister
said, adding that the ministry does not plan to conduct a large system
overhaul.
The problem was reported Monday by major news organizations Asahi Shimbun
Publications Inc. and the Mainichi Shimbun, which signed up to test the
system using fictitious information. Both said in their reporting that they
had canceled reservations they created.
Kishi said he takes the actions of the companies "very seriously," calling
them "malicious and very regrettable" despite the significant flaws they
brought to light.
He asked the public not to make appointments using false information to
ensure slots are available to those who are eligible and so vaccines are not
wasted.
The problem with vaccination ticket numbers, issued to eligible individuals
by their municipality, was put down to a failure to cross-reference data in
the system with that from local municipalities, according to the Defense
Ministry.
"We did not think it appropriate for the Defense Ministry to retain private
information of every individual in the country subject to vaccination,"
Kishi said.
At a separate news conference, Chief Cabinet Secretary Katsunobu Kato warned
the government may consider taking legal action against people or groups
deemed to have taken advantage of the system failure in a malicious manner,
such as making many reservations using fictitious data.
Currently, residents of Tokyo's 23 wards and the city of Osaka age 65 or
older are able to make appointments via the Defense Ministry's website and
the Line messaging app but spots are filling up quickly with the launch of
online bookings.
The government moved to set up mass vaccination centers operated mostly by
Self-Defense Forces doctors and nurses to accelerate its vaccine rollout,
given only around 3% of its population of 126 million has received at least
one shot of a vaccine, the slowest vaccination rate among major economies.
Some municipalities that run local inoculation venues have experienced
problems processing appointments as phone lines and computer systems have
been overloaded.
According to the Defense Ministry, around 44,000 slots for the Tokyo center were booked by 7 a.m. Tuesday out of the 50,000 that had been made available between May 24 and May 30.
Additionally, all of the 25,000 slots for the Osaka center were filled
within 25 minutes on Monday afternoon, the ministry said.
Japan began inoculation of its older population of about 36 million in
mid-April after its vaccination effort for health care workers started in
February.
[Does anyone believe that the huge influx of counterfeit
proof-of-vaccination cards is going to increase herd immunity? I have not
heard the herd crying out for salvation. PGN]
------------------------------
Date: Fri, 14 May 2021 09:19:05 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Just 12 People Are Behind Most Vaccine Hoaxes On Social Media,
Research Shows ()
https://www.npr.org/2021/05/13/996570855/disinformation-dozen-test-facebooks-twitters-ability-to-curb-vaccine-hoaxes?utm_campaign=storyshare&utm_source=twitter.com&utm_medium=social
------------------------------
Date: Thu, 13 May 2021 14:51:12 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Prosecutors probe Pennsylvania contact-tracing data breach
(Meadville Tribune)
This impacted 72K people relative to COVID-19.
https://www.meadvilletribune.com/coronavirus/prosecutors-probe-pennsylvania-contact-tracing-data-breach/article_c97c5eb9-d364-52bd-a8d4-d85f8d3a129e.html
------------------------------
Date: Fri, 14 May 2021 21:53:30 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Millions of fake commenters asked the FCC to end net neutrality.
*Astroturfing'* is a business model. (WashPost)
The technology used this time may be new, but the business model has been
around for decades.
https://www.washingtonpost.com/politics/2021/05/14/millions-fake-commenters-asked-fcc-end-net-neutrality-astroturfing-is-business-model/
------------------------------
Date: Mon, 17 May 2021 12:34:06 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Police Departments Adopting Facial Recognition Tech Amid
Allegations of Wrongful Arrests (60 Minutes)
Anderson Cooper, 60 Minutes 16 May 2021 via ACM TechNews, 17 May 2021
U.S. police departments are adopting facial recognition technology, despite
complaints of wrongful arrests resulting from its use. Clare Garvie at
Georgetown University Law's Center on Privacy and Technology thinks facial
recognition has been involved in hundreds of thousands of such cases, in
which users incorrectly assume the technology is faultless, given the
mathematical basis of its matches. The U.S. National Institute of Standards
and Technology's Patrick Grother evaluates prototype facial recognition
algorithms, and his team published a landmark study which determined that
many facial recognition algorithms found it difficult to distinguish between
Black, Asian, and female faces. Grother said false negatives arising from
such errors could lead to wrongful arrests. Since last summer, three Black
men have sued for wrongful arrest involving facial recognition; said Garvie,
"The fact that we only know of three misidentifications is more a product of
how little we know about the technology than how accurate it is."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2b09ax22b48bx069479&
------------------------------
Date: Fri, 14 May 2021 12:05:48 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: The Disinformation Dozen (NPR)
An intriguing piece of research has found that the majority of antivax
disinformation is being distributed by only twelve people.
https://www.npr.org/2021/05/13/996570855/disinformation-dozen-test-facebooks-twitters-ability-to-curb-vaccine-hoaxes
On the downside, these few people are having a massively disproportionate
effect on public discourse and behaviour. Although only a dozen people are
the instigators, they use multiple accounts, get reposted by many others,
and use various ruses to try and avoid being banned by social media
platforms.
On the plus side, if this research holds true for other forms of
disinformation, it does indicate that a concerted effort could seriously
reduce the disinformation problem overall ...
------------------------------
Date: Fri, 14 May 2021 10:03:48 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons
(The Hacker News)
Cybercrime groups are distributing malicious PHP web shells disguised as a
favicon to maintain remote access to the compromised servers and inject
JavaScript skimmers into online shopping platforms with an aim to steal
financial information from their users.
"These web shells known as Smilodon or Megalodon are used to dynamically
load JavaScript skimming code via server-side requests into online stores,"
Malwarebytes J=C3=A9r=C3=B4me Segura said
<https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/>
in a Thursday write-up. "This technique is interesting as most client-side
security tools will not be able to detect or block the skimmer."
Injecting web skimmers on e-commerce websites to steal credit card details
is a tried-and-tested modus operandi of Magecart, a consortium of different
hacker groups who target online shopping cart systems. Also known as
formjacking attacks, the skimmers take the form of JavaScript code that the
operators stealthily insert into an e-commerce website, often on payment
pages, with an intent to capture customers' card details in real-time and
transmit them to a remote server.
While injecting skimmers typically work by making a client-side request to
an external JavaScript resource hosted on an attacker-controlled domain when
a customer visits the online store in question, the latest attack is a
little different in that the skimmer code is introduced into the merchant
site dynamically at the server-side. [...]
https://thehackernews.com/2021/05/magecart-hackers-now-hide-php-based.html
------------------------------
Date: Fri, 14 May 2021 12:20:52 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Lies on Social Media Inflame Israeli-Palestinian Conflict (NYTimes)
https://www.nytimes.com/2021/05/14/technology/israel-palestine-misinformation-lies-social-media.html
------------------------------
Date: Sat, 15 May 2021 09:43:34 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Tech audit of Colonial Pipeline found glaring' problems (AP)
An outside audit three years ago of the major East Coast pipeline company
hit by a cyberattack found *atrocious* information management practices and
``A Patchwork of poorly connected and secured systems,'' its author told The
Associated Press.
``We found glaring deficiencies and big problems,'' said Robert
F. Smallwood, whose consulting firm delivered an 89-page report in January
2018 after a six-month audit. ``I mean an eighth-grader could have hacked
into that system.''
How far the company, Colonial Pipeline, went to address the vulnerabilities
isn't clear. Colonial said Wednesday that since 2017, it has hired four
independent firms for cybersecurity risk assessments and increased its
overall IT spending by more than 50%. While it did not specify an amount, it
said it has spent tens of millions of dollars.
``We are constantly assessing and improving our security practices -- both
physical and digital,'' the privately held Georgia company said in response
to questions from the AP about the audit's findings. It did not name the
firms who did cybersecurity work but one firm, Rausch Advisory Services,
located in Atlanta near Colonial's headquarters, acknowledged being among
them. Colonial's chief information officer sits on Rausch's advisory board.
[...]
https://apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d
------------------------------
Date: Sat, 15 May 2021 16:51:19 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: 'Extreme Reaction' By Colonial Pipeline Baffles Energy Experts
(Arlington VA Patch)
VIRGINIA -- The major East Coast pipeline behind the gasoline shortages in
the Southeast and mid-Atlantic is coming under scrutiny for its information
technology and cybersecurity practices.
Colonial Pipeline revealed Friday that it had been the target of a
cyberattack on its information technology system. The company said the
hackers stole nearly 100 gigabytes of data and encrypted at least a portion
of the company's information technology network.
The hackers, however, did not obtain access to the operational technology
side of the pipeline company's system. But Colonial Pipeline still decided
to shut down the entire pipeline system, which provides nearly 50 percent of
the gasoline and jet fuel to East Coast markets.
The decision to shut down the pipeline system has caused major shortages of
gasoline. In Virginia, 55 percent of gas stations had run dry of supplies as
of Thursday morning, according to GasBuddy, which tracks supply. In the
District of Columbia, about 51 percent of stations were out of gas. [...]
The cyberattack targeted the portion of Colonial Pipeline's technology
network that most of its employees use to check their email, review
contracts and write and distribute invoices, Bloomberg reported Wednesday.
Colonial Pipeline had no evidence that its operational technology systems,
which are not connected to its information technology system, had been
compromised in the attack, the company said. [...]
Pipeline system operations became more digital in the 1990s and 2000s.
According to an Associated Press report, though, an outside audit conducted
ç¢ree years ago of Colonial Pipeline found "atrocious" information
management practices and "a patchwork of poorly connected and secured
systems."
"We found glaring deficiencies and big problems," Robert F. Smallwood, whose
consulting firm completed a report in January 2018 after the audit, told the
AP. "I mean, an eighth grader could have hacked into that system."
The exact reason for Colonial Pipeline's decision to shut down the entire
pipeline system remains unclear. The company has acknowledged that the
cyberattack affected only a portion of its information technology system,
including the parts related to contracts and invoices.
https://patch.com/virginia/arlington-va/extreme-reaction-colonial-pipeline-baffles-energy-experts
------------------------------
Date: Fri, 14 May 2021 22:08:49 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: DarkSide group that attacked Colonial Pipeline drops from sight
online (NYTimes)
DarkSide group that attacked Colonial Pipeline drops from sight online
https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/
https://www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html
------------------------------
Date: Fri, 14 May 2021 23:57:12 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: FBI leads investigation of RPI computer attack (Albany Times Union)
Albany Times Union, 12 May 2021
Malware has upended university operations during finals week
FBI and State Police cybersquads are investigating a malware attack that has
paralyzed computer systems at Rensselaer Polytechnic Institute since last
week.
Since it was detected on Friday, the cyberattack has disrupted nearly all of
the world-famous engineering and research school's operations officials
confirmed.
https://digital.olivesoftware.com/olive/ODN/AlbanyTimesUnion/shared/ShowArticle.aspx?doc=HATU%2F2021%2F05%2F12&entity=Ar00107&sk=D12A0898&mode=text#
------------------------------
Date: May 14, 2021 21:39:55 JST
From: Richard Forno <rfo...@infowarrior.org>
Subject: Microsoft Data Shows That The FCC's Broadband Maps Are Fantasy
(TechDirt)
https://www.techdirt.com/articles/20210511/07082546773/microsoft-data-shows-that-fccs-broadband-maps-are-fantasy.shtml
[via Dave Farber]
------------------------------
Date: Sun, 16 May 2021 01:25:27 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Cheating Charges Upend Dartmouth Medical School (NYTimes)
The university accused 17 students of cheating on remote exams, raising
questions about data mining and sowing mistrust on campus.
At the heart of the accusations is Dartmouth’s use of the Canvas system
to retroactively track student activity during remote exams without their
knowledge. In the process, the medical school may have overstepped by using
certain online activity data to try to pinpoint cheating, leading to some
erroneous accusations, according to independent technology experts, a review
of the software code and school documents obtained by The New York Times.
Online Cheating Charges Upend Dartmouth Medical School
https://www.nytimes.com/2021/05/09/technology/dartmouth-geisel-medical-cheating.html
------------------------------
Date: Sun, 16 May 2021 13:34:46 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Bias Is a Big Problem. But So Is Noise. (NYTimes)
The word *bias* commonly appears in conversations about mistaken judgments
and unfortunate decisions. We use it when there is discrimination, for
instance against women or in favor of Ivy League graduates. But the meaning
of the word is broader: A bias is any predictable error that inclines your
judgment in a particular direction. For instance, we speak of bias when
forecasts of sales are consistently optimistic or investment decisions
overly cautious.
Society has devoted a lot of attention to the problem of bias -- and rightly
so. But when it comes to mistaken judgments and unfortunate decisions, there
is another type of error that attracts far less attention: noise.
To see the difference between bias and noise, consider your bathroom
scale. If on average the readings it gives are too high (or too low), the
scale is biased. If it shows different readings when you step on it several
times in quick succession, the scale is noisy. (Cheap scales are likely to
be both biased and noisy.) While bias is the average of errors, noise is
their variability.
Although it is often ignored, noise is a large source of malfunction in
society. In a 1981 study, for example, 208 federal judges were asked to
determine the appropriate sentences for the same 16 cases. The cases were
described by the characteristics of the offense (robbery or fraud, violent
or not) and of the defendant (young or old, repeat or first-time offender,
accomplice or principal). You might have expected judges to agree closely
about such vignettes, which were stripped of distracting details and
contained only relevant information. ...
Once you become aware of noise, you can look for ways to reduce it. For
instance, independent judgments from a number of people can be averaged (a
frequent practice in forecasting). Guidelines, such as those often used in
medicine, can help professionals reach better and more uniform decisions. As
studies of hiring practices have consistently shown, imposing structure and
discipline in interviews and other forms of assessment tends to improve
judgments of job candidates.
No noise-reduction techniques will be deployed, however, if we do not first
recognize the existence of noise. Noise is too often neglected. But it is a
serious issue that results in frequent error and rampant
injustice. Organizations and institutions, public and private, will make
better decisions if they take noise seriously.
https://www.nytimes.com/2021/05/15/opinion/noise-bias-kahneman.html
------------------------------
Date: Sun, 16 May 2021 01:52:53 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: We Found Joe Biden's Secret Venmo. Here's Why That's A Privacy
Nightmare For Everyone (Buzzfeed News)
The peer-to-peer payments app leaves everyone from ordinary people to the
most powerful person in the world exposed.
BuzzFeed News found President Joe Biden's Venmo account after less than 10
minutes of looking for it, revealing a network of his private social
connections, a national security issue for the United States, and a major
privacy concern for everyone who uses the popular peer-to-peer payments app.
[...]
Privacy advocates and journalists have warned about Venmo's privacy problems
for years, yet the PayPal-owned app has persisted with features that can
place people -- including the president of the United States -- at risk.
While many critics have focused on how the app makes all transactions public
by default, Venmo's friend lists are arguably a larger privacy issue. Even
if a Venmo account is set to make payments private, its friend list remains
exposed. There is no setting to make this information private, which means
it can provide a window into someone's personal life that could be exploited
by anyone -- including trolls, stalkers, police, and spies.
https://www.buzzfeednews.com/article/ryanmac/we-found-joe-bidens-secret-venmo
------------------------------
Date: Sat, 15 May 2021 08:31:50 -0400
From: DrM <not...@mindspring.com>
Subject: Open Source and Cybersecurity
An interesting article:
https://www.zdnet.com/article/linux-and-open-source-communities-rise-to-bidens-cybersecurity-challenge/
------------------------------
Date: Fri, 21 May 2021 12:27:06 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: U.S. Has Almost 500,000 Job Openings in Cybersecurity (CBS News)
Khristopher J. Brooks, CBS News, 19 May 2021, via ACM TechNews, 21 May 2021
The U.S. Commerce Department's Cyber Seek technology job-tracking database
and the trade group CompTIA count about 465,000 current U.S. cybersecurity
jobs openings. Experts said private businesses and government agencies' need
for more cybersecurity staff has unlocked a prime opportunity for anyone
considering a job in that field. The University of San Diego's Michelle
Moore suggested switching to a cybersecurity career could be as simple as
obtaining a Network+ or Security+ certification, while an eight-week online
course could help someone gain an entry-level job earning $60,000 to $90,000
a year as a penetration tester, network security engineer, or incident
response analyst. Moore cited a lack of skilled cybersecurity personnel as a
problem, while CompTIA's Tim Herbert said only a small percentage of
computer science graduates pursue cybersecurity careers.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2b1dcx22b659x069602&
------------------------------
Date: Thu, 13 May 2021 17:42:18 -0700
From: Tom Van Vleck <th...@multicians.org>
Subject: Re: Marvin hacked (RISKS-32.67)
PGN suggested
> (Security was of course not in Turing's threat model.)
Yes, "security" is meaningful only relative to a model.
------------------------------
Date: Thu, 13 May 2021 20:07:34 -0700
From: Kim Zetter <kze...@gmail.com>
Subject: Re: RISKS and Zero Day
I noticed that you mis-credited CNN with the information that the Colonial
Pipeline had been shut down in part due to the fact that it's billing
system had been locked up by the ransomware. That information was first
reported by me four days ago in these two pieces (and CNN didn't give me
credit) published on my Zero Day substack publication:
https://zetter.substack.com/p/ransomware-infection-on-colonial
https://zetter.substack.com/p/biden-declares-state-of-emergency
Author: *Countdown to Zero Day: Stuxnet and the Launch of the World's First
Digital Weapon*
------------------------------
Date: Sat, 15 May 2021 15:11:03 -0700
From: mer...@stonehenge.com (Randal L. Schwartz)
Subject: Re: I have been pwned! -- but not really (Slade, RISKS-32.65)
I've had stonehenge.com since about the earliest possible time I could
register it. While I do get the expected misdirected pile of mail for that
big rock group in England, and the occasional mail for some other
stonehenge-like organization, the biggest breaches were back in the early
90s.
It seems that a large venture capital firm opened up, and although their
company name was something like Stonehenge Holdings Limited, every senior
staff member (and their assistants) seemed to think that their email address
was "some...@stonehenge.com". You have not seen misdirected email until
you've had complete business plans, various investment strategies, and other
private communications delivered to your inbox, all meant for people with
large sums of money to hand out.
I tried repeatedly to explain this to everyone I could find at the company,
but most of the time, they either apologized (and then forgot), or somehow
accused me of hacking. I could almost imagine that their business cards
might have even been wrong.
Thank goodness they eventually went out of business.
------------------------------
Date: Thu, 13 May 2021 20:59:14 -0400
From: "Bernie Cosell" <cos...@alum.mit.edu>
Subject: Re: A mom panicked when her 4-year-old bought $2,600 in
SpongeBob, Popsicles (RISKS-32.65)
On 13 May 2021 at 15:02, Martin Ward wrote:
> Install the NoScript Firefox extension and ensure that
> washingtonpost.com is blocked. You can then read all the articles
> without the annoying popup asking you to subscribe or login.
How handy! We needed a forum on how to "share" things that we ought to pay
for. Next fun activity on RISKS -- how to get ATMs to spit out money.
NB: I don't mean to start a fight but I don't think that kind of "help" is
appropriate for RISKS.
[I don't think so either, but ran that item as a sort of test, for which
you are the only one thus far who responded. However, perhaps we have
done The Post a service by noting the lacuna, or perhaps they know about
it and believe it helps business. Historically, you might remember the
lame encryption used in early online games that seems to have increased
business by alerting more people to the game. PGN]
------------------------------
Date: Tue, 18 May 2021 11:54:26 -0400
From: Nancy Leveson via Ata-watchers <ata-wa...@airlinersafety.info>
Subject: MIT STAMP/STPA Virtual Workshop 2021
The free MIT STAMP/STPA Workshop be held virtually again this year (maybe
next year we can meet in person) spread out over the period from June
21-June 30. In case you are not aware, STAMP is a new accident causality
model based on systems theory and systems thinking described in Nancy
Leveson's book *Engineering a Safer World*. STAMP integrates into
engineering analysis the causal factors in our increasingly complex systems
such as software, human-decision making and human factors, new technology,
social and organizational design, and safety culture. STPA is a powerful new
hazard/cybersecurity analysis technique based on STAMP while CAST is the
equivalent for accident/incident analysis. These tools are now used globally
in almost every industry.
Free tutorials or videos of tutorials from last year will be provided so
everyone can participate, regardless of experience with STAMP or the
STAMP-based analysis techniques. You can access the tutorials from last year
at the PSAS website (http://psas.scripts.mit.edu/home) as well as
presentations from previous workshops. You will also find more information
about this year's workshop at the PSAS website as it becomes available.
The workshop is free, but In order to avoid spamming people, this is the
only message we will send to those who have not registered. We will also
use the registration list to send out passwords for the workshop in order to
provide security and avoid zoom bombers. You can register at
http://psas.scripts.mit.edu/home/2021-stamp-workshop-registration/
If you are unable to get to the registration site, please send me (
lev...@mit.edu) the following information: Name, Email, Affiliation
(company, government agency, university, etc.), Country, Industry, and Level
of Experience with STAMP-based methods) and I will make sure you are
registered.
The program is below although we are still working out details about day and
time. There were a large number of abstracts submitted so we could accept
only 20% of those submitted. The exact days and times will be provided
later. We expect speakers and attendees worldwide from almost every time
zone (last year there were over 3000 attendees) so we are still trying to
optimize timing. The presentations on any day will be limited to avoid zoom
fatigue.
*Presentations*
*Effectiveness of CAST, 5M and HFACS in Accident Investigation and
Prevention*, KAEFER Guenter (Austrian Air Force), KOGLBAUER Ioana (Graz
University of Technology, Austria)
*Safety Analysis of a Low-cost Insulin Infusion Pump using STPA: A Case
Study with Brazilian Company*, Aldo Martinazzo (Federal University of
S=C3=A3o Paulo), Luiz Eduardo Martins (Federal University of S=C3=A3o
Paulo), Tatiana Cunha (Federal University of S=C3=A3o Paulo)
*STPA Evaluation of Potential Conflicts between Large Commercial Air
Traffic and Small Uncrewed Aircraft Systems in the Terminal Airspace*,
Paul Stanley (Boeing), Victor Arcos Barraquero (Boeing)
*STPA at Google*, Tim Falzone (Google)
*STPA Return on Investment -- An Industry Perspective*, Marc Nance (Boeing
Retired, STAMP Engineering Services), Mark Vernacchia (General Motors),
Lori Smith (Boeing Retired, STAMP Engineering Services)
*Leveraging STPA to Create a More Informed Risk Matrix*, Sam Yoo and Dro
Gregorian (MIT)
*Analyzing National Responses to COVID-19 Pandemic using STPA*, Shufeng
Chen (WMG, University of Warwick)
*STPA Analysis Self-Driving Vehicles on level crossings -- lessons
learned*, Elma Dijkerman (Movares), Gea Kolk (Movares), Ello Weits
(Movares)
*Safety analysis of interoperability conformance profiles in Medical
Information Exchange*, Jens Weber (University of Victoria)
*Key Safety Indicators using STPA*, Stuart Williams (University of
Strathclyde, Glasgow)
*Introducing STAMP to a Major Health Organisation*, Wallace Grimmett
(MATER)
*Applying STPA in Development of Autonomous Container Handling Machinery*,
Eetu Heikkil=C3=A4 (VTT Technical Research Centre of Finland Ltd.)
*STPA in Support of Next-Gen Automotive E/E Architecture Development*.
Sandro N=C3=BCesch (Huawei Technologies Duesseldorf GmbH), Christoph
Ainhauser (Huawei Technologies Duesseldorf GmbH), Gereon Hinz (STTech GmbH
)
*Lightning Talks*
*Consideration of STPA in Civil Aviation*, Linh Le (Federal Aviation
Administration), Eric M Peterson (Federal Aviation Administration)
*Discussion on STPA Validation, Replicability and Analyst Bias*, Idoaldo
Lima (RWTH Aachen)
*Cybersecurity Incident Analysis by CAST using the Report of Unauthorized
Access to the Information System*, Tomoko Kaneko, Ph.D. (Researcher of
National Institute of Informatics)
*Hazard Analysis of Teaming Systems*, Andrew Kopeikin (MIT)
*Using STPA to Address Challenges in Achieving SOTIF*, Amardeep Sidhu
(Independent)
*Safety Analysis for an In-wheel Electric Motor Powertrain*, Joaquim Maria
Castella Triginer (Virtual Vehicle), Helmut Martin (Virtual Vehicle)
*Incorporating STPA into DoD Acquisition Program*, Drake Mailes (USAF)
*Open STPA with RAAML and Gaphor*, Dan Yeaw (Ford Motor Company), Kyle Post
(Ford Motor Company)
*Applying CAST to Human Error Related Manufacturing Mishaps*, Jess Reid
(Boeing)
*STPA-sec Supporting Zero Trust Partners*, William Young (USAF)
*Using STPA to identify conflicts in coal mining safety procedures*,
Alicja Krzemien (GIG Research Institute), Stanislaw Prusek (GIG Research
Institute)
*Panel Sessions*
Panel sessions with expert industry practitioners will give participants a
chance to ask questions and learn how they were able to implement
STAMP-based methods successfully.
Introducing STPA and CAST into Organizations
Progress on Including STPA in Industry Standards
And more...
*Interesting Uses Spotlights*
These will be very short introductions to new and interesting applications
that are not complete enough yet for a regular presentation:
Machine Learning (AI)
Indigenous healthcare in Australia
Pharmaceutical Order Entry Systems
Introducing STAMP in Organizations
Prioritizing Scenarios
Linux Medical Application
Prof. Nancy Leveson, Aeronautics and Astronautics, MIT, Room 33-334
77 Massachusetts Ave., Cambridge, MA 02142
Email: lev...@mit.edu URL: http://sunnyday.mit.edu
------------------------------
Date: Wed, 19 May 2021 15:53:21 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Californian RoboCop Had To Deal With Its First Crime, And It Did
Not Go Well (IFLScience)
Picture a world where police robots roam the streets dealing with crime, and
I can pretty much guarantee you'll either think of a nightmarish
all-powerful police state where everything has gone horribly wrong and/or
Robocop.
But it turns out robot police are already here and it's nothing like either
of those options: They just don't really give a shit about citizens. [...]
Why no help from the robot, you may ask. Perhaps they have already turned on
humans and are only interested in robocrimes?
Well, it turns out that RoboCop is in no way connected to the actual
police. The calls instead go to the robots' creator, Knightscope, who leases
the robots to the police department.
Knightscope also made the robot security guard that famously "committed
suicide" in 2017.
It turns out, the robots' cameras, which are capable of recording 360-degree
high definition video and live-streaming it to police phones, are not
connected to the police yet, nor are its abilities to read license plates
and track cell phone use in the area. Police Chief Cosme Lozano told NBC
News that the robot is there on a trial basis, and will eventually be fully
connected to the department's dispatch center.
But for the moment if you see RoboCop you can be assured it doesn't actually
do anything. It just potters around LA, tells citizens worried about crime
to get out of the way, and sometimes, just sometimes, chats to Elon Musk on
Twitter. At a cost of $60,000-$70,000 a year.
https://www.iflscience.com/technology/californian-robocop-had-to-deal-with-its-first-crime-and-it-did-not-go-well/
From October 2019
------------------------------
Date: Mon, 17 May 2021 15:27:11 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The United States should make cybercrime a high priority (WashPost)
The May 11 editorial: *The ransomware emergency is here* failed to point out
that American computer experts can break any encryption scheme at any time
anywhere in the world. The United States, after all, is home to more than
100 supercomputers, the fastest of which is operated by the Energy
Department. Russia, in contrast, has only three supercomputers in the entire
country. Americans should perhaps assign a higher priority to defeating
cyber criminals in general and ransomware criminals in particular.
https://www.washingtonpost.com/opinions/letters-to-the-editor/the-united-states-should-make-cyber-crime-a-high-priority/2021/05/14/5237a4d6-b373-11eb-bc96-fdf55de43bef_story.html
...and assign higher priority to developing minimal technology literacy
among citizens and newspaper editors.
------------------------------
Date: Wed, 19 May 2021 15:59:50 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Mob Violence Against Palestinians in Israel Is Fueled by Groups on
WhatsApp (NYTimes)
Mob Violence Against Palestinians in Israel Is Fueled by Groups on WhatsApp
https://www.nytimes.com/2021/05/19/technology/israeli-clashes-pro-violence-groups-whatsapp.html
Of course, as comments note, it's used in the other direction as well.
------------------------------
Date: Wed, 19 May 2021 16:05:37 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Coinbase is down for some users as Bitcoin sees massive sell-off
(CNBC)
Crypto-exchange Coinbase said its site and app resumed service after a brief
outage earlier in the day.
Coinbase was down for some users Wednesday morning as digital coins plunged.
Several social media users seemed frustrated at the app and site's error
while cryptocurrencies were plunging, looking to buy the dip.
Coinbase is down for some users as Bitcoin sees massive sell-off
<https://www.cnbc.com/2021/05/19/coinbase-is-down-for-some-users.html?__sourceiosappshare%7Ccom.apple.UIKit.activity.Mail>
------------------------------
Date: Wed, 19 May 2021 19:04:03 -0400
From: "Robert Mathews (OSIA)" <mat...@hawaii.edu>
Subject: Dutch civil servants used social media to spy on citizens, says
study (EuroNews)
Hebe Campbell & Matthew Holro, EURONEWS, 19 May 2021
https://www.euronews.com/2021/05/19/dutch-civil-servants-used-social-media-to-spy-on-citizens-says-study
------------------------------
Date: Thu, 20 May 2021 02:14:23 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: How to Solve Captchas -- and Why They've So Hard to Solve (WiReD)
https://www.wired.com/story/im-not-a-robot-why-captchas-hard-to-solve/
Headline lies -- no tips here.
------------------------------
Date: Thu, 20 May 2021 02:23:04 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Cracking the Code of Letterlocking (Atlas Obscura)
A tale of Black Chambers, lost correspondence, and high technology.
https://www.atlasobscura.com/articles/letterlocking-virtual-unfolding
Early message security...
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 32.68
************************
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.68>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Waymo self-driving taxi fumbles in construction Zone, Blocks Traffic
(Youtube)
Tesla's Autopilot Mode Crashed a Car Right Into a Washington State Cop Car
(Gizmodo)
Tesla Autopilot system was on during fatal California crash, adding to
self-driving safety concerns (WashPost)
Your Car Is Spying on You. A CBP Contract Shows the Risks. (The Intercept)
Get Ready for In-Car Ads (The Intercept via geoff goodfellow)
CNA paid $40M for ransomware (Bloomberg)
Irish Health Service hit by ransomware (BBC)
Technobabble, Libertrarian Derp and Bitcoin (Paul Krugman)
The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)
Flaw in Japan vaccine reservation system leaves government red-faced
(The Japan Times)
Just 12 People Are Behind Most Vaccine Hoaxes On Social Media, Research
Shows (NPR)
Prosecutors probe Pennsylvania contact-tracing data breach
(Meadville Tribune)
Millions of fake commenters asked the FCC to end net neutrality.
*Astroturfing* is a business model. (WashPost)
Police Departments Adopting Facial Recognition Tech Amid Allegations of
Wrongful Arrests (60 Minutes)
The Disinformation Dozen (NPR via Rob Slade)
Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons
(The Hacker News)
Lies on Social Media Inflame Israeli-Palestinian Conflict (NYTimes)
Tech audit of Colonial Pipeline found glaring' problems (AP)
'Extreme Reaction' By Colonial Pipeline Baffles Energy Experts
(Arlington VA Patch)
DarkSide group that attacked Colonial Pipeline drops from sight online
(NYTimes)
FBI leads investigation of RPI computer attack (Albany Times Union)
Microsoft Data Shows That The FCC's Broadband Maps Are Fantasy (TechDirt)
Cheating Charges Upend Dartmouth Medical School (NYTimes)
Bias Is a Big Problem. But So Is Noise. (NYTimes)
We Found Joe Biden's Secret Venmo. Here's Why That's A Privacy Nightmare
For Everyone (Buzzfeed News)
Open Source and Cybersecurity (ZDNet via Rebecca Mercuir)
U.S. Has Almost 500,000 Job Openings in Cybersecurity (CBS News)
Californian RoboCop Had To Deal With Its First Crime, And It Did Not Go Well
(IFLScience)
The United States should make cybercrime a high priority (WashPost)
Mob Violence Against Palestinians in Israel Is Fueled by Groups on WhatsApp
(NYTimes)
Coinbase is down for some users as Bitcoin sees massive sell-off (CNBC)
Dutch civil servants used social media to spy on citizens, says study
(EuroNews)
How to Solve Captchas -- and Why They've So Hard to Solve (WiReD)
Cracking the Code of Letterlocking (Atlas Obscura)
Re: Marvin hacked (Tom Van Vleck)
Re: RISKS and Zero Day (Kim Zetter)
Re: I have been pwned! -- but not really (Merlyn)
Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob, Popsicles
(Bernie Cosell)
MIT STAMP/STPA Virtual Workshop 2021 (Nancy Leveson)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 16 May 2021 19:06:41 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Waymo self-driving taxi fumbles in construction Zone, Blocks
Traffic (Youtube)
This clip posted by JJRicks, shows a ride on a Waymo autonomous taxi, which
got confused about the meaning of traffic cones:
https://www.youtube.com/watch?v=zdKCQKBvH-A
[Lauren Weinstein noted this:
Waymo robocar gets stuck, blocks traffic, then attempts to escape its
human overseers
https://youtu.be/zdKCQKBvH-A?t=757
PGN]
------------------------------
Date: Tue, 18 May 2021 10:45:53 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Tesla's Autopilot Mode Crashed a Car Right Into a Washington State
Cop Car (Gizmodo)
https://gizmodo.com/teslas-autopilot-mode-crashed-a-car-right-into-a-washin-1846916808
------------------------------
Date: Fri, 14 May 2021 19:23:24 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Tesla Autopilot system was on during fatal California crash, adding
to self-driving safety concerns (WashPost)
Tesla Autopilot system was on during fatal California crash, adding to
self-driving safety concerns
https://www.washingtonpost.com/technology/2021/05/14/tesla-california-autopilot-crash/?utm_campaign=wp_main&utm_source=twitter&utm_medium=social
------------------------------
Date: Mon, 17 May 2021 00:14:27 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Your Car Is Spying on You. A CBP Contract Shows the Risks.
(The Intercept)
A vehicle forensics kit can reveal where you've driven, what doors you
opened, and who your friends are.
U.S. Customs and Border Protection purchased technology that vacuums up
reams of personal information stored inside cars, according to a federal
contract reviewed by The Intercept, illustrating the serious risks in
connecting your vehicle and your smartphone.
The contract, shared with The Intercept by Latinx advocacy organization
Mijente, shows that CBP paid Swedish data extraction firm MSAB $456,073 for
a bundle of hardware including five vehicle forensics kits manufactured by
Berla, an American company. A related document indicates that CBP believed
the kit would be ``critical in CBP investigations as it can provide evidence
[not only] regarding the vehicle's use, but also information obtained
through mobile devices paired with the infotainment system.'' The document
went on to say that iVe was the only tool available for purchase that could
tap into such systems.
https://theintercept.com/2021/05/03/car-surveillance-berla-msab-cbp/
------------------------------
Date: Sun, 16 May 2021 17:48:26 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Get Ready for In-Car Ads (The Intercept)
Because being bombarded with roadside signage while taking a leisurely
Sunday drive isn't enough, Ford has patented a new system that uses a
vehicle's cameras to detect billboards and then pull them up on a car's
infotainment display as inescapable in-vehicle advertisements.
<https://pdfaiw.uspto.gov/.aiw?docid=20210133810&SectionNum=1&IDKey=1E5A14DC9924&HomeUrl/>
<https://thenextweb.com/news/ford-new-patent-ruin-driving-forever-hell>
Billboards are an effective way to subliminally make a driver hungry for an
approaching fast food restaurant, or convince them they need to pull off the
road and visit a nearby outlet mall for some discount Reeboks. What
billboards aren't great at is providing detailed information like a phone
number, an address, or a website, as even large signage often isn't visible
long enough for a driver or passenger to memorize important details. That's
the problem Ford is trying to solve with this new system it's patenting --
although the larger potential here is concerning.
Many vehicles now come standard with built-in cameras that are either used
for autonomous driving features, security, or for providing a driver with a
view outside the vehicle to make parking easier. What Ford wants to do is
leverage those cameras to also keep an eye out for passing billboards, and
then use image recognition to put a copy of the advertisement on a vehicle's
infotainment screens so it's visible to the driver and passengers for
longer. The system would also intelligently analyze the content of the
billboard and generate hyperlinks, either for easily dialing a posted phone
number, or for bringing up a company's website to see additional information.
https://gizmodo.com/get-ready-for-in-car-ads-1846888390
[More distractions for the surrogate-driver in a driverless vehicle (who
is still supposed to be paying attention), or for the actual driver in a
conventional vehicle with already distracting electronic displays. This
is a really terrible idea. Perhaps it would inspire a renewed attempt at
"Smell-o-Vision", although the 1960 movie-theater attempt ran into
lingering scents that would not go away, and the concept was quickly
abandoned. That's my two-scents' worth. PGN]
------------------------------
Date: Fri, 21 May 2021 9:38:35 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: CNA paid $40M for ransomware (Bloomberg)
[Re: Colonial paid $5m ransom which I noted in RISKS-32.67,
here's another case. PGN]
Insurance carrier CNA paid a $40 million dollar ransom after an attack in
March 2021,
https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
------------------------------
Date: Fri, 14 May 2021 10:56:46 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: Irish Health Service hit by ransomware (BBC)
https://www.bbc.com/news/world-europe-57111615
------------------------------
Date: Fri, 21 May 2021 9:55:56 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Technobabble, Libertrarian Derp and Bitcoin (Paul Krugman)
Paul Krugman, *The New York Times*, 21 May 2021
Rising asset prices don't mean that silly ideas necesarily make sense.
Last para:
The good news is that none of this matters very much. Because Bitcoin and
its relatives haven't managed to achieve any meaningful economic role,
what happens to their value is basically irrelevant to those of us not
playing the crypto game.
------------------------------
Date: Fri, 21 May 2021 00:43:38 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The Full Story of the Stunning RSA Hack Can Finally Be Told (WiReD)
In 2011, Chinese spies stole the crown jewels of cybersecurity -- stripping
protections from firms and government agencies worldwide. Here's how it
happened.
https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/
------------------------------
Date: Tue, 18 May 2021 20:43:55 +0900
From: Dave Farber <far...@gmail.com>
Subject: Flaw in Japan vaccine reservation system leaves government
red-faced (The Japan Times)
A quote that should apply to all software systems:
``It would have been better if we had fixed it from the start,'' the
minister said, adding that the ministry does not plan to conduct a large
system overhaul.
Flaw in Japan vaccine reservation system leaves government red-faced
Japan Times, 18 May 2021
<https://www.japantimes.co.jp/news/2021/05/18/national/japan-vaccine-reservation-flaw/>
<https://cdn-japantimes.com/wp-content/uploads/2021/05/np_file_87756-1.jpeg>
The Defense Ministry says it will fix a fault in the booking system for the
large vaccination centers it operates. | KYODO
The government said Tuesday it will fix a COVID-19 vaccine booking system
fault that allowed reservations to be made using nonexistent application
numbers.
The announcement came a day after the government started accepting online
bookings for older people to receive shots at large Self-Defense
Forces-staffed vaccination centers in Tokyo and Osaka as it attempts to ramp
up its inoculation rollout amid a fourth wave of infections.
The state-run booking system for the vaccination center in Tokyo was found
to accept municipality code numbers and vaccination ticket numbers that were
not issued by respective authorities.
"We plan on fixing (the system) so we can confirm the inputted data are
genuine information," Defense Minister Nobuo Kishi said at a news
conference.
"It would have been better if we had fixed it from the start," the minister
said, adding that the ministry does not plan to conduct a large system
overhaul.
The problem was reported Monday by major news organizations Asahi Shimbun
Publications Inc. and the Mainichi Shimbun, which signed up to test the
system using fictitious information. Both said in their reporting that they
had canceled reservations they created.
Kishi said he takes the actions of the companies "very seriously," calling
them "malicious and very regrettable" despite the significant flaws they
brought to light.
He asked the public not to make appointments using false information to
ensure slots are available to those who are eligible and so vaccines are not
wasted.
The problem with vaccination ticket numbers, issued to eligible individuals
by their municipality, was put down to a failure to cross-reference data in
the system with that from local municipalities, according to the Defense
Ministry.
"We did not think it appropriate for the Defense Ministry to retain private
information of every individual in the country subject to vaccination,"
Kishi said.
At a separate news conference, Chief Cabinet Secretary Katsunobu Kato warned
the government may consider taking legal action against people or groups
deemed to have taken advantage of the system failure in a malicious manner,
such as making many reservations using fictitious data.
Currently, residents of Tokyo's 23 wards and the city of Osaka age 65 or
older are able to make appointments via the Defense Ministry's website and
the Line messaging app but spots are filling up quickly with the launch of
online bookings.
The government moved to set up mass vaccination centers operated mostly by
Self-Defense Forces doctors and nurses to accelerate its vaccine rollout,
given only around 3% of its population of 126 million has received at least
one shot of a vaccine, the slowest vaccination rate among major economies.
Some municipalities that run local inoculation venues have experienced
problems processing appointments as phone lines and computer systems have
been overloaded.
According to the Defense Ministry, around 44,000 slots for the Tokyo center were booked by 7 a.m. Tuesday out of the 50,000 that had been made available between May 24 and May 30.
Additionally, all of the 25,000 slots for the Osaka center were filled
within 25 minutes on Monday afternoon, the ministry said.
Japan began inoculation of its older population of about 36 million in
mid-April after its vaccination effort for health care workers started in
February.
[Does anyone believe that the huge influx of counterfeit
proof-of-vaccination cards is going to increase herd immunity? I have not
heard the herd crying out for salvation. PGN]
------------------------------
Date: Fri, 14 May 2021 09:19:05 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Just 12 People Are Behind Most Vaccine Hoaxes On Social Media,
Research Shows ()
https://www.npr.org/2021/05/13/996570855/disinformation-dozen-test-facebooks-twitters-ability-to-curb-vaccine-hoaxes?utm_campaign=storyshare&utm_source=twitter.com&utm_medium=social
------------------------------
Date: Thu, 13 May 2021 14:51:12 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Prosecutors probe Pennsylvania contact-tracing data breach
(Meadville Tribune)
This impacted 72K people relative to COVID-19.
https://www.meadvilletribune.com/coronavirus/prosecutors-probe-pennsylvania-contact-tracing-data-breach/article_c97c5eb9-d364-52bd-a8d4-d85f8d3a129e.html
------------------------------
Date: Fri, 14 May 2021 21:53:30 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Millions of fake commenters asked the FCC to end net neutrality.
*Astroturfing'* is a business model. (WashPost)
The technology used this time may be new, but the business model has been
around for decades.
https://www.washingtonpost.com/politics/2021/05/14/millions-fake-commenters-asked-fcc-end-net-neutrality-astroturfing-is-business-model/
------------------------------
Date: Mon, 17 May 2021 12:34:06 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Police Departments Adopting Facial Recognition Tech Amid
Allegations of Wrongful Arrests (60 Minutes)
Anderson Cooper, 60 Minutes 16 May 2021 via ACM TechNews, 17 May 2021
U.S. police departments are adopting facial recognition technology, despite
complaints of wrongful arrests resulting from its use. Clare Garvie at
Georgetown University Law's Center on Privacy and Technology thinks facial
recognition has been involved in hundreds of thousands of such cases, in
which users incorrectly assume the technology is faultless, given the
mathematical basis of its matches. The U.S. National Institute of Standards
and Technology's Patrick Grother evaluates prototype facial recognition
algorithms, and his team published a landmark study which determined that
many facial recognition algorithms found it difficult to distinguish between
Black, Asian, and female faces. Grother said false negatives arising from
such errors could lead to wrongful arrests. Since last summer, three Black
men have sued for wrongful arrest involving facial recognition; said Garvie,
"The fact that we only know of three misidentifications is more a product of
how little we know about the technology than how accurate it is."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2b09ax22b48bx069479&
------------------------------
Date: Fri, 14 May 2021 12:05:48 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: The Disinformation Dozen (NPR)
An intriguing piece of research has found that the majority of antivax
disinformation is being distributed by only twelve people.
https://www.npr.org/2021/05/13/996570855/disinformation-dozen-test-facebooks-twitters-ability-to-curb-vaccine-hoaxes
On the downside, these few people are having a massively disproportionate
effect on public discourse and behaviour. Although only a dozen people are
the instigators, they use multiple accounts, get reposted by many others,
and use various ruses to try and avoid being banned by social media
platforms.
On the plus side, if this research holds true for other forms of
disinformation, it does indicate that a concerted effort could seriously
reduce the disinformation problem overall ...
------------------------------
Date: Fri, 14 May 2021 10:03:48 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons
(The Hacker News)
Cybercrime groups are distributing malicious PHP web shells disguised as a
favicon to maintain remote access to the compromised servers and inject
JavaScript skimmers into online shopping platforms with an aim to steal
financial information from their users.
"These web shells known as Smilodon or Megalodon are used to dynamically
load JavaScript skimming code via server-side requests into online stores,"
Malwarebytes J=C3=A9r=C3=B4me Segura said
<https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/>
in a Thursday write-up. "This technique is interesting as most client-side
security tools will not be able to detect or block the skimmer."
Injecting web skimmers on e-commerce websites to steal credit card details
is a tried-and-tested modus operandi of Magecart, a consortium of different
hacker groups who target online shopping cart systems. Also known as
formjacking attacks, the skimmers take the form of JavaScript code that the
operators stealthily insert into an e-commerce website, often on payment
pages, with an intent to capture customers' card details in real-time and
transmit them to a remote server.
While injecting skimmers typically work by making a client-side request to
an external JavaScript resource hosted on an attacker-controlled domain when
a customer visits the online store in question, the latest attack is a
little different in that the skimmer code is introduced into the merchant
site dynamically at the server-side. [...]
https://thehackernews.com/2021/05/magecart-hackers-now-hide-php-based.html
------------------------------
Date: Fri, 14 May 2021 12:20:52 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Lies on Social Media Inflame Israeli-Palestinian Conflict (NYTimes)
https://www.nytimes.com/2021/05/14/technology/israel-palestine-misinformation-lies-social-media.html
------------------------------
Date: Sat, 15 May 2021 09:43:34 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Tech audit of Colonial Pipeline found glaring' problems (AP)
An outside audit three years ago of the major East Coast pipeline company
hit by a cyberattack found *atrocious* information management practices and
``A Patchwork of poorly connected and secured systems,'' its author told The
Associated Press.
``We found glaring deficiencies and big problems,'' said Robert
F. Smallwood, whose consulting firm delivered an 89-page report in January
2018 after a six-month audit. ``I mean an eighth-grader could have hacked
into that system.''
How far the company, Colonial Pipeline, went to address the vulnerabilities
isn't clear. Colonial said Wednesday that since 2017, it has hired four
independent firms for cybersecurity risk assessments and increased its
overall IT spending by more than 50%. While it did not specify an amount, it
said it has spent tens of millions of dollars.
``We are constantly assessing and improving our security practices -- both
physical and digital,'' the privately held Georgia company said in response
to questions from the AP about the audit's findings. It did not name the
firms who did cybersecurity work but one firm, Rausch Advisory Services,
located in Atlanta near Colonial's headquarters, acknowledged being among
them. Colonial's chief information officer sits on Rausch's advisory board.
[...]
https://apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d
------------------------------
Date: Sat, 15 May 2021 16:51:19 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: 'Extreme Reaction' By Colonial Pipeline Baffles Energy Experts
(Arlington VA Patch)
VIRGINIA -- The major East Coast pipeline behind the gasoline shortages in
the Southeast and mid-Atlantic is coming under scrutiny for its information
technology and cybersecurity practices.
Colonial Pipeline revealed Friday that it had been the target of a
cyberattack on its information technology system. The company said the
hackers stole nearly 100 gigabytes of data and encrypted at least a portion
of the company's information technology network.
The hackers, however, did not obtain access to the operational technology
side of the pipeline company's system. But Colonial Pipeline still decided
to shut down the entire pipeline system, which provides nearly 50 percent of
the gasoline and jet fuel to East Coast markets.
The decision to shut down the pipeline system has caused major shortages of
gasoline. In Virginia, 55 percent of gas stations had run dry of supplies as
of Thursday morning, according to GasBuddy, which tracks supply. In the
District of Columbia, about 51 percent of stations were out of gas. [...]
The cyberattack targeted the portion of Colonial Pipeline's technology
network that most of its employees use to check their email, review
contracts and write and distribute invoices, Bloomberg reported Wednesday.
Colonial Pipeline had no evidence that its operational technology systems,
which are not connected to its information technology system, had been
compromised in the attack, the company said. [...]
Pipeline system operations became more digital in the 1990s and 2000s.
According to an Associated Press report, though, an outside audit conducted
ç¢ree years ago of Colonial Pipeline found "atrocious" information
management practices and "a patchwork of poorly connected and secured
systems."
"We found glaring deficiencies and big problems," Robert F. Smallwood, whose
consulting firm completed a report in January 2018 after the audit, told the
AP. "I mean, an eighth grader could have hacked into that system."
The exact reason for Colonial Pipeline's decision to shut down the entire
pipeline system remains unclear. The company has acknowledged that the
cyberattack affected only a portion of its information technology system,
including the parts related to contracts and invoices.
https://patch.com/virginia/arlington-va/extreme-reaction-colonial-pipeline-baffles-energy-experts
------------------------------
Date: Fri, 14 May 2021 22:08:49 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: DarkSide group that attacked Colonial Pipeline drops from sight
online (NYTimes)
DarkSide group that attacked Colonial Pipeline drops from sight online
https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/
https://www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html
------------------------------
Date: Fri, 14 May 2021 23:57:12 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: FBI leads investigation of RPI computer attack (Albany Times Union)
Albany Times Union, 12 May 2021
Malware has upended university operations during finals week
FBI and State Police cybersquads are investigating a malware attack that has
paralyzed computer systems at Rensselaer Polytechnic Institute since last
week.
Since it was detected on Friday, the cyberattack has disrupted nearly all of
the world-famous engineering and research school's operations officials
confirmed.
https://digital.olivesoftware.com/olive/ODN/AlbanyTimesUnion/shared/ShowArticle.aspx?doc=HATU%2F2021%2F05%2F12&entity=Ar00107&sk=D12A0898&mode=text#
------------------------------
Date: May 14, 2021 21:39:55 JST
From: Richard Forno <rfo...@infowarrior.org>
Subject: Microsoft Data Shows That The FCC's Broadband Maps Are Fantasy
(TechDirt)
https://www.techdirt.com/articles/20210511/07082546773/microsoft-data-shows-that-fccs-broadband-maps-are-fantasy.shtml
[via Dave Farber]
------------------------------
Date: Sun, 16 May 2021 01:25:27 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Cheating Charges Upend Dartmouth Medical School (NYTimes)
The university accused 17 students of cheating on remote exams, raising
questions about data mining and sowing mistrust on campus.
At the heart of the accusations is Dartmouth’s use of the Canvas system
to retroactively track student activity during remote exams without their
knowledge. In the process, the medical school may have overstepped by using
certain online activity data to try to pinpoint cheating, leading to some
erroneous accusations, according to independent technology experts, a review
of the software code and school documents obtained by The New York Times.
Online Cheating Charges Upend Dartmouth Medical School
https://www.nytimes.com/2021/05/09/technology/dartmouth-geisel-medical-cheating.html
------------------------------
Date: Sun, 16 May 2021 13:34:46 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Bias Is a Big Problem. But So Is Noise. (NYTimes)
The word *bias* commonly appears in conversations about mistaken judgments
and unfortunate decisions. We use it when there is discrimination, for
instance against women or in favor of Ivy League graduates. But the meaning
of the word is broader: A bias is any predictable error that inclines your
judgment in a particular direction. For instance, we speak of bias when
forecasts of sales are consistently optimistic or investment decisions
overly cautious.
Society has devoted a lot of attention to the problem of bias -- and rightly
so. But when it comes to mistaken judgments and unfortunate decisions, there
is another type of error that attracts far less attention: noise.
To see the difference between bias and noise, consider your bathroom
scale. If on average the readings it gives are too high (or too low), the
scale is biased. If it shows different readings when you step on it several
times in quick succession, the scale is noisy. (Cheap scales are likely to
be both biased and noisy.) While bias is the average of errors, noise is
their variability.
Although it is often ignored, noise is a large source of malfunction in
society. In a 1981 study, for example, 208 federal judges were asked to
determine the appropriate sentences for the same 16 cases. The cases were
described by the characteristics of the offense (robbery or fraud, violent
or not) and of the defendant (young or old, repeat or first-time offender,
accomplice or principal). You might have expected judges to agree closely
about such vignettes, which were stripped of distracting details and
contained only relevant information. ...
Once you become aware of noise, you can look for ways to reduce it. For
instance, independent judgments from a number of people can be averaged (a
frequent practice in forecasting). Guidelines, such as those often used in
medicine, can help professionals reach better and more uniform decisions. As
studies of hiring practices have consistently shown, imposing structure and
discipline in interviews and other forms of assessment tends to improve
judgments of job candidates.
No noise-reduction techniques will be deployed, however, if we do not first
recognize the existence of noise. Noise is too often neglected. But it is a
serious issue that results in frequent error and rampant
injustice. Organizations and institutions, public and private, will make
better decisions if they take noise seriously.
https://www.nytimes.com/2021/05/15/opinion/noise-bias-kahneman.html
------------------------------
Date: Sun, 16 May 2021 01:52:53 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: We Found Joe Biden's Secret Venmo. Here's Why That's A Privacy
Nightmare For Everyone (Buzzfeed News)
The peer-to-peer payments app leaves everyone from ordinary people to the
most powerful person in the world exposed.
BuzzFeed News found President Joe Biden's Venmo account after less than 10
minutes of looking for it, revealing a network of his private social
connections, a national security issue for the United States, and a major
privacy concern for everyone who uses the popular peer-to-peer payments app.
[...]
Privacy advocates and journalists have warned about Venmo's privacy problems
for years, yet the PayPal-owned app has persisted with features that can
place people -- including the president of the United States -- at risk.
While many critics have focused on how the app makes all transactions public
by default, Venmo's friend lists are arguably a larger privacy issue. Even
if a Venmo account is set to make payments private, its friend list remains
exposed. There is no setting to make this information private, which means
it can provide a window into someone's personal life that could be exploited
by anyone -- including trolls, stalkers, police, and spies.
https://www.buzzfeednews.com/article/ryanmac/we-found-joe-bidens-secret-venmo
------------------------------
Date: Sat, 15 May 2021 08:31:50 -0400
From: DrM <not...@mindspring.com>
Subject: Open Source and Cybersecurity
An interesting article:
https://www.zdnet.com/article/linux-and-open-source-communities-rise-to-bidens-cybersecurity-challenge/
------------------------------
Date: Fri, 21 May 2021 12:27:06 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: U.S. Has Almost 500,000 Job Openings in Cybersecurity (CBS News)
Khristopher J. Brooks, CBS News, 19 May 2021, via ACM TechNews, 21 May 2021
The U.S. Commerce Department's Cyber Seek technology job-tracking database
and the trade group CompTIA count about 465,000 current U.S. cybersecurity
jobs openings. Experts said private businesses and government agencies' need
for more cybersecurity staff has unlocked a prime opportunity for anyone
considering a job in that field. The University of San Diego's Michelle
Moore suggested switching to a cybersecurity career could be as simple as
obtaining a Network+ or Security+ certification, while an eight-week online
course could help someone gain an entry-level job earning $60,000 to $90,000
a year as a penetration tester, network security engineer, or incident
response analyst. Moore cited a lack of skilled cybersecurity personnel as a
problem, while CompTIA's Tim Herbert said only a small percentage of
computer science graduates pursue cybersecurity careers.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2b1dcx22b659x069602&
------------------------------
Date: Thu, 13 May 2021 17:42:18 -0700
From: Tom Van Vleck <th...@multicians.org>
Subject: Re: Marvin hacked (RISKS-32.67)
PGN suggested
> (Security was of course not in Turing's threat model.)
Yes, "security" is meaningful only relative to a model.
------------------------------
Date: Thu, 13 May 2021 20:07:34 -0700
From: Kim Zetter <kze...@gmail.com>
Subject: Re: RISKS and Zero Day
I noticed that you mis-credited CNN with the information that the Colonial
Pipeline had been shut down in part due to the fact that it's billing
system had been locked up by the ransomware. That information was first
reported by me four days ago in these two pieces (and CNN didn't give me
credit) published on my Zero Day substack publication:
https://zetter.substack.com/p/ransomware-infection-on-colonial
https://zetter.substack.com/p/biden-declares-state-of-emergency
Author: *Countdown to Zero Day: Stuxnet and the Launch of the World's First
Digital Weapon*
------------------------------
Date: Sat, 15 May 2021 15:11:03 -0700
From: mer...@stonehenge.com (Randal L. Schwartz)
Subject: Re: I have been pwned! -- but not really (Slade, RISKS-32.65)
I've had stonehenge.com since about the earliest possible time I could
register it. While I do get the expected misdirected pile of mail for that
big rock group in England, and the occasional mail for some other
stonehenge-like organization, the biggest breaches were back in the early
90s.
It seems that a large venture capital firm opened up, and although their
company name was something like Stonehenge Holdings Limited, every senior
staff member (and their assistants) seemed to think that their email address
was "some...@stonehenge.com". You have not seen misdirected email until
you've had complete business plans, various investment strategies, and other
private communications delivered to your inbox, all meant for people with
large sums of money to hand out.
I tried repeatedly to explain this to everyone I could find at the company,
but most of the time, they either apologized (and then forgot), or somehow
accused me of hacking. I could almost imagine that their business cards
might have even been wrong.
Thank goodness they eventually went out of business.
------------------------------
Date: Thu, 13 May 2021 20:59:14 -0400
From: "Bernie Cosell" <cos...@alum.mit.edu>
Subject: Re: A mom panicked when her 4-year-old bought $2,600 in
SpongeBob, Popsicles (RISKS-32.65)
On 13 May 2021 at 15:02, Martin Ward wrote:
> Install the NoScript Firefox extension and ensure that
> washingtonpost.com is blocked. You can then read all the articles
> without the annoying popup asking you to subscribe or login.
How handy! We needed a forum on how to "share" things that we ought to pay
for. Next fun activity on RISKS -- how to get ATMs to spit out money.
NB: I don't mean to start a fight but I don't think that kind of "help" is
appropriate for RISKS.
[I don't think so either, but ran that item as a sort of test, for which
you are the only one thus far who responded. However, perhaps we have
done The Post a service by noting the lacuna, or perhaps they know about
it and believe it helps business. Historically, you might remember the
lame encryption used in early online games that seems to have increased
business by alerting more people to the game. PGN]
------------------------------
Date: Tue, 18 May 2021 11:54:26 -0400
From: Nancy Leveson via Ata-watchers <ata-wa...@airlinersafety.info>
Subject: MIT STAMP/STPA Virtual Workshop 2021
The free MIT STAMP/STPA Workshop be held virtually again this year (maybe
next year we can meet in person) spread out over the period from June
21-June 30. In case you are not aware, STAMP is a new accident causality
model based on systems theory and systems thinking described in Nancy
Leveson's book *Engineering a Safer World*. STAMP integrates into
engineering analysis the causal factors in our increasingly complex systems
such as software, human-decision making and human factors, new technology,
social and organizational design, and safety culture. STPA is a powerful new
hazard/cybersecurity analysis technique based on STAMP while CAST is the
equivalent for accident/incident analysis. These tools are now used globally
in almost every industry.
Free tutorials or videos of tutorials from last year will be provided so
everyone can participate, regardless of experience with STAMP or the
STAMP-based analysis techniques. You can access the tutorials from last year
at the PSAS website (http://psas.scripts.mit.edu/home) as well as
presentations from previous workshops. You will also find more information
about this year's workshop at the PSAS website as it becomes available.
The workshop is free, but In order to avoid spamming people, this is the
only message we will send to those who have not registered. We will also
use the registration list to send out passwords for the workshop in order to
provide security and avoid zoom bombers. You can register at
http://psas.scripts.mit.edu/home/2021-stamp-workshop-registration/
If you are unable to get to the registration site, please send me (
lev...@mit.edu) the following information: Name, Email, Affiliation
(company, government agency, university, etc.), Country, Industry, and Level
of Experience with STAMP-based methods) and I will make sure you are
registered.
The program is below although we are still working out details about day and
time. There were a large number of abstracts submitted so we could accept
only 20% of those submitted. The exact days and times will be provided
later. We expect speakers and attendees worldwide from almost every time
zone (last year there were over 3000 attendees) so we are still trying to
optimize timing. The presentations on any day will be limited to avoid zoom
fatigue.
*Presentations*
*Effectiveness of CAST, 5M and HFACS in Accident Investigation and
Prevention*, KAEFER Guenter (Austrian Air Force), KOGLBAUER Ioana (Graz
University of Technology, Austria)
*Safety Analysis of a Low-cost Insulin Infusion Pump using STPA: A Case
Study with Brazilian Company*, Aldo Martinazzo (Federal University of
S=C3=A3o Paulo), Luiz Eduardo Martins (Federal University of S=C3=A3o
Paulo), Tatiana Cunha (Federal University of S=C3=A3o Paulo)
*STPA Evaluation of Potential Conflicts between Large Commercial Air
Traffic and Small Uncrewed Aircraft Systems in the Terminal Airspace*,
Paul Stanley (Boeing), Victor Arcos Barraquero (Boeing)
*STPA at Google*, Tim Falzone (Google)
*STPA Return on Investment -- An Industry Perspective*, Marc Nance (Boeing
Retired, STAMP Engineering Services), Mark Vernacchia (General Motors),
Lori Smith (Boeing Retired, STAMP Engineering Services)
*Leveraging STPA to Create a More Informed Risk Matrix*, Sam Yoo and Dro
Gregorian (MIT)
*Analyzing National Responses to COVID-19 Pandemic using STPA*, Shufeng
Chen (WMG, University of Warwick)
*STPA Analysis Self-Driving Vehicles on level crossings -- lessons
learned*, Elma Dijkerman (Movares), Gea Kolk (Movares), Ello Weits
(Movares)
*Safety analysis of interoperability conformance profiles in Medical
Information Exchange*, Jens Weber (University of Victoria)
*Key Safety Indicators using STPA*, Stuart Williams (University of
Strathclyde, Glasgow)
*Introducing STAMP to a Major Health Organisation*, Wallace Grimmett
(MATER)
*Applying STPA in Development of Autonomous Container Handling Machinery*,
Eetu Heikkil=C3=A4 (VTT Technical Research Centre of Finland Ltd.)
*STPA in Support of Next-Gen Automotive E/E Architecture Development*.
Sandro N=C3=BCesch (Huawei Technologies Duesseldorf GmbH), Christoph
Ainhauser (Huawei Technologies Duesseldorf GmbH), Gereon Hinz (STTech GmbH
)
*Lightning Talks*
*Consideration of STPA in Civil Aviation*, Linh Le (Federal Aviation
Administration), Eric M Peterson (Federal Aviation Administration)
*Discussion on STPA Validation, Replicability and Analyst Bias*, Idoaldo
Lima (RWTH Aachen)
*Cybersecurity Incident Analysis by CAST using the Report of Unauthorized
Access to the Information System*, Tomoko Kaneko, Ph.D. (Researcher of
National Institute of Informatics)
*Hazard Analysis of Teaming Systems*, Andrew Kopeikin (MIT)
*Using STPA to Address Challenges in Achieving SOTIF*, Amardeep Sidhu
(Independent)
*Safety Analysis for an In-wheel Electric Motor Powertrain*, Joaquim Maria
Castella Triginer (Virtual Vehicle), Helmut Martin (Virtual Vehicle)
*Incorporating STPA into DoD Acquisition Program*, Drake Mailes (USAF)
*Open STPA with RAAML and Gaphor*, Dan Yeaw (Ford Motor Company), Kyle Post
(Ford Motor Company)
*Applying CAST to Human Error Related Manufacturing Mishaps*, Jess Reid
(Boeing)
*STPA-sec Supporting Zero Trust Partners*, William Young (USAF)
*Using STPA to identify conflicts in coal mining safety procedures*,
Alicja Krzemien (GIG Research Institute), Stanislaw Prusek (GIG Research
Institute)
*Panel Sessions*
Panel sessions with expert industry practitioners will give participants a
chance to ask questions and learn how they were able to implement
STAMP-based methods successfully.
Introducing STPA and CAST into Organizations
Progress on Including STPA in Industry Standards
And more...
*Interesting Uses Spotlights*
These will be very short introductions to new and interesting applications
that are not complete enough yet for a regular presentation:
Machine Learning (AI)
Indigenous healthcare in Australia
Pharmaceutical Order Entry Systems
Introducing STAMP in Organizations
Prioritizing Scenarios
Linux Medical Application
Prof. Nancy Leveson, Aeronautics and Astronautics, MIT, Room 33-334
77 Massachusetts Ave., Cambridge, MA 02142
Email: lev...@mit.edu URL: http://sunnyday.mit.edu
------------------------------
Date: Wed, 19 May 2021 15:53:21 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Californian RoboCop Had To Deal With Its First Crime, And It Did
Not Go Well (IFLScience)
Picture a world where police robots roam the streets dealing with crime, and
I can pretty much guarantee you'll either think of a nightmarish
all-powerful police state where everything has gone horribly wrong and/or
Robocop.
But it turns out robot police are already here and it's nothing like either
of those options: They just don't really give a shit about citizens. [...]
Why no help from the robot, you may ask. Perhaps they have already turned on
humans and are only interested in robocrimes?
Well, it turns out that RoboCop is in no way connected to the actual
police. The calls instead go to the robots' creator, Knightscope, who leases
the robots to the police department.
Knightscope also made the robot security guard that famously "committed
suicide" in 2017.
It turns out, the robots' cameras, which are capable of recording 360-degree
high definition video and live-streaming it to police phones, are not
connected to the police yet, nor are its abilities to read license plates
and track cell phone use in the area. Police Chief Cosme Lozano told NBC
News that the robot is there on a trial basis, and will eventually be fully
connected to the department's dispatch center.
But for the moment if you see RoboCop you can be assured it doesn't actually
do anything. It just potters around LA, tells citizens worried about crime
to get out of the way, and sometimes, just sometimes, chats to Elon Musk on
Twitter. At a cost of $60,000-$70,000 a year.
https://www.iflscience.com/technology/californian-robocop-had-to-deal-with-its-first-crime-and-it-did-not-go-well/
From October 2019
------------------------------
Date: Mon, 17 May 2021 15:27:11 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The United States should make cybercrime a high priority (WashPost)
The May 11 editorial: *The ransomware emergency is here* failed to point out
that American computer experts can break any encryption scheme at any time
anywhere in the world. The United States, after all, is home to more than
100 supercomputers, the fastest of which is operated by the Energy
Department. Russia, in contrast, has only three supercomputers in the entire
country. Americans should perhaps assign a higher priority to defeating
cyber criminals in general and ransomware criminals in particular.
https://www.washingtonpost.com/opinions/letters-to-the-editor/the-united-states-should-make-cyber-crime-a-high-priority/2021/05/14/5237a4d6-b373-11eb-bc96-fdf55de43bef_story.html
...and assign higher priority to developing minimal technology literacy
among citizens and newspaper editors.
------------------------------
Date: Wed, 19 May 2021 15:59:50 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Mob Violence Against Palestinians in Israel Is Fueled by Groups on
WhatsApp (NYTimes)
Mob Violence Against Palestinians in Israel Is Fueled by Groups on WhatsApp
https://www.nytimes.com/2021/05/19/technology/israeli-clashes-pro-violence-groups-whatsapp.html
Of course, as comments note, it's used in the other direction as well.
------------------------------
Date: Wed, 19 May 2021 16:05:37 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Coinbase is down for some users as Bitcoin sees massive sell-off
(CNBC)
Crypto-exchange Coinbase said its site and app resumed service after a brief
outage earlier in the day.
Coinbase was down for some users Wednesday morning as digital coins plunged.
Several social media users seemed frustrated at the app and site's error
while cryptocurrencies were plunging, looking to buy the dip.
Coinbase is down for some users as Bitcoin sees massive sell-off
<https://www.cnbc.com/2021/05/19/coinbase-is-down-for-some-users.html?__sourceiosappshare%7Ccom.apple.UIKit.activity.Mail>
------------------------------
Date: Wed, 19 May 2021 19:04:03 -0400
From: "Robert Mathews (OSIA)" <mat...@hawaii.edu>
Subject: Dutch civil servants used social media to spy on citizens, says
study (EuroNews)
Hebe Campbell & Matthew Holro, EURONEWS, 19 May 2021
https://www.euronews.com/2021/05/19/dutch-civil-servants-used-social-media-to-spy-on-citizens-says-study
------------------------------
Date: Thu, 20 May 2021 02:14:23 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: How to Solve Captchas -- and Why They've So Hard to Solve (WiReD)
https://www.wired.com/story/im-not-a-robot-why-captchas-hard-to-solve/
Headline lies -- no tips here.
------------------------------
Date: Thu, 20 May 2021 02:23:04 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Cracking the Code of Letterlocking (Atlas Obscura)
A tale of Black Chambers, lost correspondence, and high technology.
https://www.atlasobscura.com/articles/letterlocking-virtual-unfolding
Early message security...
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 32.68
************************
0 new messages