Risks Digest 33.29

RISKS List Owner

Jun 20, 2022, 1:41:17 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Thursday 16 June 2022 Volume 33 : Issue 29

Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can also be found at

Self-driving car crashes (NHTSA via Monty Solomon)
Musk Achs: Twitter, Tesla, and SpaceX (Lauren Weinstein via PGN)
Two Israeli intel soldiers and a teenager charged with exposing classified
information online (Haaretz)
Crypto's Price Plunge Exposes Industry's Unstable Roots (NYTimes)
Physics-Based Cryptocurrency Transmits Energy Through Blockchain (LLNL)
The NSA Says that There are No Known Flaws in NIST's Quantum-Resistant
Algorithms (Bruce Schneier)
The "Sentient AI" story (Lauren Weinstein)
DVFS and Hertzbleed (Cliff Kilby)
Facebook Is Receiving Sensitive Medical Information from Hospital Websites
(The Markup)
Facebook plans to show content mainly from strangers (The Verge)
BEREC network neutrality guidelines (Barbara via Schewick via LW)
Privacy bill would set out rules on use of personal data, artificial
intelligence (CBC)
Executive Order 14028 and the death knell of jSCH (Cliff Kilby)
Re: How Henry Ford Would Deal With Today's Supply Chain Upheaval
(Amos Shapir)
Re: Long-term planning and Optimization (Dick Mills, Amos Shapir)
Re: The Billionaires Seeking a U.S. Chip-Making Revival (Arthur Flatau)
Re: 5GSec Convergence Accelerator Proposal (Cliff Kilby)
Abridged info on RISKS (comp.risks)


Date: Wed, 15 Jun 2022 22:04:32 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Self-driving car crashes (NHTSA)

[3 items PGN-merged]

NHTSA: 'Self-driving' cars were linked to 392 crashes in 10 months

NHTSA report shows Tesla Autopilot led the pack in crashes, but
the data has gaps (techcrunch)

NHTSA data shows Teslas using Autopilot crashed 273 times in less than a year


Date: Thu, 16 Jun 2022 11:04:18 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Musk Achs: Twitter, Tesla, and SpaceX

[PGN retitled with German grunt-pun, combining several contributions from
Lauren into a single RISKS item. PGN]

* More Musk
Musk essentially told Twitter employees that it's OK for Twitter to
become a cesspool of hate speech and disinformation, so long as
Twitter doesn't promote it and individuals can block any given sender.
This would still turn Twitter into a hellhole. Hate campaigns could
drive individuals off the platform, unable to block so many senders.
Crazies would spread hate amongst themselves. And all of this conflicts
with the push to monitor social media for law enforcement purposes.
A total mess.

* Musk vs. the EU
Twitter operates internationally. Any given tweet thread may have
participants from anywhere in the world. The EU is rapidly ramping up
prohibitions on hate speech and disinformation. Think about it.

* Elon Musk, Tesla and SpaceX Hit With $258 Billion Dogecoin Lawsuit


Date: Wed, 15 Jun 2022 18:14:15 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Two Israeli intel soldiers and a teenager charged with exposing
classified information online (Haaretz)

State prosecutors charge a reserve soldier and a service soldier of the
Intelligence Corps, and a teenager, with publishing classified military
information online. According to charges, one of the soldiers used his
access to secret information to share it with the other, who shared it with
the teenager, who posted it on social media.



Date: Wed, 15 Jun 2022 11:37:24 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Crypto's Price Plunge Exposes Industry's Unstable Roots (NYTimes)

David Yaffe-Bellany and Erin Griffith
*The New York Times*. 15 Jun 2022, National Edition front page +A13

A global industry worth hundreds of billions of dollars rose up practically
overnight. Now it is crashing down.

For years [cryptocurrencies] have been marketed as a hedge against inflation
caused by central banks flooding the economy with money. ... But now, with
stocks crashing, interest rates soaring and inflation high, cryptocurrency
prices are also collapsing, showing they have become tied to the overall

p.A13 summary fragment:
Companies are laying off staff and freezing withdrawals.

[Coinbase layoffs were noted briefly in RISKS-33.28, and extensively
in this *Times* article. PGN]


Date: Wed, 15 Jun 2022 12:01:04 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Physics-Based Cryptocurrency Transmits Energy Through Blockchain

Anne M. Stark, Lawrence Livermore National Laboratory, 13 Jun 2022,
via ACM TechNews, 15 Jun 2022

Researchers at the U.S. Department of Energy's Lawrence Livermore National
Laboratory (LLNL) have developed E-Stablecoin, a physics-based
cryptocurrency that connects electrical energy with blockchain technology.
LLNL's Maxwell Murialdo and Jon Belof said the energy-information link
supports the generation of a cryptocurrency token directly backed by and
convertible into one kilowatt-hour of electricity, making E-Stablecoin the
first digital token to be collateralized by a physical asset. Said Belof,
"Through thermodynamic reversibility -- to the extent that it is allowed by
a modern understanding of statistical mechanics -- we envision a future
blockchain that is not only rooted in real-life assets like energy usage,
but also is a more responsible steward of our natural resources in support
of the economy."


[Tom Berson's reaction to this item was helpful:
I was surprised to be told that a kWh of electricity is a physical
asset. It is 3.6 megajoules of energy. I suppose it is convertible to
mass by Einstein's equation. I was also surprised that the cost of
generating a kWh is somehow stable. These cryptocurrency folk will stop
at nothing. TB]

[What could possibly go wrong? We need more stewards who are actually
responsible, but today's stewards are running everything into the
ground, particularly with respect to climate change. How much energy is
wasted in trying to make this link? Also, we may need a Skewered
Steward to assuredly pin the blockchain to statistical mechanics. We
may also need an E-Stable to house the blockchained E-horses that
E-touts are betting will win the race (overseen by trusted racing
E-stewards) for the best and most stable cryptocurrency, once they are
let free from their blockchains and converted to real-world constraints.
But this LLNL item seems seriously overhyped, way beyond the inherent
limitations of already overhyped cryptocurrencies. Hyperbolic in the
over-the-top sense, or on a nonconverging infinite hyperbolic geometry
curve? PGN]


Date: Wed, 15 Jun 2022 06:25:17 +0000
From: Bruce Schneier <schn...@schneier.com>
Subject: The NSA Says that There are No Known Flaws in NIST's
Quantum-Resistant Algorithms

Excerpt from CRYPTO-GRAM, 15 Jun 2022

Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School
schn...@schneier.com, https://www.schneier.com

NSA says there are no known flaws in NIST's quantum-resistant algorithms
16 May 2022


Rob Joyce, the director of cybersecurity at the NSA, said so in an

``The NSA already has classified quantum-resistant algorithms of its own
that it developed over many years. But it didn't enter any of its own in
the contest. However, the agency's mathematicians worked with NIST to
support the process, trying to crack the algorithms in order to test their

``Those candidate algorithms that NIST is running the competitions on all
appear strong, secure, and what we need for quantum resistance. We've
worked against all of them to make sure they are solid, The purpose of the
open public international scrutiny of the separate NIST algorithms is to
build trust and confidence.''

I believe him. This is what the NSA did with NIST's candidate algorithms for
AES and then for SHA-3. NIST's Post-Quantum Cryptography Standardization
Process looks good.

I still worry about the long-term security of the submissions, though. In
2018 in an essay titled Cryptography After the Aliens Land
I wrote:

...there is always the possibility that those algorithms will fall to
aliens with better quantum techniques. I am less worried about symmetric
cryptography (where Grover's algorithm is basically an upper limit on
quantum improvements) than I am about public-key algorithms based on number
theory, which feel more fragile. It's possible that quantum computers will
someday break all of them, even those that today are quantum resistant.

It took us a couple of decades to fully understand von Neumann computer
architecture. I'm sure it will take years of working with a functional
quantum computer to fully understand the limits of that architecture. And
some things that we think of as computationally hard today will turn out not
to be.

EDITED TO ADD (6/14): Since I wrote this, flaws were found in at least four


Date: Tue, 14 Jun 2022 20:35:54 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: The "Sentient AI" story

My email load is now significantly people asking me about the "Sentient
Google AI" story. I have boilerplate now to explain in lay terms why there's
no sentience involved, but it's clear that corporate comms around AI in
general leave much to be desired. -L


Date: Wed, 15 Jun 2022 16:57:05 -0400
From: Cliff Kilby <cliff...@gmail.com>
Subject: DVFS and Hertzbleed

After reading about the M1 speculation issue in ARM (Risks 33.28) I was
reminded I had read something similar previously. My recollection was wrong,
but it did eventually get to a point. https://www.hertzbleed.com/
demonstrated a side channel attack against most popular x86 chips. I don't
specialize in chipsets, and tend towards having to believe when I ask the
silicon for (1 | 0) it will almost never answer 2, or give my private
key to someone strolling by. Seems like the industry was already aware
there were some side channel issues in DVFS, as CLKSCREW demonstrated as
early as 2017.

So is Hertzbleed new? I'd ask my computer but it seems to be saying "We've
been trying to reach you about your auto warranty."


Date: Thu, 16 Jun 2022 07:16:25 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Facebook Is Receiving Sensitive Medical Information from Hospital
Websites (The Markup)



Date: Wed, 15 Jun 2022 16:32:11 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Facebook plans to show content mainly from strangers (The Verge)


What could go wrong?


Date: Wed, 15 Jun 2022 23:04:31 +0000
From: Barbara van Schewick <sche...@stanford.edu>
Subject: BEREC network neutrality guidelines

[via Lauren Weinstein's Network Neutrality Squad distribution]

EU top telecom regulator BEREC just issued new net neutrality
that ban zero-rating plans that exempt specific apps or categories of apps
from people's monthly data caps.

This is a big deal. The decision revolutionizes the treatment of zero-rating
in Europe and affects millions of Europeans. I haven't seen a lot of
reporting yet, so thought I would share. Links to two blog posts and two
Twitter threads below.

As I explain
the new guidelines are a huge win for Europeans and for the open Internet,
and for the consumer groups, civil society groups, and academics that have
fought so long for these changes.

The new guidelines respond to three 2021 decisions by Europe's top court,
which had found that discriminatory zero-rating violates Europe's net
neutrality law. Big carriers & platforms such as Facebook & Google had
pressured BEREC to ignore the rulings or interpret them narrowly.

That's not surprising. Discriminatory zero-rating plans disproportionately
benefited big platforms like Apple, Google & Facebook, while small companies
& European startups were left out.

Following the recommendation of ETNO, the large telecom companies' trade
association, BEREC's earlier draft guidelines had not clearly prohibited
three kinds of harmful zero-rating practices, including carriers zero-rating
their own apps & requiring apps to pay for zero-rating.

That was a problem because:

(1) in the past carriers have only stopped bad practices when they were
unequivocally prohibited; and

(2) these practices are even more harmful than the ones that were clearly

The new net neutrality guidelines close this loophole. They unequivocally
prohibit all zero-rating offers that exempt select apps or categories of
apps from people's monthly data caps. The ban applies whether the app pays
to be included or not. (See the quote from para. 40b below.)

BEREC also rejected all other attempts by the large telecom companies to water down the draft guidelines. (For details, see BEREC's report on the outcome of the consultation<https://berec.europa.eu/eng/document_register/subject_matter/berec/reports/10278-report-on-the-outcome-of-public-consultation-on-the-update-to-the-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>.)

Read more: More on the new guidelines (also copied below):
How we got here and why it matters:

Two Twitter threads:
https://twitter.com/vanschewick/status/1537046411186798598 (on the new guidelines and why they matter)
https://twitter.com/vanschewick/status/1537181737582665729 (how BEREC closed the loopholes in the draft guidelines despite intense pressure by large carriers and platforms)

European Regulators Just Stopped Facebook, Google and Big Telecoms' Net
Neutrality Violations

By Barbara van Schewick on June 15, 2022
URL: https://cyberlaw.stanford.edu/blog/2022/06/european-regulators-just-stopped-facebook-google-and-big-telecoms-net-neutrality

On Wednesday, European top telecom regulator BEREC, which consists of the
national telecom regulators from across the EU, published its revised net
guidelines<https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/10280-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>. The
guidelines now prohibit broadband providers' zero-rating offers that benefit
select apps or categories of apps, whether they do so for free or require
apps to pay to be included.

Zero-rating is a practice where a carrier does not count some online
activity against a customer's monthly data cap. For example, many European
carriers offer plans that don't count the data you use on Facebook or
WhatsApp against your data cap.

BEREC's previous net neutrality guidelines did not categorically ban
selective zero-rating programs or category-based ones that, e.g., offer to
zero-rate all music or video apps. So carriers across the EU took advantage
and collectively launched hundreds of zero-rating
programs<https://epicenter.works/document/1522>. These often exempted the
carriers' own services and disproportionately benefited big
like Apple, Google, and Facebook, while small companies and European
startups were left out.

BEREC has now banned those.

Here is my statement:

"BEREC's new net neutrality guidelines are a great win for Europeans who
will get more data to use as they choose, and they give a big, much-needed
boost to online competition.

Despite intense lobbying from big carriers and giant platforms, BEREC voted
to clearly ban zero-rating offers that benefit select apps or categories of
apps by exempting them from people's monthly data caps. The ban applies
whether the app pays to be included or not, closing a loophole in the draft

This is good news for Internet users. When harmful zero-rating plans are
banned, users get much more data for the same price. Carriers are no longer
able to limit how people can use their data or push them to use apps from
the dominant platforms.

We just saw this in Germany. After the German regulator
Deutsche Telekom's and Vodafone's discriminatory zero-rating plans, Vodafone
gave affected customers up to 25% more data for the same
price<https://www.computerbild.de/artikel/cb-News-Handy-Vodafone-GigaMobil-Tarife-32649151.html>. Earlier
this month, Deutsche Telekom boosted some affected customers' monthly data
volume from 24GB to 40GB for the same

Additionally, smaller apps and websites no longer have to fight to be
included in these kinds of zero-rating plans and can compete with the giant
platforms on an equal footing.

BEREC revised its guidelines after the European Court of Justice
in September 2021 that discriminatory zero-rating plans violated net
neutrality. The court ruled that such plans violated the net neutrality
law's requirement to treat all data equally, and that it did not matter
whether the different treatment was technical, such as a fast lane, or
economic, like selective zero-rating.

The guidelines wisely allow carriers to offer non-discriminatory zero-rating
programs that treat all data the same. Your carrier can still not count data
usage against your cap at certain times of day or as a promotion; it just
can't force you to use that data on a specific site. Carriers in other
countries that have banned discriminatory zero-rating have
with offers such as unmetered data from midnight to 6 a.m. or letting users
choose hours per month where their data usage is

I expect that carriers across the EU will soon end their discriminatory
zero-rating plans and offer customers of those plans significantly more data
for the same price."

Barbara van Schewick is one of the world's leading experts on net neutrality, a professor at Stanford Law School, and the director of Stanford Law School's Center for Internet and Society.


* You can read more on how we got here and why it matters in my earlier blog
post: Facebook, Google & Big Telecoms Want To Keep Violating Net Neutrality
In Europe. Regulators Should Stop

* BEREC's report on its decision
* BEREC's new
(Para. 40b. "BEREC considers any differentiated pricing practices which are
not application-agnostic to be inadmissible for IAS offers, such as applying
a zero price to ISPs' own applications or CAPs subsidizing their own data.")

Barbara van Schewick, M. Elizabeth Magill Professor of Law
Professor, by Courtesy, of Electrical Engineering
Director, Center for Internet and Society, Stanford Law School

Author of "Internet Architecture and Innovation," MIT Press 2010
URL: http://cyberlaw.stanford.edu/about/people/barbara-van-schewick
Twitter: @vanschewick<https://twitter.com/vanschewick>
E-Mail: sche...@stanford.edu<mailto:sche...@stanford.edu>
Phone: 650-723 8340


Date: Thu, 16 Jun 2022 06:56:20 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: Privacy bill would set out rules on use of personal data,
artificial intelligence (CBC)


The federal Liberals plan to introduce privacy legislation today to give
Canadians more control over their personal data and introduce new rules for
the use of artificial intelligence.

The bill, to be presented by Innovation Minister Francois-Philippe
Champagne, aims to fulfill his mandate to advance the federal digital
charter, strengthen privacy protections for consumers and provide clear
rules for fair competition in the online marketplace.

The digital charter spells out 10 principles that range from ensuring
control over information to meaningful penalties for misuse of data.


Date: Thu, 16 Jun 2022 12:11:25 -0400
From: Cliff Kilby <cliff...@gmail.com>
Subject: Executive Order 14028 and the death knell of jSCH

Java is a popular middleware/backend programming language. It does not
include a native library for SSH. This drives developers who use secure
file transfer like sftp or scp to use a library to provide this function.
There are only 3 main libraries for this available to the general public.
jSCH, Jscape, and MINA.

MINA is not well accepted, and jscape has recently undergone an acquisition
and now has a burdensome license, driving users away from that project.

jSCH is the direction most developers end up taking. This is evident in
Apache's own file transfer library, vfs2. It does not use MINA as a SSH
client, it links to jSCH.

Jcraft's implementation of jSCH was written for Java 1.2 and has seen few
updates since. The last release was 4 years ago.

I believe this represents the existence of a widely distributed, but either
abandoned, or poorly supported library that is in wide use for critical
middleware/backend systems. There is a chance that this software is just
abnormally stable, but I have yet to find any such indications with the
associated projects. Per EO 14028, this software may meet the definition for
"critical to trust".


Date: Wed, 15 Jun 2022 18:26:55 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: How Henry Ford Would Deal With Today's Supply Chain Upheaval

The trouble is that since deregulation, stock values are decoupled from the
true value of companies. Many companies made more money out of trading
their stocks than of actual production. Companies are no longer committed
to their product, not even committed to their customers, but only committed
to their shareholders; and in this environment, those shareholders expect to
get ever increasing returns on their investments, or else they take their
money elsewhere.

The result is that IBM is no longer a computer company, and Ford is no
longer a car company; both are stock traders who use computers or cars as
an excuse. It's difficult to make any improvement on production (or
produce anything at all) in such an environment.


Date: Wed, 15 Jun 2022 17:38:22 -0400
From: Dick Mills <dickandl...@gmail.com>
Subject: Re: Long-term planning and Optimization (RISKS-33.28)

The long-term view of climate and other finite resource problems is that
overpopulation is the root cause. The green/brown behavior of the populace
is secondary. Banning fossil fuels results from short-term thinking.
Population reduction is the only possible long-term solution.


Date: Wed, 15 Jun 2022 18:16:30 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: Long-term planning and optimization (RISKS-33.28)

The trouble is, for politicians "long term planning" means this evening's
8pm TV news.


Date: Wed, 15 Jun 2022 10:46:17 -0500
From: Arthur Flatau <fla...@acm.org>
Subject: Re: The Billionaires Seeking a U.S. Chip-Making Revival

I think this is not at all the best example of problems with outsourcing.
The costs of developing new process technology are huge. Developing
leading edge process technology is very difficult; look at the example of
Intel, which has fallen behind. With the exceptions of Samsung and Intel,
most companies do not have the resources to be able to develop new process
technology in a timely fashion, if at all.

No doubt, it should have been obvious that putting most of the high end
fabs on an island that is not that geologically stable and is subject to
political disputes was not the best idea.


Date: Wed, 15 Jun 2022 11:40:34 -0400
From: Cliff Kilby <cliff...@gmail.com>
Subject: Re: 5GSec Convergence Accelerator Proposal (RISKS-33.28)

Variations on a Theme!!!

Microsoft is in the news for allowing users to query internal coordination
software, as noted in RISKS-33.28.

Root cause? According to NIST:
"Improper Neutralization of Argument Delimiters in a Command ('Argument

I guess that Microsoft is probably a little salty about that.


Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 33.29
