
Risks Digest 32.76

RISKS-LIST: Risks-Forum Digest Saturday 10 July 2021 Volume 32 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.76>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
RFI on scientific integrity (White House OSTP)
A code grabber is a device that can capture a radio signal from a vehicle's
key fob, analyze it and replicate (geoff goodfellow)
Social-credit score system for Germany (Vorausschau)
Developer Infinidash joke ends up as job requirement (The Register)
Europe makes the case to ban biometric surveillance (Matt Burgess)
Some locals say a bitcoin mining operation is ruining one of the Finger
Lakes. Here's how. (NBC News)
Researchers examine burden of electronic health record on primary care
clinicians (medicalxpress.com)
How California's new Digital Vaccine Records can be easily abused (EFF)
NY's "Excelsior" vaccine "passport" is a mess (TechReview)
Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE
Vulnerability (MS)
Human Risk Management /HRM/ is the FIX. (The Hacker News)
Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software
(Krebs on Security)
Cell phones and cancer: New UC Berkeley study suggests cell phones sharply
increase tumor risk (KTVU)
GOP Congressman in leaked video: "We want chaos and inability to get things
done for the next 18 months!" (Common Dreams)
Re: Supreme Court sides with credit agency (Richard Stein, Stanley Chow)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 5 Jul 2021 19:56:58 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: RFI on scientific integrity (White House OSTP)

[For the entire history of the ACM Risks Forum, we have sought integrity
and trustworthiness in scientific and engineering efforts, and what we
might be able to do to ensure it. This may be the first government RFI to be
included in RISKS, but it seems to be exactly in our wheelhouse. I
believe our International audience might want to respond, as well as those
in the U.S. PGN]

The White House Office of Science and Technology Policy (OSTP) seeks
information by 28 July 2021 to help improve the effectiveness of Federal
scientific integrity policies to enhance public trust in science. The
January 27, 2021 Presidential Memorandum on Restoring Trust in Government
Through Scientific Integrity and Evidence-Based Policymaking (Memorandum)
directs OSTP to convene an inter-agency task force under the National Science
and Technology Council to review the effectiveness of policies developed
since the issuance of the Presidential Memorandum on scientific integrity
issued on March 9, 2009 in preventing improper political interference in the
conduct of scientific research and the collection of data; preventing the
suppression or distortion of findings, data, information, conclusions, or
technical results; supporting scientists and researchers of all genders,
races, ethnicities, and backgrounds; and advancing the equitable delivery of
the Federal Government's programs. To support this assessment, OSTP seeks
information about: (1) The effectiveness of Federal scientific integrity
policies and needed areas of improvement; (2) good practices Federal
agencies could adopt to improve scientific integrity, including in the
communication of scientific information, addressing emerging technologies
and evolving scientific practices, supporting professional development of
Federal scientists, and promoting transparency in the implementation of
agency scientific integrity policies; and (3) other topics or concerns that
Federal scientific integrity policies should address. Please note the
purpose of this RFI is not to receive reports on alleged offenses that are
in violation of Federal scientific integrity policies. If you have witnessed
or experienced any harmful acts that may undermine scientific integrity and
you would like to report these allegations, please contact the Scientific
Integrity Officer or Office of the Inspector General at the relevant Federal
agency.

https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies

------------------------------

Date: Mon, 5 Jul 2021 12:37:23 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: A code grabber is a device that can capture a radio signal from a
vehicle's key fob, analyze it and replicate

And here is the code grabber hidden in the Game Boy case.

https://twitter.com/it4sec/status/1411902542993412096

------------------------------

Date: Mon, 5 Jul 2021 08:46:32 +0200
From: Thomas Koenig <tko...@netcologne.de>
Subject: Social-credit score system for Germany (Vorausschau)

The German ministry for education and science (BMBF) has published a study
in which it puts forward a Chinese-style social credit system for Germany.

A translated quote from the long version on an official BMBF
https://www.vorausschau.de/vorausschau/de/home/home_node.html#zukuenfte (the
web site's design is atrocious, trying to find the information is quite
difficult).

``Highly controversial at the beginning, the bonus point system is largely
accepted in the 2030s. It establishes new norms in everyday life that
were not possible before. The participatory development of the rules also
ensures greater acceptance among the population. Approval of the bonus
system is growing, particularly in view of the increasing dynamics of
climate change. A point-based evaluation -- for example, of the ecological
footprint -- helps to make the polluter-pays principle transparent.''

Participation in the point system would be voluntary in the sense that not
participating would bring very real drawbacks. Another quote:

``The bonus system is also helpful for the labor market, which continues
to suffer from a shortage of skilled workers. It helps to identify
qualification potential and efficiently organize the spatial mobility of
the workforce.''

So, not participating would lead to lower chances of getting a job.

China is explicitly mentioned as a role model.

------------------------------

Date: Mon, 5 Jul 2021 11:18:19 +0200
From: Peter Houppermans <pe...@houppermans.net>
Subject: Developer Infinidash joke ends up as job requirement (The Register)

From https://www.theregister.com/2021/07/05/infinidash/

``A tweeted musing that merely mentioning a new AWS product would be
enough to see it appear in job ads has come true — even though the product
mentioned is made up.''

Amusingly, enough people picked up the joke and ran with it (my personal
favourite was the announcement of an *O RLY* book) for it to indeed expose
quite a few bandwagons, not in the least the aforementioned job specs which
have long demonstrated a remarkable ability to remain disconnected from
reality.

Entertaining - and educational.

------------------------------

Date: Thu, 8 Jul 2021 19:40:11 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: Europe makes the case to ban biometric surveillance (Matt Burgess)

Matt Burgess, WiReD, 7 Jul 2021

Companies are racing to track your emotions, how you walk and your
voiceprint. Should Europe ban biometric tracking entirely?

Your body is a data goldmine. From the way you look to how you think and
feel, firms working in the burgeoning biometrics industry are developing new
and alarming ways to track everything we do. And, in many cases, you may not
even know you're being tracked. But the biometrics business is on a
collision course with Europe's leading data protection experts. Both the
European Data Protection Supervisor, which acts as the EU's independent data
body, and the European Data Protection Board, which helps countries
implement GDPR consistently, have called for a total ban on using AI to
automatically recognise people. [...]

https://www.wired.co.uk/article/europe-ai-biometrics

------------------------------

Date: Tue, 6 Jul 2021 15:07:19 -0700
From: "Lauren Weinstein" <lau...@vortex.com>
Subject: Some locals say a bitcoin mining operation is ruining one of the
Finger Lakes. Here's how. (NBC News)

[Why is this still legal?]

https://www.nbcnews.com/science/environment/some-locals-say-bitcoin-mining-operation-ruining-one-finger-lakes-n1272938?cid=sm_npd_nn_tw_ma

------------------------------

Date: Sat, 10 Jul 2021 09:43:30 +0800
From: "Richard Stein" <rms...@ieee.org>
Subject: Researchers examine burden of electronic health record on primary
care clinicians (medicalxpress.com)

https://medicalxpress.com/news/2021-07-burden-electronic-health-primary-clinicians.html

Health record data entry by physicians interferes with patient quality of
care. Data entry streamlines healthcare billing, but should it be
prioritized over positive patient outcome? Apparently yes.

What can be done to mitigate this conflict?

"Virtual or AI-powered scribes could reduce the burden of note-taking across
primary care specialties and can be evaluated in future studies, the authors
state. Interventions that streamline messaging and placing orders are also
research priorities."

Naturally enough, these medical incidents are known to arise from
old-fashioned, hands-on medicine. How common are these medical errors?

The abstract from "Your Health Care May Kill You: Medical Errors," via
https://pubmed.ncbi.nlm.nih.gov/28186008/ from Stud Health Technol Inform
2017;234:13-17.

"Recent studies of medical errors have estimated errors may account for as
many as 251,000 deaths annually in the United States (U.S)., making medical
errors the third leading cause of death. Error rates are significantly
higher in the U.S. than in other developed countries such as Canada,
Australia, New Zealand, Germany and the United Kingdom (U.K)."

I wonder if AI-driven prescriptions will go haywire? Or the wrong diagnostic
procedure will be ordered and performed? Fortunately, the
pneumoencephalogram (https://en.wikipedia.org/wiki/Pneumoencephalography)
has been retired.

[I almost misread this as pneumann ... has been retired. PNeumann]

------------------------------

Date: Thu, 8 Jul 2021 13:18:34 -0700
From: "Lauren Weinstein" <lau...@vortex.com>
Subject: How California's new Digital Vaccine Records can be easily abused
(EFF)

https://www.eff.org/deeplinks/2021/06/decoding-californias-new-digital-vaccine-records-and-potential-dangers

------------------------------

Date: Wed, 7 Jul 2021 08:34:15 -0700
From: "Lauren Weinstein" <lau...@vortex.com>
Subject: NY's "Excelsior" vaccine "passport" is a mess (TechReview)

Just say no. -L

https://www.technologyreview.com/2021/07/06/1027770/vaccine-passport-new-york-excelsior-pass/

------------------------------

Date: Wed, 7 Jul 2021 19:03:09 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE
Vulnerability (MS)

Even as Microsoft *expanded patches*
https://docs.microsoft.com/en-us/windows/release-health/windows-message-center
for the so-called PrintNightmare vulnerability for Windows 10 version 1607,
Windows Server 2012, and Windows Server 2016, it has come to light that the
patch for the remote code execution exploit in the Windows Print Spooler
service can be bypassed in certain scenarios, effectively defeating the
security protections and permitting attackers to run arbitrary code on
infected systems.

On Tuesday, the Windows maker issued an *emergency out-of-band update*
<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>
to address *CVE-2021-34527*
<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html> (CVSS
score: 8.8) after the flaw was accidentally disclosed by researchers from
Hong Kong-based cybersecurity firm Sangfor late last month, at which point
it emerged that the issue was different from another bug -- tracked as
CVE-2021-1675 -- that was patched by Microsoft on June 8.
<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>

"Several days ago, two security vulnerabilities were found in Microsoft
Windows' existing printing mechanism," Yaniv Balmas, head of cyber-research
at Check Point, told The Hacker News. "These vulnerabilities enable a
malicious attacker to gain full control on all windows environments that
enable printing."

"These are mostly working stations but, at times, this relates to entire
servers that are an integral part of very popular organizational networks.
Microsoft classified these vulnerabilities as critical, but when they were
published they were able to fix only one of them, leaving the door open for
explorations of the second vulnerability," Balmas added. [...]
https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html

------------------------------

Date: Thu, 8 Jul 2021 11:01:15 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Human Risk Management /HRM/ is the FIX. (The Hacker News)

Humans are an organization's strongest defence against evolving
cyber-threats, but security awareness training alone often isn't enough to
transform user behaviour.

Human Risk Management (HRM) is the FIX.

Checkout this new guide from @getusecure: [...]
https://thehackernews.com/2021/07/security-awareness-training-is-broken.html
via
https://twitter.com/TheHackersNews/status/1413158374057730052

------------------------------

Date: Thu, 8 Jul 2021 11:03:15 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own
Software (Krebs on Security)

Last week cybercriminals deployed ransomware to 1,500 organizations that
provide IT security and technical support to many other companies. The
attackers exploited a vulnerability in software from *Kaseya*, a
Miami-based company whose products help system administrators manage large
networks remotely. Now it appears Kaseya’s customer service portal was left
vulnerable until last week to a data-leaking security flaw that was first
identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program
<https://krebsonsecurity.com/?s=revil> began using a zero-day security hole
(CVE-2021-30116
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>) to deploy
ransomware to hundreds of IT management companies running Kaseya’s remote
management software — known as the *Kaseya Virtual System Administrator*
(VSA).

According to this entry for CVE-2021-30116
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30116>, the
security flaw that powers that Kaseya VSA zero-day was assigned a
vulnerability number on April 2, 2021, indicating Kaseya had roughly three
months to address the bug before it was exploited in the wild
<https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/>.

Also on July 3, security incident response firm *Mandiant* notified Kaseya
that their billing and customer support site -- *portal.kaseya.net*
<http://portal.kaseya.net> -- was vulnerable to CVE-2015-2862
<https://nvd.nist.gov/vuln/detail/CVE-2015-2862>, a "directory traversal"
vulnerability in Kaseya VSA that allows remote users to read any files on
the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years
later, Kaseya’s customer portal was still exposed to the data-leaking
weakness. [...]

https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/
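
The bug class behind CVE-2015-2862, shown as an added example that is not
Kaseya's code and not from the Krebs article: a naive path join beside a
hardened one, plus a scan over constructed access-log lines that flags the
requests the naive join would have served from outside the document root.
The document root, log lines and addresses are all constructed for the
example.

```python
"""Directory traversal: vulnerable vs. hardened path resolution, plus a
log scan that flags traversal attempts. Constructed illustration, not
Kaseya VSA code."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

DOC_ROOT = "/srv/portal/public"  # assumed document root (constructed)


def resolve_vulnerable(root: str, user_path: str) -> str:
    """Naive join: '..' segments and absolute user paths escape the root."""
    return posixpath.normpath(posixpath.join(root, unquote(user_path)))


def resolve_hardened(root: str, user_path: str) -> Optional[str]:
    """Decode once, drop a leading slash, normalize, then insist the result
    is the root itself or lies strictly below it. Returns None on rejection."""
    decoded = unquote(user_path)
    if "\x00" in decoded:  # NUL bytes truncate paths in C-based servers
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2021:10:00:01 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 4321
203.0.113.5 - - [03/Jul/2021:10:00:02 +0000] "GET /docs/../../../../etc/passwd HTTP/1.1" 200 1834
203.0.113.5 - - [03/Jul/2021:10:00:03 +0000] "GET /docs/%2e%2e/%2e%2e/config.ini HTTP/1.1" 200 512
198.51.100.7 - - [03/Jul/2021:10:00:04 +0000] "GET /img/logo.png HTTP/1.1" 200 9000
"""


def flag_traversal(log_text: str, root: str = DOC_ROOT) -> List[str]:
    """Return request paths the hardened resolver rejects, i.e. requests that
    a naive join would have resolved to a file outside the document root."""
    flagged = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]  # e.g. 'GET /docs/manual.pdf HTTP/1.1'
            path = request.split()[1]
        except IndexError:
            continue  # malformed line, skip it
        if resolve_hardened(root, path) is None:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_traversal(SAMPLE_LOG):
        print(f"{path!r} -> naive join would serve {resolve_vulnerable(DOC_ROOT, path)}")
```

Note that the hardened resolver decodes exactly once; a doubly encoded
`%252e%252e` stays a literal file name under the root rather than a `..`
segment, which is the behaviour you want.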

------------------------------

Date: Wed, 7 Jul 2021 08:37:59 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Cell phones and cancer: New UC Berkeley study suggests cell phones
sharply increase tumor risk (KTVU)

New UC Berkeley research draws a strong link between cell phone radiation
and tumors, particularly in the brain.

Researchers took a comprehensive look at statistical findings from 46
different studies around the globe and found that the use of a cell phone
for more than 1,000 hours, or about 17 minutes a day over a ten year
period, increased the risk of tumors by 60 percent.

Researchers also pointed to findings that showed cell phone use for 10 or
more years doubled the risk of brain tumors.

*Joel Moskowitz* <https://publichealth.berkeley.edu/people/joel-moskowitz/>,
director of the Center for Family and Community Health with the *UC Berkeley
School of Public Health* <https://publichealth.berkeley.edu/>, conducted the
research in partnership with Korea's National Cancer Center, and Seoul
National University. Their analysis took a comprehensive look at
statistical findings from case control studies from 16 countries including
the U.S., Sweden, United Kingdom, Japan, Korea, and New Zealand. [...]
https://www.ktvu.com/news/new-uc-berkeley-study-draws-strong-link-between-cell-phone-use-and-cancer

------------------------------

Date: Wed, 7 Jul 2021 15:32:43 -0700
From: "Lauren Weinstein" <lau...@vortex.com>
Subject: GOP Congressman in leaked video: "We want chaos and inability to
get things done for the next 18 months!" (Common Dreams)

https://www.commondreams.org/news/2021/07/07/leaked-video-gop-congressman-admits-his-party-wants-chaos-and-inability-get-stuff

------------------------------

Date: Mon, 5 Jul 2021 13:20:58 +0800
From: "Richard Stein" <rms...@ieee.org>
Subject: Re: Supreme Court sides with credit agency (WashPost, RISKS-32.75)

[Hi Steven -- My concern was only hypothetical.]

Suppose the TransUnion data breached, and certain parties had chosen to
weaponize or exploit it?

Those unfortunate 8K folks might experience palpable consequences: reduced
job eligibility, stigmatization, etc. until or unless they could exonerate
themselves by attempting to restore reputation.

Gives one pause about profiling activities in general, and the lists of
values/attribute labels contained in profiles.

History suggests the global data breach pandemic is unlikely to subside.
Consequences and risks compound with each case.

------------------------------

Date: Mon, 5 Jul 2021 10:52:28 -0400
From: "Stanley Chow" <stanle...@pobox.com>
Subject: Re: Supreme Court sides with credit agency (Klein, RISKS-32.75)

In Risks 32.75, Steve Klein points out that we shouldn't get excited about
the U.S. Supreme court decision siding with the credit agency for SOME
PEOPLE -- because "... faulty records that were never shared ... could not
have suffered any damages."

I am not a lawyer and have not read the decision, but it sounds like:

1. Someone has a loaded gun pointed to my head.
2. The trigger will be pulled - as soon as some random user pays $10
(or whatever fee they charge).
3. The courts cannot do anything until the trigger is pulled.
4. So, after I am dead (or my life is ruined), the courts MAY fine the
credit agency some nominal amount.

Is this as f**ked up as it sounds?

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.76
************************
