RISKS-LIST: Risks-Forum Digest  Friday 14 August 2020  Volume 32 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

Contents:
  The Iconic Arecibo Telescope Goes Quiet After Major Damage (WiReD)
  The Tragic Physics of the Deadly Explosion in Beirut (WiReD)
  North Korean Hacking Group Attacks Israeli Defense Industry (NYTimes)
  Researchers discovered significant vulnerability in Amazon's Alexa (The Hill)
  Bald eagle attacks government drone and sends it to bottom of Lake Michigan
    (The Guardian)
  Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks
    (You Tube)
  Snapdragon chip flaws put >1 billion Android phones at risk of data theft
    (Ars Technica)
  Flaws in Samsung Phones Exposed Android Users to Remote Attacks
    (The Hacker News)
  Microsoft plugs at least 120 Windows security holes (Krebs on Security)
  Coming Next: The Greater Recession (Paul Krugman via Randall Head)
  Social media and misinformation (Rob Slade)
  Deepfakes or not??? (Mark Thorson)
  A protester tried to ID a police officer on Twitter. Now he faces a felony
    -- along with four who retweeted him. (WashPost)
  Scientists rename human genes to stop Microsoft Excel from misreading them
    as dates (The Verge)
  You do know you are being tracked, right? (WSJ)
  Thousands of cases went unreported in California when a computer server
    failed (NYTimes)
  Blackstone to acquire Ancestry.com for $4.7 billion (Oguh)
  USG Contractor Embedded Software in Apps to Track Phones (WSJ)
  Illiterate cell phone user experience (Dan Jacobson)
  Photoshop Will Help ID Images That Have Been Photoshopped (WiReD)
  Is it the AI That's Racist, or is it the Humans That Create the AI?
    (AI Daily)
  AI bias detection ... (PGN)
  Leaked Documents Reveal What TikTok Shares with Authorities -- in the U.S.
    (The Intercept via Richard Forno)
  Why & Where You Should You Plant Your Flag (Krebs on Security)
  Postal Service warns 46 states their voters could be disenfranchised by
    delayed mail-in ballots (WashPost)
  Mailer To DC Voters Prompts Widespread Confusion (DCist)
  Trump's lapdog Postmaster General wants to more than double costs for states
    to mail ballots to voters! Crooked through and through. (Law and Crime)
  Unwanted Truths: Inside Trump's Battles With U.S. Intelligence Agencies
    (NYTimes)
  The quest to liberate $300,000 of bitcoin from an old ZIP file (Ars Technica)
  Risk of driving while Black in conjunction with computer risks (anon)
  Why climate change is about to make your bad commute worse (WashPost)
  Chrome will start hiding most of URLs, but you can opt-out -- AND YOU SHOULD!
    (Lauren Weinstein)
  How romance scams are thriving during quarantine. (The Verge)
  No to Blockchain Credentials of COVID-19 Test Results for Entry to Public
    Spaces (EFF)
  Virginia launches contact-tracing app COVIDWISE using Apple, Google
    technology (WashPost)
  The nuclear mistakes that could have ended civilisation (bbc.com)
  Re: Omniviolence Is Coming and the World Isn't Ready (Eric Sosman)
  Re: Blackbaud breach (A Michael W Bacon)
  Re: City outage (A Michael W Bacon)
  Re: Beirut explosion (A Michael W Bacon)
  Re: Beirut Blast (3daygoaty)
  Re: Tom's Hardware goes dark/side/ (Steve Singer)
  Re: When tax prep is free, you may be paying with your privacy
    (David Damerell)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 12 Aug 2020 15:52:12 -0400
From: Gabe Goldberg
Subject: The Iconic Arecibo Telescope Goes Quiet After Major Damage (WiReD)

A cable cut a large gash into the radio telescope this week and it's
uncertain when it will be back in working order.
https://www.wired.com/story/the-iconic-arecibo-telescope-goes-quiet-after-major-damage/

------------------------------

Date: Sat, 8 Aug 2020 21:14:45 -0400
From: Gabe Goldberg
Subject: The Tragic Physics of the Deadly Explosion in Beirut (WiReD)

A blast injury specialist explores the chemistry -- and history -- of
explosions like the one captured in videos that swept across the world.

https://www.wired.com/story/tragic-physics-deadly-explosion-beirut/

------------------------------

Date: Wed, 12 Aug 2020 20:56:34 -0400
From: Monty Solomon
Subject: North Korean Hacking Group Attacks Israeli Defense Industry (NYTimes)

Israel says the attack was thwarted, but a cybersecurity firm says it was
successful. Some officials fear that classified data stolen by North Korea
could be shared with Iran.

https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html

------------------------------

Date: Thu, 13 Aug 2020 13:38:45 -1000
From: geoff goodfellow
Subject: Researchers discovered significant vulnerability in Amazon's Alexa
  (The Hill)

Researchers at cybersecurity provider Check Point uncovered a flaw in
Amazon's Alexa virtual assistant that left owners' personal information
vulnerable before it was patched in June.

The researchers detailed the vulnerability in a report released Thursday,
saying potential hackers could have hijacked the voice assistant devices
using malicious Amazon links.

Once those links were clicked, hackers would be able to install or remove
"Skills" -- essentially apps -- from Alexa devices. They would also be able
to access the user's voice history with their device as well as personal
information as sensitive as banking data and home addresses. [...]
https://thehill.com/policy/technology/511746-researchers-discovered-significant-vulnerability-in-amazons-alexa

Also:
https://www.wired.com/story/amazon-alexa-bug-exposed-voice-history-hackers/

------------------------------

Date: Fri, 14 Aug 2020 11:24:48 -0700
From: Peter Neumann
Subject: Bald eagle attacks government drone and sends it to bottom of
  Lake Michigan (The Guardian)

There is something appropriately symbolic in this ....

https://www.theguardian.com/us-news/2020/aug/14/eagle-drone-attack-lake-michigan

------------------------------

Date: Mon, 10 Aug 2020 12:10:10 -1000
From: geoff goodfellow
Subject: Vulnerabilities in Qualcomm Chips Expose Billions of Devices to
  Attacks (You Tube)

*Security researchers have identified hundreds of vulnerabilities that
expose devices with Qualcomm Snapdragon chips to attacks.*

During a presentation at DEF CON last week, Check Point security researcher
Slava Makkaveev revealed how vulnerabilities in the compute digital-signal
processor (DSP) -- a subsystem that enables the processing of data with low
power consumption -- could open the door for Android applications to perform
malicious attacks.

The proprietary subsystem is licensed for programming to OEMs and a small
number of application developers, and the code running on DSP is signed, but
the security researchers have identified ways to bypass Qualcomm's signature
and run code on DSP.

Vendors can build software for DSP using the Hexagon SDK, and serious
security flaws in the development kit itself have resulted in hundreds of
vulnerabilities being introduced in code from Qualcomm and partner vendors.
According to Makkaveev, almost all of the DSP executable libraries that come
embedded in Qualcomm-based smartphones are exposed to attacks through the
issues identified in the Hexagon SDK.
The discovered flaws, over 400 in total, are tracked as CVE-2020-11201,
CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and
CVE-2020-11209 and have already been acknowledged by Qualcomm.

Check Point has yet to publish technical details on these vulnerabilities,
but says that attackers able to exploit them would require no user
interaction to exfiltrate large amounts of information, including users'
photos and videos, and GPS and location data, or to spy on users by
recording calls or turning on the microphone.

Denial of service attacks are also possible, with the device remaining
permanently unresponsive, thus making the information stored on it
unavailable. Furthermore, malicious code installed on the device could hide
activities entirely and become unremovable.

With Qualcomm's chips present in approximately 40% of the smartphones out
there, including high-end devices from Google, LG, OnePlus, Samsung, Xiaomi,
and others, at least 1 billion mobile users are affected by these
vulnerabilities. [...]

https://www.securityweek.com/vulnerabilities-qualcomm-chips-expose-billions-devices-attacks

------------------------------

Date: Sun, 9 Aug 2020 14:57:23 -0400
From: Monty Solomon
Subject: Snapdragon chip flaws put >1 billion Android phones at risk of data
  theft (Ars Technica)

There's no word on when Google and phone makers will incorporate fix from
Qualcomm.

A billion or more Android devices are vulnerable to hacks that can turn them
into spying tools by exploiting more than 400 vulnerabilities in Qualcomm's
Snapdragon chip, researchers reported this week.

The vulnerabilities can be exploited when a target downloads a video or
other content that's rendered by the chip. Targets can also be attacked by
installing malicious apps that require no permissions at all.

From there, attackers can monitor locations and listen to nearby audio in
real time and exfiltrate photos and videos. Exploits also make it possible
to render the phone completely unresponsive.
Infections can be hidden from the operating system in a way that makes
disinfecting difficult. ...

https://arstechnica.com/information-technology/2020/08/snapdragon-chip-flaws-put-1-billion-android-phones-at-risk-of-data-theft/

------------------------------

Date: Thu, 13 Aug 2020 13:37:45 -1000
From: geoff goodfellow
Subject: Flaws in Samsung Phones Exposed Android Users to Remote Attacks
  (The Hacker News)

New research disclosed a string of severe security vulnerabilities in the
'Find My Mobile' -- an Android app that comes pre-installed on most Samsung
smartphones -- that could have allowed remote attackers to track victims'
real-time location, monitor phone calls, and messages, and even delete data
stored on the phone.

Portugal-based cybersecurity services provider Char49 revealed its findings
on Samsung's Find My Mobile Android app at the DEF CON conference last week
and shared details with the Hacker News.

"This flaw, after setup, can be easily exploited and with severe
implications for the user and with a potentially catastrophic impact:
permanent denial of service via phone lock, complete data loss with factory
reset (SD card included), serious privacy implication via IMEI and location
tracking as well as call and SMS log access," Char49's Pedro Umbelino said
in technical analysis.

The flaws, which work on unpatched Samsung Galaxy S7, S8, and S9+ devices,
were addressed by Samsung after flagging the exploit as a "high impact
vulnerability."

Samsung's Find My Mobile service allows owners of Samsung devices to
remotely locate or lock their smartphone or tablet, back up data stored on
the devices to Samsung Cloud, wipe local data, and block access to Samsung
Pay.

According to Char49, there were four different vulnerabilities in the app
that could have been exploited by a malicious app installed on the targeted
device, thus creating a man-in-the-disk attack to hijack communication from
the backend servers and snoop on the victim. [...]
https://thehackernews.com/2020/08/samsung-find-my-phone-hacking.html

------------------------------

Date: Tue, 11 Aug 2020 16:40:45 -1000
From: geoff goodfellow
Subject: Microsoft plugs at least 120 Windows security holes
  (Krebs on Security)

Microsoft today released updates to plug at least 120 security holes in its
Windows operating systems and supported software, including two newly
discovered vulnerabilities that are actively being exploited. Yes, good
people of the Windows world, it's time once again to back up and patch up!
[...]

https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/

------------------------------

Date: August 8, 2020 at 8:48:42 PM EDT
From: Randell Head
Subject: Coming Next: The Greater Recession (Paul Krugman)

[Via Dewayne Hendricks]

Paul Krugman, *The New York Times*, 6 Aug 2020

The suspension of federal benefits would create damage almost as terrifying
as the economic effects of the coronavirus.

"Greater Recession"? Dr. K is too shy by a long shot.

Pretty much every multi-tenant office building and almost all shopping malls
in this country are owned by REITs, almost exactly all of which are
mortgaged to the limits of their bankers' tolerance. Those mortgages are
based on the assessed value of the real estate. Those assessments assume a
roughly 80% occupancy rate.

The malls are undergoing a calamity of their own, which everyone knows about
- Shopped at Sears, lately?

But the office buildings - ah, the office buildings! Many of their tenants
will not survive. Of those who do survive, all will have noticed how much
cheaper it is to give every employee a laptop and cable modem than it is to
pay rent on those downtown or suburban office towers.
Yeah, perhaps most of them will keep some sort of office, but when it comes
time to renew the leases, they will be able to point to the hundreds of
thousands of square feet of empty space in the neighboring towers, so they
will reduce their leased space and they will largely get a lower price per
square foot. (If they don't get a reduction, they need to fire whoever is
negotiating on their behalf).

This means the office buildings are assessed too high. If they are
reassessed, most of the loans against them are suddenly unsecured. Those
REITs I mentioned? They're not going to be able to make their mortgage
payments, once 25% of their tenants go under or break (or fail to renew)
their leases, which means that the banks and hedge funds which hold those
mortgages are suddenly insolvent.

Few people have any sympathy for hedge funds, thinking no one they know has
any money with them, but a very large percentage of pension funds have some
money with hedge funds. That's not the big deal, though.

The big deal is the insolvent banks. Remember the early days of the 2008
Crash? Banks were refusing to make Guaranteed Student Loans. Reading this, I
assumed that was just your usual "Rich Folks, sticking up the government"
scam, but I was wrong - they didn't make Guaranteed Student Loans because
they COULDN'T -- insolvent banks can't lend any money, not even when they
have the Full Faith and Credit of the US Government backing the loans.

A middling-sized bank which in January had twenty billion dollars of
commercial loans, secured by liens against $25B of office towers and
shopping malls, now has twenty billion dollars of commercial loans, secured
by liens against $18B of real property. Sure, the property is still assessed
at $25B, but what would it bring on the open market? $18B is probably too
generous.
If you thought it was fun, bailing out the FSLIC, you're gonna *love*
bailing out the FDIC, especially when every advanced economy on the planet
is busy bailing out its own banks.

------------------------------

Date: Sat, 8 Aug 2020 17:41:05 -0700
From: Rob Slade
Subject: Social media and misinformation

This article provides laudable and important sentiments:
https://www.pressreader.com/canada/the-london-free-press/20200808/281711206997706

And the authors are dangerously over-optimistic. I've been waiting 40 years
(since before the Internet was called the Internet) for people to wake up,
and it hasn't happened yet.

------------------------------

Date: Sat, 8 Aug 2020 12:07:19 -0700
From: Mark Thorson
Subject: Deepfakes or not???

I have noticed a lack of tight synchronization between the audio and picture
on commercial over-the-air broadcast television is surprisingly common, and
I'm wondering whether this may be a marker for video that has been faked.

I first noticed this around the time of conversion from analog to digital,
when one channel was particularly annoying with its poor synchronization.
The problem becomes more obvious when you develop some ability to read lips.
Certain sounds, especially "p" and "b", require the lips to come together,
and they make tracking the audio against the picture much simpler. It does
not take much practice to become proficient, though I still can't tell what
words are being said from the picture alone. Any video passing through Zoom
cannot be analyzed this way because there isn't enough temporal resolution
to make this comparison.

An argument against deepfakes is that this phenomenon is very widespread. I
can't give you anything approaching a number based on data, but my
impression is at least 20% of all broadcast television exhibits this problem
-- including a large amount for which there would be no obvious motive. Why
would you fake the talking heads on a news broadcast or the presentation of
a comedy routine?
I suspect it may be a weakness of the digital video standard, though I
suppose there may be other explanations. It's either that, or we are awash
in fake video.

------------------------------

Date: Fri, 7 Aug 2020 17:42:11 -0400
From: Monty Solomon
Subject: A protester tried to ID a police officer on Twitter. Now he faces a
  felony -- along with four who retweeted him. (WashPost)

Kevin Alfaro and four people who retweeted the post have been charged with
cyber harassment, a 4th degree felony with up to 18 months of incarceration
and a $10,000 fine.

https://www.washingtonpost.com/nation/2020/08/07/black-lives-matter-tweet-police-felony/

------------------------------

Date: Fri, 7 Aug 2020 15:13:47 -0700 (PDT)
From: Thomas Dzubin
Subject: Scientists rename human genes to stop Microsoft Excel from
  misreading them as dates (The Verge)

"Excel is a behemoth in the spreadsheet world and is regularly used by
scientists to track their work and even conduct clinical trials. But its
default settings were designed with more mundane applications in mind, so
when a user inputs a gene's alphanumeric symbol into a spreadsheet, like
"MARCH1" which is short for "Membrane Associated Ring-CH-Type Finger 1",
Excel converts that into a date: "1-Mar""

https://www.theverge.com/2020/8/6/21355674/human-genes-rename-microsoft-excel-misreading-dates

And yes, I know that people can set the formatting of cells, rows & columns
of cells to be 'don't change what I entered' format, it's the defaults that
are supposed to make our lives easier which is breaking things.

------------------------------

Date: Thu, 13 Aug 2020 11:37:28 +0200
From: Anthony Thorn
Subject: You do know you are being tracked, right? (WSJ)

"The Wall Street Journal." 7 Aug 2020
https://www.wsj.com/articles/u-s-government-contractor-embedded-software-in-apps-to-track-phones-11596808801

"U.S. Government Contractor Embedded Software in Apps to Track Phones

Anomaly Six has ties to military, intelligence agencies and draws location
data from more than 500 apps with hundreds of millions of users

The U.S. government is using app-generated marketing data based on the
movements of millions of cellphones around the country for some forms of law
enforcement. We explain how such data is being gathered and sold.

WASHINGTON -- A small U.S. company with ties to the U.S. defense and
intelligence communities has embedded its software in numerous mobile apps,
allowing it to track the movements of hundreds of millions of mobile phones
world-wide, according to interviews and documents reviewed by The Wall
Street Journal.

Anomaly Six LLC a Virginia-based company founded by two U.S. military
veterans with a background in intelligence, said in marketing material it is
able to draw location data from more than 500 mobile applications, in part
through its own software development kit, or SDK, that is embedded directly
in some of the apps. An SDK allows the company to obtain the phone's
location if consumers have allowed the app containing the software to access
the phone's GPS coordinates.

App publishers often allow third-party companies, for a fee, to insert SDKs
into their apps. The SDK maker then sells the consumer data harvested from
the app, and the app publisher gets a chunk of revenue. But consumers have
no way to know whether SDKs are embedded in apps; most privacy policies
don't disclose that information. Anomaly Six says it embeds its own SDK in
some apps, and in other cases gets location data from other partners.

Anomaly Six is a federal contractor that provides global-location-data
products to branches of the U.S. government and private-sector clients. The
company told The Wall Street Journal it restricts the sale of U.S. mobile
phone movement data only to nongovernmental, private-sector clients.

Numerous agencies of the U.S. government have concluded that mobile data
acquired by federal agencies from advertising is lawful. Several
law-enforcement agencies are using such data for criminal-law enforcement,
the Journal has reported, while numerous U.S. military and intelligence
agencies also acquire this kind of data."

------------------------------

Date: Sat, 8 Aug 2020 21:29:21 -0400
From: Monty Solomon
Subject: Thousands of cases went unreported in California when a computer
  server failed. (NYTimes)

https://www.nytimes.com/2020/08/07/world/covid-19-news.html

As California surpassed 10,000 coronavirus deaths this week, the head of the
state's Health and Human Services Agency, Dr. Mark Ghaly, said a breakdown
in the main disease reporting system had undercounted as many as 300,000
test results. ``Our data system failed, and that failure led to inaccurate
case numbers.''

The malfunctions in the data system were compounded in recent days by huge
backlogs in testing -- in some California counties results are taking more
than two weeks to process -- muddying the overall picture of the virus's
progression in the nation's most populous state.

------------------------------

Date: August 6, 2020 20:36:27 JST
From: Richard Forno
Subject: Blackstone to acquire Ancestry.com for $4.7 billion (Oguh)

(You likely do NOT want your genetic data owned by China *or* a private
equity firm, even one based in America. --rick)

Chibuike Oguh, Reuters, Blackstone to acquire Ancestry.com for $4.7B
https://www.reuters.com/article/us-ancestry-m-a-blackstone-group/blackstone-to-acquire-ancestry-com-for-4-7-billion-idUSKCN2512ES

(Reuters) - Blackstone Group Inc (BX.N) said on Wednesday it agreed to
acquire genealogy provider Ancestry.com Inc from private equity rivals for
$4.7 billion, including debt, placing a big bet on family-tree chasing as
well as personalized medicine.
Ancestry.com is the world's largest provider of DNA services, allowing
customers to trace their genealogy and identify genetic health risks with
tests sent to their home. Blackstone is hoping that more consumers staying
at home amid the COVID-19 pandemic will turn to Ancestry.com for its
services.

``We believe Ancestry has significant runway for further growth as people of
all ages and backgrounds become increasingly interested in learning more
about their family histories and themselves,'' David Kestnbaum, a Blackstone
senior managing director, said in a statement.

The deal is Blackstone's first acquisition out of Blackstone Capital
Partners VIII, the largest-ever private equity fund that raised $26 billion
from investors last year.

Ancestry.com has more than 3 million paying customers in about 30 countries,
and earns more than $1 billion in annual revenue. Launched in 1996 as a
family history website, it harnessed advances in DNA testing and mobile
phone apps in the following two decades to expand its offerings.

Blackstone is buying Ancestry.com from private equity firms Silver Lake,
Spectrum Equity and Permira. Singapore's sovereign wealth fund GIC, another
Ancestry.com investor, said it will continue to maintain a significant
minority stake in the company.

The acquisition's price tag represents a significant jump to Ancestry.com's
valuation from four years ago, when Silver Lake and GIC invested in the
Lehi, Utah-based company at a $2.6 billion valuation.

------------------------------

Date: Mon, 10 Aug 2020 9:33:38 PDT
From: "Peter G. Neumann"
Subject: USG Contractor Embedded Software in Apps to Track Phones (WSJ)

*The Wall Street Journal*, 7 Aug 2020

Anomaly Six has ties to military, intelligence agencies and draws location
data from more than 500 apps with hundreds of millions of users

Consumers have no way of knowing whether software-development kits that can
track their locations are embedded in their apps.
https://www.wsj.com/articles/u-s-government-contractor-embedded-software-in-apps-to-track-phones-11596808801

Washington -- A small U.S. company with ties to the U.S. defense and
intelligence communities has embedded its software in numerous mobile apps,
allowing it to track the movements of hundreds of millions of mobile phones
world-wide, according to interviews and documents reviewed by The Wall
Street Journal.

------------------------------

Date: Thu, 13 Aug 2020 07:26:20 +0800
From: Dan Jacobson
Subject: Illiterate cell phone user experience

A web search finds lots of articles about illiterate cellphone users.
Usually the elderly or people in undeveloped countries.

My first experience instructing one over the phone:

"OK, under my picture there should be an Add Friend button."
"Probably red and green buttons... push the green one."

They said: "Oops, I already pushed the red one."

(Which blocked me. The block list being within a menu that they needed to
be literate to find. Alas...)

------------------------------

Date: Thu, 13 Aug 2020 18:36:54 -0400
From: Gabe Goldberg
Subject: Photoshop Will Help ID Images That Have Been Photoshopped (WiReD)

Adobe is adding technology to tag images with metadata, part of an effort to
identify deepfakes and other efforts at manipulation.

https://www.wired.com/story/photoshop-id-images-photoshopped-deepfake/

------------------------------

Date: Tue, 11 Aug 2020 16:38:45 -1000
From: geoff goodfellow
Subject: Is it the AI That's Racist, or is it the Humans That Create the AI?
  (AI Daily)

Racism is a poison in our society, one which until recently, AI was thought
immune to. Underlying this is the notion that AI are incapable of conscious
thought, so they cannot consciously discriminate. However, much like humans
can have unconscious bias, so can AI. Over the last decade there have been
countless examples of racial bias displayed in AI algorithms, or AI learning
racism through machine learning.
As a mixed-race individual, I want to know where AI has been racist and why
this was the case.

MIT were embarrassed in July this year, when they were forced to take
offline an AI training data-set which, following an investigation by *The
Register*, was found to be describing people with racist, misogynistic and
discriminatory language. The data-set had been used to train machine
learning models to identify people and items in images. However, the
descriptions of those people were often highly derogatory and contained
highly offensive language. The issue here was, due to a lack of oversight,
that the models were accidentally trained using discriminatory data. While
this problem is easily rectified once identified, it does highlight the risk
that machine learning algorithms with poorly constructed data-sets pose,
especially if the *racism* in those data-sets is more subtle, such as a
machine learning algorithm which scores negative points for *non-British
names* on CVs.

Google was forced to apologise in April after its *Vision AI*, an algorithm
which labels images based on their content, was found to come up with very
different results dependent on the skin colour of people in the image. This
is demonstrable by the image below, where when a black person holds a
thermometer, it is labeled as a *gun* but when a white person holds the same
thermometer, it is labeled as a *tool*. This result purports the racial
stereotype that black people are violent, leading to concerns that the
algorithm was racially biased. Yet again, we see an issue with a poor
dataset used to train the algorithm unintentionally leading to racial bias,
which further affirms just how important it is that the datasets are
properly curated before training. [...]

https://aidaily.co.uk/articles/is-the-ai-racist-or-is-it-the-humans-that-create-it

------------------------------

Date: Sat, 8 Aug 2020 11:24:48 -0700
From: Peter Neumann
Subject: AI bias detection ... (RISKS-32.18)

I had a complaint out of band, which applies to all items that deal broadly
with specific aspects of AI:

It would be very nice if the people who post numbers like these would
provide the definition of *AI* that they are using. A definition that
allows us to look at a program and tell whether it is AI or not is necessary
to make such numbers meaningful.

More generally, I think it is difficult to argue about trustworthiness of AI
overall, especially when the systems in which it is embedded are not
trustworthy. PGN

------------------------------

Date: August 11, 2020 8:52:32 JST
From: Richard Forno
Subject: Leaked Documents Reveal What TikTok Shares with Authorities --
  in the U.S.

[Via Dave Farber]

A glimpse at what the social media platform does in the U.S. underscores
that data privacy issues extend beyond China.

https://theintercept.com/2020/08/10/blueleaks-tiktok-law-enforcement-privacy/

------------------------------

Date: Thu, 13 Aug 2020 13:36:41 -1000
From: geoff goodfellow
Subject: Why & Where You Should You Plant Your Flag (Krebs on Security)

Several stories here have highlighted the importance of creating accounts
online tied to your various identity, financial and communications services
before identity thieves do it for you. This post examines some of the key
places where everyone should plant their virtual flags.

As KrebsOnSecurity observed back in 2018, many people -- particularly older
folks -- proudly declare they avoid using the Web to manage various accounts
tied to their personal and financial data -- including everything from
utilities and mobile phones to retirement benefits and online banking
services. From that story:

``The reasoning behind this strategy is as simple as it is alluring: What's
not put online can't be hacked.
But increasingly, adherents to this mantra are finding out the hard way that
if you don't plant your flag online, fraudsters and identity thieves may do
it for you.''

``The crux of the problem is that while most types of customer accounts
these days can be managed online, the process of tying one's account number
to a specific email address and/or mobile device typically involves
supplying personal data that can easily be found or purchased online -- such
as Social Security numbers, birthdays and addresses.''

In short, although you may not be required to create online accounts to
manage your affairs at your ISP, the U.S. Postal Service, the credit bureaus
or the Social Security Administration, it's a good idea to do so for several
reasons.

Most importantly, the majority of the entities I'll discuss here allow just
one registrant per person/customer. Thus, even if you have no intention of
using that account, establishing one will be far easier than trying to
dislodge an impostor who gets there first using your identity data and an
email address they control.

Also, the cost of planting your flag is virtually nil apart from your
investment of time. In contrast, failing to plant one's flag can allow
ne'er-do-wells to create a great deal of mischief for you, whether it be
misdirecting your service or benefits elsewhere, or canceling them
altogether.

Before we dive into the list, a couple of important caveats. Adding
multi-factor authentication (MFA) at these various providers (where
available) and/or establishing a customer-specific personal identification
number (PIN) also can help secure online access.

For those who can't be convinced to use a password manager, even writing
down all of the account details and passwords on a slip of paper can be
helpful, provided the document is secured in a safe place. [...]
https://krebsonsecurity.com/2020/08/why-where-you-should-you-plant-your-flag/

------------------------------

Date: Fri, 14 Aug 2020 12:11:57 -0700
From: Lauren Weinstein
Subject: Postal Service warns 46 states their voters could be disenfranchised by delayed mail-in ballots

[as desired by Trump]

https://www.washingtonpost.com/local/md-politics/usps-states-delayed-mail-in-ballots/2020/08/14/64bf3c3c-dcc7-11ea-8051-d5f887d73381_story.html?utm_campaign=wp_main&utm_source=twitter&utm_medium=social

------------------------------

Date: Thu, 13 Aug 2020 19:36:49 -0400
From: Gabe Goldberg
Subject: Mailer To DC Voters Prompts Widespread Confusion (DCist)

A mailer from the DC Board of Elections was supposed to help registered voters confirm that their address was correct. Instead, it has prompted confusion over how exactly voters can notify the board that their address has changed or that a person listed at their address no longer lives there. And that could raise additional concerns ahead of the city's plan to mail every registered voter -- there are more than 460,000 of them on file -- a ballot ahead of November's election.

The mailer started hitting mailboxes across D.C. in recent days, and seemed straightforward enough. People who received it at the address where they live did not need to take further action -- that's where the ballot will be sent in the coming weeks. But it was flummoxing for people who need to update their address (if, for instance, they want the ballot forwarded elsewhere, or would be moving in the coming weeks) or want to let the elections board know the mailer was sent to someone who once lived at the address but is no longer there.

The instructions prompt voters to fill out one half of the mailer, detach it from the other half, and send it back to the elections board. But some voters started noticing that in so doing, they'd be sending the board the part of the mailer that has no information identifying who it was sent to to begin with.
That's because that information -- the recipient's name, address and a unique barcode -- is on the half of the mailer that isn't supposed to be sent back in.

...

``Terrible design by [the D.C. Board of Elections] that is going to cause a lot of problems. Do they not test/review these?'' tweeted Southwest D.C. resident Stacy Cloyd.

Rachel Coll, a spokeswoman for the elections board, said in an email that the problem was a ``design flaw'' from an outside vendor that produced the mailers. She said the board had already gotten at least 100 of the mailers back from voters with no issues, but the board was forced to tweet out new instructions on Wednesday.

...

This isn't the first time the elections board has had issues with official documents it has mailed to voters. Earlier this year, the board sent new voter registration cards to more than 25,000 voters with the wrong primary date listed on them. In 2018, it failed to notify absentee voters that they had to include postage on their envelopes to send ballots back in. And in a particularly infamous error in 2014, the board sent out hundreds of thousands of official voter guides with an upside-down D.C. flag -- commonly known as a sign of distress -- on the cover.

https://dcist.com/story/20/08/13/dc-elections-board-mailer-confusion/

------------------------------

Date: Sat, 8 Aug 2020 10:00:38 -0700
From: Lauren Weinstein
Subject: Trump's lapdog Postmaster General wants to more than double costs for states to mail ballots to voters! Crooked through and through.

https://lawandcrime.com/opinion/if-trumps-postmaster-general-raises-mail-in-ballot-stamp-price-that-could-be-an-unconstitutional-poll-tax/

------------------------------

Date: Sat, 8 Aug 2020 23:24:37 -0600
From: "Matthew Kruk"
Subject: Unwanted Truths: Inside Trump's Battles With U.S. Intelligence Agencies (NYTimes)

Last year, intelligence officials gathered to write a classified report on Russia's interest in the 2020 election.
An investigation from the magazine uncovered what happened next.

https://www.nytimes.com/2020/08/08/magazine/us-russia-intelligence.html?action=click&module=Top%20Stories&pgtype=Homepage

------------------------------

Date: Sun, 9 Aug 2020 19:00:12 -0400
From: Monty Solomon
Subject: The quest to liberate $300,000 of bitcoin from an old ZIP file (Ars Technica)

A few quintillion possible decryption keys stand between a man and his cryptocurrency.

In October, Michael Stay got a weird message on LinkedIn. A total stranger had lost access to his bitcoin private keys -- and wanted Stay's help getting his $300,000 back.

https://arstechnica.com/information-technology/2020/08/the-quest-to-liberate-300000-of-bitcoin-from-an-old-zip-file/
https://www.wired.com/story/quest-to-liberate-bitcoin-from-old-zip-file/

------------------------------

Date: Sun, 9 Aug 2020 10:50:07 PDT
From: "Peter G. Neumann"
Subject: Risk of driving while Black in conjunction with computer risks

[This was submitted by someone who did not want to be identified. PGN]

An automated scanner recorded a vehicle's plate number but the scanner determines neither the issuing state nor the type of vehicle. The plate number was flagged because just the number matched a USA national list of stolen vehicles. Computer risk 1 is a device by design gathering less than the full set of data needed.

In this case the police user of scanner data is allocated the task of checking the further details of the plate, i.e., comparing the state on the theft report *Montana* with the state on the plate of the scanned vehicle *Colorado* and comparing the sort of vehicle on the report *motorcycle* with the vehicle observed *passenger car*. This design assumption is computer risk 2. The manual comparison reportedly did not occur.

The driver said she asked the police to compare her name on her driver licence to her name on the car registration but the police continued to assume that the car was stolen.
Perhaps the usual blind faith in the computer (risk 3).

The woman's children, as young as six years, were in the car and were ordered to lie on the street facedown. Two were handcuffed. The family is black. The risk here is not a computer risk but rather being black while driving.

https://www.denverpost.com/2020/08/04/aurora-police-handcuff-children-video/

Note that the Denver Post newspaper's site does not allow using a private or incognito mode of a browser. It litters the browser with cookies, a file system, database storage, local storage, service workers. It will attempt to sign up the browser for notification spam.

------------------------------

Date: Sun, 9 Aug 2020 15:24:20 -0400
From: Gabe Goldberg
Subject: Why climate change is about to make your bad commute worse (WashPost)

``Everything that is built around you is built with some consideration for how much environmental exposure it's going to be able to tolerate,'' Chester explained. ``When it comes to roads, for example, the American Association of State Highway and Transportation Officials has guidelines that say asphalt should be engineered to withstand the hottest week on record during a certain historical period — say, 1970 and 2000. In Arizona, that might be 115 degrees, and in Chicago, it might be 105 degrees.''

The problem is, thanks to climate change, past is no longer prologue.

``We're not going to shut off CO2 emissions overnight, so the climate is going to continue changing. The question is, by how much and in which direction?'' Chester said. ``Let's say you design a road in Chicago for the hottest week on record, which might be 105 degrees. Well, the hottest week going forward might be 108 degrees, or it could be 120 degrees,'' he said.

Faced with uncertainty, civil engineers can do little but guess. And the wrong guess could be costly.
https://www.washingtonpost.com/local/trafficandcommuting/why-climate-change-is-about-to-make-your-bad-commute-worse/2020/08/08/7ad97ba8-d5b6-11ea-aff6-220dd3a14741_story.html

------------------------------

Date: Fri, 14 Aug 2020 09:35:20 -0700
From: Lauren Weinstein
Subject: Chrome will start hiding most of URLs, but you can opt-out -- AND YOU SHOULD!

Google is moving ahead with what I've long considered to be a poorly-conceived plan to hide most of Chrome browser URLs by default. My original blog posts regarding this issue began two years ago, at:

https://lauren.vortex.com/2018/07/10/chrome-is-hiding-url-details-and-its-confusing-people-already

and you can read those posts to see my discussion of the problems involved with this move. The current situation is summarized in:

Google resumes its attack on the URL bar, hides full addresses on Chrome 86
https://www.androidpolice.com/2020/08/13/google-resumes-its-senseless-attack-on-the-url-bar-hides-full-addresses-on-chrome-canary/#2

The one saving grace is that reportedly (at least for now) a right click menu item will provide an opt-out for this behavior, and I'd urge you to take advantage of that opt-out when these versions of the browser reach you. Unfortunately, the users most at risk from this new default behavior are also probably the most unlikely to ever hear about this opt-out or use it.

------------------------------

Date: Fri, 14 Aug 2020 16:09:31 -0400
From: Monty Solomon
Subject: How romance scams are thriving during quarantine

https://www.theverge.com/21366576/dating-app-scams-romance-women-quarantine-coronavirus-scheme

------------------------------

Date: Sun, 9 Aug 2020 20:27:17 -0400
From: Monty Solomon
Subject: No to Blockchain Credentials of COVID-19 Test Results for Entry to Public Spaces (EFF)

An ill-conceived California bill endorses a blockchain-based system that would turn COVID-19 test results into permanent records that could be used to grant access to public places.
https://www.eff.org/deeplinks/2020/08/no-blockchain-credentials-covid-19-test-results-entry-public-spaces

------------------------------

Date: Sun, 9 Aug 2020 15:21:22 -0400
From: Gabe Goldberg
Subject: Virginia launches contact-tracing app COVIDWISE using Apple, Google technology (WashPost)

``If enough Virginians use this app, we can identify cases early and slow the spread of this virus. We have to continue to fight #COVID19 from every possible angle -- COVIDWISE is another tool we have to protect ourselves, our families, and our communities during this pandemic.''

The reaction:

``Not falling for this one? keep your tracker!'' read one response.

``Why would I willingly give the VDH permission to track who I have spent 15 minutes with?'' read another, using the initials for the Virginia Department of Health.

``No thanks, Hard pass. I value both my privacy and liberty.''

``This is ridiculous,'' read yet another. ``Never gonna happen here.''

...

And yet, people are still refusing to put a slip of cloth over their faces because they'd rather make a political statement than protect the most vulnerable around them. They'd rather immediately dismiss an app as an invasion of their privacy than take a moment to consider that maybe it will help keep some people around them from getting sick or worse.

https://www.washingtonpost.com/local/a-new-app-offers-virginians-the-chance-to-show-the-country-how-to-contain-coronavirus-cases-will-they-blow-it/

------------------------------

Date: Mon, 10 Aug 2020 09:27:06 +0800
From: Richard Stein
Subject: The nuclear mistakes that could have ended civilisation (bbc.com)

https://www.bbc.com/future/article/20200807-the-nuclear-mistakes-that-could-have-ended-civilisation

"From invading animals to a faulty computer chip worth less than a dollar, the alarmingly long list of close calls shows just how easily nuclear war could happen by mistake."
------------------------------

Date: Mon, 10 Aug 2020 18:02:11 -0400
From: Eric Sosman
Subject: Re: Omniviolence Is Coming and the World Isn't Ready (Nautilus)

In RISKS 32.18, Richard Stein quotes Nautilus concerning the possibility of using bomb-carrying drones against populations: "A [mini-quadcopter] can carry a one- or two-gram shaped charge [...] You can drive up I-95 with three trucks and have 10 million weapons attacking New York City."

How much does it cost to acquire, program, and arm ten million drones? Perhaps the RISK here is not so much the damage New York might suffer, but the attackers' likely bankruptcy, plus the dangers inherent in fitting ten million bombs to ten million drones ...

Maybe the lure of technological overkill (sorry) is not really a RISK, but a mitigation? Probably not: Attackers aren't *that* stupid, and will likely seek cheaper and deadlier weapons.

------------------------------

Date: Sun, 9 Aug 2020 13:29:22 +0100
From: A Michael W Bacon
Subject: Re: Blackbaud breach (RISKS-32.18)

Writing about the Blackbaud breach, Gabe Goldberg cites a notification email from "the Freedom Forum and our affiliates, the Newseum and the Freedom Forum Institute". I was amused by this part: 'Blackbaud is the global market leader in not-for-profit software, and their products are commonly used to manage relationships and communications with constituents and donors'; the style of which is (rather predictably) emerging as the excuse: "Don't blame us; they are the 'global market leader' so we didn't bother validating their security."

------------------------------

Date: Sun, 9 Aug 2020 13:30:24 +0100
From: A Michael W Bacon
Subject: Re: City outage (RISKS-32.18)

In 'Cyberattack causes Lafayette, CO city computer outage', Jim Reisert AD1C asks, "Does this mean that the attackers requested too little ransom for the key to unlock the data?"
Maybe one should wonder whether the "kidnappers" are estimating the cost of the disruption and rebuilding, and asking below that figure to encourage payment.

------------------------------

Date: Sun, 9 Aug 2020 13:31:32 +0100
From: A Michael W Bacon
Subject: Re: Beirut explosion (RISKS-32.18)

Although details of the immediate events leading to the detonation of some 2,750 tons of Ammonium Nitrate (AN) are unclear, and might remain so, some facts are established.

The AN was unloaded from a Russian-owned ship the MV Rhosus, following the owner's inability to pay mooring and other fees. Out of Batumi, Georgia, in late September 2013 the Rhosus was loaded with AN and reportedly bound for Beira, Mozambique. The vessel stopped in Athens for some four weeks while the owner sought additional cargo to pay the fee for the Suez Canal. It then detoured to Beirut to pick up one such new cargo, road-making equipment. However, the 27-year old ship was poorly-maintained and the rusting deck hatches began to buckle under the weight of a road-roller. That cargo was then refused loading by the worried captain.

Captain Prokoshev decided to head for Cyprus to sort things out with the owner, Cyprus-based Russian businessman, Igor Grechushkin. But before the MV Rhosus could set sail, the Lebanese authorities intervened and seized it on 4 February 2014, with unpaid bills reportedly totaling 100,000 USD. The aging Rhosus was by now taking on water that had to be bailed out every day.

After a lengthy court process, the remaining crew closed all the compartments, locked them and handed the keys to immigration at the port, and Prokoshev and his colleagues left Beirut in September 2014, one year after the ship's arrival.

Some [as yet unclear] time afterward, with the Rhosus deteriorating further and taking on more water, the authorities unloaded the cargo into a dockside warehouse; the port authorities of Beirut forbade the unloading or reloading of cargo from one vessel to another.
Reportedly, the vessel subsequently sank, but its resting-place is unclear.

Fast forward to 4 August 2020 and the currently revealed facts are that a fire was burning for some time near, on or in the warehouse, some flashes were observed, then there was the detonation. What started the fire remains speculation.

The Lebanese government moved quickly to announce they would find whoever was responsible, but later began to raise the spectre of a deliberate attack by rocket or bomb ... possibly once they realised they were responsible for the AN being stored there.

The ensuing denials of responsibility reminded me inversely (and perversely) of British Nuclear Fuel's claim following the 'Act of God' explosion in the late, great Douglas Adams's book, The Long Dark Teatime of the Soul.

------------------------------

Date: Sat, 8 Aug 2020 13:58:23 +1000
From: 3daygoaty
Subject: Re: Beirut Blast (RISKS-32.18)

Nice back story covering a range of processes and risks that led to the blast. To me it looks like the judiciary failing to grant permission to move the chemical in a timely manner greatly increased the risk.

https://www.bbc.com/news/extra/x2iutcqf1g/beirut-blast

------------------------------

Date: Fri, 7 Aug 2020 21:01:04 -0400
From: Steve Singer
Subject: Re: Tom's Hardware goes dark/side/ (RISKS-32.18)

If one follows Forno's / Farber's link with NoScript enabled on Firefox, the following message appears:

  AD BLOCKER INTERFERENCE DETECTED

  Thank you for visiting this site. Unfortunately we have detected that you might be running custom adblocking scripts or installations that might interfere with the running of the site. We don't mind you running adblocker, but could you please either disable these scripts or alternatively whitelist the site, in order to continue. Thanks for your support!

It's possible to work around this, but not worth the risk or bother to me. My Tom's Hardware bookmark: poof!
------------------------------

Date: Mon, 10 Aug 2020 12:14:46 +0100
From: David Damerell
Subject: Re: When tax prep is free, you may be paying with your privacy. (Drewe, RISKS-32.18)

He omits mentioning that around 2/3 of UK taxpayers never interact with the complications. Of the UK's circa 32 million taxpayers, only around 10 million fill out tax returns. An ordinary employee has tax deducted and sent to HMRC by their employer, and has nothing to do save read their payslips.

Furthermore, those 10 million are disproportionately likely to be wealthy (the criteria for self-assessment include earning over £100,000 per annum); and while legend may say the system here is the most complicated, I'm told by friends fortunate enough to be in that group that they do not find it difficult to fill out their own forms, whereas I understand the process is nightmarish in the US.

Hence I think essentially no-one is being put in the position of being snooped on by "free" tax preparation services because they need a service but cannot afford it.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.19
************************