Subject: Risks Digest 32.26

RISKS-LIST: Risks-Forum Digest  Sunday 13 September 2020  Volume 32 : Issue 26

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Insecure satellite Internet is threatening ship and plane safety (Ars Technica)
The Hubble Space Telescope Still Works Great, Except When It Doesn't (npr.org)
SpaceX's Dark Satellites Are Still Too Bright for Astronomers
  (Scientific American)
Man vs. machine: Pentagon plans 2024 dogfight between human pilot,
  artificial intelligence (WashTimes)
Weakened Encryption: The Threat to America's National Security (Third Way)
Why Do Voting Machines Break on Election Day? (The Markup)
Why human brains are bad at assessing the risks of pandemics (WashPost)
First Pandemic, Now Ransomware: Attack Forces Hartford to Postpone School
  (NYTimes)
Website Crashes and Cyberattacks Welcome Students Back to School (NYTimes)
44 Square Feet: A School-Reopening Detective Story (WiReD)
Creepy Geofence Finds Anyone Who Went Near a Crime Scene (WiReD)
Apple postpones iOS 14 privacy update following Facebook uproar
  (Business Insider)
How Big Oil Misled The Public Into Believing Plastic Would Be Recycled (npr.org)
New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption
  (The Hacker News)
Ericsson spotlights open RAN security risks (MobileWorldLive)
Re: Intel Slips, and a High-Profile Supercomputer Is Delayed (Phil Martel)
Re: Humans Take a Step Closer to Flying Car (Amos Shapir)
Re: Leap-seconds (John Stockton)
Re: Happy National Poll Worker Recruitment Day (Richard A. DeMattia)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 8 Sep 2020 15:33:22 -1000
From: geoff goodfellow
Subject: Insecure satellite Internet is threatening ship and plane safety
  (Ars Technica)

Attacks that worked 10 years ago have only gotten worse despite growing use.

More than a decade has passed since researchers demonstrated serious privacy
and security holes in satellite-based Internet services. The weaknesses
allowed attackers to snoop on and sometimes tamper with data received by
millions of users thousands of miles away. You might expect that in 2020 --
as satellite Internet has grown more popular -- providers would have fixed
those shortcomings, but you'd be wrong.

In a briefing delivered on Wednesday at the Black Hat security conference
online, researcher and Oxford PhD candidate James Pavur presented findings
that show that satellite-based Internet is putting millions of people at
risk, despite providers adopting new technologies that are supposed to be
more advanced.

Over the course of several years, he has used his vantage point in mainland
Europe to intercept the signals of 18 satellites beaming Internet data to
people, ships, and planes in a 100 million-square-kilometer swath that
stretches from the United States, Caribbean, China, and India. What he found
is concerning. A small sampling of the things he observed include:

- A Chinese airliner receiving unencrypted navigational information and
  potentially avionics data. Equally worrisome, that data came from the same
  connection passengers used to send email and browse webpages, raising the
  possibility of hacks from passengers.
- A system administrator logging in to a wind turbine in southern France,
  some 600 kilometers away from Pavur, and in the process exposing a session
  cookie used for authentication.
- The interception of communications from an Egyptian oil tanker reporting a
  malfunctioning alternator as the vessel entered a port in Tunisia. Not only
  did the transmission allow Pavur to know the ship would be out of
  commission for a month or more, he also obtained the name and passport
  number of the engineer set to fix the problem.
- A cruise ship broadcasting sensitive information about its Windows-based
  local area network, including the log-in information stored in the
  Lightweight Directory Access Protocol database.
- Email a lawyer in Spain sent a client about an upcoming case.
- The account reset password for accessing the network of a Greek
  billionaire's yacht.

Hacking satellite communications at scale. [...]

https://arstechnica.com/information-technology/2020/08/insecure-satellite-internet-is-threatening-ship-and-plane-safety/

------------------------------

Date: Tue, 8 Sep 2020 11:07:11 +0800
From: Richard Stein
Subject: The Hubble Space Telescope Still Works Great, Except When It Doesn't
  (npr.org)

https://www.npr.org/2020/09/07/909199421/the-hubble-space-telescope-still-works-great-except-when-it-doesnt

"This is an aging telescope, after all. Back in 2018, when a gyroscope on
Hubble failed, researchers activated one of its on-board spares -- the
so-called gyroscope 3. It's been glitchy from the get-go."

A flaky gyroscope causes the Hubble's aim to wander -- non-deterministic axial
guidance disables reliable observation. Astronomers are forced to roll dice.

The Ace Satellite Repair Company closed in MAY2009. Doubtful a robotic repair
attempt would be funded. Unknown if there are available standby gyroscopes
on-board to replace the bad actor. Hubble's cupboard may be "empty down to
the cat" on that resource.

------------------------------

Date: Fri, 11 Sep 2020 10:16:36 +0800
From: Richard Stein
Subject: SpaceX's Dark Satellites Are Still Too Bright for Astronomers
  (Scientific American)

https://www.scientificamerican.com/article/spacexs-dark-satellites-are-still-too-bright-for-astronomers/

"These results show that DarkSat is essentially a dead end, says Jonathan
McDowell, a researcher at the Center for Astrophysics at Harvard University
and the Smithsonian Institution, who has run computer simulations of
megaconstellation effects on astronomical observations. Nevertheless, he
says, the investigation by Tregloan-Reed's team is an important step. 'This
study is notable as one of the first significant observational studies of a
Starlink satellite, something that the community is now organizing to do on
a much bigger scale,' McDowell adds. He cautions that if the satellites
continue to be launched without a fix, 'the impact would be huge.'"

Prior comp.risks submissions on Starlink and satellite megaconstellations
impact on astronomical observations:

1) https://catless.ncl.ac.uk/Risks/31/28#subj1.1
2) https://catless.ncl.ac.uk/Risks/31/51#subj4.1
3) https://catless.ncl.ac.uk/Risks/31/57#subj18.1

------------------------------

Date: Thu, 10 Sep 2020 16:03:14 -1000
From: geoff goodfellow
Subject: Man vs. machine: Pentagon plans 2024 dogfight between human pilot,
  artificial intelligence (WashTimes)

AI programs have bested human pilots so far in flight simulations

The Pentagon is planning a 2024 showdown between an F-16 piloted by a human
and one controlled by artificial intelligence, a man versus machine matchup
that military officials believe could represent a key turning point in
technological development.

Defense Secretary Mark Esper announced the 2024 contest during a speech on AI
development Wednesday at the Pentagon. The Defense Advanced Research Projects
Agency, or DARPA, already has held numerous combat simulations between human
pilots and machines. In the most recent round, officials said the
AI-controlled system easily defeated the human. [...]

https://www.washingtontimes.com/news/2020/sep/10/pentagon-2024-fight-pilot-artificial-intelligence/

------------------------------

Date: Thu, 10 Sep 2020 10:03:55 PDT
From: "Peter G. Neumann"
Subject: Weakened Encryption: The Threat to America's National Security
  (Third Way)

https://www.thirdway.org/report/weakened-encryption-the-threat-to-americas-national-security

------------------------------

Date: Fri, 11 Sep 2020 16:57:13 +0000
From: "Fleming, Cody [M E]"
Subject: Why Do Voting Machines Break on Election Day? (The Markup)

https://themarkup.org/ask-the-markup/2020/09/10/broken-voting-machines-election-day

I guess one problem is figuring out just how many risks there are now with
respect to elections. Too many to count?

------------------------------

Date: Sun, 13 Sep 2020 00:18:31 -0400
From: Gabe Goldberg
Subject: Why human brains are bad at assessing the risks of pandemics
  (WashPost)

https://www.washingtonpost.com/lifestyle/magazine/why-human-brains-are-bad-at-assessing-the-risks-of-pandemics/2020/09/03/7395321c-dd9d-11ea-b205-ff838e15a9a6_story.html

Cause or effect, beliefs are tribal.

------------------------------

Date: Tue, 8 Sep 2020 17:48:50 -0400
From: Jan Wolitzky
Subject: First Pandemic, Now Ransomware: Attack Forces Hartford to Postpone
  School (NYTimes)

https://www.nytimes.com/2020/09/08/nyregion/hartford-schools-ransomware.html

------------------------------

Date: Tue, 8 Sep 2020 20:29:24 -0400
From: Monty Solomon
Subject: Website Crashes and Cyberattacks Welcome Students Back to School
  (NYTimes)

With many districts across the country opting for online learning, a range of
technical issues marred the first day of classes.

https://www.nytimes.com/2020/09/08/us/school-districts-cyberattacks-glitches.html

------------------------------

Date: Sat, 12 Sep 2020 22:30:07 -0400
From: Gabe Goldberg
Subject: 44 Square Feet: A School-Reopening Detective Story (WiReD)

Author writes: Schools -- but not public health officials -- across the US
are making it a rule: Every student needs to have 44 sq. ft. of space. I
tried to find out why. [...]

Two days later I was on the phone with Mary Filardo, executive director of
the NCSF, a nonprofit that supports K-12 school facilities officials in more
than 25 states. I walked her through the mystery at hand -- the school plan,
the consultant, the Education Week guide, and, finally, the diagram credit
pointing back to her. My knee was bouncing, fingers at the ready at my
keyboard for transcription. At last, the enigma would be no more.

But before I could even finish asking the question, she interrupted in a
tone that was equal parts alarm, annoyance, and puzzlement. ``That's way
off!'' she cried. ``No wonder you're confused.''

After we hung up, I placed what seemed to be the final pin on my crazy wall:
My school district had gotten the all-important number 44 from a consultant
who'd found it in an /Education Week/ article that had somehow bungled the
advice from an educational nonprofit.

But there was still another layer below. It wasn't clear, from talking to
Filardo, how the NCSF came up with 44 square feet as the lower-bound
approximation. The depth of my rabbit hole was approaching the Earth's
mantle. I could feel the heat of magma burbling just beyond.

https://www.wired.com/story/44-square-feet-a-school-reopening-detective-story/

...thus transmuting questionable assumptions and math into nonsense.

------------------------------

Date: Tue, 8 Sep 2020 00:37:43 -0400
From: Gabe Goldberg
Subject: Creepy Geofence Finds Anyone Who Went Near a Crime Scene (WiReD)

Police increasingly ask Google and other tech firms for data about who was
where, when. Two judges ruled the investigative tool invalid in a Chicago
case.

https://www.wired.com/story/creepy-geofence-finds-anyone-near-crime-scene/

------------------------------

Date: Wed, 9 Sep 2020 13:52:28 -0400
From: Gabe Goldberg
Subject: Apple postpones iOS 14 privacy update following Facebook uproar
  (Business Insider)

Apple is giving developers some breathing space to get ready for an update
to iOS 14 that will let users opt out of being tracked for advertising
purposes.

The update was supposed to be released as part of iOS 14, which is expected
to roll out this month. In a statement on Thursday, however, Apple said it
was delaying this particular part of the update until 2021.

"We want to give developers the time they need to make the necessary
changes, and as a result, the requirement to use this tracking permission
will go into effect early next year," Apple said in a blog post on Thursday.

When Apple announced the privacy update, it drew the rancor of developers
who said it could wreak havoc on their ad-revenue streams. Facebook said the
update could slash revenues from its Audience Network by up to 50%. The
company added that the change might even lead it to stop developing its
Audience Network for iOS altogether.

https://www.businessinsider.com/apple-ios-14-update-postponed-14-2020-9

What a shame that wouldn't be -- hurting Facebook revenue in the interest of
privacy.

------------------------------

From: Richard Stein
Date: Sat, 12 Sep 2020 10:49:40 +0800
Subject: How Big Oil Misled The Public Into Believing Plastic Would Be
  Recycled (npr.org)

[Not computer-related; an environmental life cycle issue impacting Earth's
ecosystem.]

https://www.npr.org/2020/09/11/897692090/how-big-oil-misled-the-public-into-believing-plastic-would-be-recycled

"We found that the industry sold the public on an idea it knew wouldn't work
-- that the majority of plastic could be, and would be, recycled -- all while
making billions of dollars selling the world new plastic."

Epidemic plastic pollution threatens the environment, food chain and public
health. A serious global problem in search of an urgent, effective solution.

How to proactively mitigate pervasive plastic pollution? Let nature take its
course? Earthworms or bacteria partially digest certain plastics. Does this
effluent enhance the environment and diminish the pollution risk?

Would a master settlement agreement compel industry to act on a clean up?
Recall the Tobacco MSA
https://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agreement to
compensate US States for medical expenses. An agreement of this scope would
likely motivate an industrial regulatory arbitrage exercise -- shift
operations to a lower-cost jurisdiction, and export products.

https://en.wikipedia.org/wiki/Plastic_pollution#Effects_on_humans identifies
plastic pollution impact on human thyroid and reproductive hormones from BPA
(bisphenol A). See https://catless.ncl.ac.uk/Risks/31/08#subj22 by Goodfellow.

Risk: Groupthink. Carbon-extraction industrial interests conspire to
misinform regulatory oversight and political leadership about product risk.
Again.

------------------------------

Date: Thu, 10 Sep 2020 15:57:43 -1000
From: geoff goodfellow
Subject: New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption
  (The Hacker News)

A group of researchers has detailed a new timing vulnerability in the
Transport Layer Security (TLS) protocol that could potentially allow an
attacker to break the encryption and read sensitive communication under
specific conditions.

Dubbed "Raccoon Attack," the server-side attack exploits a side-channel in
the cryptographic protocol (versions 1.2 and lower) to extract the shared
secret key used for secure communications between two parties.

"The root cause for this side channel is that the TLS standard encourages
non-constant-time processing of the DH secret," the researchers explained in
a paper detailing their findings. "If the server reuses ephemeral keys, this
side channel may allow an attacker to recover the premaster secret by solving
an instance of the Hidden Number Problem."

However, the academics stated that the vulnerability is hard to exploit and
relies on very precise timing measurements and on a specific server
configuration to be exploitable.

A Timing Attack to Leak Secret Keys [...]

https://thehackernews.com/2020/09/raccoon-ssl-tls-encryption.html

------------------------------

Date: Fri, 11 Sep 2020 08:21:22 -1000
From: geoff goodfellow
Subject: Ericsson spotlights open RAN security risks (MobileWorldLive)

Ericsson dampened open RAN enthusiasm, arguing more work needs to be done to
address key security risks associated with the technology.

In a blog, head of security for network product solutions Jason Boswell
highlighted several areas of vulnerability, including new and expanded risks
from the use of fresh interfaces and third-party network applications.

Added security measures are also needed to address new threats presented by
the decoupling of hardware and software functions, and vendors should
carefully scrutinise open source code they plan to use, he said.

Boswell stressed ``security cannot be an afterthought,'' advocating the
importance of a risk-based approach. [...]

https://www.mobileworldlive.com/featured-content/top-three/ericsson-spotlights-open-ran-security-risks

------------------------------

Date: Mon, 7 Sep 2020 22:15:06 -0400
From: Phil Martel
Subject: Re: Intel Slips, and a High-Profile Supercomputer Is Delayed
  (Stein, RISKS-32.25)

> The exascale computer: 1E9 GFLOP == 10^15 FLOPs, or 1 exaFLOP (1 EFLOP?),
> double-precision FLOPS @ 64-bit per IEEE-754-2008.

Of course, 1E9 GFLOP = 1E18 FLOP

  [Also noted by Eric Sosman, who seems to be about three orders of magnitude
  off. FLOP inflation, maybe? Or G deflation? Or exa-sensory deception? ES]

------------------------------

Date: Fri, 11 Sep 2020 13:23:47 +0300
From: Amos Shapir
Subject: Re: Humans Take a Step Closer to Flying Car (RISKS-32.25)

Flying cars have appeared in almost all future technology predictions since
the early 20th century; yet despite many other predictions since then having
materialized, flying cars never actually took off (excuse the pun).

The reason for that becomes evident when one considers what an actual flying
car could be used for: the only benefit is not having to switch vehicles when
reaching an airport -- and even that is greatly diminished by some flying car
models which require configuration changes at the airport, or VTOL models
which do not require driving to an airport anyway.

OTOH, a flying car would always have to lug around a lot of unused hardware,
whether traveling on a road or flying; it could never become as efficient as
a single-purpose car nor as an airplane.

------------------------------

Date: Tue, 8 Sep 2020 14:10:43 +0100
From: John Stockton
Subject: Re: Leap-seconds (Ross, RISKS-32.25)

> "Leap-seconds are announced about 30 days in advance."

My observations indicate that the announcement is normally over 5.5 months in
advance, not 30 days. For example, see the current issue of Bulletin C at
https://hpiers.obspm.fr/eoppc/bul/bulc/bulletinc.dat.

Terje Mathisen, following, wrote "The 0200--0300 change is pretty much
standard everywhere that uses daylight savings adjustments."

The EU rules, which apply also in other nearby Western European countries,
are that all the clocks should be altered simultaneously at 01:00 UTC on the
chosen Sundays, Brussels Time, whatever the local time might be.

My present understanding is that in the USA the clocks are altered, one way
or the other, on reaching 02:00 local time.

Canadian provinces in the past have altered their clocks at varied times of
day; I don't know whether that is still the case.

In Lord Howe Island, the clocks are altered by only half an hour - Wikipedia,
and https://www.timeanddate.com/time/zone/australia/lord-howe-island .

------------------------------

Date: Mon, 7 Sep 2020 17:28:26 -0400
From: "Richard A. DeMattia"
Subject: Re: Happy National Poll Worker Recruitment Day (RISKS-32.25)

Poll worker recruitment might be a bit more effective if half-day shifts
were permitted, unlike in Ohio where the work shift is from before 6am to
probably 8pm or later, and no partial-shift volunteers accepted.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.26
************************
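Appendix to the Raccoon item in this issue (an added example, not part of the digest, The Hacker News article or the Raccoon paper). It shows the concrete rule behind "non-constant-time processing of the DH secret": TLS 1.2 (RFC 5246 s8.1.2) strips leading zero bytes from the DH shared secret before it becomes the PRF's HMAC key, so the SHA-256 work spent on that key depends on the secret, whereas a fixed-width encoding of the kind TLS 1.3 uses does not. The random integers standing in for DH outputs are constructed; no real group arithmetic is performed.

```python
# Added example: TLS 1.2 DH premaster handling (RFC 5246 s8.1.2 strips leading
# zero bytes of Z before Z becomes the PRF's HMAC key) versus the fixed-width
# encoding TLS 1.3 uses (RFC 8446 s7.4.1). Secrets here are constructed random
# integers standing in for g^(ab) mod p, not output of a real DH exchange.
import secrets

SHA256_BLOCK = 64  # HMAC block size for SHA-256, in bytes


def tls12_premaster(z: int, modulus_bits: int) -> bytes:
    """RFC 5246: Z as big-endian bytes with leading zero bytes removed."""
    if z <= 0:
        raise ValueError("shared secret must be positive")
    return z.to_bytes((modulus_bits + 7) // 8, "big").lstrip(b"\x00")


def fixed_width_premaster(z: int, modulus_bits: int) -> bytes:
    """TLS 1.3 style: Z always occupies the full modulus width."""
    if z <= 0:
        raise ValueError("shared secret must be positive")
    return z.to_bytes((modulus_bits + 7) // 8, "big")


def hmac_key_compressions(key: bytes) -> int:
    """SHA-256 compression calls HMAC (RFC 2104) spends pre-hashing a key longer
    than one block: ceil((len + 9) / 64) for payload, 0x80 and 8-byte length.
    Keys of at most 64 bytes are only zero-padded, so they cost nothing here."""
    if len(key) <= SHA256_BLOCK:
        return 0
    return (len(key) + 9 + SHA256_BLOCK - 1) // SHA256_BLOCK


def prf_key_work(z: int, modulus_bits: int, strip: bool = True) -> int:
    """Compression count for one secret; with strip=True its variation across
    secrets is the length-dependent work the Raccoon timing measurements target."""
    enc = tls12_premaster if strip else fixed_width_premaster
    return hmac_key_compressions(enc(z, modulus_bits))


def leaky_boundary(modulus_bits: int) -> int:
    """Fewest stripped leading zero bytes that lower the compression count for
    this modulus size. A random Z strips n bytes with probability ~256**-n, so
    a boundary of 1 is the worst case for a group."""
    width = (modulus_bits + 7) // 8
    full = hmac_key_compressions(b"\xff" * width)
    for n in range(1, width):
        if hmac_key_compressions(b"\xff" * (width - n)) < full:
            return n
    return width  # key fits in one block: no length-dependent hashing at all


def simulate(modulus_bits: int, trials: int) -> dict:
    """Count secrets whose encoded PRF key is shorter than the modulus width."""
    width = (modulus_bits + 7) // 8
    shorter = {"tls12": 0, "fixed_width": 0}
    for _ in range(trials):
        z = secrets.randbelow(1 << modulus_bits) or 1  # constructed stand-in for Z
        shorter["tls12"] += len(tls12_premaster(z, modulus_bits)) < width
        shorter["fixed_width"] += len(fixed_width_premaster(z, modulus_bits)) < width
    return shorter


if __name__ == "__main__":
    for bits in (960, 1024, 2048):
        print(f"{bits}-bit group: work drops after stripping {leaky_boundary(bits)} "
              f"zero byte(s); shorter-than-width counts: {simulate(bits, 20000)}")
```

The fixed-width column of the simulation stays at zero, which is the property a constant-time implementation needs; the article's other precondition, server reuse of ephemeral DH keys, is what gives a measurer repeated samples of the same secret, so single-use ephemeral keys remove that too.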