Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit precedence: bulk Subject: Risks Digest 32.69 RISKS-LIST: Risks-Forum Digest Sunday 30 May 2021 Volume 32 : Issue 69 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at as The current issue can also be found at Contents: U.S. nuclear weapon secrets revealed in cloud flash-card apps (Bellingcat) U.S. nuclear weapon bunker security secrets spill from online (The Register via Tom Van Vleck) Surviving an in-flight anomaly: what happened on Ingenuity's sixth flight (NASA) "Rule of 48" redux concerning airborne spread of pathogens, a reminder with wide applicability to all research (WiReD) A Never-Before-Seen Wiper Malware Is Hitting Israeli Targets (WiReD) Secret Chats Show How Cybergang Became a Ransomware Powerhouse (NYTimes) Why GitHub Refuses to Provide Key Evidence to a Man on Death Row (Gizmodo) Several Organizations Protest Facebook, Sign Public Complaints Against Platform (Broadband Breakfast) An FTC Lawsuit Says Frontier Lied About Internet Speeds (WiReD) Scatalogical appliances (Medicalxpress.com) A new replication crisis: Research that is less likely to be true is cited more (phys.org) "Hobbit" house renamed due to lawsuit threat (Rob Slade) Florida governor signs law to block *deplatforming* of Florida politicians (The Verge) D.C. Attorney General Karl A. Racine brings antitrust lawsuit against Amazon (The Washington Post) Microsoft Tips Generational Update for Windows 10 (PCMag) NFTs and tokenization: How crypto could help regular people become real-estate tycoons (Fortune) Security of the IMPs (Bernie Cosell) SolarWinds hackers are back with a new mass campaign, Microsoft says (NYTimes) Canada Post says 950,000 customers exposed in data breach (CBC) A New Line of Attack that Evades Spectre Defenses (WiReD) As Congress Dithers, States Step In to Set Rules for the Internet (NYTimes) Colonial Pipeline accused of negligence in proposed class action (Bloomberg Law) Truth, Lies, and Automation (Georgetown) That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix (The Register) For First Time, Microsoft Integrating GPT-3 Into Its Software (EnterpriseAI) Caltech Prof Helps Solve Hindenburg Disaster (NOVA via Henry Baker) Re: Just 12 People Are Behind Most Vaccine Hoaxes On Social Media (Toebs Douglass) Sharing lock-picking information on RISKS (Jay Libove) NoScript is immoral? (Martin Ward) Re: freemium for all, was A mom panicked (John Levine) June 2021 CACM Inside Risks column and video (David Roman) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sat, 29 May 2021 15:04:54 -0700 From: Rob Wilcox Subject: U.S. nuclear weapon secrets revealed in cloud flash-card apps (Bellingcat) Flash cards are a common memorization tool. They can be simply written on pieces of paper and easily be carried for use in spare moments. Military personnel in Europe used public flash-card apps to memorize exact locations, previously secret, and the precise security details to keep those nuclear weapons from unintended use. The data uncovered by reporters spanned 2013 to the present. When NATO was asked to comment, the data was taken down. Let's hope the archives too! There is a good argument that human foibles make us unsuitable for tools too powerful. Full report via the Bellingcat investigative journalist group at https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/ ------------------------------ Date: Sat, 29 May 2021 10:39:55 -0400 From: Tom Van Vleck Subject: U.S. nuclear weapon bunker security secrets spill from online flashcards since 2013 (The Register) https://www.theregister.com/2021/05/28/flashcards_military_nuclear/ Seems like this problem is the result of people not understanding simple consequences. Either they didn't know some facts, or they didn't draw logical conclusions. Some things the missile workers should have been told: - Phones and servers holding classified data must be approved for storing such data. - Your cellphone is not secure. the flashcard servers are not secure. - Even if it says 'secure' on the box, that doesn't make it secure. The Three Questions apply. - Have we made this error anywhere else? - If we make a simple fix, what problem will we encounter next? - How can we make this kind of problem impossible? ACM SIGSOFT Software Engineering Notes, vol 14 no 5 July 1989, pp 62-63 (https://multicians.org/thvv/threeq.html, has cartoon also) ------------------------------ Date: Sat, 29 May 2021 10:57:31 -0400 From: Monty Solomon Subject: Surviving an in-flight anomaly: what happened on Ingenuity's sixth flight (NASA) https://mars.nasa.gov/technology/helicopter/status/305/surviving-an-in-flight-anomaly-what-happened-on-ingenuitys-sixth-flight/ ------------------------------ Date: Sat, 29 May 2021 07:54:01 -0400 From: Bob Gezelter Subject: "Rule of 48" redux concerning airborne spread of pathogens, a reminder with wide applicability to all research The "Rule of 48" mentioned in Michael Crichton's "Andromeda Strain" is a more general phenomenon affecting all fields of research. The "Rule of 48" refers to a 1936 citation reporting the number of human chromosomes as 48. Decades later, the original microscope photographs were examined, and the count was confirmed as 46. Wired published "The 60-Year-Old Scientific Screwup That Helped Covid Kill", describing recent research into the airborne spread of virus particles, including SARS-CoV-2/COVID-19. The article documents how a questionable number became embedded in the medical and public health communities. An interesting read, applicable to many areas other than medicine and public health. https://www.wired.com/story/the-teeny-tiny-scientific-screwup-that-helped-covid-kill/ ------------------------------ Date: Fri, 28 May 2021 14:52:24 -0400 From: Gabe Goldberg Subject: A Never-Before-Seen Wiper Malware Is Hitting Israeli Targets (WiReD) The malicious code, which masquerades as ransomware, appears to come from a hacking group with ties to Iran. https://www.wired.com/story/never-before-seen-wiper-malware-hitting-israeli-targets/ ------------------------------ Date: Sun, 30 May 2021 13:43:34 -0600 From: "Matthew Kruk" Subject: Secret Chats Show How Cybergang Became a Ransomware Powerhouse (NYTimes) https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html As the ransomware industry exploded, a Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support. We got an inside look. ------------------------------ Date: Fri, 28 May 2021 14:26:28 -0400 From: Gabe Goldberg Subject: Why GitHub Refuses to Provide Key Evidence to a Man on Death Row (Gizmodo) As a result of the law enforcement exception, Facebook alone honors hundreds of thousands of government requests for user data annually -- roughly 296,000 in 2020. Meanwhile, social media companies have spent years fending off defendants' court-approved subpoenas, even when they're aware that the consequence could be a death sentence. In 2019, a Superior Court judge who approved one such subpoena in a murder trial excoriated the companies. Facebook and Twitter appear to be misusing their immense resources to manipulate the judicial system in a manner that deprives two indigent young men facing life sentences of their constitutional right to defend themselves at trial, Judge Charles Crompton wrote. Facebook and Twitter have made it clear that they are unwilling to alter their behavior, regardless of the harm to others -- or the rulings of this court.'' Crompton found them in contempt of court for disobeying a lawful order, and the companies simply ate the maximum $1,000 fines, a penalty that was likely cheaper than paying their lawyers to do another hour of work. If the Supreme Court decides to hear the case and rules in Colone's favor, it could stand to not only potentially save Colone's life but spare countless underprivileged people years of unjust incarceration. https://gizmodo.com/a-death-row-inmate-has-waited-years-for-github-to-provi-1846976389 ------------------------------ Date: Thu, 27 May 2021 15:17:17 -0400 From: Gabe Goldberg Subject: Several Organizations Protest Facebook, Sign Public Complaints Against Platform (Broadband Breakfast) Organizations signed a formal list of 70 public complaints against the social media giant. May 26, 2021 -- ``Representatives from a coalition of organizations gathered outside Facebook's lobbying headquarters in Washington, D.C. Tuesday to protest the company's alleged abuse of the American people and announce a formal list of 70 public complaints against the social media platform. Robert Weissman, president of the consumer rights advocacy group and think tank Public Citizen, accused Facebook of political indifference and subverting democracy, saying ``the American people and people of the world will no longer tolerate Facebook's abuses. This is a company out of control. It is literally out of the control of our democracy.'' The organizations present hold Facebook responsible for the alleged spreading of misinformation that influences elections, limiting users' access to competing ideas, and wielding unjust amounts of political power. With the support of the agreeing organizations present, Weissman expressed a lack of confidence in Facebook's ability to manage itself, claiming its leaders had given up control to algorithms the company leaders didn't understand. They called on the government to regulate the industry, break up the company, and hold its executives legally accountable for the damages done against the world. https://broadbandbreakfast.com/2021/05/several-organizations-protest-facebook-sign-public-complaints-against-platform/ ------------------------------ Date: Sun, 23 May 2021 14:56:55 -0400 From: Gabe Goldberg Subject: An FTC Lawsuit Says Frontier Lied About Internet Speeds (WiReD) https://www.wired.com/story/ftc-lawsuit-says-frontier-lied-about-internet-speeds/ I'm shocked that an ISP would lie about such an important matter. ------------------------------ Date: Mon, 24 May 2021 10:24:03 +0800 From: Richard Stein Subject: Scatalogical appliances (Medicalxpress.com) https://medicalxpress.com/news/2021-05-smart-toilet-stool-health-problems.html "An artificial intelligence tool under development at Duke University can be added to the standard toilet to help analyze patients' stool and give gastroenterologists the information they need to provide appropriate treatment, according to research that was selected for presentation at Digestive Disease Week (DDW) 2021. The new technology could assist in managing chronic gastrointestinal issues such as inflammatory bowel disease (IBD) and irritable bowel syndrome (IBS)." This gizmo uses images to decide. Would an olfactory cross-reference elevate diagnostic efficacy? Risk: False negative/positive detection [Don't be bow(e)led over by this item. It's just another questionable application for the Internet-of-Stinks. Risks? just more potential disruptive features of improperly protected online access. PGN] ------------------------------ Date: Mon, 24 May 2021 10:32:58 +0800 From: Richard Stein Subject: A new replication crisis: Research that is less likely to be true is cited more (phys.org) https://phys.org/news/2021-05-replication-crisis-true-cited.html Non-reproducible publications that are not retracted can be weaponized via social media, and are used to promote falsehoods that jeopardize public health and promote incivility. "The influence of an inaccurate paper published in a prestigious journal can have repercussions for decades. For example, the study Andrew Wakefield published in The Lancet in 1998 turned tens of thousands of parents around the world against the measles, mumps and rubella vaccine because of an implied link between vaccinations and autism. The incorrect findings were retracted by The Lancet 12 years later, but the claims that autism is linked to vaccines continue." ------------------------------ Date: Mon, 24 May 2021 12:13:11 -0700 From: Rob Slade Subject: "Hobbit" house renamed due to lawsuit threat (Rob Slade) Well, I thought Disney was the "Gold Standard" in terms of threatening lawsuits over any possible trademark infringement, but Warner Brothers seems to be trying to make their mark in the field. Warner Brothers, distributor of the Hobbit movie franchise, has threatened a lawsuit over the "Hobbit Mountain Hole" house. the owner, not interested in lawsuits, has renamed it the "Second Breakfast Hideaway." https://vancouversun.com/news/local-news/b-c-hobbit-house-renamed-after-threat-of-lawsuit-from-warner-bros A couple of points: I wonder if Warner is going to go after over the "second breakfast" reference. Also, wouldn't it be the Tolkien estate that would have the real rights to "Hobbit" references? (Actually, you could probably defend the use of the term "hobbit" on the basis of prior art: the word was in use before Tolkien wrote about it ...) ------------------------------ Date: Mon, 24 May 2021 19:20:13 -0400 From: Gabe Goldberg Subject: Florida governor signs law to block *deplatforming* of Florida politicians (The Verge) Skeptics say the law is *clearly unconstitutional* https://www.theverge.com/2021/5/24/22451425/florida-social-media-moderation-facebook-twitter-deplatforming Good luck with that. Maybe deplatform Florida entirely. Or provide a list setting I've long wished for "Set bozo mode" for a subscriber, so bozo sees own posts, thinks they're broadcasting, but nobody else does. ------------------------------ Date: Wed, 26 May 2021 01:11:13 -0400 From: Gabe Goldberg Subject: D.C. Attorney General Karl A. Racine brings antitrust lawsuit against Amazon (The Washington Post) D.C. Attorney General Karl A. Racine on Tuesday brought an antitrust complaint against Amazon, alleging that the e-commerce giant wields monopoly power that has resulted in higher prices for consumers. https://www.washingtonpost.com/technology/2021/05/25/dc-ag-antitrust/ Shocking. ------------------------------ Date: Wed, 26 May 2021 19:33:39 -0400 From: Gabe Goldberg Subject: Microsoft Tips Generational Update for Windows 10 (PCMag) At Build, Microsoft CEO Satya Nadella calls the update the 'next generation of Windows,' and promises to share more details soon. During his keynote at Tuesday's Build developer conference, CEO Satya Nadella teased that major changes are in store for the operating system. ``Soon we will share one of the most significant updates to Windows of the past decade to unlock greater economic opportunity for developers and creators. I've been self-hosting it over the past several months, and I'm incredibly excited about the next generation of Windows.'' [...] Nadella didn't reveal much else, except to tease that the updated OS will benefit software developers everywhere. ``Our promise to you is this: we will create more opportunity for every Windows developer today and welcome every creator who is looking for the most innovative, new, open platform to build and distribute and monetize applications. We look forward to sharing more very soon,'' Nadella said. The comment might be connected to how Redmond is reportedly developing a new version of the Microsoft App Store for Windows 10. According to Windows Central, the company is refreshing the store with a new interface while also relaxing the rules on how developers can publish apps on the platform. This includes giving developers the option to use any third-party payment solution to charge customers. https://www.pcmag.com/news/microsoft-tips-generational-update-for-windows-10 This is supposed to be good news? As it's aimed to benefit developers? And inflicted on everyone? ------------------------------ Date: Thu, 27 May 2021 15:48:00 -0400 From: Gabe Goldberg Subject: NFTs and tokenization: How crypto could help regular people become real-estate tycoons (Fortune) By using technologies online from the cryptocurrency world, like tokens and blockchains, regular people could participate in real estate transactions that are too unwieldy in the analog world. For example, a hot new idea is using NFTs, or non-fungible tokens -- digital certificates that convey exclusive rights to something. Although NFTs are just starting to be applied to real estate, supporters say they will become standard in the industry. https://fortune.com/2021/05/20/real-estate-crypto-nfts-what-is-an-nft-tokenization-non-fungible-token-houses/ ------------------------------ Date: Fri, 21 May 2021 22:02:15 -0400 From: "Bernie Cosell" Subject: Security of the IMPs A colleague recently asked me how the teletype stuff worked in the old ARPAnet IMP. [Tech short answer: it used a two-layer co-routine. tricky and a bit obscure but small and fast]. How it works was that there were two fake [i.e., internal] hosts in the IMP: one for the tty and one for a simple DDT-like debugger. when the first two IMPs were installed [UCLA & SRI], while the host systems were working on their hardware and software,, the IMP-guys there had the communication- lines up and working right away and knew it was OK because they connected their TTYs to each other and could what-we'd-call-today "DM" each other, so we knew the message machinery, line machinery, routing machinery worked.. and we were just waiting for the hosts to send an external-host-to-external-host message [the TTY and DDT used the *exact* same host machinery/software so we were pretty sure the IMP stuff was OK] And I was horrified what a huge risk that machinery was. I realized [for the first time in 50+ years] how poorly designed that functionality was. In particular , since the DDT used the normal host machinery, ANY host on the network could send commands and probes to ANY IMP [indeed we did that from the NCC on IMP 5 to manage the IMPs]. BUT: ANY host. no protections. At the time, for example, I believe that the MIT ITS system allowed just anyone to [anonymously] access the ARPAnet. All it would've taken is ONE hacker knowing what I knew [damn.. and had implemented] to cause utter chaos [untraceably!!!] on the ARPAnet. E.g., could could every now and then tweak the routing table, or tell an IMP to restart or disable some functionality. In musing about this I was thinking that many of our current woes are due to the fact that ARPAnet was built with not a single thought to security [I can attest our primary/only concern was , really, that it *work*]. that then oozed into the host protocols and so we are, to this day, have to deal with things like SNMP which should have been hardened, if not scrapped, before the network was let loose out from ARPA's thumb. I wonder how the ARPAnet/Internet might have been different if we'd thought about security and making the protocols robust right from the start. ------------------------------ Date: Sat, 29 May 2021 01:44:05 -0400 From: Monty Solomon Subject: SolarWinds hackers are back with a new mass campaign, Microsoft says (NYTimes) Russia Appears to Carry Out Hack Through System Used by U.S. Aid Agency https://www.nytimes.com/2021/05/28/us/politics/russia-hack-usaid.html SolarWinds hackers are back with a new mass campaign, Microsoft says https://arstechnica.com/gadgets/2021/05/microsoft-says-solarwinds-hackers-targeted-us-agencies-in-a-new-campaign/ ------------------------------ Date: Thu, 27 May 2021 20:06:45 -0600 From: "Matthew Kruk" Subject: Canada Post says 950,000 customers exposed in data breach (CBC) https://www.cbc.ca/news/business/canada-post-breach-1.6042602 Canada's national mail carrier says a malware attack on one of its suppliers has impacted 44 of its biggest corporate customers across the country, and potentially up to nearly one million people. Canada Post said in a statement Wednesday that one of its suppliers, Commport Communications, had its systems compromised in a cyberattack. ------------------------------ Date: Sat, 29 May 2021 07:51:04 -0400 From: Bob Gezelter Subject: A New Line of Attack that Evades Spectre Defenses (WiReD) The "Rule of 48" mentioned in Michael Crichton's "Andromeda Strain" is a more general phenomenon affecting all fields of research. The "Rule of 48" refers to a 1936 citation reporting the number of human chromosomes as 48. Decades later, the original microscope photographs were examined, and the count was confirmed as 46. WiReD published "The 60-Year-Old Scientific Screwup That Helped Covid Kill", describing recent research into the airborne spread of virus particles, including SARS-CoV-2/COVID-19. The article documents how a questionable number became embedded in the medical and public health communities. An interesting read, applicable to many areas other than medicine and public health. https://www.wired.com/story/the-teeny-tiny-scientific-screwup-that-helped-covid-kill/ ------------------------------ Date: Sat, 29 May 2021 01:44:08 -0400 From: Monty Solomon Subject: As Congress Dithers, States Step In to Set Rules for the Internet (NYTimes) As Congress Dithers, States Step In to Set Rules for the Internet Virginia, Florida, Arkansas and Maryland are among dozens of states that have introduced bills to curtail the power of Amazon, Google, Facebook and Twitter. https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html ------------------------------ Date: Sat, 22 May 2021 10:55:50 +0800 From: Richard Stein Subject: Colonial Pipeline accused of negligence in proposed class action (Bloomberg Law) https://news.bloomberglaw.com/tech-and-telecom-law/colonial-pipeline-accused-of-negligence-in-proposed-class-action Schadenfreude emerges when inspecting CP's "General Terms & Conditions: https://colonialoilindustries.com/2018/wp-content/uploads/gtc.pdf See the last phrase beginning with "except to the extent proximately caused by..." "12. Indemnification. To the extent permitted by applicable law, Buyer agrees to indemnify, defend, hold harmless and reimburse Colonial for, from and/or against all claims, suits, judgments, costs, expenses, damages and/or liabilities of any nature or kind, including reasonable attorney's fees and costs, brought against or suffered, incurred or sustained by Colonial and arising or resulting in any way from (a) Buyer's breach of this Agreement or (b) any acts, omissions, events, occurrences, spills, releases, noncompliance with laws, rules or regulations, strict liability, explosions, fires or accidents of, involving, concerning or relating in any way to the product (whether relating to handling, storage, transfer, shipping, release or use thereof or otherwise) and which occur, take place or relate to any time after the time title passes to Buyer hereunder, except to the extent proximately caused by Colonial's negligent or willful wrongful acts." CP was advised a few years in advance about deficient internet defenses; they apparently did not invest to correct these deficiencies. The business operations platforms -- sales and inventory, customer profiling, etc -- were consequently assaulted. The US East Coast commuting population experienced significant inconvenience. Every for-profit shop with an internet footprint invokes indemnification to shield against lawsuits. Indemnification enables corporations to operate -- sell products, collect, and exploit sales data -- with commercial impunity. When the corporate brand is threatened by strategic operational mistake -- a failure proactively mitigate auspicious infosec weaknesses -- there's almost no legal cover. Expect a monetary settlement, a "non-admission of corporate guilt statement," and a deferred prosecution agreement that waives employee imprisonment subject to CP's promise to prevent recurrence. I'll wait for my free gasoline voucher. ------------------------------ Date: Sat, 22 May 2021 08:36:00 -1000 From: geoff goodfellow Subject: IS: Truth, Lies, and Automation *How Language Models Could Change Disinformation* Growing popular and industry interest in high-performing natural language generation models has led to concerns that such models could be used to generate automated disinformation at scale. This report examines the capabilities of GPT-3--a cutting-edge AI system that writes text--to analyze its potential misuse for disinformation. A model like GPT-3 may be able to help disinformation actors substantially reduce the work necessary to write disinformation while expanding its reach and potentially also its effectiveness. For millennia, disinformation campaigns have been fundamentally human endeavors. Their perpetrators mix truth and lies in potent combinations that aim to sow discord, create doubt, and provoke destructive action. The most famous disinformation campaign of the twenty-first century -- the Russian effort to interfere in the U.S. presidential election -- relied on hundreds of people working together to widen preexisting fissures in American society. Since its inception, writing has also been a fundamentally human endeavor. No more. In 2020, the company OpenAI unveiled GPT-3, a powerful artificial intelligence system that generates text based on a prompt from human operators. The system, which uses a vast neural network, a powerful machine learning algorithm, and upwards of a trillion words of human writing for guidance, is remarkable. Among other achievements, it has drafted an op-ed that was commissioned by The Guardian, written news stories that a majority of readers thought were written by humans, and devised new internet memes. In light of this breakthrough, we consider a simple but important question: can automation generate content for disinformation campaigns? If GPT-3 can write seemingly credible news stories, perhaps it can write compelling fake news stories; if it can draft op-eds, perhaps it can draft misleading tweets. [...] https://cset.georgetown.edu/publication/truth-lies-and-automation/ ------------------------------ Date: Sat, 22 May 2021 07:56:04 -0700 From: Lauren Weinstein Subject: That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix (The Register) Operational procedures should make this sort of error impossible for one person to do. So it's never just one person's fault. -L https://www.theregister.com/2021/05/19/salesforce_root_cause/ ------------------------------ Date: Wed, 26 May 2021 01:01:22 -0400 From: Gabe Goldberg Subject: For First Time, Microsoft Integrating GPT-3 Into Its Software (EnterpriseAI) MICROSOFT BUILD 2021 -- Eight months after licensing the GPT-3 natural language AI model from OpenAI last September, Microsoft is integrating the language generator into its Microsoft Power Apps software to make it easier for enterprise workers to build no-code applications. [...] Once GPT-3 is integrated with Microsoft Power Apps, non-technical employees will be able to build a no-code Power Apps application by entering conversational language and then have it automatically transformed into the needed code using GPT-3, according to Microsoft. https://www.enterpriseai.news/2021/05/25/for-first-time-microsoft-integrating-gpt-3-into-its-software/ Taking the old joke about, "Write your program in FORTRAN or write a story about your program in COBOL" to new levels of storytelling. Funny, announcement doesn't describe how non-technical employees will debug or enhance their stories. ------------------------------ Date: Sat, 29 May 2021 08:02:01 -0700 From: Henry Baker Subject: Caltech Prof Helps Solve Hindenburg Disaster (NOVA) I just watched the PBS NOVA program in which a Caltech professor provides experimental evidence of how the Hindenburg Zeppelin burned and crashed in 1937 -- a NTSB-like investigation 84 years in the making. As a trained electrical engineer, I agree with the conclusions, but the PBS story excessively convoluted the relatively simple argument. Here's my version on one slide: * Hydrogen had been leaking from the tail section for some time -- enough so that it was almost impossible to 'trim' the zeppelin so that the tail wouldn't touch the ground first. * The skin and the frame of the zeppelin were electrically insulated from one another, so that they formed a giant capacitor (called a 'condenser' in 1937); every capacitor has a 'break down' voltage at which it 'shorts out' -- sometimes in a spectacular fashion. * During the zeppelin flight, both 'plates' (skin, frame) of this capacitor acquired a large charge relative to the ground, but with no voltage drop between them. * When the landing ropes were dropped, the charge from the frame leaked down the somewhat wet ropes to the ground over a 4-minute period determined by the 'RC time constant', where R=rope resistance and C=skin/frame capacitance. * The charge on the skin 'plate' remained, however, and thus the voltage drop between the skin and the frame increased until the breakdown voltage limit was reached, at which point numerous sparks all over the skin led to hydrogen ignition near the tail. History's Mysteries: Caltech Professor Helps Solve Hindenburg Disaster Emily Velasco, 17 May 2021 https://www.caltech.edu/about/news/historys-mysteries-caltech-professor-helps-solve-hindenburg-disaster [Very long item omitted for RISKS. However, it is worth reading in its entirety, PGN] ------------------------------ Date: Sat, 22 May 2021 18:44:18 +0200 From: Toebs Douglass Subject: Re: Just 12 People Are Behind Most Vaccine Hoaxes On Social Media, Research Shows (RISKS-32.68) The NPR article begins with this statement; "Researchers have found just 12 people are responsible for the bulk of the misleading claims and outright lies about COVID-19 vaccines that proliferate on Facebook, Instagram and Twitter." The NPR article explains nothing; it has an early paragraph stating a claim, and a link to a PDF which is the basis for that claim, and then the rest of the article goes on about how harmful this all is. Reading the PDF, I'm finding it rather difficult to pick out what was actually done, and so what is actually claimed. What I'm come up with is this; The investigators examined 10 private and 20 public anti-vaccine groups on Facebook, over a period of six weeks, and from this selected 483 pieces of anti-vaccine content which they considered representative (no basis for selection was given). They found over Facebook as a whole, these 483 pieces of anti-vaccine content had been posted or shared about 690,000 times, and that of these posts, 73% were of content which came from a group of twelve individuals. I don't think it's stated how many of the 483 pieces of anti-vaccine content actually came from these twelve individuals. Obviously, if say 90% of them came from those twelve individuals, then selection bias at that point will strongly influence the later findings. Also, it seems to me that the number 690,000 is a very low number of posts for all of Facebook for six weeks on such a topical matter. Given how few posts there are, I would also like to know how many of those posts were in fact part of those 30 anti-vaccine groups. In any event, generalizing from this to the entirety to Facebook, Instagram and Twitter is wholly improper. (Indeed, in the PDF, Instagram is in fact not investigated at all. It is mentioned as being a platform these individuals use, but the content was not examined - only Facebook and Twitter.) I think the large majority of the PDF is emotive activism to censorship, including an actual and fairly lengthy profile of each of the accused, with a small and I have to say I found rather confusingly presented, and rather unexplained (too many "we choose as representative") part being the investigation that was performed. There may be something in this, but taken as it is, right now, this seems to me to be a means to an end - indeed, not entirely unlike the very disinformation it seeks to discredit in others. The origin is the "Center for Countering Digital Hate", so we can imagine they're coming at this from a particular point of view. ------------------------------ Date: Sat, 22 May 2021 05:01:55 +0000 From: Jay Libove Subject: Sharing lock-picking information on RISKS [was: Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob, Popsicles (RISKS-32.65)] Interesting note by PGN, and interesting comment be Bernie. My eyes barely twitched when I read the original post which described how to bypass the Washington Post paywall. (I just open WaPo articles in an InPrivate/Incognito browser and re-accept the cookie and "You have three free articles left" notice). Should we share information about how to pick locks? I'm pretty sure we do that. Every day, in announcing vulnerabilities and the devilishly clever technology steps taken to exploit them. And, even better, in a timeless SciFi way, by theorizing from where a next class of such vulnerabilities will come, and how they may be used (for good and ill). Of course, there's a responsible way to do that (and in my decades reading RISKS the posts here have always fallen on the responsible side; thank you, moderators). What constitutes responsible disclosure of "Site 's paywall can be bypassed?" For that matter, what constitutes *ethics* in such a situation? I'm a paying subscriber to at least four major news publications across three countries on two continents, and on all of them I *still* have to repeatedly deal with cookie (re-)notices, to re-log in too frequently (despite the "remember me" box having been ticked), and to suffer a raft of other repetitive, intrusive technology and user experience design failures. Where is the ethos that says that, especially for the paying customer, site has to do a good enough job to avoid repeatedly interfering with my paid use of their product, and stop wasting my time? Two wrongs don't make a right (Despite that sometimes three lefts do ...), but, NOT talking about the-secret-that-everyone-knows which isn't even so much a symptom of "I don't want to pay for it"-it is but really "it's broken and everyone knows it but why won't anyone actually fix it" .. is that even unethical, in fact? Or is it a needed prod to fix these services? With all that background, plus of course the broad availability of browser plugins, etc, meant explicitly to bypass paywalls, cookie banners, etc, I didn't see any reason why RISKS shouldn't allow such an item to be posted, and I'm unsurprised that the moderators didn't get much feedback about it. Bernie, I'm glad you raised it, because I think that a *risk* that maybe we haven't discussed enough in recent years is the aggregated societal cost in wasted time and increased stress from poor user experience caused by a combination of incompetence, excessive intent to continue selling (even to those who have already bought), and failures to understand/ excessive(?) fear of regulatory action provoking excessive "security" and "compliance" friction in daily Internet use. [This is a very useful response. I do not endorse schemes to get around paywalls. For many years, I have tried to invoke fair use and *not* to not run pay-walled items without seriously abridging them or PGN-ed-ing them into my own words, and encouraging interested readers to dig out the originals as appropriate. In running the original item, I was hoping to trigger some constructive discussion that is respectful of paywalls but also warning that we are increasingly living in a world where almost everything is becoming monetized. I am delighted with the responses from both Bernie and Jay. PGN] ------------------------------ Date: Sat, 22 May 2021 12:09:13 +0100 From: Martin Ward Subject: NoScript is immoral? (Re: RISKS-32.69) I have been running NoScript to block all Javascript by default on all but a few websites for many years and have been reading the occasional article from the Washington Post for many years. I would not have even *known* about their javascript block if I hadn't run the experiment of turning off NoScript on the web site. Note that the Post hands out and displays the complete article, along with some javascript that waits a few moments, and then covers up the article with a request for a subscription. If the javascript is not executed, then the article is not covered up. For all I know, there may be dozens of other web sites that do the same! A real world analogy: The Washington Post says, "I have an article about XYZ, would you like to read it?", You reply "OK, I'll have a look at it". *The Washington Post* hands you the article and you start reading. Then *The Washington Post* hands you a piece of cardboard and says "Please cover the article I just gave you with this cardboard". You ask "Why?" and WP answers "So that I can ask you to pay me money to take the cardboard away again". You say "How about I just decide *not* to cover the article with the cardboard and carry on reading?". "THIEF!!!" Except in my case, I didn't even *hear* the request to cover the article with the card. Am I still a thief? Is it really morally wrong to choose *not* to execute by default every piece of code that is handed to you by any web site that you decide to visit? ------------------------------ Date: 21 May 2021 21:50:31 -0400 From: "John Levine" Subject: Re: freemium for all, was A mom panicked It appears that Bernie Cosell said: >How handy! We needed a forum on how to "share" things that we ought to pay >for. Next fun activity on RISKS -- how to get ATMs to spit out money. > >NB: I don't mean to start a fight but I don't think that kind of "help" is >appropriate for RISKS. For anyone familiar with the way that the web works, it should be obvious that freemium sites that let you view a few articles and then ask you to pay use a browser cookie to keep the article count. If you set your browser not to accept cookies from a site, there is no counter and in most cases you can see all the articles you want. A few sites are pickier and check to see if you're doing that, but mostly they don't bother, on the reasonable assumption that anyone trying that hard to bypass the paywall is unlikely ever to pay, and the harder they try to block freeloaders, the more likely they'll also accidentally block legit users. Those of us from the previous millennium remember software on copy protected floppy disks, same idea to allow some kinds of use typical of paying customers but not other kinds typical of non-payors. The software industry eventually stopped doing that, because the copy protection annoyed the legit users, and the people who might be deterred by copy protection were unlikely to turn into paying customers. There was even a plausible argument that a certain amount of copying led to more sales as people with illicit copies found they liked the software enough to pay for documentation (there were these paper things called "manuals") and support (using a now-forgotten kind of telephone that you couldn't lose because it was attached to the wall with a wire.) As I've noted before, newspaper reporters like to eat, and subscriptions are a big part of how they do that. So if you tweak your browser to bypass the paywall, that has nothing to do with "freedom". You're just being cheap. PS: Next rant: why I don't waste a lot of time chasing down pirate PDFs of my books. But when people write and say your book is expensive, send me a PDF for free, sorry, no, that's what libraries are for. ------------------------------ Date: Mon, 24 May 2021 20:16:00 +0000 From: David Roman Subject: June 2021 CACM Inside Risks column and video "The Risks of Election Believability (or Lack Thereof)," the Inside Risks column in the June 2021 Communications of the ACM (CACM), and its related video, by Rebecca T. Mercuri and Peter G. Neumann, have been published online at https://cacm.acm.org/magazines/2021/6/252836-the-risks-of-election-believability-or-lack-thereof/fulltext. The video alone is at https://vimeo.com/552504677. [David's ACM URLs are likely to be behind the ACM paywall. The article is also up on the Inside Risks website at http://www.csl.sri.com/neumann/insiderisks251.pdf PGN] ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: ------------------------------ End of RISKS-FORUM Digest 32.69 ************************