The RISKS Digest Volume 30 Issue 96

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 96

Wednesday 12 December 2018

Contents

A note on submissions to RISKS
PGN
The War on Truth Spreads
NYTimes
Annoyed Baltimore Drivers Want City To Crack Down On ‘Squeegee Kids’
npr.org
Your apps know where you were last night, and they’re not keeping it secret
NYTimes
The ‘Weird Events’ That Make Machines Hallucinate
Linda Geddes
Barclays customers can now ‘switch off’ spending
bbc.com
Ships infected with ransomware, USB malware, worms
Catalin Cimpanu
Taylor Swift tracked stalkers with facial recognition tech at her concert
The Verge
What Happens When You Reply All to 22,000 State Workers[?]
NYTimes
U.S. border officers don’t always delete collected traveler data
Engadget.com
Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing
NYTimes
Starwood Hotels
PGN via Mabry Tyson
Why I’m done with Chrome / A Few Thoughts on Cryptographic Engineering
Cryptography Engineering
Screen Time Changes Structure of Kids’ Brains: Groundbreaking study
Bloomberg
Re: Teen electrocuted while using headphones on plugged-in mobile phone
Richard M Stein
Re: Toronto auto theft …
Steve Lamont
Re: Rudy Giuliani Says Twitter Sabotaged His Tweet
Amos Shapir
Info on RISKS (comp.risks)


A note on submissions to RISKS

"Peter G. Neumann" <neumann@csl.sri.com>

Mon, 10 Dec 2018 11:11:14 PST

- BEGIN RANT -

OK, RISKS readers, “I'm mad as hell, and I'm not going to take it any more.''  I'm really fed up with trying to edit what some of you send me, trying to produce nice clean readable issues of RISKS, without errors.  I'm not giving up on putting out RISKS issues, but the time it takes to put out each issue has recently been escalating.  Please don't bother to complain about characters that are garbled.  It's wasting your time.  I'm not perfect.

From the very early RISKS issues in 1985, I have expressed a desire to receive messages with ASCII characters; later on, I made a plea to completely avoid attachments in Word, pdf, html, or even encoded ASCII.  I process RISKS e-mail with an archaic ASCII-happy mail system, because it hugely simplifies my ability to delete more than 80% of the incoming mail sight unseen (lots of spam), and then trying to cull out and lightly edit your *good* contributions.  Nevertheless, I still get smart quotes and smart apostrophes from Mac users, encodings of spaces as underscores (or some weird unprintable character) and equal signs from Windows systems that insist on encoding certain ASCII characters as non-ASCII characters, rampant =E2=80 encodings, long lines split with an equal sign at the end of each line, non-ASCII From: addresses (e.g., from Mateo), copies of entire RISKS issues as attachments when you are responding to an item in a previous issue, the entire ASCII text of your would-be contributions completely duplicated in horribly fulsome html, rampant extra junk appended (from Richard Stein *), URLs that come out with %3A%2F%2F encodings, and more.  UTF-8 might help a little, but is primarily useful for attachments that use it consistently.  Then, for your ease of reading, I try to unscramble overly long URLs and verify my attempts at creating shorter ones, and remove all the extra cruft created by Office-365-safelinks URL enscramblings that evidently offer no real security anyway.

Furthermore, I do not have time to cope with alternative approaches, such as your putting jpeg files on your website for me to view with a browser.  Perhaps needless to say, I would greatly appreciate if you can spend just a few more moments in your submissions to have a little more concern for my own well-being.  ASCII is ASCII, and emacs is emacs, and I will remain a troglodyte in order to continue to moderate RISKS for you.  I am sorry that I do not readily handle all of your special characters.  Clearly, if RISKS had to deal with submissions in Cyrillic, Kanji, Farsi, Arabic or whatever, I would have to do things very differently—or simply completely give up running a seriously moderated digested news group (where you can create your own undigestifier if you prefer).  However, if you think you have a better solution, please let me know.  THANKS in advance for your consideration.

- END RANT -

[* Footnote from each of Richard Stein's contributions in this issue:
MDAwMDAwMCAgIGggICB0ICAgdCAgIHAgICBzICAgOiAgIC8gICAvICAgdyAgIHcgICB3ICAg ...
ad finitum—for 77 lines of similar meaningless garbage. PGN]

Let's see who gags on this issue, where I have intentionally left in a few outliers.
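To make the list of mailer artifacts above concrete, here is an added example (not part of the digest and not PGN's own tooling) that normalizes a constructed submission in Python: it decodes quoted-printable =XX escapes and soft line breaks, replaces smart punctuation with ASCII, %-decodes URLs, unwraps the Office 365 safelinks wrapper, and drops a trailing run of base64 lines. The sample text and the safelinks host name are constructed; the base64 line is the one quoted in the footnote.

```python
import quopri
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample submission (not a real RISKS post) with the artifacts the
# moderator lists: quoted-printable smart quotes and '=3D', a soft line break,
# a %3A%2F%2F-encoded URL, a safelinks wrapper and an appended base64 trailer.
SAMPLE = (
    "=E2=80=9CSmart quotes=E2=80=9D and a long line that the mailer split at 76 col=\n"
    "umns.\n"
    "See https%3A%2F%2Fwww.example.com%2Fpath for details.\n"
    "https://nam01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.example.org%2Fa%3Fb%3D1&data=3D02%7Cx\n"
    "\n"
    "MDAwMDAwMCAgIGggICB0ICAgdCAgIHAgICBzICAgOiAgIC8gICAvICAgdyAgIHcgICB3ICAg\n"
    "MDAwMDAwMCAgIGggICB0ICAgdCAgIHAgICBzICAgOiAgIC8gICAvICAgdyAgIHcgICB3ICAg\n"
)
# Non-ASCII punctuation that Mac and Windows mailers substitute for ASCII.
SMART = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'",
         "\u2013": "-", "\u2014": "--", "\u00a0": " "}
URL_RE = re.compile(r"https?(?::|%3A)(?://|%2F%2F)\S+", re.I)
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # heuristic: long base64 run

def decode_qp(text: str) -> str:
    """Undo quoted-printable: =XX hex escapes and '=' soft line breaks."""
    return quopri.decodestring(text.encode("ascii")).decode("utf-8", "replace")

def to_plain_ascii(text: str) -> str:
    """Replace smart punctuation with its ASCII equivalent."""
    for ch, rep in SMART.items():
        text = text.replace(ch, rep)
    return text

def unwrap_safelinks(url: str) -> str:
    """Return the target hidden in an Office 365 safelinks URL, else url unchanged."""
    p = urlparse(url)
    if p.netloc.endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(p.query).get("url")
        if inner:
            return inner[0]
    return url

def clean_urls(text: str) -> str:
    """Unwrap safelinks before %-decoding so an '&' inside the target survives."""
    return URL_RE.sub(lambda m: unquote(unwrap_safelinks(m.group(0))), text)

def strip_base64_trailer(text: str) -> str:
    """Drop trailing lines that are nothing but base64 (the appended junk)."""
    lines = text.rstrip("\n").split("\n")
    while lines and (lines[-1] == "" or B64_LINE_RE.match(lines[-1])):
        lines.pop()
    return "\n".join(lines) + "\n"

def normalize(text: str) -> str:
    """QP-decode, ASCII-fy punctuation, fix URLs, then drop the trailer."""
    return strip_base64_trailer(clean_urls(to_plain_ascii(decode_qp(text))))
```

The base64 trailer check is a heuristic on line shape only; a legitimate long token on its own final line would also be dropped, so review what was removed before sending.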


The War on Truth Spreads (NYTimes)

"Peter G. Neumann" <neumann@csl.sri.com>

Mon, 10 Dec 2018 12:33:42 PST

An editorial with the above caption in the 10 Dec 2018 issue of *The New York Times* considers systemic incursions on freedom of the news media around the world, including the Philippines, Hungary, Saudi Arabia, Turkey, China, Russia, and even the U.S.  Internet censorship and Internet misuse have both played significant roles.  In short, we have vastly transcended even the horrors of George Orwell's *1984*.


Annoyed Baltimore Drivers Want City To Crack Down On ‘Squeegee Kids’ (npr.org)

Richard Stein <rmstein@ieee.org>

Mon, 10 Dec 2018 10:39:01 +0800

https://www.npr.org/2018/12/09/667155718/annoyed-baltimore-drivers-want-city-to-crack-down-on-squeegee-kids

How will an autonomous vehicle address a squeegee bum assault? A horn toot? Redirection of windshield sprayers?


Your apps know where you were last night, and they’re not keeping it secret (NYTimes)

geoff goodfellow <geoff@iconia.com>

Mon, 10 Dec 2018 08:55:07 -1000

Every moment of every day, mobile phone apps collect detailed location data.  Data reviewed by The New York Times shows over 235 million locations captured from more than 1.2 million unique devices during a three-day period in 2017.  Dozens of companies use smartphone locations to help advertisers and even hedge funds. They say it's anonymous, but the data shows how personal it is.

EXCERPT:

The millions of dots on the map trace highways, side streets and bike trails -- each one following the path of an anonymous cellphone user.

One path tracks someone from a home outside Newark to a nearby Planned Parenthood, remaining there for more than an hour. Another represents a person who travels with the mayor of New York during the day and returns to Long Island at night.

Yet another leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her.

An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin's identity was not disclosed in those records, The Times was able to easily connect her to that dot...

[...] https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html


The ‘Weird Events’ That Make Machines Hallucinate (Linda Geddes)

ACM TechNews <technews-editor@acm.org>

Mon, 10 Dec 2018 11:36:58 -0500

Linda Geddes, BBC News, 5 Dec 2018 via ACM TechNews, 10 Dec 2018

Computers can be tricked into misidentifying objects and sounds, raising issues about the real-world use of artificial intelligence (AI); experts call such glitches `adversarial examples' or `weird events'.  Said the Massachusetts Institute of Technology (MIT)'s Anish Athalye, “We can think of them as inputs that we expect the network to process in one way, but the machine does something unexpected upon seeing that input.''  In one experiment, Athalye's team slightly modified the texture and coloring of certain physical objects to fool machine learning AI into thinking they were something else. MIT's Aleksander Madry said the problem may be rooted partly in the tendency to engineer machine learning frameworks to optimize their performance on average. Neural networks might be fortified against outliers by feeding them more challenging examples of whatever scientists are trying to teach them.

https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d7a4x219197x069560%26


Barclays customers can now ‘switch off’ spending (bbc.com)

Richard Stein <rmstein@ieee.org>

Tue, 11 Dec 2018 13:13:05 +0800

https://www.bbc.com/news/business-46512030

“The idea is to help vulnerable customers, particularly problem gamblers, or those in serious debt.''

Cellphones, while generally indispensable for communication purposes, are gateway devices that can enable addictive behaviors. A compulsive gambler smart enough to configure a cellphone application should recognize that professional counseling and therapy is more effective than a voluntary, and easily overridden, videogame context configuration setting.

A flick of the cellphone application switch precludes a bank debit card from being used for problematic and harmful purposes at certain `classes' of vendors: “Groceries and supermarkets, restaurants, takeaways, pubs and bars, petrol stations, gambling - including websites, betting shops and lottery tickets, premium rate websites and phone lines, including TV voting, competitions and adult services.''

Risk: Financial/lifestyle surveillance and profile disclosure via data breach or explicit sale.

That a financial institution, not widely known for their altruism, promotes this application implies that an intimate profile of an addict as customer arises from consolidated spending patterns. Difficult to assess how this business intelligence might be exploited internally, or by a 3rd party if terms of service stipulate sale and reuse conditions.


Ships infected with ransomware, USB malware, worms (Catalin Cimpanu)

Gene Wirchenko <genew@telus.net>

Wed, 12 Dec 2018 11:38:44 -0800

Catalin Cimpanu for Zero Day, 12 Dec 2018
https://www.zdnet.com/article/ships-infected-with-ransomware-usb-malware-worms/

Ships infected with ransomware, USB malware, worms
Ships are the victims of cyber-security incidents more often than people think. Industry groups publish cyber-security guidelines to address issues.

selected text:

For example, the guidelines include the case of a mysterious virus infection of the Electronic Chart Display and Information System (ECDIS) that ships use for sailing.

  A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts.

    [No backup!]

Ships were also impacted by ransomware, sometimes directly, while in other incidents the ransomware hit backend systems and servers used by ships already in their voyage at sea.

For example, in an incident detailed in the report, a shipowner reported not one, but two ransomware infections, both occurring due to partners, and not necessarily because of the ship's crew.

    [And there are other examples given.]


Taylor Swift tracked stalkers with facial recognition tech at her concert (The Verge)

=?utf-8?Q?Jos=C3=A9=20Mar=C3=ADa=20Mateos?= <chema@rinzewind.org>

Wed, 12 Dec 2018 15:13:09 -0500

https://www.theverge.com/2018/12/12/18137984/taylor-swift-facial-recognition-tech-concert-attendees-stalkers

Taylor Swift held a concert at California's Rose Bowl this past May that was monitored by a facial recognition system. The system's target? Hundreds of Swift's stalkers.

Swift's facial recognition system was built into a kiosk that displayed highlights of her rehearsals, which would secretly record onlookers' faces. According to Rolling Stone, which spoke with a concert security expert who observed the kiosk, attendees who looked at the kiosk were immediately scanned. Afterward, the data was sent to a `command post' in Nashville, Tennessee that attempted to match hundreds of images to a database of her known stalkers.

José María (Chema) Mateos


What Happens When You Reply All to 22,000 State Workers[?] (NYTimes)

Monty Solomon <monty@roscom.com>

Tue, 11 Dec 2018 01:26:32 -0500

https://www.nytimes.com/2018/12/10/us/reply-all-utah-state-workers.html

Reply All, the scourge that has afflicted office workers everywhere, has hit 22,000 government employees in Utah.


U.S. border officers don’t always delete collected traveler data (Engadget.com)

Richard Stein <rmstein@ieee.org>

Wed, 12 Dec 2018 16:39:58 +0800

https://www.engadget.com/2018/12/11/cbp-officers-fail-to-delete-traveler-data

“Privacy advocates aren't just concerned about warrantless device searches at the border because of the potential for deliberate abuse—it's that the officials might be reckless. And unfortunately, there's evidence this is the case in the U.S. Homeland Security's Office of the Inspector General has released audit findings showing that Customs and Border Protection (CBP) officers didn't properly follow data handling procedures in numerous instances, increasing the chances for data leaks and hurting accountability.''

Assembled and maintained by CBP, this honeypot of mobile device contacts, photos, downloads, browser history, call logs, and credit card/app profiles will likely attract exfiltration attempts.  A comprehensive repository of personal data that can be correlated against many other dark-net sources, and maliciously exploited for profit or criminal intent.


Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing (NYTimes)

Monty Solomon <monty@roscom.com>

Wed, 12 Dec 2018 10:07:20 -0500



Starwood Hotels

"Peter G. Neumann" <neumann@csl.sri.com>

Wed, 12 Dec 2018 16:19:45 -0800



Why I’m done with Chrome / A Few Thoughts on Cryptographic Engineering (Cryptography Engineering)

Dan Jacobson <jidanni@jidanni.org>

Wed, 12 Dec 2018 02:45:00 +0800



Screen Time Changes Structure of Kids’ Brains: Groundbreaking study (Bloomberg)

the keyboard of geoff goodfellow <geoff@iconia.com>

Sun, 9 Dec 2018 16:13:57 -1000



Re: Teen electrocuted while using headphones on plugged-in mobile phone (Lesher, RISKS-30.95)

Richard M Stein <rmstein@ieee.org>

Sun, 9 Dec 2018 16:37:24 +0800



Re: Toronto auto theft … (RISKS-30.95)

Steve Lamont <spl@tirebiter.org>

Tue, 11 Dec 2018 14:43:59 -0800



Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (RISKS-30.95)

Amos Shapir <amos083@gmail.com>

Mon, 10 Dec 2018 09:43:10 +0200
