AT2k Design BBS Message Area
Casually read the BBS message area using an easy to use interface. Messages are categorized exactly like they are on the BBS. You may post new messages or reply to existing messages! You are not logged in. Login here for full access privileges. |
Previous Message | Next Message | Back to Computer Support/Help/Discussion... <-- <--- | Return to Home Page |
|
||||||
From | To | Subject | Date/Time | |||
Sean Dennis | All | RISKS Digest 31.17 |
April 10, 2019 5:39 PM * |
|||
RISKS-LIST: Risks-Forum Digest Tuesday 9 April 2019 Volume 31 : Issue 17 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/31.17> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt&... Contents: Additional software problem detected in Boeing 737 Max flight control system, officials say (WashPost) Not Just Airplanes: Why The Government Often Lets Industry Regulate Itself (npr.org) Makers of self-driving cars should study Boeing crashes (The Straits Times) Major US airlines hit by delays after glitch at vendor (The Boston Globe) Simulated Engine Failure Led To Crash (Russ Niles) Eyes on the Road: Your Car Is Watching (NYTimes) Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists (WashPost) The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth? (Defense One) Backdoor vulnerability in open-source tool exposes thousands of apps to remote code execution (Cyberscoope) Security analyst finds fake cell carrier apps are tracking iPhone location and listening in on phone calls (9to5 Mac) UK to keep social networks in check with Internet safety regulator (CNET) Should cybersecurity be more chameleon, less rhino? (bbc.com) This is not how the secret service should examine a USB stick (TechCrunch) Report: Official forgot secret arms-deal file at airport (Times of Israel) Hospital says patient info exposed after phishing incident (Boston Globe) DHS tech manager admits stealing data on 150,000 internal investigations, nearly 250,000 workers (WashPost) Online credit-card skimmer (WarbyParker) The engineering of living organisms could soon start changing everything (The Economist) Social media are divisive (WSN/NBC poll) The future of news is conversation in small groups with trusted voices (Chikai Ohazama) Why It's So Easy for a Bounty Hunter to Find You (NYTimes) Identity Theft -- Act Now to Protect Yourself (Kiplinger) Re: Are We Ready For An Implant That Can Change Our Moods? (Wol) Re: How a 50-year-old design came back (Wol) Re: New Climate Books Stress We Are Already Far Down The Road To A Different Earth (Wol, Amos Shapir) Re: Researchers Find Google Play Store Apps Were Actually Government Malware Amos Shapir) Re: Huawei's code is a steaming pile... (Amos Shapir) Re: According to this bank, password managers are bad (Andrew Duane) Re: Is curing patients, a sustainable business model? (Toby Douglass, Chris Drewe) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 4 Apr 2019 21:26:18 -0400 From: Monty Solomon <monty@roscom.com> Subject: Additional software problem detected in Boeing 737 Max flight control system, officials say (WashPost) The findings of the preliminary report in last month's airline crash increase the pressure on Boeing, which has announced the imminent rolling out of a new software fix for its most popular passenger plane. The grounding of the 737 Max 8 following similar crashes in Ethiopia and Indonesia has been a massive blow to one [...] https://www.washingtonpost.com/world/africa/e... ngs-recommendations-to-stop-doomed-aircraft-from-diving-urges-review-of-737-max -flight-control-system/2019/04/04/3a125942-4fec-11e9-bdb7-44f948cc0605_story.ht ml ------------------------------ Date: Fri, 5 Apr 2019 14:49:02 +0800 From: Richard Stein <rmstein@ieee.org> Subject: Not Just Airplanes: Why The Government Often Lets Industry Regulate Itself (npr.org) https://www.npr.org/2019/04/04/709431845/faa-... to-self-regulate "In fact, the acting director of the FAA told Congress it would take nearly $2 billion and 10,000 new employees for the agency to end its reliance on aircraft manufacturers to conduct their own certification tests." Carbon-extraction (oil/gas), chemicals, railroads, medical devices, food, surface vehicles, pharmaceuticals, aircraft, etc. are largely self-certifying industries subject to minimal Federal inspection and oversight: Uncle Sam finds proactive risk avoidance engagement to be too expensive. In the US, under a self-certification framework, financial and legal penalties are apparently sufficient to deter unsafe product sales or from capricious corporate operations that endanger public health and safety. "Peter Van Doren, a senior fellow at the libertarian CATO Institute, argues self-regulation has largely gone on unnoticed, because, with a few exceptions, it has been a success. 'In effect, the delegation of all this to experts and the lack of second-guessing about all this occurred because it was working.'" "Was working" is certainly correct in Boeing's case. Which self-regulating US industry will be next to earn the "was working" label and who will bear the lesson's burden? It is certainly true that "there is only so much risk avoidance you can do" per http://catless.ncl.ac.uk/Risks/18/19%23subj7.... For Boeing's 737 MAX, the risk avoidance practice was ineffective and failed. In contrast, the EU applies "precautionary measures" for regulation. See "Why Does the U.S. Tolerate So Much Risk?" in https://www.nytimes.com/2019/03/15/opinion/fe... ng.html "As European policymakers have grown more willing to regulate risks on precautionary grounds, increasingly skeptical American policymakers have called for higher levels of scientific certainty before imposing additional regulatory controls on business," David Vogel, a political scientist at the University of California, Berkeley, wrote in a 2012 book on the divide, "The Politics of Precaution." ------------------------------ Date: Fri, 5 Apr 2019 10:34:08 +0800 From: Richard Stein <rmstein@ieee.org> Subject: Makers of self-driving cars should study Boeing crashes (The Straits Times) Brooke Masters byline in https://www.straitstimes.com/opinion/makers-o... oeing-crashes and via https://www.ft.com/content/d2c905d8-5473-11e9... Both behind paywalls. "The two disasters...should serve as a warning in other areas where technology is taking over part, though not all, of crucial tasks from human experts." As in-vehicle distractions multiply, drivers are challenged to maintain safe operation. Self-driving cars are supposed to eliminate distractions by relieving drivers of their operational role, save for command instructions like "Take me to the nearest supermarket." Masters suggests that human driving skills atrophy from neglect and disuse. Self-driving vehicle technology deployments will accelerate carbon-based driver skill erosion. Even supplemental, partial automation such as the Tesla "autopilot" feature, contributes to driving skill erosion. 'The chief executive of Volvo Cars, Mr. Hakan Samuelsson, warned last week that introducing such semi-automation can be "irresponsible" and cause accidents when misplaced confidence leads to "over-reliance" by consumers.' In contrast, https://www.nytimes.com/2019/03/23/opinion/su... argues that with a manual transmission, both of the driver's hands and feet are actively occupied: no free digits for dialing, texting, audio tuning, environment adjustment, or navigation system interfacing. Vehicle manufacturers are phasing out manual transmission equipment options, replacing them with computerized continuously variable mechanisms. Long live the Four-on-the-Floor! ------------------------------ Date: Thu, 4 Apr 2019 09:02:56 -0400 From: Monty Solomon <monty@roscom.com> Subject: Major US airlines hit by delays after glitch at vendor https://www.boston.com/travel/travel/2019/04/... -delays-for-airlines ------------------------------ Date: Thu, 4 Apr 2019 23:56:36 -0400 From: Gabe Goldberg <gabe@gabegold.com> Subject: Simulated Engine Failure Led To Crash (Russ Niles) [The risk? Testing a risk...] The NTSB says a simulated engine failure on takeoff that turned into the real thing led to the crash of a STOL Aircraft UC-1 Twin Seabee into a house in Winter Haven, Florida, 23 Feb 2019. The crash killed instructor James Wagner while student pilot Timothy Sheehey was slightly injured and a young woman in the house was seriously hurt. Sheehey, a commercial pilot training for a mult-engine seaplane rating, told NTSB investigators that before takeoff, Wagner said he was going to reduce the power on one engine. When he chopped the power, the engine quit, the prop feathered and the engine couldn't be restarted. The report said Wagner headed for an emergency landing spot but determined he couldn't make it and turned left to land on a lake instead. He lost control and the airplane ended up tail-up vertically in the house. The impact knocked the woman in the house through an interior wall. The aircraft is based on the original single-engine Seabee but equipped with two wing-mounted Lycoming IO-360 engines. ------------------------------ Date: Thu, 4 Apr 2019 23:14:17 -0400 From: Monty Solomon <monty@roscom.com> Subject: Eyes on the Road: Your Car Is Watching https://www.nytimes.com/2019/03/28/business/a... html As more technology creeps into the front seat to help drivers, so too will systems that eavesdrop on and monitor them. ------------------------------ Date: Wed, 3 Apr 2019 09:22:04 -0400 From: Monty Solomon <monty@roscom.com> Subject: Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line https://techcrunch.com/2019/03/30/covert-data... down-radical-gdpr-red-line/ ------------------------------ Date: Thu, 4 Apr 2019 16:38:39 +0800 From: Richard Stein <rmstein@ieee.org> Subject: Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists (WashPost) https://www.washingtonpost.com/technology/201... erous-nodes-ct-scans-created-by-malware-trick-radiologists/ "Researchers in Israel created malware to draw attention to serious security weaknesses in medical imaging equipment and networks." Risks: Misdiagnosis from hacked image artifact interpretation. Additional diagnostic radiation procedures elevate cancer potential. Unnecessary surgical procedures initiated by "ghost" tumors. X-ray film capture avoids digital image hacks, but operational logistics (storage and supplychain) apparently deter radiology from a technological rollback. If CT scans (and presumably MRI, PET, etc.) images are vulnerable to malware image hacks, shouldn't providers adopt mitigating strategies? ------------------------------ Date: Wed, 3 Apr 2019 08:45:39 -1000 From: geoff goodfellow <geoff@iconia.com> Subject: The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth? *Step 1: Use AI to make undetectable changes to outdoor photos. * *Step 2: release them into the open-source world and enjoy the chaos.* EXCERPT: Worries about deep fakes machine-manipulated videos of celebrities and world leaders purportedly saying or doing things that they really didn't -- are quaint compared to a new threat: doctored images of the Earth itself. <https://www.defenseone.com/technology/2017/08... -fight-it-well/140075/> China is the acknowledged leader in using an emerging technique called generative adversarial networks to trick computers into seeing objects in landscapes or in satellite images that aren't there, says Todd Myers, automation lead and Chief Information Officer in the Office of the Director of Technology at the National Geospatial-Intelligence Agency. ``The Chinese are well ahead of us. This is not classified info,'' Myers said Thursday at the second annual Genius Machines <https://www.defenseone.com/feature/genius-mac... summit, hosted by *Defense One* and *Nextgov*. ``The Chinese have already designed; they're already doing it right now, using GANs -- which are generative adversarial networks -- to manipulate scenes and pixels to create things for nefarious reasons.'' For example, Myers said, an adversary might fool your computer-assisted imagery analysts into reporting that a bridge crosses an important river at a given point. ``So from a tactical perspective or mission planning, you train your forces to go a certain route, toward a bridge, but it's not there. Then there's a big surprise waiting for you,'' he said. First described in 2014 https://arxiv.org/pdf/1406.2661.pdf GANs represent a big evolution in the way neural networks learn to see and recognize objects and even detect truth from fiction... [...] http://www.nextgov.com/emerging-tech/2019/04/... ng-photos-earth/155962/ ------------------------------ Date: April 6, 2019 at 00:57:40 EDT From: geoff goodfellow <geoff@iconia.com> Subject: Backdoor vulnerability in open-source tool exposes thousands of apps to remote code execution Roughly 28 million users have downloaded a malicious version of a popular open-source framework that masquerades as the real thing, but in fact gives a hackers a back door into applications. A compromised version of the website development tool bootstrap-sass was published to the official RubyGems repository, a hub where programmers can share their application code. The open source security firm Snyk alerted developers to the issue Wednesday, advising users to update their systems away from the infected framework (version 3.2.0.3). ``That doesn't mean there are something like 27 million apps out there using this,'' said Chris Wysopal, chief technology officer at app security company Veracode. ``[But] when you're using open source packages to build your applications, you're inheriting many of the vulnerabilities. But bootstrap-sass is a popular component used by enterprises and startups so there's potentially thousands of applications affected by this.'' While the vulnerability is serious -- hackers can exploit it for remote code execution -- the issue also highlights how pervasive such flaws can become if they're not fixed quickly, according to application security experts. The 2017 data breach at Equifax was possible because the company did not act to resolve a flaw in the open source Apache Struts framework... https://www.cyberscoop.com/bootstrap-sass-inf... ------------------------------ Date: April 9, 2019 at 01:11:01 EDT From: geoff goodfellow <geoff@iconia.com> Subject: Security analyst finds fake cell carrier apps are tracking iPhone location and listening in on phone calls EXCERPT: In yet another abuse of the enterprise distribution program, security analyst Lookout has identified apps (via Techcrunch) that were pretending to be published by cell carriers in Italy and Turkmenistan. The apps were available for iPhone users to download through Safari as they were signed by an enterprise certificate. These apps used carrier branding and pretended to offer utilities for the users' cell plans when in reality they would ask for every permission they could to track location, collect contact, photos, and more, and had the capability to listen in on users' phone conversations. Apps using enterprise certificates are not available through the App Store, but malicious criminals can target iOS users through Safari (perhaps with a phishing attack-esque email) and get people to download the app over the web, outside of the purview of the App Store review process. Essentially, when an app is distributed with an enterprise certificate, there is no accountability over what the app can do. When a developer applies for an enterprise certificate, Apple makes it plain that apps should only be delivered to employees of the enterprise and not used elsewhere. However, as it stands, there is very little Apple can do to enforce this beyond the policy of advisory language. This year, we have seen countless abuses of the enterprise system, including high-profile cases like operations at Facebook and Google. Apple revokes the certificate when it becomes aware of individual cases, but it's clear the company does not have the overall enterprise certificate program under control. In a future software version of iOS, Apple may impose stricter requirements to tighten the security screws on the enterprise program. The company is yet to commit to any such plans however. Certificates are often stolen or sold on, so licenses to the enterprise developer program that were once used legitimately are now being used nefariously. In the case of the app highlighted by Lookout, it appears to be linked to similar malware that existed on Android called `Exodus'... https://9to5mac.com/2019/04/08/iphone-trackin... https://techcrunch.com/2019/04/08/iphone-spyw... ------------------------------ Date: April 8, 2019 at 1:14:01 AM EDT From: geoff goodfellow <geoff@iconia.com> Subject: UK to keep social networks in check with Internet safety regulator (CNET) Facebook, Twitter, YouTube and a whole bunch of smaller platforms will face huge fines if they fail to live up to their "duty of care" to Internet users. EXCERPT: The UK government is taking a hard line when it comes to online safety, appointing what it claims is the world's first independent regulator to keep social media companies in check. Companies that fail to live up to requirements will face huge fines, with senior directors who are proven to have been negligent of their responsibilities being held personally liable. They may also find access to their sites blocked. The new measures, designed to make the Internet a safer place, were announced jointly by the Home Office and Department of Culture, Media and Sport. The introduction of the regulator is the central recommendation of the highly anticipated government white paper, published early Monday morning in the UK. The regulator will be tasked with ensuring social media companies are tackling a range of online problems, including: * Inciting violence and spreading violent content (including terrorist content) * Encouraging self-harm or suicide * The spread of disinformation and fake news * Cyber bullying * Children accessing inappropriate material * Child exploitation and abuse content As well as applying to the major social networks, such as Facebook, YouTube and Twitter, the requirements will also have to be met by file-hosting sites, online forums, messaging services and search engines. "For too long these companies have not done enough to protect users, especially children and young people, from harmful content," said Prime Minister Theresa May in a statement. "We have listened to campaigners and parents, and are putting a legal duty of care on Internet companies to keep people safe."... https://www.cnet.com/news/uk-to-keep-social-n... ety-regulator/ ------------------------------ Date: Tue, 9 Apr 2019 16:19:34 +0800 From: Richard Stein <rmstein@ieee.org> Subject: Should cybersecurity be more chameleon, less rhino? (bbc.com) https://www.bbc.com/news/business-47724438 Crypto-splitting or Morphisec. "Morphisec -- born out of research done at Ben-Gurion University -- has developed what it calls 'moving target security'. It's a way of scrambling the names, locations and references of each file and software application in a computer's memory to make it harder for malware to get its teeth stuck in to your system." Sounds like a kind of parallel random access machine, though the difference is static resource references (files, hard/soft links, URLs, etc.) are hashed, and randomized inside a virtual and possibly distributed address space pool to prevent malware detection and then manipulating the application or data for fun and profit. Risk: The malware can learn to do the same thing as the morphisec stack. Alternatively, reverse engineer the run-time stack with Ghidra. Perhaps Mayhem can be trained for this purpose? ------------------------------ Date: Tue, 9 Apr 2019 11:27:21 +0100 From: Neil Youngman <neil.youngman@youngman.org.uk> Subject: This is not how the secret service should examine a USB stick It seems that the secret service are not advised to avoid plugging unknown/suspicious USB sticks into their laptops. The risks are all too obvious. https://techcrunch.com/2019/04/08/secret-serv... ------------------------------ Date: Tue, 9 Apr 2019 10:44:38 -0400 From: Gabe Goldberg <gabe@gabegold.com> Subject: Report: Official forgot secret arms-deal file at airport (The Times of Israel) https://www.timesofisrael.com/report-official... irport/ Oops -- better repeat Tradecraft 101. ------------------------------ Date: Tue, 9 Apr 2019 05:47:39 -0400 From: Monty Solomon <monty@roscom.com> Subject: Hospital says patient info exposed after phishing incident (Boston Globe) https://www.boston.com/news/local-news/2019/0... posed-after-phishing-incident ------------------------------ Date: Thu, 4 Apr 2019 21:33:01 -0400 From: Monty Solomon <monty@roscom.com> Subject: DHS tech manager admits stealing data on 150,000 internal investigations, nearly 250,000 workers (WashPost) A Virginia woman pleaded guilty to conspiring with a former DHS acting inspector general. https://www.washingtonpost.com/local/legal-is... ing-data-on-150000-internal-investigations-nearly-250000-workers/2019/04/04/da0 53180-56eb-11e9-9136-f8e636f1f6df_story.html ------------------------------ Date: Mon, 8 Apr 2019 20:33:27 -0700 From: "Ralph Barone" <ralph.barone@shaw.ca> Subject: Online credit-card skimmer (WarbyParker) This online optician has an interesting online way to measure your pupillary distance online. You just take a picture of yourself with a magstrip equipped card beneath your nose, and their algorithms will compare the distance between your pupils to the known width of the card (85.60 mm) and tell you how far apart your pupils are. However, you are also very likely sending them a picture of the back of your credit card, with the embossed numbers and expiration date clearly visible, as well as your signature and CVV code for the card. So what do you figure the risk/benefit ratio is for that? <https://ca.warbyparker.com/pd/instructions ------------------------------ Date: Mon, 8 Apr 2019 19:58:57 +0800 From: Richard Stein <rmstein@ieee.org> Subject: The engineering of living organisms could soon start changing everything (The Economist) https://www.economist.com/technology-quarterl... ving-organisms-could-soon-start-changing-everything The syn-bio field offers substantial promise for healthcare: effective cancer treatments, less expensive pharmaceuticals, etc. Carbon-neutral fuel sources (biofuels from bacteria) was an early investment target. The biofuel startups nose-dived on oil price decline. "That made investors very cautious about synthetic biology. But the field attracted a bit of support from some governments, such as those of Britain and Singapore. In America the Pentagon's far-out-ideas department, DARPA, which had taken an early interest, created a new office of biology in 2013. Two years later it launched a programme that paid for leading laboratories in the field to put together pathways which could produce 1,000 molecules never created biologically before." Easy to imagine "The Andromeda Strain" arising from a syn-bio experiment gone wrong courtesy of a "repressilator" specification error or a synthesis programming error or malware assault. ------------------------------ Date: Fri, 5 Apr 2019 12:13:12 PDT From: "Peter G. Neumann" <neumann@csl.sri.com> Subject: Social media are divisive Social-media services such as Facebook and Twitter do more to divide Americans than bring them together, according to a solid majority of respondents in a WSJ/NBC poll: https://www.wsj.com/articles/americans-agree-... ep-using-it-11554456600 ------------------------------ Date: April 9, 2019 at 07:53:19 EDT From: Dewayne Hendricks <dewayne@warpspeed.com> Subject: The future of news is conversation in small groups with trusted voices (Chikai Ohazama) Techcrunch, Apr 7 2019 <https://techcrunch.com/2019/04/07/stuck-at-th... When I first came out to California, one of my favorite places to go for sushi was in downtown Mountain View. They had these little boats that would float around the bar, each carrying some sushi on a small plate. You just sat down and started picking out the ones you liked, and began eating -- very efficient and also a little bit of fun. I feel like my news consumption these days is like those sushi boats. I sit down and the news just streams by and I pick out the articles I like and read them. Very efficient and also a little bit of fun. But I've been stuck at the sushi boat bar of news for far too long, watching the same imitation crab rolls go by. I need a better way to consume better information. As you probably guessed, that ``sushi boat bar of news'' is Facebook, Twitter and the like. The algorithmic nature of news feeds tends to target the lowest common denominator, and it can often pander to people's baser instincts. That being said, it does have its place, and provides a glimpse into what is capturing the general public's attention -- but it can't be the whole meal, and that is what it has become. It's like people who eat McDonald's for breakfast, lunch and dinner. It's tasty, addictive, but very unhealthy in the long term. So what can you do about it, how can you make a change? Email newsletters have been making a resurgence in popularity, but they are hard to manage and sort through. Christopher Mims of The Wall Street Journal tweeted about this problem: * If everyone has an email newsletter and someone gets the brilliant idea to consolidate them in one place where they can easily be followed or unfollowed wouldn't that realize the dream of an open standards-based, surveillance-free alternative to Facebook? And then Steven Sinofsky had a witty response: And let us name it is RSS. Indeed, another `old' technology like email that people have been gravitating toward as an alternative to get their daily news. Wired has proclaimed that ``It's time for an RSS revival'' and it has resonated with well-respected thought leaders like Brad Feld. But RSS has had a tumultuous past, mainly used by professionals who need to keep up with their respective industries, not by the average consumer. If email newsletters or RSS were to become the replacement, it would need a new approach or framework, not just a rehashing of past products. But that is only half the problem. In this day and age, we have become accustomed to having our friends and other people around when we read the news. Even if you don't make any comments yourself, news exists in a public conversation and people's reactions, whether they be from your friends or celebrities, are often part of the news itself. Now these public conversations can be very toxic and are the very reason people are fleeing and looking for alternatives, but I don't think people want to turn the dial to zero and go back to the days of reading the newspaper by yourself over breakfast. I think people still want others around -- they just want it to be safe and free from trolls. When the web first started taking off, information propagated via the web and hyperlinks, and that world was dominated by Google web search. As Facebook and Twitter grew into prominence, information started to propagate via social networks. And now people are starting to get more and more of their information via messaging, which is looking to be the next step in the progression. You can already see this transition happening in places like India with WhatsApp, where it is becoming a major source of misinformation. And there are interesting experiments out there like Naveen Selvadurai's README on Telegram, where he posts articles into a Telegram group. But for the most part there hasn't been much evolution or progress on the messaging side of the equation to adapt it to become more of an information propagation medium. It's still mainly about casual conversation and has little overlap with the ``news feed'' use case. But given how things are changing, now may be a good time to push the boundaries of what messaging could become. I think people are seeking relief from the barrage of social media, not knowing who to trust any more and wanting a better channel to the truth. I'm pretty confident that closing the circle to a closer, trusted group would be welcome by most people. It doesn't necessarily mean just friends, but it could include trusted experts or voices in the community that can help shepherd people through the noise and distractions. [...] ------------------------------ Date: Tue, 2 Apr 2019 23:08:35 -0400 From: Monty Solomon <monty@roscom.com> Subject: Why It's So Easy for a Bounty Hunter to Find You (NYTimes) Wireless companies sell your location data. Federal regulators should stop them. https://www.nytimes.com/2019/04/02/opinion/fc... ------------------------------ Date: Sun, 7 Apr 2019 10:56:46 PDT From: "Peter G. Neumann" <neumann@csl.sri.com> Subject: Identity Theft -- Act Now to Protect Yourself (Kiplinger) Identity thieves are more skilled at their nefarious craft than ever, more sophisticated. As new research on identity theft continues to roll in, it paints an unsettling picture of how good crooks are getting at their craft. Although the number of U.S. breaches fell in 2018, the number of records exposed containing sensitive, personally identifiable information (such as Social Security and financial-account numbers) spiked by 126% from the year before, according to a report from the Identity Theft Resource Center. ``That tells us thieves aren't committing less crime -- they're just getting better at it,'' says Eva Velasquez, president and CEO of the ITRC. One of the largest breaches disclosed last year was at Marriott International, which admitted in November that its Starwood guest reservation database had been hacked starting in 2014. That exposed up to 383 million guest records (though the number of guests affected is likely smaller because of multiple records). Many records contained data such as passport numbers, addresses, dates of birth and, in some cases, customers' payment-card information. Quora, an online question-and-answer platform, also discovered a breach of account information including names, e-mail addresses and passwords of up to 100 million users. Hackers may try to enter stolen usernames and passwords into other sites -- say, those of banks or retailers -- in hopes that some customers reuse their log-in details across several accounts. ``The chances that some of those credentials will work on one or more other websites are exceptionally high,'' says Velasquez. Fortunately, none of those 2018 breaches involved Social Security numbers -- a key piece of information a thief can use to run away with someone else's identity. But the 2017 Equifax data breach exposed the names, Social Security numbers, birth dates and other sensitive data of more than 145 million Americans. Those bits of info are permanent pieces of your identity, and they may sit idle for years before a criminal puts them to work. The overall number of fraud victims fell significantly last year from 2017, thanks largely to a decline in fraud against existing credit and debit cards, according to a Javelin Strategy & Research report. But in both 2017 and 2018, the number of victims who faced some liability for fraud more than doubled from 2016, and so did the victims' out-of-pocket costs. Incidents of fraud in which criminals open new financial accounts in a victim's name or take over existing non-card accounts, such as brokerage or retirement accounts, were well above historical levels in 2017 and 2018 and ``are much more difficult, and frequently expensive, for victims to resolve,'' says Javelin. https://www.kiplinger.com/article/credit/T048... to-protect-yourself.html ------------------------------ Date: Sun, 7 Apr 2019 08:10:30 +0100 From: Wols Lists <antlists@youngman.org.uk> Subject: Re: Are We Ready For An Implant That Can Change Our Moods? (npr.org, RISKS-31.16) On 06/04/19 22:46, RISKS List Owner wrote: > Without a randomized control trial to validate device efficacy, a cranial > implant faces significant obstacles to achieve regulatory approval, gain > widespread acceptance, and become commercially viable. Volunteers will > be > difficult to attract. Such devices already have approval, and are part of the neurologist's standard arsenal. And volunteers who feel they have nothing to lose are not hard to attract. Deep Brain Stimulation is a recognised treatment for Parkinsons Dyskinesia -- indeed one of my friends has an implant -- and can be very effective. It has massively improved my friend's quality of life. Using it like a mind-enhancing drug to trigger mood-swings, though -- that's a very different kettle of fish. I can't imagine that being approved other than for people who suffer severe and sudden or uncontrollable depression - life-threatening depression. ------------------------------ Date: Sun, 7 Apr 2019 08:30:20 +0100 From: Wols Lists <antlists@youngman.org.uk> Subject: Re: How a 50-year-old design came back (Broadbeck, RISKS-31.16) > This is true of most fighter aircraft designed since the mid-70s, > although > it doesn't exactly have to do with shape complexity. A perfect example of this (although not a fighter aircraft) is the Hawker Harrier. Look at pretty much any aircraft from the 50s and earlier. The wings all slope upwards and outwards (dihedral) from the body. As the aircraft rolls, this increases the lift from the dropping wing, and counteracts the roll. Then look at the Harrier. Its wings slope DOWNward (anhedral), which means if it starts rolling, the roll will accelerate. This is typically countered by strong dihedral on the tail to give an aircraft minimum stability rather than negative stability as this gives best performance. But a very early example of this sort of thing is the Sopwith Camel, from 1917. While it involved the engine, not the wings, level flight required firm left rudder. This killed a lot of novices who didn't realise that as soon as the aircraft lifted off it would promptly try and dive to the right, but in the hands of an ace they would nearly always turn right because even if you wanted to turn left it was far faster to go three-quarters right. ------------------------------ Date: Sun, 7 Apr 2019 09:45:52 +0100 From: Wols Lists <antlists@youngman.org.uk> Subject: Re: New Climate Books Stress We Are Already Far Down The Road To A Different Earth (TPR, RISKS-31.16) > So, when Wallace-Wells talks of economic impacts, he cites a study > linking > 3.7 degrees of warming to over $550 trillion of climate-related > damage. Since $550 trillion is twice today's global wealth, the > conclusion > is that eventually rebuilding from the "n-th" superstorm will stop. We'll > just abandon our cities or live within the ruin. I've been told it's impossible, but I'm afraid of a new "Noah's Flood". The probable explanation of the original story is that, 10,000 years ago the Rhine flowed into the Atlantic somewhere between Scotland and Norway, Britain was part of Europe, and farming was new-fangled technology in the fertile Indus plain between Europe and Asia. Then an ice dam in Canada failed due to global warming. A few short *months* later, the English Channel had appeared, the Rhine Estuary had become the North Sea, and the Indus plain had become the Black Sea. Farming spread rapidly because all the farmers had been evicted from their Garden of Eden, and they took the story of the flood with them. At the moment, a huge amount of Antarctic ice is held back by the -- I think -- Weddel ice sheet. It might not take much of rise in sea-level to make that float such that it no longer holds back the glaciers, and a huge amount of ice could slide in to the ocean. The recent Japanese tsunami breached a defense designed to withstand a 10m surge. What would happen if the world suffered not a 10m surge, but a 10m rise over a couple of months? London would be gone. New York would be gone. Most international shipping would be gone -- the ports would be underwater. Much international communication would be gone -- how much critical infrastructure is located close to the coast? We wouldn't have to worry about the international refugee crisis -- most people wouldn't be able to flee far. I expect civilisation would recover from such a disaster pretty quickly, but part of the recovery would be lethal epidemics that make the Black Death look a picnic -- that took out a third of Europe's population. If the world went down to 2 or 3 billion, those that were left could live very comfortably. And the world would hopefully recover as our ability to mine fossil fuels will have been severely curtailed. ------------------------------ Date: Mon, 8 Apr 2019 10:27:04 +0300 From: Amos Shapir <amos083@gmail.com> Subject: Re: New Climate Books Stress We Are Already Far Down The Road To A Different Earth (TPR, RISKS-31.16) The trouble with such books is that when the most extreme scenario does not happen (or is rather bad, but not outright catastrophic), there would be a lot of deniers who'd use it to declare "Global Warming is a hoax, we can go on polluting as usual". [That argument merely contributes to the hoax that "Global Warming is a hoax." However, there is a difference between anticipating the future and chronicling the past -- as in new findings on evolution, dinosaur extinctions, the effects of the monster meteor strike on the climate based on geological evidence, But those don't hinder the deniers. PGN] ------------------------------ From: Amos Shapir <amos083@gmail.com> Date: Mon, 8 Apr 2019 10:28:51 +0300 Subject: Re: Researchers Find Google Play Store Apps Were Actually Government Malware (Motherboard, RISKS-31.16) This gives new meaning to "hidden in plain site"... ------------------------------ Date: Mon, 8 Apr 2019 10:54:46 +0300 From: Amos Shapir <amos083@gmail.com> Subject: Re: Huawei's code is a steaming pile... (Henry Baker, RISKS-31.16) The main fault of memcpy() and strcpy()-like functions is that they believe their input; but that might be dangerous only if such input originates externally and is not sanitized before use. IMHO most of the thousands of calls mentioned process data internal to the program, which is sure not to cause overflow or to have been injected with malicious code, and in any case in under the programmer's control and cannot be modified by external sources. But in some cases, it might take very sophisticated software analysis tools to identify the few truly risky calls. ------------------------------ Date: Mon, 8 Apr 2019 09:45:57 -0400 From: Andrew Duane <e91.waggin@gmail.com> Subject: Re: According to this bank, password managers are bad (Sheps, RISKS-31.16) My company, a very high-tech established company, has a similar requirement for passwords: incredibly complex rules and length requirements and an absolutely mandated 6-month change period (else you get locked out of everything). Repeated attempts to get our IT security group to understand that multiple frequent change requirements are incompatible with developing good secure passwords have failed. Luckily, they are silent on password managers, which everyone here uses. ------------------------------ Date: Sun, 7 Apr 2019 21:30:40 +0300 From: Toby Douglass <risks@winterflaw.net> Subject: Re: Is curing patients, a sustainable business model? (RISKS-31.???) > In a country which has some form of democracy, the public have the means > to pressurise the Government to improve the health care system. I may be wrong, but I do not see this occurring in the world now or in the past for at least some decades. In the UK, the NHS has been providing poor care, and has been a political football, for as long as I can remember. In the US, tax relief on employer provided insurance, which I think a profoundly discouraging factor for patient health care, began around the same time, originating if the chain of events is fully followed to the wage freezes imposed by the State in the USA in WW2. I suspect they both persist for essentially the same reason. It may be extremely arrogant and egoistic to say this, and I may be utterly wrong, but I think in general people do not understand the nature and necessity of competition, and so when in situations where they receive an immediate benefit for the removal of competition ("free" health care in the UK, tax relief in the US) they prefer that benefit. The population as a whole is unable then to pressure the Government to improve the situation because they do not understand the situation, either to know what to do instead, or to have reason to bear the cost of the loss of the immediate benefit. The Government in turn cannot change the situation to improve competition, because people would lose their immediate benefit, and they get unhappy about that. Attempts by the State in the UK to change the NHS have been political suicide. Democracy, if it works by mass will, only works when that will has enough knowledge and intelligence to act effectively. > On the other hand, if a company has a monopoly on a particular drug or > treatment, then they can charge "whatever the market will bear". There > is > nowhere else for the sufferer to go. Yes and yes. Monopoly however is almost always enforced by the State. In the absence of patents, or excessively long patents, other companies rapidly introduce similar products. I see this as being an example of ordinary people being forced to endure. Patents were originally intended to last only for four years. > The best way to get good health care is to take people who are passionate > about caring for others (fortunately there are many such people to be > found) and give them the freedom to do what they love doing. How does one choose these particular people? how does one choose the choosers? Setting this side, to give them freedom, you must be giving them money. Where does the money come from? If it comes from the State, by taxation, then the State, by controlling the money, controls the health care system. That system will necessarily come to prioritize the needs of State -- all care primarily for the needs and concerns of those who pay their salaries and control their job security. Voters only very, very weakly control the State. Taxation is mandatory, and all they can do is every few years vote, which may switch between one party and one other party. Their influence over the practise of medicine, transmitted through the State, is both minimal and although I may be wrong, I think *also* mis-directed, given a lack of understanding of the necessity of competition, and in some cases, such as the UK and US, the loss of immediate benefit were competition to be introduced. The State, where it controls funding, will inexorably, inevitably, unavoidably, impose its own wishes upon the practise of medicine, and those wishes will reflect, in proportion to their strength and importance to the State, its own self-interest, politics often partisan, the self-interest of large companies with lobbying power, and the interest, I think often mis-directed, of the voting public. ------------------------------ Date: Mon, 08 Apr 2019 22:13:40 +0100 From: Chris Drewe <e767pmk@yahoo.co.uk> Subject: Re: Is curing patients, a sustainable business model? (R-31,13-16) As a Brit who 'enjoys' the National Health Service ("the envy of the world", which I haven't needed to make much use of, I'm inclined to agree with this view. The good thing about the NHS is that we can be ill without having to worry about paying medical bills. The bad thing is that health treatment is something that we have done to us, with little say in the matter; the NHS can do a great job, but with the efficiency and user-friendliness expected of a taxpayer-funded monopoly. No matter how rich or poor we are, or how serious our medical problem is, we have to wait in line with everybody else for whatever service the NHS deigns to offer. As well as endless arguments about funding, the big difficulty with a free-on-demand service is the lack of a customer/supplier relationship as exists in other fields. Everybody needs something to eat and something to wear, but I've never heard a good argument that food and clothing should be issued to the populace free of charge by a government agency, and indeed groceries and garment sales are among the most dynamic sectors of the retail environment. In particular, people who work in supermarkets are not superhuman but are generally helpful and professional -- they have to be, because they know that keeping their jobs relies on customers wanting to buy stuff. By contrast, in the Stakhanovite world of non-commercial monopolies, everything depends on goodwill. [...] it can take a lot of time and effort to change government policy (this has been called "the long route of accountability" -- better to allow people to have a choice of service providers. ------------------------------ Date: Mon, 14 Jan 2019 11:11:11 -0800 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an => alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 31.17 ************************ --- GoldED+/LNX 1.1.5-b20170303 * Origin: Outpost BBS * Limestone, TN, USA (618:618/1) |
||||||
|
Previous Message | Next Message | Back to Computer Support/Help/Discussion... <-- <--- | Return to Home Page |
Execution Time: 0.045 seconds If you experience any problems with this website or need help, contact the webmaster. VADV-PHP Copyright © 2002-2024 Steve Winn, Aspect Technologies. All Rights Reserved. Virtual Advanced Copyright © 1995-1997 Roland De Graaf. |