
RISKS Forum mailing list archives
Risks Digest 30.95
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 8 Dec 2018 10:46:17 PST
RISKS-LIST: Risks-Forum Digest  Saturday 8 December 2018  Volume 30 : Issue 95

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.95>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Deadly Soul of a New Machine: Bots, AI, and Algorithms (Timothy Egan)
How to train an AI (Mark Thorson)
Texas straight-ticket voters report ballot concerns (Austin American Statesman)
O2 outage: more than 30m mobile customers unable to get online
  (The Guardian et al.)
Homeland Security Will Let Computers Predict Who Might Be a Terrorist on Your
  Plane -- Just Don't Ask How It Works (The Intercept)
A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley
  (NYTimes)
Rudy Giuliani Says Twitter Sabotaged His Tweet. Actually, He Did It Himself.
  (NYTimes)
Teen electrocuted while using headphones on plugged-in mobile phone (yahoo.com)
Auto theft on the rise in Toronto area, and a security expert thinks he knows
  why (CBC News)
Starbucks and passwords ... (Rob Slade)
New Attack Could Make Website Security Captchas Obsolete (ACM Tech News)
Teachers Say There's a Disconnect in Computer Science Education (Tina Nazerian)
Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)
The backdrop of Jamal Khashoggi's killing: A chilling cyberwar (WashPost)
Re: EU data rules have not stopped spam emails (DJC)
Re: "Human intelligence is needed." Want to Purge Fake News? Try Crowdsourcing
  (Tom Russ)
Re: Risks of Airport Wi-Fi (Jay Libove)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 8 Dec 2018 10:09:43 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Deadly Soul of a New Machine: Bots, AI, and Algorithms (Timothy Egan)

Timothy Egan, *The New York Times*, 8 Dec 2018, op-ed below the main editorial

At what point is control lost and the creations take over?  How about now?

This mentions the Lion Air Flight 610, where the pilots did not realize that
what they needed to do was to disable the autopilot.  It concludes:

  As haunting as those final moments inside the cockpit of Flight 610 were,
  it's equally haunting to grasp the full meaning of what happened.  The
  system overrode the humans and killed everyone.  Our invention.  Our folly.

------------------------------

Date: Wed, 5 Dec 2018 16:46:05 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: How to train an AI

The obvious solution is a training signal.

http://www.smbc-comics.com/comics/1543932715-20181204.png

------------------------------

Date: Sat, 27 Oct 2018 08:07:15 -0500
From: Arthur Flatau <flataua () acm org>
Subject: Texas straight-ticket voters report ballot concerns
  (Austin American Statesman)

The idea that hitting a button or other control while a screen is rendering
is a user error is astounding.  If the machine incorrectly interprets user
input it is a bug, plain and simple.

Amid scattered complaints by straight-ticket early voters of both parties
that their ballots did not, at first, correctly record their choice of either
Democrat Beto O'Rourke or Republican Ted Cruz for U.S. Senate, state and local
election officials are cautioning voters to take their time in voting and
check the review screen for accuracy before casting ballots.

The elections officials say the problems resulted from user error in voting
on the Hart eSlate machines widely used in Texas -- including in Travis, Hays
and Comal counties -- and are not the result of a machine glitch or
malfunction.

``The Hart eSlate machines are not malfunctioning,'' said Sam Taylor,
communications director for the Texas secretary of state's office.
``The problems being reported are a result of user error -- usually voters
hitting a button or using the selection wheel before the screen is finished
rendering.''

Taylor said the office is aware of a handful of complaints and that the
voters were able to correct their ballots before casting their votes.

https://www.statesman.com/news/20181026/texas-straight-ticket-voters-report-ballot-concerns

------------------------------

Date: Fri, 7 Dec 2018 21:13:07 -0500
From: Monty Solomon <monty () roscom com>
Subject: O2 outage: more than 30m mobile customers unable to get online
  (The Guardian et al.)

Users of Tesco Mobile and Sky Mobile also hit as O2 blames supplier’s
software glitch
https://www.theguardian.com/business/2018/dec/06/o2-customers-unable-to-get-online

O2 announces goodwill gestures after millions hit by data outage
Provider repeats apology for customers’ loss of connection and offers
compensation.
https://www.theguardian.com/business/2018/dec/07/o2-services-restored-after-millions-hit-by-data-outage

Ericsson apologises for O2 network outage
The data network crash, which affected millions of people worldwide, was
caused by an expired software certificate.
https://www.computing.co.uk/ctg/news/3067847/ericsson-apologises-for-o2-network-outage

Update on software issue impacting certain customers
https://www.ericsson.com/en/press-releases/2018/12/update-on-software-issue-impacting-certain-customers

SoftBank Apology for Mobile Communication Service Troubles
https://www.softbank.jp/en/corp/group/sbm/news/press/2018/20181206_02/

------------------------------

Date: Wed, 5 Dec 2018 15:30:49 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Homeland Security Will Let Computers Predict Who Might Be a Terrorist
  on Your Plane -- Just Don't Ask How It Works (The Intercept)

https://theintercept.com/2018/12/03/air-travel-surveillance-homeland-security/

Among the data items the DHS's GTAS (Global Travel Assessment System) will
consume when augmented by Virginia-based DataRobot's stack are:

"...the software's predictions must be able to function 'solely' using data
gleaned from ticket records and demographics -- criteria like origin airport,
name, birthday, gender, and citizenship.  The software can also draw from
slightly more complex inputs, like the name of the associated travel agent,
seat number, credit card information, and broader travel itinerary."

"If you ask DHS, this is a categorical win-win for all parties involved.
Foreign governments are able to enjoy a higher standard of security
screening; the United States gains some measure of confidence about the
millions of foreigners who enter the country each year; and passengers can
drink their complimentary beverage knowing that the person next to them
wasn't flagged as a terrorist by DataRobot's algorithm.  But watchlists,
among the most notorious features of post-9/11 national security mania, are
of questionable efficacy and dubious legality.  A 2014 report by The
Intercept pegged the U.S. Terrorist Screening Database, an FBI data set from
which the no-fly list is excerpted, at roughly 680,000 entries, including
some 280,000 individuals with 'no recognized terrorist group affiliation.'"

Risk: Security by obscurity.  What historical data, beyond watch list name
match, will tip the algorithm into flagging a ticketed passenger for a
pre-board interrogation?  Perhaps a preference for pretzels over peanuts?

------------------------------

Date: Mon, 29 Oct 2018 21:53:57 +0800
From: Richard Stein <rmstein () ieee org>
Subject: A Dark Consensus About Screens and Kids Begins to Emerge in Silicon
  Valley (NYTimes)

https://www.nytimes.com/2018/10/26/style/phones-children-silicon-valley.html

Mental illness traced to wireless mobile device (WMD) addiction has a label:
The 'iDisorder.'  See a book review:
https://www.nytimes.com/2012/05/13/business/in-idisorder-a-look-at-mobile-device-addiction-review.html

Excessive mobile device usage, induced by applications that easily captivate,
is unhealthy.  Children are especially susceptible to overuse.  While there's
no equivalent to the US Surgeon General's "Smoking causes cancer" warning,
strictly enforced mobile device access restrictions for adolescents
constitute wise parental guidance.

The National Institutes for Health archives several studies on the
physiological effects arising from excessive mobile device usage.

"The Potential Impact of Internet and Mobile Use on Headache and Other
Somatic Symptoms in Adolescence.  A Population-Based Cross-Sectional Study"
published JUL2016 at https://www.ncbi.nlm.nih.gov/pubmed/27255862.

"Conclusion: Results highlighted the potential impact of excessive internet
and mobile use, which ranges from different types of headache to other
somatic symptoms.  Further studies are needed to confirm these findings and
to determine if there is a need for promoting preventive health
interventions, especially in school setting."
"Evaluation of mobile phone addiction level and sleep quality in university
students" published JUL-AUG2013 at
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3817775/.

"Conclusion: The sleep quality worsens with increasing addiction level.  It
was concluded that referring the students with suspected addiction to
advanced healthcare facilities, performing occasional scans for early
diagnosis and informing the students about controlled mobile phone use would
be useful."

------------------------------

Date: Thu, 6 Dec 2018 11:51:05 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Rudy Giuliani Says Twitter Sabotaged His Tweet. Actually, He Did It
  Himself. (NYTimes)

A tweet from Mr. Giuliani now links to an anti-Trump page.  The president’s
lawyer blamed Twitter, but the culprit was his own typo (plus a prankster in
Atlanta).

https://www.nytimes.com/2018/12/05/us/politics/rudy-giuliani-twitter-links.html

Risks?  Technology + Giuliani.

------------------------------

Date: Wed, 5 Dec 2018 16:03:11 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Teen electrocuted while using headphones on plugged-in mobile phone
  (yahoo.com)

https://sg.news.yahoo.com/teen-electrocuted-while-using-headphones-053237666.html

"Injuries and accidents caused by power surges while mobile phones are
charging are not uncommon, and by now we should all know a few tips to keep
us safe while using mobile devices.  Namely, try not to use your charging
phone.  Plugged into a wall, the live socket could deliver up to 230 volts of
electric charge, which could be leaked by a loose cable, or inferior quality
charger than the one the manufacturer gave you."

The "stuff that comes out of the wall" in Malaysia is 230 volts @ 50Hz.
From Brazil, a similar event was reported 20FEB2018 at
https://www.thesun.co.uk/news/5626441/girl-17-electrocuted-with-headphones-melted-in-her-ears-while-using-her-mobile-that-was-charging/

------------------------------

Date: Wed, 05 Dec 2018 15:33:07 -0500
From: Jose Maria Mateos <chema () rinzewind org>
Subject: Auto theft on the rise in Toronto area, and a security expert thinks
  he knows why (CBC News)

https://www.cbc.ca/news/canada/toronto/car-thefts-rising-1.4930890

According to Bates, many of these thieves are using a method called "relay
theft."  Key fobs are constantly broadcasting a signal that communicates with
a specific vehicle, he said, and when it comes into a close enough range, the
vehicle will open and start.

"The way that the thieves are getting around this is they're essentially
amplifying that low power signal coming off of the push start fob," he said.
"They will prey upon the general consensus that most people are leaving their
key fobs close to the front door of their home and the vehicle will be in the
driveway."

The thief will bring a device close to the home's door, close to where most
keys are sitting, to boost the fob's signal.  They leave another device near
the vehicle, which receives the signal and opens the car.

Many people don't realize it, Bates said, but the thieves don't need the fob
in the car to drive it away.

------------------------------

Date: Thu, 6 Dec 2018 09:57:45 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: Starbucks and passwords ...

For me, Starbucks is not the religious experience it is for those who call it
St. Arbucks.  But somebody gave me a Starbucks card, and I thought I'd try
out their registration and rewards program.

OK, I'm quitting the Starbucks rewards program.  I don't drink enough coffee
to justify it anyway, but I've got lots of other accounts lying around the
Net that I just let go dormant.  The thing is, I can't use the Starbucks
system.  Literally.  I can't sign back in.
The system refuses to let me use my existing password.  It tells me that
password is invalid.

When I try to reset my password, Starbucks sends me email with a link.  It is
some kind of weird formatting, because it won't show as a link on that email
system, and I have to read the raw message and HTML and try to find the link.

Having found the link, I try to reset and set it to the one I have used when
I created the account.  But the system tells me I can't use it since I've
used it before.  But if I try to log in with it, the system tells me it is
invalid.

Starbucks also has one of those huge lists of requirements for passwords.
It's gotta be mixed case.  It's gotta have numbers.  It's gotta have symbols.
It can't have certain symbols.  It's gotta have emojis.  It's gotta have your
favourite Star Wars character.  (Regardless of whether or not you even know
what Star Wars is.)

I suppose I could figure out how to create a password acceptable to their
system, and hope that the system doesn't forget the new one like it did the
old one, but, frankly, Starbucks just isn't that important ...

------------------------------

Date: Fri, 7 Dec 2018 11:41:40 -0500
From: ACM TechNews <technews-editor () acm org>
Subject: New Attack Could Make Website Security Captchas Obsolete

Lancaster University (12/05/18) via ACM TechNews

Researchers at Lancaster University in the U.K., Northwest University, and
Peking University in China have demonstrated a deep learning algorithm that
could render captcha security and authentication redundant.  The algorithm
solves captchas with substantially greater accuracy than earlier captcha
attack systems, and successfully cracks captcha versions that defeated
previous hacks.  The system uses a generative adversarial network (GAN),
educating a captcha generator to produce large numbers of training captchas
that are indistinguishable from actual captchas.
These are employed to quickly train a solver, which is tested against real
captchas; the algorithm only needs 500 genuine captchas, rather than the
millions required to train a conventional attack program.  Lancaster's Zheng
Wang said, "Our work shows that the security features employed by the current
text-based captcha schemes are particularly vulnerable under deep learning
methods."

https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d719x2190f8x069241%26

------------------------------

Date: Fri, 7 Dec 2018 11:41:40 -0500
From: ACM TechNews <technews-editor () acm org>
Subject: Teachers Say There's a Disconnect in Computer Science Education
  (Tina Nazerian)

Tina Nazerian, EdSurge (CA), 3 Dec 2018, via ACM TechNews

Eighty-eight percent of teachers said computer science is critical for
students' success in the workplace, but two in 10 said their students are not
taught any computer science, according to a survey of 540 K-12 teachers in
the U.S. that was commissioned by Microsoft.  The teachers attributed the gap
to computer science not being part of their schools' curricula, a lack of
funding for it, and computer science not being a subject on which students
are tested.  Microsoft's Mark Sparvell said, "Computer science is clearly in
high demand.  Teachers see it as a priority, parents see it as a priority
from previous research.  And yet, it's in low supply."  Sheena Vaidyanathan,
a computer science integration specialist in the Los Altos School District in
California, said computer science should be part of the core U.S. education
curriculum, like math and reading, rather than being dependent on funding and
involvement from tech companies.
https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d719x2190fex069241%26

------------------------------

Date: Mon, 22 Oct 2018 16:50:22 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

Like many cybersecurity bunkers, IBM’s foxhole has deliberately theatrical
touches.  Whiteboards and giant monitors fill nearly every wall, with
graphics that can be manipulated by touch.

“You can’t have a fusion center unless you have really cool TVs,” quipped
Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
global cybersecurity head, at a recent cybercrime conference.  “It’s even
better if they do something when you touch them.  It doesn’t matter what they
do.  Just something.”

Security pros mockingly refer to such eye candy as “pew pew” maps, an
onomatopoeia for the noise of laser guns in 1980s movies and video arcades.
They are especially useful, executives concede, to put on display when
V.I.P.s or board members stop by for a tour.

Two popular “pew pew” maps are from FireEye and the defunct security vendor
Norse, whose video game-like maps show laser beams zapping across the globe.
Norse went out of business two years ago, and no one is sure what data the
map is based on, but everyone agrees that it looks cool.

https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

Of course, a comment on the article has the solution:

  BLOCKCHAIN Software guarantees a valid trail of corrupted files, preserving
  the data.  I wonder how long it will be until even that system is defeated.
  What BlockChain software the power is its distributive system, meaning that
  the data is stored in multiple private computers.  Whether that system meets
  legal requirements for privacy is another question.  But the logic is clear:
  if data is distributed according to a randomizing algorithm, that makes it a
  lot more complicated for intruders to be able to follow data and to corrupt
  the system to a point where it shuts down.  Or worse, becomes subject to
  malware that results in ransom or other maneuvers of financial plundering.
  It is, no doubt, the bane of our digital world that the vulnerabilities are
  incomprehensible to the lay person and difficult if not impossible for the
  experts to protect fully.  Things may not be at the point where investors
  are advised to purchase gold and hide under a mattress.  But we may well be
  headed in that direction.

------------------------------

Date: Fri, 7 Dec 2018 22:19:30 -0500
From: Monty Solomon <monty () roscom com>
Subject: The backdrop of Jamal Khashoggi's killing: A chilling cyberwar
  (WashPost)

Inside the 21st-century battle of ideas waged by the fearful crown prince and
a conniving courtier.

https://www.washingtonpost.com/opinions/global-opinions/how-a-chilling-saudi-cyberwar-ensnared-jamal-khashoggi/2018/12/07/f5f048fe-f975-11e8-8c9a-860ce2a8148f_story.html

------------------------------

Date: Tue, 4 Dec 2018 10:12:59 +0100
From: DJC <djc () resiak org>
Subject: Re: EU data rules have not stopped spam emails

I get spam and phishing mail in English, many different accents of broken
English, Chinese, Korean, Spanish, Serbian, German, French, and Hungarian;
and perhaps I've forgotten a couple.  The originating systems can be anywhere
on the net, lately with an unusual concentration of personal systems in South
America, probably infected, plus lots of Russian systems.

The GDPR doesn't seem likely to touch this business, and I can't imagine why
people ever thought it would.

The GDPR does, however, impede a nonprofit I work with from helping many of
our signed-up email recipients actually get the mail they want from us.  You
might say it could use more thinking and more work.
------------------------------

Date: Tue, 4 Dec 2018 11:36:27 -0800
From: Tom Russ <taruss () google com>
Subject: Re: "Human intelligence is needed." Want to Purge Fake News? Try
  Crowdsourcing (RISKS-30.94)

It seems that a major problem with the fake news epidemic has been the use of
bot networks to promote articles.  It seems like any sort of crowd-sourcing
of news validation will just cause the bad actors to move their botnets to
the new feedback buttons to swamp the real users in the voting process.  The
"wisdom of the crowd" presumes that you have some reasonable sample of people
and not an auditorium packed with your paid shills.

------------------------------

Date: Tue, 4 Dec 2018 08:48:06 +0000
From: Jay Libove <libove () felines org>
Subject: Re: Risks of Airport Wi-Fi (RISKS-30.94)

Responding to Geoff Goodfellow's posting about an LA Times article about the
risks of airport Wi-Fi, I've never understood why we consider this such a
high threat.

All mobile devices which ever sit outside of very strongly secured networks
(which is basically all mobile devices) must be their own security
perimeters.  We must assume, and appropriately configure our devices to work
securely in the case, that the Internet connection is being monitored, DNS
can be hijacked, and unencrypted data sessions may be monitored or even
tampered with.

On that basis, an airport or coffee shop or any other Wi-Fi or 3G mobile or
hotel or friend's home or any other network at all is no different than
computing/networking in the general use case.

So why do we continue to raise flags about "insecure WiFi" and evil twins,
rather than push for secure-enough general configurations?

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks have done to URLs.  I have
  tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.95
************************