RISKS Forum mailing list archives

Risks Digest 31.57

From: RISKS List Owner <risko () csl sri com>
Date: Mon, 10 Feb 2020 17:15:13 PST

RISKS-LIST: Risks-Forum Digest  Monday 10 February 2020  Volume 31 : Issue 57

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.57>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Backhoes, squirrels, and woodpeckers as DoS vectors (Richard Forno)
Benjamin Netanyahu's election app potentially exposed data for every Israeli
  voter (WashPost)
The app that broke the Iowa caucus, an inside look (CNET)
Tesla Remotely Removes Autopilot Features From Customer's Used Tesla
  Without Any Notice (Clean Technica)
Recent Car Thefts May Be Related To Carsharing App Getaround, Warns
  D.C. Attorney General (DCist)
SSL Certificates are expiring... (Cryptography)
Nasty Linux, macOS sudo bug found and fixed (ZDNet)
Cisco Flaws Put Millions of Workplace Devices at Risk (WiReD)
Data leakage from portable versions of Open Office and Libre Office
  (Arthur T.)
Facebook's Bug Bounty Caught a Data-Stealing Spree (WiReD)
The `manosphere' is getting more toxic as angry men join the incels
  (MIT Tech Review)
Explainable AI (Chris Els=C3=A4sser)
Read the FBI's Damning Case Against the Recently Arrested Nintendo Hacker
  (Vice)
Who owns your feelings? Short doc shows how big tech uses AI to track
  emotions (CBC)
Photo Roulette on the App Store (Gabe Goldberg)
The 'race to 5G' is a myth (WEForum)
Not all fun and memes: What's the trouble with TikTok? (CBC)
The Night Sky Will Never Be the Same (The Atlantic)
Boeing's Starliner space capsule suffered a second software
  glitch during December test flight (WashPost)
Boeing Refuses to Cooperate With New Inquiry into Deadly Crash (NYTimes)
NASA Shares Initial Findings from Boeing Starliner Orbital Flight Test
  Investigation (NASA)
Re: Boeing 737s can't land facing west (Terje Mathisen)
Re: 99 smartphones ... (3daygoaty, JC Cantrell)
Re: Artificial intelligence-created medicine to be used on humans for
  first time (Mark Thorson)
Re: AI-created medicine to be used on humans (Henry Baker)
Re: Election Security At The Chip Level (John R. Levine)
Re: Should Automakers Be Responsible for Accidents? (Gabe Goldberg)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 10 Feb 2020 08:53:28 -0500
From: Richard Forno <rforno () infowarrior org>
Subject: Backhoes, squirrels, and woodpeckers as DoS vectors

[The video shows] a wireless antenna in California. Network coverage was
disrupted by an Acorn woodpecker, a 3-ounce bird stashing an estimated 35-50
gallons/300lbs of acorns.

http://twitter.com/gunsnrosesgirl3/status/1226715791443148800

  Social media have been attributing this to squirrels for a long time.  I
  of course try to correct people anytime I see this.  It just proves that
  attribution can be really difficult.  RF

  [We have had numerous squirrel and a few notable backhoe stories in the
  RISKS archives.  But woodpeckers also have had their opportunities, e.g.,
  in RISKS-17.16: ``Woodpeckers could delay shuttle.''  Furthermore, I note
  that the quote "If builders built houses the way programmers write
  programs, the first woodpecker that came along would destroy
  civilization." managed to peck its way into *three* different issues,
  RISKS-10.07 (June 1990), 23.74 (Feb 2005), and 28.21 (August 2014), so
  they keep coming back.  A hardy bunch, these woodpeckers.  They really get
  around.  Indeed, they really get a round hole where there are not even any
  square pegs. PGN]

------------------------------

Date: Mon, 10 Feb 2020 08:36:47 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Benjamin Netanyahu's election app potentially exposed data for
  every Israeli voter (WashPost)

https://www.washingtonpost.com/world/middle_east/benjamin-netanyahus-election-app-potentially-exposed-data-for-every-israeli-voter/2020/02/10/98f606c0-4bfe-11ea-967b-e074d302c7d4_story.html

------------------------------

Date: Thu, 6 Feb 2020 16:45:00 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: The app that broke the Iowa caucus, an inside look (CNET)

*A cybersecurity company got hold of the code for Shadow, the app used in
the Iowa caucus, and spoke to CNET about what it found*

EXCERPT:

Results from Monday's Iowa caucus were delayed for days because of problems
with a smartphone app used to tabulate and report results, causing chaos and
frustration among campaigns and voters. A reported coding issue caused the
app to only report out partial data, Iowa Democratic Chairman Troy Price
said in a statement.

<https://www.cnet.com/news/as-iowa-caucuses-arrive-facebook-has-a-trust-problem/>
<https://www.cnet.com/news/iowa-caucus-results-delayed-due-to-reporting-inconsistencies-after-switching-to-new-tech-system/>
<https://www.cnet.com/news/iowa-caucus-app-debacle-what-went-wrong/>

Cybersecurity company Blue Hexagon obtained a copy of the app, created by a
company called Shadow, Inc. Blue Hexagon's head of cyberthreat intelligence
and operations, Irfan Asrar, spoke with CNET's Dan Patterson about what went
wrong and the overarching cybersecurity concerns this presents for the rest
of the 2020 election.
<https://www.cbsnews.com/video/cyber-experts-weigh-in-on-the-app-that-crashed-the-iowa-caucus/>
<https://www.zdnet.com/article/the-scariest-hacks-and-vulnerabilities-of-2019/>

Blue Hexagon is still diagnosing exactly why the app failed. But the final
version of the app has several problems within the code, including links to
people's personal websites, Asrar said.  "What we believe is, this is an
oversight, and an example of the app being rushed into production," he
added.  The larger concern is that the app was so easy to obtain, which
means anyone could access the infrastructure supporting it and potentially
cause damage, Asrar said.

Watch the video for the full interview
<https://www.cnet.com/videos/inside-shadow-an-exclusive-look-at-the-mobile-app-that-broke-the-iowa-caucus/>
and more insight into the Shadow, Inc. app. [...]
https://www.cnet.com/news/the-app-that-broke-the-iowa-caucus-an-inside-look/

  [The whole situation smells of gross incompetence, trust in flaky
  outsourcing, lack of assurance, testing, and many other problems long
  considered in RISKS.  If every computer system is simply badly conceived
  and ultimately flawed and compromisable internally or externally, why
  would you expect anything else here?

  In addition to all of the above, Rachel Maddow had on her 6 Feb 2020 show
  a reprise of the massive denial of service in 2002 in the New Hampshire
  election for Sununu that disrupted telephone banks intending to get out
  the vote for Democrats.  This exact DoS was repeated by the Reps in 2020
  to totally disrupt the Iowa caucus after the Dems turned to phone lines to
  call in the results.  This kind of disruption is clearly out of control,
  even with the Dem's having overprovisioned their servers.  PGN]

------------------------------

Date: Mon, 10 Feb 2020 08:54:45 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Tesla Remotely Removes Autopilot Features From Customer's Used
  Tesla Without Any Notice (Clean Technica)

EXCERPT:

One of the less-considered side effects of car features moving from
hardware to software is that important features and abilities of a car can
now be removed without any actual contact with a given car. Where once
de-contenting involved at least a screwdriver (or, if you were in a hurry,
a hammer), now thousands of dollars of options can vanish with the click of
a mouse somewhere. And that's exactly what happened to one Tesla owner,
and, it seems many others.

Alec (I'll withhold his last name for privacy reasons) bought a 2017 Tesla
Model S on December 20 of last year, from a third-party dealer who bought
the car directly from Tesla via auction on November 15, 2019. The car was
sold at auction as a result of a California Lemon Law buyback, as the car
suffered from a well-known issue where the center-stack screen developed a
noticeable yellow border.
<https://cleantechnica.com/2019/07/06/tesla-rolls-out-uv-light-fix-for-yellowing-screen-border/>

When the dealer bought the car at auction from Tesla on November 15, it was
optioned with both Enhanced Autopilot and Tesla's confusingly-named Full
Self Driving Capability
together, these options totaled $8,000. You can see them right on the
Monroney sticker for the car:...
<https://jalopnik.com/tesla-is-still-using-the-phrase-full-self-driving-to-de-1835012651>
https://jalopnik.com/tesla-remotely-removes-autopilot-features-from-customer-1841472617

------------------------------

Date: Wed, 5 Feb 2020 18:05:36 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Recent Car Thefts May Be Related To Carsharing App Getaround,
  Warns D.C. Attorney General (DCist)

“Vehicles listed on Getaround could be at increased risk of theft because
keys are left inside of the car and the car’s location is visible to anyone
searching the platform,” according to a release from the OAG.

https://dcist.com/story/20/02/05/recent-car-thefts-may-be-related-to-carsharing-app-getaround-warns-d-c-attorney-general/

Ya think?

------------------------------

Date: February 1, 2020 at 9:08:55 AM GMT+9
From: Henry Baker <hbaker1 () pipeline com>
Subject: SSL Certificates are expiring... (Cryptography)

``Forget the Y2K bug, "things" are starting to break as SSL Certificates
start expiring.''

Several authority certificates are expiring:
  5/30/2020
  6/21/2020
  9/22/2020
  12/31/2020

IoT -- Internet of Expired Certificates.

Perfectly good HW, but with firmware that can't be updated.

I just hope that implantable medical devices can have their builtin
certificates updated!

I wonder how many "smart" *cars* will stop running when their builtin SSL
certificates expire?

Problems: bad hash functions (MDx,SHA1) are also causing certificate
problems even though the RSA algorithm -- even at 1024 bits -- still seems
to be holding.

------------------------------

Date: Wed, 5 Feb 2020 01:02:54 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Nasty Linux, macOS sudo bug found and fixed (ZDNet)

Sudo is a very popular, very simple Unix-system sysadmin application. It
enables users to switch identities for the purpose of running a single
command. Usually, but not always, it lets you run a command as the root,
system administrator, user. Sudo's easy to abuse, but it's so darn useful,
until it's not. A recently discovered sudo bug once more spells out why you
should be wary of this command.

In this latest security hole, CVE-2019-18634, Apple Information Security
researcher Joe Vennix discovered that if the "pwfeedback" option is enabled
in your sudoers configuration file, any user, even one who can't run sudo or
is listed in the sudoers file, can crack a system.

https://www.zdnet.com/article/nasty-linux-macos-sudo-bug-found-and-fixed/

------------------------------

Date: Fri, 7 Feb 2020 10:32:15 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Cisco Flaws Put Millions of Workplace Devices at Risk (WiReD)

To exploit the bugs, attackers would first need a foothold inside a target's
network, but from there they could fan out quickly, compromising one
vulnerable Cisco device after another to bore deeper into a system. And once
attackers controlled a switch or router they could start to intercept
unencrypted network data, like files and some communications, or access a
company's *active directory*, which manages authentication for users and
devices.

``It's still hop by hop. As a hacker, you still need an initial attack vector
into the network,'' says Ang Cui, founder of the IoT security firm Red
Balloon, who has disclosed numerous Cisco bugs. ``But once you’re there, at
each hop you have the same vulnerability present -- all the switches,
firewalls, and routers in a network could be affected by this.  So you're
going to have to own a lot of devices, but once you own all of them you've
literally taken over every single piece of the network.''

https://www.wired.com/story/cisco-cdp-flaws-enterprise-hacking/

------------------------------

Date: Fri, 07 Feb 2020 01:06:34 -0500
From: "Arthur T." <risks202002.6.atsjbt () xoxy net>
Subject: Data leakage from portable versions of Open Office and Libre Office

Note: this post is Windows-centric. I'm not sure if a similar problem occurs
on other platforms.

Many people run the portable version of Office (Open or Libre) from a
specific location (such as a thumb drive) in order to keep all data off of
other locations (such as the C: drive). This might not be working as
expected.

One of the first things one does in such a case is verify the locations of
default files, temp files, etc. The temp files location is a few directories
down from %temp% (or maybe %tmp%) and probably on C:. So one changes it to a
directory on the same drive where Office resides.  Unfortunately, that
doesn't work. More unfortunately, Office doesn't tell you that it didn't
work.

My first indication was that when I restarted the program, its temp
directory had reverted to within %temp%. I thought that, even though it
remembered other changes, it somehow wasn't remembering that one.

In fact, it's more sinister. Not only is it not remembering it, it's not
using the updated location. When it starts, it immediately creates files in
its temp directory, and it keeps using that same directory until Office is
closed, regardless of what you type in as an override once the program is
running. Really, it shouldn't let you type an override in for that
directory, so you'd know it can't be overridden.

I use Open Office, but web searches suggest: that Libre Office has the same
problem, that it has existed for a long time, and that it has not been
fixed.

For myself, I created a .bat file to reset temp and tmp before starting Open
Office, and that appears to fix the problem. My .bat file to run Office from
drive E: is:

setlocal
set tmp=e:\temp
set temp=e:\temp
start "Open Office on E" "e:\Program
Files\OpenOffice\OpenOfficePortable.exe"
endlocal

------------------------------

Date: Sun, 9 Feb 2020 21:29:23 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Facebook's Bug Bounty Caught a Data-Stealing Spree (WiReD)

A few months ago, the company disclosed that apps were siphoning data from
up to 9.5 million of its users. It only found out thanks to a bug bounty
submission.

https://www.wired.com/story/facebook-bug-bounty-app-data-stealing/

------------------------------

Date: Sat, 8 Feb 2020 11:42:35 -0500
From: Monty Solomon <monty () roscom com>
Subject: The `manosphere' is getting more toxic as angry men join the incels
  (MIT Tech Review)

Men from the less extreme end of the misogynistic spectrum are drifting
toward groups that espouse violence against women, a new study suggests.

https://www.technologyreview.com/s/615155/the-manosphere-is-getting-more-toxic-as-angry-men-join-the-incels/

------------------------------

From: Chris Els=C3=A4sser <chris.elsaesser () comcast net>
Date: Thu, Feb 6, 2020 at 11:55 AM
Subject: Explainable AI

Geoff, Looking over your recent posts on IS & RISKS, I noticed this at the end
(probably from MIT Tech Review):

Ehsan is part of a small but growing group of researchers trying to make AIs
better at explaining themselves, to help us look inside the black box.  The
aim of so-called interpretable or explainable AI (XAI) is to help people
understand what features in the data a neural network is actually learning
-- and thus whether the resulting model is accurate and unbiased.  [=A6]

Once again, AI is reinvented!

But first, it would be nice if the Tech Review writer (Douglas Heaven) knew
that *interpretable* and *explainable* are not the same thing.

Second, it would be nice if the writer looked at the extensive literature on
explanation in AI systems; goes back to the great-grandparent of AI systems,
MYCIN, and its explanation subsystem. [note: MYCIN's `certainty factors'
were soon supplanted at Stanford by Bayes networks]

Per Geoff Hinton, Deep learning NNs are approximations of (full) Bayesian
classifiers. Explanation of Bayesian inference has long been seen to be in
need of `explanation' (or perhaps `convincing' :-)) because human reason
under uncertainty has often been found to deviate from Bayesian inference
(which is provably optimal).

The earliest reference to explanation of Bayesian inference I've found is
the following (and it should be obvious why I looked no further ;-)):

Elsaesser, Christopher (1987) Explanation of Probabilistic Inference for
Decision Support Systems *Proceedings of the Third Conference on
Uncertainty in Artificial Intelligence (UAI-87),* Morgan Kaufmann, San
Francisco, CA.

That paper reported work I did for my PhD thesis at Carnegie Mellon. My
techniques were substantially improved and extended by Merek Druzdzel. For
example:

Henrion, M. and M. J. Druzdzel (1990). Qualitative and linguistic
explanations of probabilistic reasoning in belief networks. Proceedings of
the Sixth Conference on Uncertainty in Artificial Intelligence, pages 10-20
Cambridge, MA, Association for Uncertainty in AI.

NOT that re-invention is not worthwhile. Just that at least in this case
its nothing new.  :-)

------------------------------

Date: Tue, 4 Feb 2020 18:03:22 -0500
From: Monty Solomon <monty () roscom com>
Subject: Read the FBI's Damning Case Against the Recently Arrested Nintendo
  Hacker (Vice)

The hacker who stole from Nintendo for years bragged about it online, and
didn't even try to hide his real name or activities.

https://www.vice.com/en_us/article/akwkk5/read-the-fbis-damning-case-against-the-recently-arrested-nintendo-hacker

------------------------------

Date: Thu, 6 Feb 2020 18:55:58 -0700
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Who owns your feelings? Short doc shows how big tech uses AI to
  track emotions (CBC)

https://www.cbc.ca/news/canada/montreal/stealing-ur-feelings-1.5362954

Watching Noah Levenson's short documentary Stealing Ur Feelings is
undoubtedly intended to be an uncomfortable experience.

The short film, which premiered in Montreal as part of the International
Documentary Festival this week, explains how big business has the capacity
to use artificial intelligence programs and facial recognition software to
track and monitor the emotions of its users.

But he does this by using the same technology against the viewers of the
film.  "It uses facial emotion recognition AI to watch you back. So it
analyzes your face as you react to content it shows you," explained
Levenson.

"So, the film uses the camera in your device to make you the star of the
film."

------------------------------

Date: Wed, 5 Feb 2020 00:58:38 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Photo Roulette on the App Store

In Photo Roulette you compete with your friends to quickly guess whose photo
is shown! Play with random photos from you (sic) and your friends' phones in
this social and exciting Photo Roulette game! Feel the thrill before each
picture and share the hilarious moments that occur with the pictures of your
friends and family!

https://apps.apple.com/us/app/photo-roulette/id1050443738

Nevermind someone hacking your phone for pictures, play the game and see
what's distributed.

------------------------------

Date: Fri, 7 Feb 2020 12:26:13 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: The 'race to 5G' is a myth (WEForum)

EXCERPT:

Telecommunications providers relentlessly extol the power of
fifth-generation (5G) wireless technology. Government officials and policy
advocates fret that the winner of the "5G race" will dominate the Internet
of the future, so America cannot afford to lose out. Pundits declare that 5G
will revolutionize the digital world.

<https://www.weforum.org/agenda/2018/01/the-world-is-about-to-become-even-more-interconnected-here-s-how/>
<https://www.cnn.com/2020/01/24/perspectives/america-china-5g-race/index.html>
<https://www.weforum.org/agenda/2019/01/here-s-how-5g-will-revolutionize-the-digital-world/>

It all sounds very thrilling. Unfortunately, the hype has gone too far.  5G
systems will, over time, replace today's 4G, just as next year's iPhone 12
will improve on this year's 11. 5G networks offer significantly greater
transmission capacity. However, despite all the hype, they won't represent a
radical break from the current mobile experience.  First of all, the "race
to 5G" is a myth. 5G is a marketing term for a family of technologies, which
carriers can stretch to cover a variety of networks. The technical standards
are still under development
<https://www.brookings.edu/research/5g-in-five-not-so-easy-pieces/>, so what
counts as "true" 5G is arguable. As with 4G, the 5G rollout will take years,
as carriers upgrade their networks with new gear and users buy new
phones. Just as they do today, connections will fall back to slower speeds
when users aren't near enough to a tower, or if the network is overloaded.
There's no magic moment when a carrier, or a nation, "has" 5G.

Even if there was a race, it's over: South Korea and China have already
built <https://www.cnn.com/2019/11/01/tech/5g-china/index.html> much more
extensive 5G networks than the United States. But that shouldn't be cause
for panic. Customers in those countries may have a leg up on faster
connections, but that doesn't necessarily create a sustainable strategic
advantage. Romania is one of 10 countries with significantly faster
<https://www.speedtest.net/global-index> average fixed broadband connections
than America today, yet no one in Washington seems concerned that will give
Romanian firms a dominant advantage. The major tech platforms delivering
innovative digital services to the world are still based in the United
States and China. There are important concerns
<https://www.cnn.com/2019/12/05/tech/huawei-us-ban-lawsuit/index.html> about
the Chinese networking firm Huawei creating backdoors for surveillance or
tilting the carrier equipment market toward Chinese-defined standards. Your
5G user experience, however, won't depend on who makes the gear in the guts
of the network.  The overheated rhetoric is based on the misconception that
5G heralds a new era of services for end-users. In reality, the claimed
performance -- hundreds of megabits or even gigabits per second
-- is misleading. Averages and ideal numbers mask huge variations
depending <https://www.cnn.com/2019/08/09/tech/5g-review/index.html> on
distance to an antenna, obstructions, weather and other factors. The fastest
speeds require "millimeter wave" spectrum, which doesn't penetrate walls or
foliage well, and is generally less reliable than the lower frequencies used
today. Millimeter wave requires a much denser network of antennas, which
could be cost-prohibitive outside dense urban areas. Even if that hurdle is
overcome, a gigabit per second to millions of phones requires a network able
to move traffic at that speed end-to-end, which doesn't exist today. [...]

https://www.cnn.com/2020/02/03/perspectives/5g-disruption/index.html

------------------------------

Date: Thu, 6 Feb 2020 18:57:47 -0700
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Not all fun and memes: What's the trouble with TikTok? (CBC)

https://www.cbc.ca/news/technology/tiktok-criticism-expansion-in-canada-1.5336375
It's been a bad week for TikTok.

The Chinese-owned video-sharing app, wildly popular with teens, was forced
to issue a rare public statement about its data security practices and
whether it censors content on behalf of Beijing.

In short, TikTok said it can be trusted with its users' data and that it
doesn't delete videos just because of "sensitivities related to China." But
that's done little to quiet the app's increasingly vocal critics who worry
the platform, with its short lip-sync and comedy videos, is the latest
example of Beijing's overseas intelligence-gathering operation.

Toronto-based privacy advocate Ann Cavoukian told CBC News she is skeptical
of TikTok's defence, because "surveillance among the Chinese is non-stop."

------------------------------

Date: Fri, 7 Feb 2020 12:25:16 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: The Night Sky Will Never Be the Same (The Atlantic)

*If Elon Musk has his way, thousands of bright artificial lights will
streak through the dark*
EXCERPT:

Last year, Krzysztof Stanek got a letter from one of his neighbors. The
neighbor wanted to build a shed two feet taller than local regulations
allowed, and the city required him to notify nearby residents. Neighbors,
the notice said, could object to the construction. No one did, and the shed
went up.

Stanek, an astronomer at Ohio State University, told me this story not
because he thinks other people will care about the specific construction
codes of Columbus, Ohio, but rather because it reminds him of the network of
satellites SpaceX is building in the space around Earth.  ``Somebody puts up
a shed that might obstruct my view by a foot, I can protest.  But somebody
can launch thousands of satellites in the sky and there's nothing I can do?
As a citizen of Earth, I was like, *Wait a minute*.''

Since last spring, SpaceX has launched into orbit dozens of small
satellites -- the beginnings of Starlink, a floating scaffold that the
company's founder, Elon Musk, hopes will someday provide high-speed
Internet to every part of the world.
<https://www.theatlantic.com/science/archive/2019/05/spacex-satellites-starlink/590269/>

SpaceX sent a letter too, in a way. After filing for permission to build
its constellation in space, federal regulators held the required comment
period, open to the public, before the first satellites could launch.

These satellites have turned out to be far more reflective than anyone, even
SpaceX engineers, expected. Before Starlink, there were about 200 objects in
orbit around Earth that could be seen with the unaided eye. In less than a
year, SpaceX has added another 240.  ``These are brighter than probably 99
percent of existing objects in Earth orbit right now,'' says Pat Seitzer, a
professor emeritus at the University of Michigan who studies orbital
debris. For months, astronomers have shared images online of their
telescopes' fields of view with diagonal white streaks cutting across the
darkness, the distinct appearance of Starlink satellites. More satellites
are now on the way, both from SpaceX and other companies. If, as Musk hopes,
these satellites number in the tens of thousands, ignoring them will be
difficult, whether you're an astronomer or not.

In some ways, these satellites pose a familiar problem, a matter of managing
the competing interests that scientists, commercial companies, and the
public might have in a limited natural resource. But the use of outer space
-- particularly the part in close vicinity to our planet -- has never been
tested quite like this before. For most of history, scientists, particularly
those who observe the cosmos on visible wavelengths, have had relatively
little competition for access to the sky. Passing satellites were considered
nuisances and sometimes wrecked data, but they were rare.  Some astronomers
are now calling for legal action but even those who wouldn't push that far
describe Starlink's satellites as a wake-up call: What happens when new and
powerful neighbors have a distinct -- and potentially disruptive -- plan for
a place you value?...
<https://room.eu.com/news/legal-action-could-be-used-to-stop-starlink-ruining-the-night-say-astronomers>,

[...]
https://www.theatlantic.com/science/archive/2020/02/spacex-starlink-astronomy/606169/

------------------------------

Date: Fri, 7 Feb 2020 11:14:15 -0500
From: Monty Solomon <monty () roscom com>
Subject: Boeing's Starliner space capsule suffered a second software
  glitch during December test flight (WashPost)

Boeing's Starliner space capsule suffered a second software glitch during
December test flight

https://www.washingtonpost.com/technology/2020/02/06/boeings-starliner-space-capsule-suffered-second-software-glitch-during-december-test-flight/

------------------------------

Date: Thu, 6 Feb 2020 14:33:07 -0500
From: Monty Solomon <monty () roscom com>
Subject: Boeing Refuses to Cooperate With New Inquiry into Deadly Crash
  (NYTimes)

https://www.nytimes.com/2020/02/06/business/boeing-737-inquiry.html

In both the Max accidents and the 2009 crash, which involved a 737 NG,
Boeing’s design decisions allowed a single malfunctioning sensor to trigger
a powerful computer command, even though the plane was equipped with two
sensors. For both models, the company had determined that if a sensor
failed, pilots would recognize the problem and recover the plane. But Boeing
did not provide pilots with key information that could have helped them
counteract the automation error.

After the 2009 crash, regulators required airlines to install a software
update for the NG that allowed comparison of data from the two available
sensors — much the same fix that Boeing has now proposed for the Max. In the
case of the NG, Boeing had developed a software update before the 2009
accident, but it wasn't compatible with all existing models, including the
jet that crashed near Amsterdam.

------------------------------

Date: Mon, 10 Feb 2020 08:17:07 -0500
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: NASA Shares Initial Findings from Boeing Starliner Orbital Flight
  Test Investigation (NASA)

https://blogs.nasa.gov/commercialcrew/2020/02/07/nasa-shares-initial-findings-from-boeing-starliner-orbital-flight-test-investigation/

------------------------------

Date: Wed, 5 Feb 2020 11:04:31 +0100
From: Terje Mathisen <terje.mathisen () tmsw no>
Subject: Re: Boeing 737s can't land facing west (RISKS-31.54)

I think this data item, along with the very limited number of identified
problematic runways provide a strong clue:

The flight software splits the circle into quadrants, then for at least one
quadrant boundary the logic to determine which one is broken, i.e.
something like

   if (angle < 270.0) quadrant = 3;
   else if (angle > 270.0) quadrant = 4;

For these particular runways, the planners had enough freedom to be allowed
to place each runway exactly where they wanted and decided to draw a
perfectly straight line <E-W> using RTK GPS surveying so that the actual
direction is 270 degrees exactly, while on all the other "Runway 27"s
(approx) in the world which have been certified for 737 landings, there is a
small but sufficient angular offset.

I would have expected such an error to also happen in the opposite direction
though, that's why I'm guessing at individual code for each boundary.

------------------------------

From: "3daygoaty" <threedaygoaty () gmail com>
Date: Wed, 5 Feb 2020 11:11:12 +1100
Subject: Re: 99 smartphones ... (RISKS-31.56)

This involved 99 real smart phones running the Google maps app.  Can the
same effect be achieved by simulating the phones on fewer- or one- physical
device(s)?  How easy is it then to tell Google Maps you are somewhere you
actually aren't?

The hack looks like it could be used to flock self-driving cars away from
some route or alternatively, funnel them into some sort of trap.
Self-driving cars likely being rather posh cars might be desirable for car
jacking, say.

The service that allows the authorities to get all green lights driving
across the city for the movement of sensitive freight, high profile people
or prisoners - I would presume their route is fixed and not subject to
traffic?  Gerry Adams came to Melbourne.  They organised 5 routes from the
airport to a certain Irish pub.  At the last minute they picked one of
them.  Can I use the above hack to route Gerry where I want him?

------------------------------

Date: Wed, 05 Feb 2020 23:18:06 -0500
From: JC Cantrell <jc () cantrell2 org>
Subject: Re: 99 smartphones ,,, (RISKS-31.56)

I smell a small business opportunity here.

Got too much traffic on your street? Waze leading others to contribute to
your traffic headaches?

Hire me! I have the wagon, can get the old phones and, for the right price,
will walk your streets at rush hour! Guaranteed to reduce traffic by 10, 20,
or even 30 percent!

Now I just have to subcontract this, but being in California with recent
independent contractor classification troubles, let's just call the whole
thing off.

Another one of my grand schemes shot down.

------------------------------

Date: Thu, 6 Feb 2020 11:40:31 -0800
From: Mark Thorson <eee () dialup4less com>
Subject: Re: Artificial intelligence-created medicine to be used on humans
  for first time (RISKS-31.56)

AI assisted with a small part of drug discovery, not quite the breakthrough
suggested by the press.

https://blogs.sciencemag.org/pipeline/archives/2020/01/31/another-ai-generated-drug

------------------------------

Date: Tue, 04 Feb 2020 16:07:52 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: AI-created medicine to be used on humans (Stein, R 31.56)

Perhaps they should run the first tests on another AI.

"Typically, drug development takes about five years to get to trial"; here
"trial" means the first class action suit.

Remember the principle: "An AI for an AI".

  [Richard Stein replied:

    Henry -- A good aphorism. Nothing like algorithmic retribution --
    recursive payback.  I favor "Dog Fooding" in this case. Would the
    pharmaceutical company's investors or employees subject their children
    to the clinical trial if they qualified as candidates?  RS]

------------------------------

Date: 4 Feb 2020 17:43:54 -0500
From: "John R. Levine" <johnl () iecc com>
Subject: Re: Election Security At The Chip Level (SemiEngineering, RISKS-31.56)

Where I live, they have the info you provided when you registered which
includes your signature and usually height and eye color which the election
officials check.  (I used to be one.) The officials are mostly retired local
folks, and often know who you are anyway.  Very low tech but pretty
effective.

Despite endless disinformation to the contrary, in-person voter fraud is not
a problem and never has been.  If you think about it for two minutes, it's
about the worst possible way to steal an election, one vote at a time with
each vote subject to challenge.  Sensible people steal an election by
bribing the officials so when the polls close they stuff the box full of
enough ballots to ensure that the correct candidate wins.

For an excellent discussion of this technique, read Robert Caro's "Means of
Ascent" which is mostly about how Lyndon Johnson won the 1948 primary that
put him in the Senate.  It includes a long interview with the guy who had
the ballot box.

------------------------------

Date: Tue, 4 Feb 2020 22:22:53 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Should Automakers Be Responsible for Accidents? (Levine,
  RISKS-31.56)

And parking tickets imposing automaker liability:

Sorry sir, we've remotely disabled your car, now that it's legally parked in
your garage. Please complete the attached agreement committing to better
behavior, so that we may restore your driving privileges at the end of next
month.

On 2/4/2020 5:07 PM, John Levine wrote:

In article <16.CMM.0.90.4.1580237212.risko () chiron csl sri.com7592> you write:

What a strange scheme:

Automaker enterprise liability would have useful incentives that driver
liability law misses.
https://www.cato.org/sites/cato.org/files/serials/files/regulation/2019/3/regulation-v42n1-1.pdf

I can hardly wait:

   "Sorry, sir, you've had three moving violations so we'll have to ask
   you to leave the showroom now."

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.57
************************

Current thread:

Risks Digest 31.57 RISKS List Owner (Feb 10)