
RISKS-LIST: Risks-Forum Digest  Tuesday 29 March 2016  Volume 29 : Issue 41

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.41.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
MedStar Washington Health turning away patients because computers shut down
  (WashPost)
Japanese space agency loses track of $265 million satellite (CSMonitor)
Dangerous drone incidents up to 100 per month (FAA)
FBI Unlocks San Bernardino Attacker's iPhone Without Apple's Help,
  Ending Court Case (Various sources)
Law enforcement investigators seek out private DNA databases (WTOP)
Beating Ransomware with backup restore (Alister Wm Macintyre)
Driverless delivery robots could be hitting D.C. sidewalks soon
  (Gabe Goldberg)
American Tech Giants Face Fight in Europe Over Encrypted Data (NYTimes)
Cyber Edge CTDR (Data Breach Today)
Why Doesn't AT&T Require Email Verification Before Sending Sensitive Account
  Information? (Consumerist via Gabe Goldberg)
US gov annual cyber security report (Al Mac)
Netflix Is No Net-Neutrality Hypocrite for Slowing Down Video (WiReD)
Microsoft keeps Google search terms (Erling Kristiansen)
We're More Honest With Our Phones Than With Our Doctors (NYTimes)
Amazon Echo's next frontier is banking -- yes, banking (Business Insider)
Hacker Says He Printed Anti-Semitic and Racist Fliers at Colleges Across
  U.S. (NYTimes)
Cybersecurity vendor statistics (Stiennon's Security Scorecard)
Re: NAND mirroring (Harlan Rosenthal)
Re: France demands right to be *global* Google censor (Chris Drewe)
Re: "How one yanked JavaScript package wreaked havoc" (Michael Kohne)
Re: Andy Grove's Warning to Silicon Valley (Teresa Tritch)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 29 Mar 2016 13:10:38 -0400
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: MedStar Washington Health turning away patients because computers
   shut down

On Monday, *The WashPost* reported that MedStar had "shut down its email and
vast records database" after a virus got into their systems.  Reports were
that medical staff were going back to paper & pencil medical charts.

https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html

On Tuesday, they reported that MedStar is still without their computer
systems, and is turning away patients.

https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html

The risks are obvious - reliance on vulnerable systems without adequate
backup/recovery processes.

Whether this was a deliberate or accidental case is unclear to me.  But the
fact that it's Washington DC area hospitals being affected seems to
emphasize the risk - although I'm biased, being a Washingtonian (well,
actually a suburbanite).

------------------------------

Date: Tue, 29 Mar 2016 08:40:21 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Japanese space agency loses track of $265 million satellite

http://m.csmonitor.com/Science/2016/0328/Japanese-space-agency-loses-track-of-265-million-satellite

------------------------------

Date: Sun, 27 Mar 2016 16:43:10 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Dangerous drone incidents up to 100 per month (FAA)

US regulation strategy is to wait until they catch someone violating a
regulation, then punish violators severely, expecting news coverage to have a
chilling effect that discourages others.  That approach does not work in many
cases, especially when there are new regulations coming out all the time,
not well covered by the news media.  At what age do children start watching
the news?  There is no minimum age to operate a drone; they are getting
cheaper; dangerous incidents are growing.

We are now up to 100 reports / month to the FAA, about drones flying
illegally close to manned flight.

Before long we can expect to read about 100+ people killed in an airline
crash caused by illegal and irresponsible drone usage.

The FAA just released a report of dangerous drone incidents from Aug 22,
2015 through Jan 31, 2016, in the USA.

http://www.faa.gov/news/updates/?newsId=85229
http://www.faa.gov/uas/law_enforcement/uas_sighting_reports/
http://www.faa.gov/uas/media/UAS_Sightings_report_21Aug-31Jan.xlsx
Reported UAS Sightings (August 2015-January 2016) (MS Excel)
http://www.faa.gov/uas/media/UASEventsNov2014-Aug2015.xls
Reported UAS Sightings (November 2014-August 2015) (MS Excel)

I believe the authorities should attempt to get outfits, which are selling
drones, to include a heads up to purchasers that:

* There are federal registration requirements for various drone sizes, uses,
  and locations.

* Flying drones in violation of federal regulations can result in fines of
  $10,000 per day of violation, and prison time for some offenses.

* There are also laws governing drone use, in most every state in the USA.

* Here's where to go, to learn what the rules are, so you can stay out of
  trouble.

Under current US laws, regulations, and court precedents, drones are
considered to be aircraft, and it is illegal to interfere with an aircraft
in flight, by any means, with penalty being many years in prison.  I hope
that Congress can change that law, to lower penalties for interfering with a
drone whose activity is violating people's privacy, or engaged in other
illegal or dangerous activity.

------------------------------

Date: Mon, 28 Mar 2016 15:13:53 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: FBI Unlocks San Bernardino Attacker's iPhone Without Apple's Help,
  Ending Court Case

http://losangeles.cbslocal.com/2016/03/28/fbi-unlocks-san-bernardino-attackers-iphone-without-apples-help-ending-court-case/

  The U.S. government said Monday afternoon it has unlocked the iPhone owned
  by one of the terrorists involved in the San Bernardino massacre, ending
  the legal battle pitting Apple against the government over whether the
  tech giant should be required to help the FBI unlock the device.

 - - -

Nobody is saying outright, but reading between the lines it sounds like
nothing of major significance was found on there.

  [See also Danny Yadron, US ends case against Apple after pulling data from
  San Bernardino iPhone, *The Guardian*, 28 Mar 2016
http://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone

  Joel Rubin and James Queally, *L.A. Times*, 28 Mar 2016
http://www.latimes.com/local/lanow/la-me-ln-fbi-drops-fight-to-force-apple-to-unlock-san-bernardino-terrorist-iphone-20160328-story.html

  Also, see Bruce Schneier's *WashP* Op-ed today.  Bruce makes a nice
  distinction between Apple's handling of the iMessage flaw (which was
  detected by Matt Green's team and reported privately to Apple for
  remediation -- see RISKS-29.37) and the San Bernardino phone situation
  (where the FBI is apparently trying to keep the successful technique
  secret so that it can be reused as needed).
https://www.washingtonpost.com/posteverything/wp/2016/03/29/your-iphone-just-got-a-lot-less-secure-and-the-fbi-is-to-blame/
  PGN]

------------------------------

Date: Sat, 26 Mar 2016 08:57:12 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Law enforcement investigators seek out private DNA databases

http://wtop.com/science/2016/03/law-enforcement-investigators-seek-out-private-dna-databases/

  Investigators are broadening their DNA searches beyond government
  databases and demanding genetic information from companies that do
  ancestry research for their customers.  Two major companies that research
  family lineage for fees around $200 say that over the last two years, they
  have received law enforcement demands for individuals' genetic information
  stored in their DNA databases.

 - - -

Also see: https://www.youtube.com/watch?v=k5VZjT0JE70 (3 seconds).

------------------------------

Date: Sun, 27 Mar 2016 12:30:55 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Beating Ransomware with backup restore

Amid stories of many institutions faced with ransomware demands, and having
to pay to stay in business, here is a story of a place which could stay in
business without paying, because they had competent backup.  Before
restoring to backup, they had to wipe their hard drives.  I don't know how
they know no data was taken in the attack.

http://www.campussafetymagazine.com/article/canadian_hospital_effectively_responds_to_ransomware_attack#t

http://ottawacitizen.com/news/local-news/ottawa-hospital-hit-with-ransomware-information-on-four-computers-locked-down

------------------------------

Date: Mon, 28 Mar 2016 11:34:41 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Driverless delivery robots could be hitting D.C. sidewalks soon

Ground drones have fewer security implications than flying ones, which have
been touted as a potential delivery breakthrough. There are some concerns an
airborne delivery could potentially "go over the White House fence," she
said. But "this would stop at the fence. It seems so much more benign and
easy to control."

As for run-of-the-mill thieves and vandals, Martinson said he's not
worried. A hitchhiking robot was destroyed in Philadelphia last year,
bumming out the Canadian researchers who built it. But Starship's machines
have 9 cameras, stream live video back to their base, and can easily call
for police or other backup, Martinson said.

"We can send other robots in the area. They would come to help the robot in
distress," Martinson said.

https://www.washingtonpost.com/news/dr-gridlock/wp/2016/03/23/driverless-delivery-robots-could-be-hitting-d-c-sidewalks-soon/

What could go wrong? There's nothing about them being weaponized so who's
afraid of a posse of 4 MPH robots? How many will go missing how soon?
They're autonomous but can be remotely guided -- how will they authenticate
intended recipient? Are they hackable? Can they open doors, climb stoops,
summon elevators, ring doorbells, tip doormen? Plenty fun to be had.

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

------------------------------

Date: Sun, 27 Mar 2016 12:56:50 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: American Tech Giants Face Fight in Europe Over Encrypted Data

NYTimes via NNSquad
http://www.nytimes.com/2016/03/28/technology/american-tech-giants-face-fight-in-europe-over-encrypted-data.html

  This week, French lawmakers are expected to debate proposals to toughen
  laws, giving intelligence services greater power to get access to personal
  data.  The battle has pitted Europe's fears about the potential for
  further attacks against concerns from Apple and other American technology
  giants like Google and Facebook that weakening encryption technologies may
  create so-called back doors to people's digital information that could be
  misused by European law enforcement officials, or even intelligence
  agencies of unfriendly countries.  The recent attacks have pushed many
  Europeans to favor greater powers for law enforcement over privacy. But
  opponents say such measures should not undermine the region's tough data
  protection rules that enshrine privacy on par with other rights like
  freedom of expression.  This balance between national security and privacy
  has put major countries in the region on opposite sides of the debate,
  with Germany and the Netherlands dismissing new encryption laws being
  considered by Britain and France.

------------------------------

Date: Mon, 28 Mar 2016 01:53:14 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Cyber Edge CTDR (Data Breach Today)

Various outfits come out with annual reports on various aspects of cyber
security.

We can download the 2016 Cyber Threat Defense Report (CTDR) from Cyber Edge
Research (1.5 MB PDF, 36 pages).

http://f6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.com/2016-cyberthreat-defense-report-pdf-5-w-2279.pdf

This includes: (some highlights I found)

* Results of a survey of what threats are being faced by 1,000 people
  working in IT cyber security, at companies with 500 or more employees
  in 19 industries across 10 nations.

* These people think Mobile devices and social media applications are IT
  security's weakest links (2015), which is rather different from what was
  found via the latest Verizon DBIR.
  http://catless.ncl.ac.uk/Risks/29.40.html#subj15

* [Garbled] of them suffered one or more successful cyber attacks in the
  past 12 months.

* Pessimism, about their company's ability to resist the next
  attacks, is rising.

* Only 1/3 have the tools they need to protect their companies.

* Cyber Security defense expenditures are on the increase.

* An assessment of the respondents' perception of the effectiveness of
  their investments and strategies relative to the prevailing threat
  landscape.

* The types and sources of cyber threats that concern today's organizations
  the most.

* Tactics to help organizations reduce their attack surface.

* The network, endpoint, mobile, and application security technologies
  planned for acquisition in 2016.

* The percentage of companies taking various protection measures is graphed.
  For example, 80% of companies in health care regularly back up laptops of
  mobile users -- that's the highest score.  One of the lowest is 10% in
  France doing regular backups of mobile users' laptops, and then only 80% of
  them.

Data Breach Today supplies links to many such downloadable cyber security
reports.

That's where I found the link to download the above.

http://www.databreachtoday.com/whitepapers.php

------------------------------

Date: Fri, 25 Mar 2016 18:41:06 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Why Doesn't AT&T Require Email Verification Before Sending
  Sensitive Account Information?

There's a reason why companies that handle sensitive billing information may
ask customers to verify their email addresses before sending any
communications. It's to prevent customers from seeing things they
shouldn't. So why doesn't AT&T have such a safeguard in place for its
customers?

https://consumerist.com/2016/03/24/why-doesnt-att-require-email-verification-before-sending-sensitive-account-information/

The risks? Described in nice detail.

Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

------------------------------

Date: Mon, 28 Mar 2016 10:52:21 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: US gov annual cyber security report

The White House says US gov agencies reported 77,183 cyber incidents in
fiscal 2015, up 10% from 2014.

Section 3553 of the Federal Information Security Modernization Act (FISMA)
of 2014 (P.L. 113-283) requires the Office of Management and Budget (OMB)
to submit an annual report to Congress on the effectiveness of information
security policies and practices during the preceding fiscal year and a
summary of the evaluations conducted by agency Inspectors General.

Here is that report:
https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy_2015_fisma_report_to_congress_03_18_2016.pdf

(95-page PDF, 3.5 MB)  The US gov fiscal year runs from Oct to Sept.

There's a lot of data here to digest, complicated by the phenomenon of high
acronym density common to many gov reports.

Several appendixes spell out agency names in full, followed by the
abbreviation or acronym used for each, sequenced by the full name.

Appendix 7 has other stuff alphabetized by acronym.

Figure 2 shows 363 known active critical vulnerabilities on Federal systems,
reduced to 3 by Dec 2015.

As impressive as that progress is, later charts in the report show the progress
various agencies have made in providing cyber security defense against
various threats.  As the GAO would say, "Progress has been made, but there is
room for improvement" -- massive improvement for some agencies.

Table 2 provides definitions for 11 different categories of cyber incident,
then Table 3 has a bar chart with how many of each of them occurred, color
coded for the fiscal years (2013 grey, 2014 green, 2015 red).

The highest bar for 2015 is 25,765 "Other", or 34% of FY 2015 incidents, a 77%
increase over 2014.  "Other" covers scans, probes and attempted access,
incidents under investigation, and incidents categorized as miscellaneous.
Approximately 59% of "Other" incidents fall within the attempted access
subcategory due to the high volume of scans and probes.

Second highest bar is Non-Cyber, which includes incidents involving the
mishandling of sensitive information without a cyber security component,
such as the loss of hard copy PII records. This category represented 12,217,
or 16% of reported incidents.

The third most reported category was Policy Violations, which represent
10,408 reported incidents, or 14% of total incidents reported.

The report also breaks this down by gov agency, with very different graph
appearances.

* Dept of Agriculture is dominated by malware and equipment challenges.
* Dept of Defense's biggest problem is policy violations.
* Many have problems all over the place.

Some of the incidents were classified secret.  Here is where we may find
info on the unclassified ones.

https://www.archives.gov/cui

Every new technology brings with it new cyber security challenges.  The US
gov recognizes that this is the case with smart phones, so during FY 2015,
NIST published Special Publication (SP) 800-163, "Vetting the Security of
Mobile Applications," along with open source test code and guidance for
constructing a mobile application-testing program. These guidelines describe
vulnerabilities and poor programming practices for both Android and iOS
devices, which entities can mitigate through other described security
technologies.  NIST also addressed the issue of Strong Authentication with
mobile devices through the release of SP 800-157, "Guidelines for Derived
Personal Identity Verification Credentials."

http://www.nextgov.com/cybersecurity/2016/03/white-house-says-agencies-experienced-77200-cyber-incidents-2015/126810/

------------------------------

Date: Sat, 26 Mar 2016 21:09:56 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Netflix Is No Net-Neutrality Hypocrite for Slowing Down Video

http://www.wired.com/2016/03/netflix-no-net-neutrality-hypocrite-slowing-video/

------------------------------

Date: Sat, 26 Mar 2016 08:24:37 +0100
From: Erling Kristiansen <erling.kristiansen@xs4all.nl>
Subject: Microsoft keeps Google search terms

In a TED Talk about the interaction of different medicines, I found this:

We said, well, what do you do?
You're taking a medication, one new medication or two, and you get a funny
  feeling.
What do you do?
You go to Google and type in the two drugs you're taking, or the one drug
  you're taking, and you type in "side effects."
What are you experiencing?
So we said OK, let's ask Google if they will share their search logs with
  us, so that we can look at the search logs and see if patients are doing
  these kinds of searches.
Google, I am sorry to say, denied our request.
So I was bummed.
I was at a dinner with a colleague who works at Microsoft Research
  and I said, "We wanted to do this study,
Google said no, it's kind of a bummer."
He said, "Well, we have the Bing searches."
  (Laughter)
Yeah. That's great.
Now I felt like I was talking to Nick
  [Nick is the patient discussed in the talk] again.
He works for one of the largest companies in the world,
  and I'm already trying to make him feel better.
But he said, "No, Russ -- you might not understand.
We not only have Bing searches, but if you use Internet Explorer
  to do searches at Google, Yahoo, Bing, any ...
Then, for 18 months, we keep that data for research purposes only."
I said, "Now you're talking!"
This was Eric Horvitz, my friend at Microsoft.

    [The remainder of the talk addresses what they did with this data, so it
    is clear that they actually got the Google data from Microsoft]

http://www.ted.com/talks/russ_altman_what_really_happens_when_you_mix_medications

------------------------------

Date: Sun, 27 Mar 2016 22:30:54 -0400
From: Monty Solomon <monty@roscom.com>
Subject: We're More Honest With Our Phones Than With Our Doctors

How health-tracking apps reveal new truths about our bodies.
http://www.nytimes.com/2016/03/27/magazine/were-more-honest-with-our-phones-than-with-our-doctors.html

------------------------------

Date: Mon, 28 Mar 2016 09:10:01 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Amazon Echo's next frontier is banking -- yes, banking

Amazon Echo's next frontier is banking
http://www.businessinsider.com/amazon-echo-capital-one-integration-2016-3

------------------------------

Date: Tue, 29 Mar 2016 09:27:40 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hacker Says He Printed Anti-Semitic and Racist Fliers at Colleges
  Across U.S.

http://www.nytimes.com/2016/03/29/nyregion/hacker-weev-says-he-printed-anti-semitic-and-racist-fliers-at-colleges-across-us.html

A computer hacker who goes by the name of Weev said he sent the fliers last
week to all publicly accessible printers in North America, but it is not
clear whether he could face charges.

------------------------------

Date: Tue, 29 Mar 2016 15:02:58 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Subject: Cybersecurity vendor statistics

IT security vendor industry statistics are possibly off-topic.
Stiennon's Security Scorecard
<http://www.csoonline.com/blog/stiennons-security-scorecard>

* 1,325 of them worldwide and growing
* 854 (60%) in USA
* 144 in Israel
* 82 UK
* 48 Canada
* 33 Germany

Of those in USA:
* 325 California
* 91 DC area
* 69 Massachusetts
* 52 Texas
* 42 NY

There is no consolidation.  There is an outpouring of start-ups.  If this
was a mature industry, there would be 4 big vendors, period.

The industry is growing by about 24% per year, estimated to be 6 times as
large in 7 years.

Market size reports <http://www.ith-research.com/> are available for $500 -
$1,500.  But a lot of the totals are at the other links here.

How long until market saturation = when every outfit and individual, who
ought to be protected, is protected, or there has been successful effort to
chop down the very successful cyber criminal industry?

https://www.linkedin.com/pulse/entire-security-space-richard-stiennon

------------------------------

Date: Fri, 25 Mar 2016 21:31:38 -0500 (CDT)
From: Harlan Rosenthal <harlan.rosenthal@verizon.net>
Subject: Re: NAND mirroring (RISKS-29.40)

Newer SoC processors have protection that will not allow copying through the
JTAG port, or through code executing in RAM.  The description in the
article is unlikely to work -- you can't simply copy the internals that
easily.

Perhaps the main storage is an external chip, with a simple SPI port; in
that case, if Apple has encrypted it, even using standard SSL, it can be
cracked in a few centuries ...

From ST Micro:
http://www.st.com/web/en/resource/technical/document/application_note/DM00075930.pdf

Flash code protection

The STM32 microcontroller family is provided with the following code
protection features:

1. Global Read-out Protection (RDP)
2. Write protection
3. Proprietary Code Read Out Protection (PCROP)

These features are meant to protect the intellectual property of the
embedded firmware code, which represents an increasing interest for complex
embedded systems.

------------------------------

Date: Mon, 28 Mar 2016 22:19:59 +0100
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: Re: France demands right to be *global* Google censor (RISKS-29.40)

> Google handed EUR100,000 fine by French data regulator
> France wants to censor search results GLOBALLY -- not just to users in
> France but for everyone on the planet. And if France gets their way EVERY
> COUNTRY ON THE PLANET will demand the right to remove search results they
> don't like. Imagine what Putin, Chinese leaders, and other tyrants will do
> with such power. I've been predicting this slippery slope all along. IT MUST
> BE STOPPED.

Good luck.  In the UK there's been a scandal over last winter in which the
police have been investigating allegations of historic child sexual abuse
(the 'Nick' case) by various senior politicians and other establishment
figures; the authorities have been accused of being too casual about acting
on similar allegations in the past, so this time enquiries have been done in
an aggressive, high-profile way (e.g. house searches with plenty of
publicity), along with the usual feeding frenzy on social networking web
sites of course.  The investigation has reportedly been closed without
finding anything worthwhile, but it's left a lot of collateral damage in
terms of wrecked reputations, lingering suspicions, loss of trust, and so
forth.

One of the politicians questioned but not arrested or charged quite
reasonably wants better protection for those in the same position as him,
but wrote in a newspaper last week: "... Google and other Internet providers
should... be regarded as publishers and brought within the same laws of
defamation.  Free speech is not free if it allows people to defame others
with impunity.  These companies should be 'publishing' within a fair legal
framework."

Loads of problems here which have been discussed in RISKS before, e.g. what
about information on other countries' sites (it's called the World Wide Web
for a reason), and why do so many people assume that Google somehow runs the
Internet?  However, if enough irritated politicians get together, it's easy
to see how they could pass laws attempting to regulate what goes online, or
at least have somebody legally liable who could be sued, and probably
include right-to-be-forgotten measures as well.

------------------------------

Date: Sat, 26 Mar 2016 07:56:56 -0400
From: Michael Kohne <mhkohne@kohne.org>
Subject: Re: "How one yanked JavaScript package wreaked havoc" (Yegulalp,
  RISKS-29.40)

> ... it broke dependencies for many other projects ...

I'm sorry, but I have to disagree a little bit -- this has NOTHING to do
with any presumed 'fragility' of open source, but rather has to do with the
paucity of thought on the part of the developers in question.

They depended on a package, and instead of ensuring that they had their
dependencies under control, they simply referenced its URL.

The problem here is developers who have no idea how to do development
properly being allowed (by their peers) to handle packages that become
important.

(For the record, I write software for medical monitoring systems. We run on
top of Linux, and pull copies of the relevant distribution repos so that we
can go back to the source packages if things go wrong).
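The dependency discipline the post calls for can be checked mechanically. The script below is an added example written for this digest entry, not code from the original post or from any project involved in the incident. It assumes npm's package-lock.json v2/v3 layout (entries keyed by `node_modules/<name>` with `resolved` and `integrity` fields) and an allowed-registry policy of `https://registry.npmjs.org/`; the two manifests at the bottom are constructed sample data with invented package names.

```javascript
// Added example, not part of Michael Kohne's post or of any project named in
// RISKS: audit a package.json against its package-lock.json so that every
// dependency is pinned to an exact version, comes from an approved registry,
// and carries an integrity hash. Sample manifests below are constructed.

const ALLOWED_REGISTRY = "https://registry.npmjs.org/"; // assumed policy

// An exact version is MAJOR.MINOR.PATCH with an optional prerelease/build
// suffix. Anything with ^, ~, *, x or comparison operators floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Specs that bypass the registry entirely: URLs, git remotes, GitHub
// shorthand ("user/repo" or "github:user/repo") and local paths. These are
// the "just referenced its URL" case the post complains about.
const NON_REGISTRY_SPEC = /^(https?:|git(\+[a-z]+)?:|github:|file:|[\w.-]+\/[\w.-]+$)/;

function auditDependencies(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = (lock && lock.packages) || {};

  for (const [name, spec] of Object.entries(declared)) {
    if (NON_REGISTRY_SPEC.test(spec)) {
      findings.push({ name, severity: "high", issue: `non-registry source: ${spec}` });
    } else if (!EXACT_VERSION.test(spec)) {
      findings.push({ name, severity: "medium", issue: `floating version range: ${spec}` });
    }

    // lockfileVersion 2/3 keys entries by their install path
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, severity: "high", issue: "missing from lockfile" });
      continue;
    }
    if (!entry.integrity) {
      findings.push({ name, severity: "high", issue: "lockfile entry has no integrity hash" });
    }
    if (entry.resolved && !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ name, severity: "medium", issue: `resolved outside allowed registry: ${entry.resolved}` });
    }
  }
  return findings;
}

// Constructed sample manifests (package names are invented).
const samplePackageJson = {
  name: "example-app",
  dependencies: {
    "string-pad": "1.1.3",                        // pinned and in the registry: clean
    "date-fmt": "^2.0.0",                         // floating range
    "tiny-helper": "github:example-org/tiny-helper", // fetched straight from a repo URL
  },
};

const samplePackageLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/string-pad": {
      version: "1.1.3",
      resolved: "https://registry.npmjs.org/string-pad/-/string-pad-1.1.3.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDERHASHNOTREAL==", // placeholder, not a real digest
    },
    "node_modules/date-fmt": {
      version: "2.4.1",
      resolved: "https://registry.npmjs.org/date-fmt/-/date-fmt-2.4.1.tgz",
      // no integrity field: a swapped tarball would install unnoticed
    },
    // tiny-helper is absent from the lockfile altogether
  },
};

console.log(JSON.stringify(auditDependencies(samplePackageJson, samplePackageLock), null, 2));
```

Run against the constructed manifests the audit reports four findings: `date-fmt` floats and has no integrity hash, and `tiny-helper` is both sourced outside the registry and missing from the lockfile. In a CI job, a non-empty result is the signal to fail the build before a missing or replaced upstream package can become the project's problem.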

------------------------------

Date: March 28, 2016 at 1:15:39 PM EDT
From: Steven Schear <steven.schear@googlemail.com>
Subject: Re: Andy Grove's Warning to Silicon Valley (Teresa Tritch)
  [Forwarded by Dewayne Hendricks.  PGN]

Beginning in the early 2000s, I witnessed firsthand what happens when Silicon
Valley tech companies, focused almost exclusively on the near-term
bottom line, bring in massive numbers of guest workers as a prelude to
offshoring later development and manufacture.

Cypress Semi was a leader in convincing Congress that there weren't enough
domestic engineers to meet their needs.  In fact, there were, but many had
families and weren't willing to work, day in and day out, the often very
long hours some SV companies desired, and even for those that were amenable,
companies weren't willing to offer adequate compensation.  Companies also
weren't willing to adequately encourage education and grooming of domestic
engineers.  Instead, they got the H-1B visa program greatly expanded at the
same time senior domestic engineers were furloughed, many never to work again
in tech.

These foreign engineers, mostly new graduates working (in overtime-exempt
positions) through job shops, were (as required by law) paid the same as
the domestic engineers they had replaced, but they were forced to work more hours
(often nearly double). For years I would watch these workers on their way
back to their flats in the East Bay late into the evening on BART. In this
way tech companies were able to stay within the letter of the law (equal pay
to domestic workers) while exacting many more labor hours than they
otherwise could. Many of these foreign engineers would later return (not all
by choice) to their countries where SV companies had set up subsidiaries or
made arrangements with local industry to continue follow-on design,
development or manufacture.

> Andy Grove's Warning to Silicon Valley
> Teresa Tritch, Editorial Observer, *The New York Times*, 25 Mar 2016
> <http://www.nytimes.com/2016/03/26/opinion/andy-groves-warning-to-silicon-valley.html>

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.41
************************