Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 31.02

RISKS-LIST: Risks-Forum Digest  Friday 11 January 2019  Volume 31 : Issue 02

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.02>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Heathrow flights disrupted by yet another drone (Ars)
Gatwick and Heathrow buying anti-drone equipment (bbc.com)
Inaccurate Software for Brain Surgery (Medscape)
Can't connect to that *.gov website?  Here's why... (Micah Lee via
  danny burstein)
Denver was ground zero for CenturyLink's recent network outage
  ... and it can be explained by a Mickey Mouse movie (Aldo Svladi)
Astronaut sparks panic after accidentally dialing 911 from space
  sending NASA security teams into a frenzy (The Sun)
USB Type-C Authentication Program Officially Launches (EWeek)
Finally, Some Good News About the EU's Horrendous "Right To Be Forgotten"
  Law (Lauren Weinstein)
"Market volatility: Fake news spooks trading algorithms" (Tom Foremski)
Is it time for Linux? (Dave Crooke)
'Chipping' Is the Next Frontier for Biohackers (Fortune)
Facebook appending ?fbclid to links (Dan Jacobson)
US Air Force: 5G Dominance Critical to National Security (Security Now)
Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not
  Encrypted (NYTimes)
Hackers Leak Details of German Lawmakers, Except Those on Far Right
  (NYTimes)
A DNS hijacking wave is targeting companies at an almost unprecedented scale
  (Ars)
Hot new trading site leaked oodles of user data, including login tokens
  (Ars)
The Risk of Twitter knowing all, telling all (Taipei Times)
Chinese phone maker Huawei punishes employees for iPhone tweet blunder
  (CNBC)
Los Angeles Accuses Weather Channel App of Covertly Mining User Data
  (NYTimes)
Could a Chinese-made Metro car spy on us? Many experts say yes. (WashPost)
Alexia really is a spy (The Register)
Kingpin Used Spyware to Obsessively Monitor His Wife and Mistress:
  El Chapo Trial (NYTimes)
T-Mobile, Sprint, and AT&T Are Selling Customers' Real-Time
  Location Data, And It's Falling Into the Wrong Hands (Motherboard)
For Owners of Amazon's Ring Security Cameras, Strangers May Have
  Been Watching (The Intercept)
Aging In Place Technology Watch (CES 2019)
Escalating Value of iOS Bug Bounties Hits $2M Milestone (EWeek)
Zeroday Exploit Prices Are Higher Than Ever, Especially for iOS
  and Messaging Apps (Dan Goodin)
Phone-staring warning after Wellingborough 'hit-and-run' (bbc.com)
Manafort Accused of Sharing Trump Campaign Data With Russian Associate
  (NYTimes)
Democrats Faked Online Push to Outlaw Alcohol in Alabama Race (NYTimes)
Google search results listings can be manipulated for propaganda
  (Catalin Cimpanu)
Disney, Apple and Facebook will be among your new streaming options
  in 2019 (WashPost)
What Happens When Facebook Goes the Way of Myspace? (NYTimes)
Hackers Target Chromecast Devices, Smart TVs With PewDiePie Message
  (Variety)
Taking the smarts out of smart TVs would make them more expensive
  (The Verge)
Why it pays to declutter your digital life (bbc.com)
Is Gamification Working in Security Training? (Channel Futures)
U.S. Announces Settlement With Fiat Chrysler Over Emissions (NYTimes)
Apple trolls Google at CES 2019 with massive iMessage privacy ad
  (Business Insider)
Re: New Zealand courts banned ... (Dimitri Maziuk)
Re: Huawei gives the US & allies security nightmares (Amos Shapir)
Re: USA Wants to Restrict AI Exports: A Stupid and Dangerous Idea
  (Amos Shapir)
The AI Winter is coming (Mark Thorson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 8 Jan 2019 21:45:47 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Heathrow flights disrupted by yet another drone (Ars)

https://arstechnica.com/tech-policy/2019/01/heathrow-flights-disrupted-by-yet-another-drone/

------------------------------

Date: Fri, 4 Jan 2019 18:08:10 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Gatwick and Heathrow buying anti-drone equipment (bbc.com)

https://www.bbc.com/news/uk-46754489

"The equipment, which can detect and jam communications between a drone and
its operator, was deployed by the RAF on a roof at Gatwick last month."

One trusts that this gear does not interfere with commercial aviation
signals or RF-dependent devices used for emergency service.

------------------------------

Date: Wed, 9 Jan 2019 15:39:59 -0500
From: Paul Burke <box1320@gmail.com>
Subject: Inaccurate Software for Brain Surgery (Medscape)

https://www.medscape.com/viewarticle/907429
https://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm629348.htm

Some surgery is only possible with imaging software, but the software can
have bugs.

"The software monitor may show that the tip of the surgical tool has not
yet reached the planned target and may prevent the neurosurgeon from being
able to accurately see the location of surgical tools in the patient's
brain."

------------------------------

Date: Thu, 10 Jan 2019 22:13:18 -0500
From: danny burstein <dannyb@panix.com>
Subject: Can't connect to that *.gov website?  Here's why... (Micah Lee)

  [twitter]
  Micah Lee
  Verified account @micahflee

  Since the government shutdown started "more than 80 TLS certificates used
  by .gov websites have so far expired without being renewed"

  https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html

  Micah Lee Verified account  @micahflee
  I do computer security, open source software development, and journalism
  at the Intercept

------------------------------

Date: Fri, 11 Jan 2019 08:01:24 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Denver was ground zero for CenturyLink's recent network outage
  ... and it can be explained by a Mickey Mouse movie (Aldo Svladi)

Aldo Svaldi, *The Denver Post*, 11 Jan 2019

https://www.denverpost.com/2019/01/11/centurylink-network-outage-denver/

For about 30 hours, from the early morning hours of Dec. 27 until late on
Dec. 28, chaos reigned on CenturyLink's system. Western states that depend
most heavily on the company's fiber-optic system were hardest hit, but
reports of outages and slower speeds came in from Alaska to Florida,
according to downdetector.com.

"CenturyLink experienced a network event on one of our six transport
networks beginning on December 27 that impacted voice, IP, and transport
services for some of our customers. The event also impacted CenturyLink’s
visibility into our network management system, impairing our ability to
troubleshoot and prolonging the duration of the outage," the company said in
a statement.

Technicians were left scrambling trying to pinpoint the root cause, and that
resulted in them losing time on fixes that didn't work. New Orleans as
ground zero was an early suspect, and then it was San Antonio, Texas. Teams,
which had to make physical site visits, went into action in Kansas City,
Mo., and then Atlanta, and so on.

But as they tried fixes in different areas, the problem didn't go away.
Making matters worse, the reporting system that gathered customer complaints
also failed.

The source of all that turmoil and hours of angst for affected customers
came down to one piece of equipment —- a faulty third-party network
management card in Denver, according to the company.

------------------------------

Date: Fri, 4 Jan 2019 23:23:48 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Astronaut sparks panic after accidentally dialing 911 from space
  sending NASA security teams into a frenzy (The Sun)

https://www.thesun.co.uk/news/8116475/astronaut-calls-911-space-nasa-security/

------------------------------

Date: Fri, 4 Jan 2019 15:32:31 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: USB Type-C Authentication Program Officially Launches (EWeek)

The USB Type-C authentication standard is moving forward in an effort to
help protect systems against malicious USB devices.

http://www.eweek.com/security/usb-type-c-to-become-more-secure-with-authentication-standard

------------------------------

Date: Thu, 10 Jan 2019 08:42:46 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Lauren's Blog: Finally, Some Good News About the EU's Horrendous
  "Right To Be Forgotten" Law

via NNSquad
https://lauren.vortex.com/2019/01/10/finally-some-good-news-about-the-eus-horrendous-right-to-be-forgotten-law

I've been highly critical -- to say the least -- of the European Union's
insane global censorship regime -- "The Right To Be Forgotten" (RTBF) --
since well before it became actual, enacted law.

But there's finally some good news about RTBF -- in the form of a formal
opinion from EU Advocate General Maciej Szpunar, chief adviser at Europe's
highest court.

I'm not sure offhand when I first began writing about the monstrosity that
is RTBF, but a small subset of related posts includes:

The "Right to Be Forgotten": A Threat We Dare Not Forget (2/2012):
https://lauren.vortex.com/archive/000938.html

Why the "Right To Be Forgotten" is the Worst Kind of Censorship (8/2015):
https://lauren.vortex.com/archive/001119.html

RTBF was always bad, but it became a full-fledged dumpster fire when (as
many of us had predicted from the beginning) efforts were made to enforce
its censorship demands globally. This gave the EU effectively worldwide
censorship powers via RTBF's "hide the library index cards" approach,
creating a lowest common denominator "race to the bottom" of expanding mass,
government-directed censorship of search results related to usually
completely accurate and still published news and other information items.

In a nutshell, Maciej Szpunar's opinion -- which is not binding but is
likely to be a strong indicator of how related final decisions will turn out
-- is that global application of EU RTBF decisions is usually unreasonable.
While he doesn't rule out the possibility of global "enforcement" in
"certain situations" (an aspect that will need to be clarified), it's
obvious that he views routine global enforcement of EU RTBF demands to be
untenable.

This is of course only a first step toward reining in the RTBF monster, but
it's potentially an enormously important one, and we'll be watching further
developments in this arena with great interest indeed.

------------------------------

Date: Thu, 13 Dec 2018 09:00:56 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Market volatility: Fake news spooks trading algorithms"
  (Tom Foremski)

ZDnet, 10 Dec 2018
Stock trading algorithms know how to read news headlines, but they don't

------------------------------

Date: Sat, 5 Jan 2019 08:40:25 -0600
From: Dave Crooke <dcrooke@gmail.com>
Subject: Is it time for Linux?

For decades, Microsoft products have been very vulnerable to viruses and
other exploits. This does not seem to be a solvable problem.

For over two decades, I have used Linux in some form as my primary laptop
or desktop OS, mostly because I'm old enough to have grown up with Unix and
VMS. Back in the day, I would use a Windows VM as a way to run products
like MS-Office, but now the open source alternatives have gotten to the
point where I never do so -- car diagnostic software is the only reason to
fire up the VM. LibreOffice is more compatible with MS-Office than
Microsoft's own Office:mac

Many years ago, Linux support for hardware was variable, now it's rarely a
concern. Installs and upgrades were awkward, now Ubuntu is very slick, and
easy for IT to manage centrally.

The need for Windows to support fat client business software is far less,
as most applications are now thin client requiring only a good browser
(Chrome) and indeed in the cloud.

Is it time for the security community to recommend "run Linux if you can?"

------------------------------

Date: Wed, 9 Jan 2019 18:05:09 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: 'Chipping' Is the Next Frontier for Biohackers (Fortune)

The incredibly promising business behind people injecting themselves with
microchips. Bye-bye keys, passwords, and tickets -- they're all on the chip.

Down a narrow side street in the Swedish city of Gothenburg sits the
Barbarella piercing parlor, a regular haunt for locals who decorate their
bodies with piercings and tattoos, and which claims to offer the area;s
finest collection of ear discs and nose rings. But on a frigid evening in
November, the shop is the setting for a very different kind of body
enhancement: biochips. As darkness falls on the port town of nearly 600,000
people, Jowan Ö\226sterlund wanders in, wearing a baseball cap and
T-shirt, to meet two new clients for his small startup, ­Biohax
International. From his backpack, he pulls plastic-wrapped syringes, each
containing a tiny, dark microchip that is barely visible from the
outside. Inside the unassuming package is Österlund's prized product, a
window into what today is a fringe tech obsession but which, he believes,
will one day be a giant industry. ``You are creating an entirely new type of
behavior and entirely new types of data that will be massively more valuable
than what we have now.  It is kind of a moonshot. But in the long run, this
is what is going to happen.''

http://fortune.com/longform/biochipping-biohax-microchip/

------------------------------

Date: Thu, 10 Jan 2019 13:44:26 +0800
From: Dan Jacobson <jidanni@jidanni.org>
Subject: Facebook appending ?fbclid to links

Facebook user sends another user a vital link about a disease:
https://www.cdc.gov.tw/home/Scrub_typhus
But because Facebook appends ?fbclid... to the link,
the second user cannot open it, and eventually perhaps dies.
Yup, some sites rightly do not expect random parameters randomly added...

------------------------------

Date: Wed, 9 Jan 2019 00:11:08 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: US Air Force: 5G Dominance Critical to National Security
  (Security Now)

https://www.securitynow.com/author.asp%3Fsection_id%3D706%26doc_id%3D748435%26

Lots of risks but not clear they justify the headline, nor are all related
to 5G.

------------------------------

Date: Fri, 4 Jan 2019 11:05:12 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were
  Not Encrypted (NYTimes)

https://www.nytimes.com/2019/01/04/us/politics/marriott-hack-passports.html

The overall number of guests affected by the hacking, in which Chinese
intelligence is the leading suspect, declined to 383 million. But the
passport data is critical to intelligence agencies.

------------------------------

Date: Fri, 4 Jan 2019 11:05:49 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Hackers Leak Details of German Lawmakers, Except Those on Far Right
  (NYTimes)

https://www.nytimes.com/2019/01/04/world/europe/germany-hacking-politicians-leak.html

Twitter has shut down an account that had been posting personal data for
weeks.  Only the Alternative for Germany party appeared to be unscathed.

------------------------------

Date: Thu, 10 Jan 2019 23:54:14 -0500
From: Monty Solomon <monty@roscom.com>
Subject: A DNS hijacking wave is targeting companies at an almost
  unprecedented scale (Ars)

Clever trick allows attackers to obtain valid TLS certificate for hijacked
domains.

https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/

------------------------------

Date: Thu, 10 Jan 2019 23:59:42 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Hot new trading site leaked oodles of user data, including login
  tokens (Ars)

Data leaked by DX.Exchange would be "super easy" to criminalize.

https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/

------------------------------

Date: Fri, 4 Jan 2019 12:52:37 -0800
From: Mark Thorson <eee@dialup4less.com>
Subject: The Risk of Twitter knowing all, telling all (Taipei Times)

Huawei's New Year's greeting was sent from their official account, tagged
"via Twitter for iPhone".  At least two employees have been demoted with
reduction of pay.

http://www.taipeitimes.com/News/biz/archives/2019/01/05/2003707357

------------------------------

Date: Fri, 4 Jan 2019 15:02:52 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Chinese phone maker Huawei punishes employees for iPhone tweet blunder
  (CNBC)

https://www.cnbc.com/2019/01/04/chinese-phone-maker-huawei-punishes-employees-for-iphone-tweet-blunder.html%3F__source%3Diosappshare%257Ccom.apple.UIKit.activity.Mail

The risk? Insufficient loyalty to house brand.

------------------------------

Date: Fri, 4 Jan 2019 11:08:28 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Los Angeles Accuses Weather Channel App of Covertly Mining User Data
  (NYTimes)

https://www.nytimes.com/2019/01/03/technology/weather-channel-app-lawsuit.html

In a lawsuit on Thursday, the city attorney said tracking was used not just
for local forecasts but also for commercial purposes like targeted
marketing.

  [Gabe Goldberg noted this item as well:
    L.A. Sues IBM's Weather Company over 'Deceptive' Weather Channel App
      http://fortune.com/2019/01/04/la-ibm-weather-channel-app/
        The risk? Everything spies/leaks/sells personal data.
  PGN]

------------------------------

Date: Thu, 10 Jan 2019 12:08:30 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Could a Chinese-made Metro car spy on us? Many experts say yes.
  (WashPost)

https://www.washingtonpost.com/local/trafficandcommuting/could-a-chinese-made-metro-car-spy-on-us-many-experts-say-yes/2019/01/07/00304b2c-03c9-11e9-b5df-5d3874f1ac36_story.html

It would be quaint and surprising to learn about technology-enabled
transportation that DID NOT spy on passengers!

To counteract intrusive surveillance, each seat should have a built-in
personal "Cone of Silence" ala Mel Brooks' "Get Smart."

------------------------------

Date: Sat, 5 Jan 2019 20:24:53 +0100
From: Benoit Goas <goasben@hawk.iit.edu>
Subject: Alexia really is a spy (The Register)

If the risks of keeping a voice activated device at home were not obvious
enough, here are some more proofs: the recordings are kept for a while, and
may even be provided to the wrong user.

https://www.theregister.co.uk/2018/12/20/amazon_alexa_recordings_stranger/
pointing to
https://www.heise.de/downloads/18/2/5/6/5/3/9/6/ct.0119.016-018_engl.pdf

------------------------------

Date: Thu, 10 Jan 2019 05:15:28 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Kingpin Used Spyware to Obsessively Monitor His Wife and Mistress:
  El Chapo Trial (NYTimes)

https://www.nytimes.com/2019/01/09/nyregion/el-chapo-trial.html

An IT expert working for the crime lord helped the FBI obtain dozens of
intimate -- and incriminating -- text messages he wrote to the women.

------------------------------

Date: Tue, 8 Jan 2019 23:51:43 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: T-Mobile, Sprint, and AT&T Are Selling Customers' Real-Time
  Location Data, And It's Falling Into the Wrong Hands (Motherboard)

He Gave a Bounty Hunter $300. Then He Located His Phone

T-Mobile, Sprint, and AT&T are selling access to their customers' location
data, and that data is ending up in the hands of bounty hunters and others
not authorized to possess it, letting them track most phones in the country.

https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile

------------------------------

Date: Fri, 11 Jan 2019 17:44:33 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: For Owners of Amazon's Ring Security Cameras, Strangers May Have
  Been Watching (The Intercept)

The `smart home' [isn't] just supposed to be a monument to convenience,
weâre told, but also to protection, a Tony Stark-like bubble of vigilant
algorithms and Internet-connected sensors working ceaselessly to watch over
us.  But for some who've welcomed in Amazon's Ring security cameras, there
have been more than just algorithms watching through the lens, according to
sources alarmed by Ring's dismal privacy practices.

Ring has a history of lax, sloppy oversight when it comes to deciding who
has access to some of the most precious, intimate data belonging to any
person: a live, high-definition feed from around -- and perhaps inside --
their house. The company has marketed its line of miniature cameras,
designed to be mounted as doorbells, in garages, and on bookshelves, not
only as a means of keeping tabs on your home while you're away, but of
creating a sort of privatized neighborhood watch, a constellation of
overlapping camera feeds that will help police detect and apprehend burglars
(and worse) as they approach.  ``Our mission to reduce crime in
neighborhoods has been at the core of everything we do commemorate the
company's reported $1 billion acquisition payday from Amazon, a company with
its own recent history of troubling facial recognition practices. The
marketing is working; Ring is a consumer hit and a press darling.

Despite its mission to keep people and their property secure, the company's
treatment of customer video feeds has been anything but, people familiar
with the company's practices told The Intercept.  Beginning in 2016,
according to one source, Ring provided its Ukraine-based research and
development team virtually unfettered access to a folder on Amazon's S3
cloud storage service that contained every video created by every Ring
camera around the world. This would amount to an enormous list of highly
sensitive files that could be easily browsed and viewed. Downloading and
sharing these customer video files would have required little more than a
click. The Information, which has aggressively covered Ring's security
lapses, reported on these practices last month.

https://theintercept.com/2019/01/10/amazon-ring-security-camera/

  The risk? Believing advertising?

    [PGN's risk -- large number of garbled characters approximated
    from this and the next posting from Gabe.  Note `[??]' in the
    next item.]

------------------------------

Date: Fri, 11 Jan 2019 17:45:42 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Aging In Place Technology Watch (CES 2019)

Ten Technology Offerings

Bright Lights, thick smoke, constant walking and avoidance maneuvers.  After
taking a year or two off, returning to CES is a chore and a revelation -- it
clearly is the major event for new technology announcements. Gadgets, yes,
too many smart wearables, including underwear, too many near misses of being
run over by gangs of oblivious young guys staring at their phones. If there
was a key trend in all of this racket, Sleep has become a tech obsession,
the uptake of Digital Health is almost here, new variants of companions and
assistants were pervasive, including Google Assistant inside everything and
Amazon voice devices everywhere.

Self-service increasingly matters in unexpected health categories. As with
nearly every [?], we want to serve ourselves, no matter what.  One day soon,
onset of a stroke can be detected (Celloscope) when your smartphone watches
your face droop as you read your email. A robotics company, Intuition
Robotics, launches its cognitive AI Q[?] for 3rd-party companies to use as a
digital companion agent, for example, in a car. In subsequent posts, others
will be noted from the exhibit hall books, but for now, here are 10 other
new companies/new offerings in alphabetical order from CES 2019 with content
from the press releases/sites of the companies:

https://www.ageinplacetech.com/blog/ten-technology-offerings-ces-2019

The risks?  TBD

------------------------------

Date: Fri, 11 Jan 2019 16:39:41 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Escalating Value of iOS Bug Bounties Hits $2M Milestone (EWeek)

In the escalating market for security vulnerabilities, a new milestone has
been recorded early in the new year, with $2 million now being offered for a
remote Apple iOS exploit.

The $2 million award is being offered by vulnerability acquisition firm
Zerodium, which first achieved global notoriety for offering $1 million for
an iOS 9 zero-day exploit back in September 2015. In September 2016,
Zerodium increased its top iOS exploit award to a $1.5 million, which has
now been topped by the $2 million bounty.

http://www.eweek.com/security/escalating-value-of-ios-bug-bounties-hits-2m-threshold

------------------------------

Date: Tue, 8 Jan 2019 21:47:37 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Zeroday Exploit Prices Are Higher Than Ever, Especially for iOS
  and Messaging Apps (Dan Goodin)

Dan Goodin, Ars Technica, 7 Jan 2019

Governments and police forces around the world are trying harder than ever
to exploit software that is becoming increasingly difficult to compromise.
Market-leading software exploit broker Zerodium recently said it would pay
up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for
one-click iOS jailbreaks, and $1 million for exploits that take over
security messaging apps WhatsApp and iMessage. These prices are up about
$500,000 from previous levels, an indication that the demand for them
continues to grow, and that reliable exploitation of these targets is
becoming increasingly difficult. Zerodium said it sells the exploits only to
lawful governments, although it has never provided details to verify those
claims.

https://arstechnica.com/information-technology/2019/01/zeroday-exploit-prices-continue-to-soar-especially-for-ios-and-messaging-apps/

  [MISPLACED ONLY PGN-ed above.  See my long-ago analysis of that problem:
     http://www.csl.sri.com/neumann/only.html
  PGN]

------------------------------

Date: Sat, 5 Jan 2019 20:22:03 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Phone-staring warning after Wellingborough 'hit-and-run' (bbc.com)

https://www.bbc.com/news/uk-england-northamptonshire-46762571

A woman has warned of the dangers of looking at phones while crossing roads
after being hit by a vehicle in a suspected hit-and run.  Olivia Keane, 20,
was knocked unconscious while walking across Butts Road in Wellingborough,
Northamptonshire, on New Year's Eve.  Police believe she was hit by a
vehicle that failed to stop.  Miss Keane cannot remember the details, but
believes she was looking down at her phone at the time.

  Lucky to be alive after this hit-and-run incident.

  I lost count of pedestrians in Singapore and Malaysia descending stairs
  and fully engrossed typing SMS content or playing a mobile game, oblivious
  to their peril.

  See http://catless.ncl.ac.uk/Risks/30/89%23subj18.1
  cellphone addiction.

  Some people can't live without 'em until they die with 'em.

------------------------------

Date: Wed, 9 Jan 2019 01:47:34 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Manafort Accused of Sharing Trump Campaign Data With Russian Associate
  (NYTimes)

https://www.nytimes.com/2019/01/08/us/politics/manafort-trump-campaign-data-kilimnik.html

Mr. Manafort's lawyers made the disclosure by accident, through a formatting
error in a document filed to respond to charges that he had lied to
prosecutors working for the special counsel, Robert S. Mueller III, after
agreeing to cooperate with their investigation into Russian interference in
the election.

------------------------------

Date: Mon, 7 Jan 2019 21:05:12 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Democrats Faked Online Push to Outlaw Alcohol in Alabama Race
  (NYTimes)

https://www.nytimes.com/2019/01/07/us/politics/alabama-senate-facebook-roy-moore.html

A prohibitionist campaign appeared to be led by supporters of the Republican
Senate candidate in 2017. But it was created by progressives -- the second
such secret effort to be unmasked.

------------------------------

Date: Thu, 10 Jan 2019 21:18:00 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: Google search results listings can be manipulated for propaganda
  (Catalin Cimpanu)

Catalin Cimpanu, ZDNet, 9 Jan 2019
https://www.zdnet.com/article/google-search-results-listings-can-be-manipulated-for-propaganda/

Google search results listings can be manipulated for propaganda
Dutch researcher argues that Google should remove support for knowledge panels.

opening text:

A feature of the Google search engine lets threat actors alter search
results in a way that could be used to push political propaganda, oppressive
views, or promote fake news.

The feature is known as the "knowledge panel", and is a box that usually
appears at the right side of the search results, usually highlighting the
main search result for a very specific query.

  [The article then gives details that, while I have not tried this myself,
  appear to suffice to reproduce the problem.]

------------------------------

Date: Tue, 8 Jan 2019 23:17:19 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Disney, Apple and Facebook will be among your new streaming options
  in 2019 (WashPost)

Overwhelmed by all the TV you haven't seen? Get ready for even more.

https://www.washingtonpost.com/classic-apps/the-new-streaming-services-you-should-watch-in-2019/2019/01/04/1c40d660-106c-11e9-831f-3aa2c2be4cbd_story.html

------------------------------

Date: Mon, 7 Jan 2019 21:29:32 -0500
From: Monty Solomon <monty@roscom.com>
Subject: What Happens When Facebook Goes the Way of Myspace? (NYTimes)

If the past teaches us anything, it will happen one day. In fact, the
process might have already started.

https://www.nytimes.com/2018/12/12/magazine/what-happens-when-facebook-goes-the-way-of-myspace.html

------------------------------

Date: Wed, 2 Jan 2019 22:16:06 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Hackers Target Chromecast Devices, Smart TVs With PewDiePie Message
  (Variety)

Hackers Target Chromecast Devices, Smart TVs With PewDiePie Message
https://variety.com/2019/digital/news/chromecast-hacked-pewdiepie-1203097889/

------------------------------

Date: Wed, 9 Jan 2019 22:48:15 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Taking the smarts out of smart TVs would make them more expensive
  (The Verge)

https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019

------------------------------

Date: Tue, 8 Jan 2019 19:20:10 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Why it pays to declutter your digital life (bbc.com)

http://www.bbc.com/future/story/20190104-are-you-a-digital-hoarder

"With the storage capacity of our devices increasing with every upgrade and
cloud storage plans costing peanuts, it might not seem like a problem to
hold on to thousands of emails, photos, documents and various other digital
belongings.

"But emerging research on digital hoarding -- a reluctance to get rid of the
digital clutter we accumulate through our work and personal lives --
suggests that it can make us feel just as stressed and overwhelmed as
physical clutter. Not to mention the cybersecurity problems it can cause for
individuals and businesses and the way it makes finding that one email you
need sometimes seem impossible."

Digital storage ubiquity promotes monomaniacal behavior.

Horder iDisorder disorder? IDisorder Horder disorder?

------------------------------

Date: Sat, 5 Jan 2019 19:03:52 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Is Gamification Working in Security Training? (Channel Futures)

One need only to look at hacker games and competitions to see the compelling
allure of gamification in training and practice for security pros.

https://www.channelfutures.com/mssp-insider/is-gamification-working-in-security-training

Wait, what?

------------------------------

Date: Thu, 10 Jan 2019 21:34:06 -0500
From: Monty Solomon <monty@roscom.com>
Subject: U.S. Announces Settlement With Fiat Chrysler Over Emissions
  (NYTimes)

https://www.nytimes.com/2019/01/10/business/fiat-chrysler-justice-emissions-settlement.html

The accord in lawsuits over false readings on diesel vehicles could cost
nearly $800 million, including penalties, fixes, warranties and
compensation.

------------------------------

Date: Tue, 8 Jan 2019 21:35:57 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Apple trolls Google at CES 2019 with massive iMessage privacy ad
  (Business Insider)

https://www.businessinsider.com/apple-google-ad-ces-2019-privacy-imessage-2019-1

------------------------------

Date: Fri, 4 Jan 2019 17:41:53 -0600
From: Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Subject: Re: New Zealand courts banned ... (Drewe, RISKS-31.01)

Is that the Google that removes the little padlock icon from their browser
because "the web is now safe by default"? The one that's pushing https down
our throats to ensure the ads we (don't) see came from bona fide
Google-paying advertisers?

Was it Bruce Schneier who said this isn't techno-feudalism because in
feudalism the feudal actually had obligations towards his vassals?

No obligation indeed.

------------------------------

Date: Mon, 7 Jan 2019 09:59:48 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Huawei gives the US & allies security nightmares (RISKS-31.01)

The initial role of the Internet (in its first incarnation as Arpanet) was
to provide a medium, detached from the phone network, for secure and stable
communication even during a nuclear emergency.

It's ironic is that the same network had become a Trojan horse within the
US national security infrastructure.

------------------------------

Date: Mon, 7 Jan 2019 10:13:53 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: USA Wants to Restrict AI Exports: A Stupid and Dangerous Idea
  (RISKS-31.01)

This is yet another symptom of the "US first" fallacy.  Such laws and
regulations are based on an inherent assumption that the US is first in
everything, so any new technology would be made in the USA, and the only way
adversaries could get it is by export from the USA.

During the encryption exports craze of the 1980's, I came into the US
carrying a computer board for an exhibition; I was employed by an American
company, but the board was designed and built in their Israeli branch.  When
leaving the US, I was stopped by customs -- it seems the board's CPU was too
fast, so it was categorized as an encryption device.  I had no problem just
leaving it there, we had plenty more back home.  (I have no idea if the
company had ever redeemed the board, it may sill be stored in some customs
warehouse at JFK).

------------------------------

Date: Fri, 11 Jan 2019 10:41:20 -0800
From: Mark Thorson <eee@dialup4less.com>
Subject: The AI Winter is coming

No, not that one.  The other one.

http://www.smbc-comics.com/comics/1547218636-20190111.png

------------------------------

Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks have done to URLs.  I have
  tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.02
************************