Subject: Risks Digest 31.71

RISKS-LIST: Risks-Forum Digest  Wednesday 22 April 2020  Volume 31 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.71>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Google's auto-complete for speech can cover up glitches in video call
  (MIT Technology Review)
Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates
  Foundation and others are dumped online (WashPost)
Zero-Day Warning: It's Possible to Hack iPhones Just by Sending Email
  (The Hacker News)
How NASA does software testing and QA (Functionize)
Leaked pics from Amazon Ring show potential new surveillance features
  (Ars Technica)
A notable quote for scientists and academics (Dave Farber)
You can now receive 3 free credit reports each week for the next year (CNBC)
Anti-lockdown protester who said it was a 'political ploy' is killed by
  coronavirus (Metro)
Chinese Agents Spread Messages That Sowed Virus Panic in U.S. (NYTimes)
Las Vegas Mayor: Assume everyone has COVID-19, reopen the casinos,
  and let the chips fall where they may (WashPost)
TN Anti-lockdown protester spotted with vile poster saying 'Sacrifice the
  weak' to coronavirus (Metro)
Coronavirus is largely spread by people without symptoms (Inquirer)
Spam filter censoring COVID content (Henry Baker)
Lego is producing 13,000 face visors a day for healthcare workers amid
  coronavirus pandemic (USA Today)
Re: Australian Government proposes to distribute Coronavirus App
  (Amos Shapir, Michael Bacon)
Re: More on COVID-19 Digital Rights Tracker (Chris Drewe)
Re: Internet Usage update (Martin Ward, Dmitri Maziuk, Barry Gold,
  JCHolleran)
Re: Anti-Asian Zoombombing at Newton South High School (Phil Nasadowski)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 23 Apr 2020 05:16:34 +0900
From: Dave Farber <farber@gmail.com>
Subject: Google's auto-complete for speech can cover up glitches in video
  call (MIT Technology Review)

https://www.technologyreview.com/2020/04/06/998410/google-artificial-intelligence-autocomplete-internet-voice-speech-glitches-video-call/

  [Beware.  PGN]

------------------------------

Date: Wed, 22 Apr 2020 16:57:30 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Nearly 25,000 email addresses and passwords allegedly from NIH,
  WHO, Gates Foundation and others are dumped online (WashPost)

Thousands of alleged email addresses and passwords linked to prominent
organizations battling the coronavirus pandemic have been dumped on the
Internet, where they almost immediately were used to foment hacking attempts
and harassment by far-right extremists.

https://www.washingtonpost.com/technology/2020/04/21/nearly-25000-email-addresses-passwords-allegedly-nih-who-gates-foundation-are-dumped-online/

------------------------------

Date: Wed, 22 Apr 2020 14:43:48 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Zero-Day Warning: It's Possible to Hack iPhones Just by Sending Email
  (The Hacker News)

https://thehackernews.com/2020/04/zero-day-warning-its-possible-to-hack.html

------------------------------

Date: Wed, 22 Apr 2020 15:44:17 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How NASA does software testing and QA (Functionize)

It is, perhaps, your dream job -- doing software testing for positive
world-changing applications such as space exploration. But that comes with
additional concerns, such as lives at stake and too-far-to-repair
constraints.

https://www.functionize.com/blog/how-nasa-does-software-testing-and-qa/

------------------------------

Date: Wed, 22 Apr 2020 14:56:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Leaked pics from Amazon Ring show potential new surveillance
  features (Ars Technica)

Amazon wouldn't be the first consumer company to do it, but it would be the
biggest.

https://arstechnica.com/tech-policy/2020/04/ring-cameras-may-someday-scan-license-plates-and-faces-leak-shows/

------------------------------

Date: Thu, 23 Apr 2020 05:27:06 +0900
From: Dave Farber <farber@gmail.com>
Subject: A notable quote for scientists and academics

``The virus is reminding us that the purpose of scholarly communication is
not to allocate credit for career advancement, and neither is it to keep
publishers afloat.''

For research-policy manager Elizabeth Gadd, the pandemic has highlighted the
importance of open science. (Wonkhe | 6 min read)

https://wonkhe.com/blogs/the-purpose-of-publications-in-a-pandemic-and-beyond/

------------------------------

Date: April 22, 2020 7:41:47 JST
From: Richard Forno <rforno@infowarrior.org>
Subject: You can now receive 3 free credit reports each week for the next year
  (CNBC)

Experian, Equifax and TransUnion are now offering free credit reports to all
Americans on a weekly basis for the next year so you can protect your
financial health during hardships from the coronavirus.

https://www.cnbc.com/select/experian-equifax-transunion-offer-weekly-free-credit-reports-for-one-year/

------------------------------

Date: Wed, 22 Apr 2020 08:06:28 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Anti-lockdown protester who said it was a 'political ploy' is
  killed by coronavirus (Metro)

https://metro.co.uk/2020/04/21/anti-lockdown-protester-branded-covid-19-political-ploy-killed-coronavirus-12588467/

------------------------------

Date: Wed, 22 Apr 2020 07:57:29 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Chinese Agents Spread Messages That Sowed Virus Panic in U.S.,
  Officials Say (NYTimes)

https://www.nytimes.com/2020/04/22/us/politics/coronavirus-china-disinformation.html

American officials were alarmed by fake text messages and social media posts
that said President Trump was locking down the country. Experts see a
convergence with Russian tactics.

------------------------------

Date: Wed, 22 Apr 2020 08:01:41 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Las Vegas Mayor: Assume everyone has COVID-19, reopen the casinos,
  and let the chips fall where they may (WashPost)

https://www.washingtonpost.com/nation/2020/04/22/las-vegas-coronavirus-reopen/

------------------------------

Date: Wed, 22 Apr 2020 08:04:19 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: TN Anti-lockdown protester spotted with vile poster saying
  'Sacrifice the weak' to coronavirus (Metro)

https://metro.co.uk/2020/04/22/anti-lockdown-protester-spotted-vile-poster-saying-sacrifice-weak-coronavirus-12594348/

------------------------------

Date: Wed, 22 Apr 2020 01:14:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Coronavirus is largely spread by people without symptoms (Inquirer)

Just two months ago, the discovery that two people infected with the
coronavirus had no symptoms was such big scientific news that it was
published in the New England Journal of Medicine.
<https://www.inquirer.com/health/coronavirus-transmission-asymptommatic-nejm-german-report-20200218.html>

Now, it is becoming clear that much, if not most, of the spread of the virus
is by infected people who don't get sick. New evidence comes from
a Boston homeless shelter, an Italian town, a California county, and a Navy
aircraft carrier. [...]

https://www.inquirer.com/health/coronavirus/coronavirus-mostly-spreads-asymptomatically-complicating-reopening-20200420.html

------------------------------

Date: Tue, 21 Apr 2020 14:35:13 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Spam filter censoring COVID content

I can't even send a *private* message to my sister.

I'd say we've now reached the "tipping point" in killing free speech on the
Internet.

Encryption is no longer just about privacy; end2end encryption is now
essential to avoid censorship.

I sent a message with a subject heading:

Subject: <<some text>> protect against COVID19

My message got bounced with the following explanation:
-------------------------------------------------------------
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  emailname@domain
    host mx01.domain [XX.XX.XX.XX]
    SMTP error from remote mail server after end of data:
    554 5.7.1 [P4] Message blocked due to spam content in the message.

------------------------------

Date: Wed, 22 Apr 2020 18:18:43 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Lego is producing 13,000 face visors a day for healthcare workers
  amid coronavirus pandemic (USA Today)

https://www.usatoday.com/story/money/2020/04/10/coronavirus-lego-producing-13-000-visors-day-healthcare-workers/5135078002/

A revered global brand, Denmark's Lego has generously contributed their
expertise and facilities to manufacture and donate personal protective
equipment (PPE). Lego has pledged US$ 50M for pandemic relief efforts.

This example of corporate generosity from a trusted brand raises an
important risk. Lego makes toys. The pandemic has compelled a humane
business decision to become PPE suppliers, almost overnight.

The USA Today article does not discuss factory health and safety
certification or compliance standards. Apparently, one must assume that you
can "Bet your life on Lego."

Must Lego PPE satisfy ISO and other important/essential standards? Are the
PPE recipients equipped to perform receiving inspections and verify fitness
for use? Where are the inspection results? Are the inspectors qualified? Has
a manufacturing or inspection waiver been granted given the emergency? Under
whose authority? Is industrial regulatory compliance mandatory under
pandemic conditions for PPE?

If the PPE is faulty, patients and healthcare personnel will be at greater
risk of infection.

Reports about ineffective coronavirus test kits, substandard personal
protective equipment (PPE), and global shortages are noteworthy. See:
https://www.dw.com/en/coronavirus-netherlands-recalls-defective-masks-bought-from-china/a-52949216,
https://globalnews.ca/news/6769162/canada-medical-supplies-coronavirus/,
https://www.nytimes.com/2020/04/19/nyregion/coronavirus-face-shields-factory-nyc.html.

------------------------------

Date: Wed, 22 Apr 2020 10:12:26 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Australian Government proposes to distribute Coronavirus App
  (RISKS-31.69-70)

Israel's Ministry of Health distributes such an application, which seems to
be using something similar to Google's Timeline to backtrack confirmed
infected people and warn app holders who had come in contact with them.

I have downloaded this application, and indeed received a warning that I had
been in the vicinity of an infected person, and have to go into isolation
for up to 14 days from the moment of contact. The only problem was that I
got the warning on the 13th day, with less than 12 hours left of the
isolation time!

In an environment where it may take several days for an infected person to
show symptoms, a few more days to wait for an inspection, and a few more
till the results are in, the whole idea becomes a sad joke.  The long delay
also makes using proximity technology like Bluetooth useless, unless *all*
contacts between any two people, infected or not, are recorded and kept in a
database to be checked later if any of them is found to have been infected.

------------------------------

Date: Wed, 22 Apr 2020 11:05:13 +0100
From: A Michael W Bacon <amichaelwbacon@gmail.com>
Subject: Re: Australian Government proposes to distribute Coronavirus App
  (RISKS-31.69)

I belatedly learned that the proposed app defined a "contact" as a user to
have remained within 1.5 metres of another user (one of whom had marked
themself as "infected") for 15 minutes.

Although this would very largely avoid the "passing by" and "loose dog"
scenarios I postulated, it raises other questions.

Whilst the potential to be infected by another person rises by exposure
duration and proximity, one expulsion of virus-laden droplets immediately
upon "contact" can be sufficient to cause infection.  The 15 minute
"exposure" seems a wholly arbitrary time.  And what if the "contact" is
broken -- possibly by a signal dropout or just that the parties moved more
than 1.5 metres apart -- within that time, but then resumed, does the clock
reset?  Could I spend several hours in a meeting room 1.5 metres away from
an infected person across the table, but have the clock reset itself every
time I leaned my chair back?

Secondly, the recommended "social distance" is two metres (and some
scientists have indicated this is inadequate and should be at least
doubled), so even the lower figure is not met for the app.  That aside, the
figure is somewhat arbitrary too, and presumably can only be determined by
signal strength or maybe a "handshake" time between the two devices.
Whatever, it will likely not be so precise as to differentiate distances
around 1.5 metres.  BTW, I do appreciate that the 1.5 metre figure is not
necessarily precise, and anyway the signal distance will vary by situation
and over time.

Now some will argue -- with fair reason -- that the actual distance and time
are not *that* important; after all, whether or not a person (or cat) is
infected by another is highly variable and unpredictable.  However, it is
this variability and unpredictability that contributes to undermining the
usefulness/purpose of the app.  The imprecision in detection of "contacts"
is likely to generate many -- very possibly too many -- false positives and --
potentially worse and definitely 'too' -- many false negatives.  And the "too
many" false positives presents the potential for the mischievous and
malevolent to effectively 'DDOS' the system.  Its use will likely, as with
some other proposals, engender a false sense of security among users.

PS: Apologies for the solecism of the misused apostrophe in my previous, I
failed to catch Apple's erroneous autocorrection -- MB.

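As an added illustration (not from the post above, and not the code of any actual tracing app), the following Python models the 1.5 metre / 15 minute contact rule over a constructed per-minute proximity stream under two dropout policies: a strict clock reset on any out-of-range or missing reading, and a tolerated gap of a few minutes. The scenarios, the grace values and the treatment of gap minutes (not counted, but not resetting) are assumptions made for the demonstration.

```python
"""Contact-window accumulation under strict-reset and tolerated-gap policies.

Added example (not part of the RISKS post or any real contact-tracing app).
A sample stream holds one distance reading in metres per minute, with None
standing for a lost Bluetooth reading (signal dropout).
"""

CONTACT_DISTANCE_M = 1.5   # proximity threshold quoted in the post
CONTACT_MINUTES = 15       # exposure duration quoted in the post


def contact_episodes(samples, grace_minutes=0):
    """Split a per-minute stream into contact episodes.

    An episode accumulates minutes at or under CONTACT_DISTANCE_M and ends
    once more than grace_minutes consecutive minutes are out of range or
    missing.  grace_minutes=0 is the strict "the clock resets" policy the
    post asks about.  Gap minutes are tolerated but never counted as
    exposure (an assumption).  Returns the in-range minute count of each
    episode, in order.
    """
    episodes = []
    in_range = 0   # minutes accumulated in the current episode
    gap = 0        # consecutive out-of-range or missing minutes
    for d in samples:
        if d is not None and d <= CONTACT_DISTANCE_M:
            in_range += 1
            gap = 0
        else:
            gap += 1
            if gap > grace_minutes and in_range:
                episodes.append(in_range)
                in_range = 0
    if in_range:
        episodes.append(in_range)
    return episodes


def flags_contact(samples, grace_minutes=0):
    """True if any episode reaches the CONTACT_MINUTES threshold."""
    return any(e >= CONTACT_MINUTES
               for e in contact_episodes(samples, grace_minutes))


# --- constructed scenarios -------------------------------------------------

def meeting_with_lean_backs(minutes=120, period=10):
    """Two hours seated 1.0 m from an infected colleague, leaning the chair
    back to 1.7 m for one minute every `period` minutes."""
    return [1.7 if m % period == period - 1 else 1.0 for m in range(minutes)]


def meeting_with_dropouts(minutes=120):
    """Same meeting without leaning back, but the Bluetooth reading is lost
    for one minute every ten minutes."""
    return [None if m % 10 == 9 else 1.0 for m in range(minutes)]


def brief_passing():
    """Someone walks past and lingers in range for three minutes."""
    return [3.0, 1.2, 1.0, 1.4, 2.5, 4.0]


def two_separate_chats():
    """Two ten-minute chats with the same person, twenty minutes apart."""
    return [1.0] * 10 + [5.0] * 20 + [1.0] * 10


if __name__ == "__main__":
    scenarios = [("lean-backs", meeting_with_lean_backs()),
                 ("dropouts", meeting_with_dropouts()),
                 ("brief passing", brief_passing()),
                 ("two chats", two_separate_chats())]
    for name, stream in scenarios:
        for grace in (0, 2, 30):
            eps = contact_episodes(stream, grace)
            print(f"{name:14s} grace={grace:2d} episodes={eps} "
                  f"contact={flags_contact(stream, grace)}")
```

With a strict reset the two-hour meeting never registers (twelve nine-minute runs), a two-minute grace catches it, and an over-generous thirty-minute grace merges two genuinely separate chats into one flagged contact: the false-negative and false-positive ends of the same tuning knob.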
------------------------------

Date: Tue, 21 Apr 2020 22:23:31 +0100
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: Re: More on COVID-19 Digital Rights Tracker (RISKS-31.69)

> The creation of a global surveillance juggernaut that governments will
> never willingly give up or restrict solely to public health situations!
> -LW

This is what worries me.  World War 2 ended in Europe in May 1945 (we were
due to have a big 75th anniversary commemoration next month), but British
governments of the day didn't really pay much attention.  We had identity
cards until 1950, rationing well into the 1950s, conscription until 1960,
and exchange controls until 1980 -- in the 1970s, Brits traveling abroad on
vacation were limited to taking 50 pounds (~$60) with them.

Since then, about 15 years ago the government was enthusiastically
proceeding with plans for compulsory national identity cards ("we'll find
them so useful that we'll wonder how we ever managed without them!")
backed up with a computerised citizens' database.  More recently, in last
year's British general election, if the Labour party had won there was a
strong possibility that exchange controls would have to be re-introduced to
prevent the loss of tax revenues.  Since the Covid-19 lockdown, various
politicians in the UK have proposed that this is a once-in-a-lifetime
opportunity to reorder society on a fairer, more-equitable basis, presumably
more like the popular and successful models of Cuba or the Soviet
Bloc... :o) There's a letter in today's newspaper saying "I hope this
pandemic cements the use of debit cards for all transactions and thereby the
end of cash".

Whether you consider these developments as good or bad depends on your
politics, but I feel uneasy if they're introduced under the guise of
tackling a public health issue.  Benjamin Franklin's famous quote comes to
mind:

> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."

------------------------------

Date: Wed, 22 Apr 2020 14:14:10 +0100
From: Martin Ward <martin@gkc.org.uk>
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

> Would the Information Technology Community promote the idea that we should
> all pay a low fee for sending each email.

It may surprise you to know that this solution has been suggested before:
more than once even!

Here's an example from 2003:

https://web.archive.org/web/20031229160109/http://www.pcpro.co.uk/news/news_story.php?id=51289

and one from 2013:

https://forums.moneysavingexpert.com/discussion/4383787/stop-spam-pay-for-email

Quote:

Your post advocates a

(X) technical (X) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't
work. (One or more of the following may apply to your particular idea, and
it may have other flaws which used to vary from state to state before a bad
federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate
potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
(X) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.  [...]

------------------------------

Date: Tue, 21 Apr 2020 14:43:08 -0500
From: dmaziuk <dmaziuk@bmrb.wisc.edu>
Subject: Re: Internet usage update (Fist, RISKS-31.70)

> Would the Information Technology Community promote the idea that we should
> all pay a low fee for sending each email.

You mean, we aren't? Last I checked I get a bill from my cableco every
month. I could divide it by the number of bytes transferred, multiply that
by the size of this message, and tell you exactly how much I paid for
sending this e-mail.

------------------------------

Date: Tue, 21 Apr 2020 13:24:12 -0700
From: Barry Gold <barrydgold@ca.rr.com>
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

I suggested this some time back, only I was thinking of a truly diminutive
fee: 1 mil (1/10 cent). For normal users, this would be down in the grass --
not even worth bothering with. I also suggested a mechanism whereby:

1. The recipient can "accept" the email, in which case there is no fee
2. Opt-in mailing lists: no fee. Otherwise the moderator of RISKS might end
up paying a significant fee, to say nothing of all the people who sign up
for notifications from Facebook etc.

Most spammers send out millions or tens of millions of messages, and don't
care that most of them don't lead anywhere -- they make a profit if 1 person
falls for it (Nigerian scam) or for commercial ads if 1/100 of 1%
respond. This would either stop most of those spams, or force them to be a
great deal more selective in who they send their emails to.

I'd love to see the same for telephone calls: if the recipient rejects the
call, the caller is charged 10 cents, split between the phone system and the
recipient. Phone calls are a great deal more intrusive than emails, which is
why I suggest the higher fee.

At the time the idea was pooh-poohed (I no longer remember why). We'll see
what people think of Stewart Fist's version.

------------------------------

Date: Wed, 22 Apr 2020 16:15:06 +0000 (UTC)
From: jcholleran@verizon.net
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

I know every reader of RISKS will initially bristle at the idea.  But, if we
were charged, say, 1 cent per mail sent, then most individuals would pay only
fractions of a dollar a day, and in a competitive world, this would be set
off against annual fees.  However, those scam organisations which exist by
flooding the world's mailboxes with unwanted, illegal and disgusting emails
by the millions would be quickly driven out of business.  The global email
and Internet system is never going to reach its potential until there is an
actual money penalty for abusing the technology.  Couldn't such a charge be
introduced on a global scale at the borders?

------------------------------

Date: Tue, 21 Apr 2020 19:26:37 -0400
From: Phil Nasadowski <pnasadowski@pcsintegrators.com>
Subject: Re: Anti-Asian Zoombombing at Newton South High School
  (RISKS-31.69)

After reading the article, one thing I couldn't figure out was `which
Newton?'  There's a few throughout the country, and it could have been the
Newton near me, or hundreds of miles away, or one I've never heard of.

This is one constant issue with news sources, particularly local ones --
they often don't say where they are located.  Saying you’re `XYZ area's
number one news source!' might be good for the locals, but in today’s
connected world, it doesn’t help the guy who stumbles on a random news
article.  Also referring to your geographic location as being in the
`bi/tri/quad-state region'.  To me, growing up on Long Island, `tri-state'
meant NY, NJ, CT.  To the local archery shop a bit west of me in
northeastern New Jersey, it means NJ, PA, and the southern tier of NY. Both
are technically correct, but neither really gives me an idea of where
they are, and both are ambiguous.

For the local paper's web site, the fix is easy -- put the state you’re in
at the top.  That resolves it, most of the time.  Until you hit New Jersey,
where we have plenty of localities with similar or identical names.

The risk?  Such ambiguities could incite or enrage people who read a story
and connect a name to a nearby location, when nothing at all has happened
there.  There's enough fake news going around.  We don’t need to
unintentionally create more of it...

  [Newton Mass in this case.  Sorry.  I could have added that.  PGN]

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.71
************************