RISKS-LIST: Risks-Forum Digest  Wednesday 22 April 2020  Volume 31 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.71>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Google's auto-complete for speech can cover up glitches in video call
  (MIT Technology Review)
Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates
  Foundation and others are dumped online (WashPost)
Zero-Day Warning: It's Possible to Hack iPhones Just by Sending Email
  (The Hacker News)
How NASA does software testing and QA (Functionize)
Leaked pics from Amazon Ring show potential new surveillance features
  (Ars Technica)
A notable quote for scientists and academics (Dave Farber)
You can now receive 3 free credit reports each week for the next year (CNBC)
Anti-lockdown protester who said it was a 'political ploy' is killed by
  coronavirus (Metro)
Chinese Agents Spread Messages That Sowed Virus Panic in U.S.
  (NYTimes)
Las Vegas Mayor: Assume everyone has COVID-19, reopen the casinos, and let
  the chips fall where they may (WashPost)
TN Anti-lockdown protester spotted with vile poster saying 'Sacrifice the
  weak' to coronavirus (Metro)
Coronavirus is largely spread by people without symptoms (Inquirer)
Spam filter censoring COVID content (Henry Baker)
Lego is producing 13,000 face visors a day for healthcare workers amid
  coronavirus pandemic (USA Today)
Re: Australian Government proposes to distribute Coronavirus App
  (Amos Shapir, Michael Bacon)
Re: More on COVID-19 Digital Rights Tracker (Chris Drewe)
Re: Internet Usage update (Martin Ward, Dmitri Maziuk, Barry Gold, JCHolleran)
Re: Anti-Asian Zoombombing at Newton South High School (Phil Nasadowski)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 23 Apr 2020 05:16:34 +0900
From: Dave Farber <farber@gmail.com>
Subject: Google's auto-complete for speech can cover up glitches in video
  call (MIT Technology Review)

https://www.technologyreview.com/2020/04/06/998410/google-artificial-intelligence-autocomplete-internet-voice-speech-glitches-video-call/

  [Beware.  PGN]

------------------------------

Date: Wed, 22 Apr 2020 16:57:30 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Nearly 25,000 email addresses and passwords allegedly from NIH, WHO,
  Gates Foundation and others are dumped online (WashPost)

Thousands of alleged email addresses and passwords linked to prominent
organizations battling the coronavirus pandemic have been dumped on the
Internet, where they almost immediately were used to foment hacking attempts
and harassment by far-right extremists.
https://www.washingtonpost.com/technology/2020/04/21/nearly-25000-email-addresses-passwords-allegedly-nih-who-gates-foundation-are-dumped-online/

------------------------------

Date: Wed, 22 Apr 2020 14:43:48 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Zero-Day Warning: It's Possible to Hack iPhones Just by Sending Email
  (The Hacker News)

https://thehackernews.com/2020/04/zero-day-warning-its-possible-to-hack.html

------------------------------

Date: Wed, 22 Apr 2020 15:44:17 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How NASA does software testing and QA (Functionize)

It is, perhaps, your dream job -- doing software testing for positive
world-changing applications such as space exploration.  But that comes with
additional concerns, such as lives at stake and too-far-to-repair
constraints.

https://www.functionize.com/blog/how-nasa-does-software-testing-and-qa/

------------------------------

Date: Wed, 22 Apr 2020 14:56:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Leaked pics from Amazon Ring show potential new surveillance
  features (Ars Technica)

Amazon wouldn't be the first consumer company to do it, but it would be the
biggest.

https://arstechnica.com/tech-policy/2020/04/ring-cameras-may-someday-scan-license-plates-and-faces-leak-shows/

------------------------------

Date: Thu, 23 Apr 2020 05:27:06 +0900
From: Dave Farber <farber@gmail.com>
Subject: A notable quote for scientists and academics

``The virus is reminding us that the purpose of scholarly communication is
not to allocate credit for career advancement, and neither is it to keep
publishers afloat.''  For research-policy manager Elizabeth Gadd, the
pandemic has highlighted the importance of open science.
  (Wonkhe | 6 min read)
https://wonkhe.com/blogs/the-purpose-of-publications-in-a-pandemic-and-beyond/

------------------------------

Date: April 22, 2020 7:41:47 JST
From: Richard Forno <rforno@infowarrior.org>
Subject: You can now receive 3 free credit reports each week for the next
  year (CNBC)

Experian, Equifax and TransUnion are now offering free credit reports to all
Americans on a weekly basis for the next year so you can protect your
financial health during hardships from the coronavirus.

https://www.cnbc.com/select/experian-equifax-transunion-offer-weekly-free-credit-reports-for-one-year/

------------------------------

Date: Wed, 22 Apr 2020 08:06:28 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Anti-lockdown protester who said it was a 'political ploy' is
  killed by coronavirus (Metro)

https://metro.co.uk/2020/04/21/anti-lockdown-protester-branded-covid-19-political-ploy-killed-coronavirus-12588467/

------------------------------

Date: Wed, 22 Apr 2020 07:57:29 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Chinese Agents Spread Messages That Sowed Virus Panic in U.S.,
  Officials Say (NYTimes)

https://www.nytimes.com/2020/04/22/us/politics/coronavirus-china-disinformation.html

American officials were alarmed by fake text messages and social media posts
that said President Trump was locking down the country.  Experts see a
convergence with Russian tactics.
------------------------------

Date: Wed, 22 Apr 2020 08:01:41 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Las Vegas Mayor: Assume everyone has COVID-19, reopen the casinos,
  and let the chips fall where they may (WashPost)

https://www.washingtonpost.com/nation/2020/04/22/las-vegas-coronavirus-reopen/

------------------------------

Date: Wed, 22 Apr 2020 08:04:19 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: TN Anti-lockdown protester spotted with vile poster saying
  'Sacrifice the weak' to coronavirus (Metro)

https://metro.co.uk/2020/04/22/anti-lockdown-protester-spotted-vile-poster-saying-sacrifice-weak-coronavirus-12594348/

------------------------------

Date: Wed, 22 Apr 2020 01:14:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Coronavirus is largely spread by people without symptoms (Inquirer)

Just two months ago, the discovery that two people infected with the
coronavirus had no symptoms was such big scientific news that it was
published in the New England Journal of Medicine.
<https://www.inquirer.com/health/coronavirus-transmission-asymptommatic-nejm-german-report-20200218.html>

Now, it is becoming clear that much, if not most, of the spread of the virus
is by infected people who don't get sick.  New evidence comes from a Boston
homeless shelter, an Italian town, a California county, and a Navy aircraft
carrier.  [...]

https://www.inquirer.com/health/coronavirus/coronavirus-mostly-spreads-asymptomatically-complicating-reopening-20200420.html

------------------------------

Date: Tue, 21 Apr 2020 14:35:13 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Spam filter censoring COVID content

I can't even send a *private* message to my sister.  I'd say we've now
reached the "tipping point" in killing free speech on the Internet.
Encryption is no longer just about privacy; end2end encryption is now
essential to avoid censorship.
I sent a message with a subject heading:

  Subject: <<some text>> protect against COVID19

My message got bounced with the following explanation:

-------------------------------------------------------------
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients.  This is a permanent error.  The following address(es) failed:

  emailname@domain
    host mx01.domain [XX.XX.XX.XX]
    SMTP error from remote mail server after end of data:
    554 5.7.1 [P4] Message blocked due to spam content in the message.

------------------------------

Date: Wed, 22 Apr 2020 18:18:43 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Lego is producing 13,000 face visors a day for healthcare workers
  amid coronavirus pandemic (USA Today)

https://www.usatoday.com/story/money/2020/04/10/coronavirus-lego-producing-13-000-visors-day-healthcare-workers/5135078002/

A revered global brand, Denmark's Lego has generously contributed their
expertise and facilities to manufacture and donate personal protective
equipment (PPE).  Lego has pledged US$ 50M for pandemic relief efforts.

This example of corporate generosity from a trusted brand raises an
important risk.  Lego makes toys.  The pandemic has compelled a humane
business decision to become PPE suppliers, almost overnight.  The USA Today
article does not discuss factory health and safety certification or
compliance standards.  Apparently, one must assume that you can "Bet your
life on Lego."

Must Lego PPE satisfy ISO and other important/essential standards?  Are the
PPE recipients equipped to perform receiving inspections and verify fitness
for use?  Where are the inspection results?  Are the inspectors qualified?
Has a manufacturing or inspection waiver been granted given the emergency?
Under whose authority?  Is industrial regulatory compliance mandatory under
pandemic conditions for PPE?
If the PPE is faulty, patients and healthcare personnel will be at greater
risk of infection.  Reports about ineffective coronavirus test kits,
substandard personal protective equipment (PPE), and global shortages are
noteworthy.  See:
https://www.dw.com/en/coronavirus-netherlands-recalls-defective-masks-bought-from-china/a-52949216,
https://globalnews.ca/news/6769162/canada-medical-supplies-coronavirus/,
https://www.nytimes.com/2020/04/19/nyregion/coronavirus-face-shields-factory-nyc.html.

------------------------------

Date: Wed, 22 Apr 2020 10:12:26 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Australian Government proposes to distribute Coronavirus App
  (RISKS-31.69-70)

Israel's Ministry of Health distributes such an application, which seems to
be using something similar to Google's Timeline to backtrack confirmed
infected people and warn app holders who had come in contact with them.

I have downloaded this application, and indeed received a warning that I had
been in the vicinity of an infected person, and have to go into isolation
for up to 14 days from the moment of contact.  The only problem was that I
got the warning on the 13th day, with less than 12 hours left of the
isolation time!

In an environment where it may take several days for an infected person to
show symptoms, a few more days to wait for an inspection, and a few more
till the results are in, the whole idea becomes a sad joke.  The long delay
also makes using proximity technology like Bluetooth useless, unless *all*
contacts between any two people, infected or not, are recorded and kept in a
database to be checked later if any of them is found to have been infected.
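To make the timing problem in the post above concrete, here is an added example that is not the poster's code nor that of any real tracing app: it records every contact between any two users as the post proposes, looks up the contacts of a user once that user is confirmed infected, and computes how much of the 14-day isolation is left by the time a warning arrives after the symptom, inspection and result delays. All users, timestamps, delays and the 24-hour "still useful" threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

ISOLATION_DAYS = 14  # isolation runs from the moment of contact, as in the post

# Constructed contact log: (timestamp, user_a, user_b).  Every contact between
# any two users is recorded, whether or not either is known to be infected.
CONTACT_LOG = [
    (datetime(2020, 4, 1, 9, 0), "alice", "bob"),
    (datetime(2020, 4, 3, 18, 30), "bob", "carol"),
    (datetime(2020, 4, 5, 12, 0), "alice", "dave"),
    (datetime(2020, 3, 10, 8, 0), "bob", "erin"),   # older than the window
]


def exposures(log, infected_user, confirmed_at):
    """Retrospective lookup: once infected_user is confirmed, return
    {other_user: earliest contact time} for every contact that falls within
    the ISOLATION_DAYS window before confirmation."""
    window_start = confirmed_at - timedelta(days=ISOLATION_DAYS)
    found = {}
    for ts, a, b in log:
        if infected_user not in (a, b) or not (window_start <= ts <= confirmed_at):
            continue
        other = b if a == infected_user else a
        if other not in found or ts < found[other]:
            found[other] = ts
    return found


def confirmation_time(contact_at, symptom_days, inspection_days, result_days):
    """When the infected person is confirmed: they first have to show symptoms,
    then wait for a test, then wait for the result."""
    return contact_at + timedelta(days=symptom_days + inspection_days + result_days)


def isolation_remaining_hours(contact_at, notified_at):
    """Hours of isolation still ahead when the warning arrives.  Zero or
    negative means the isolation period had already ended before the warning."""
    end = contact_at + timedelta(days=ISOLATION_DAYS)
    return (end - notified_at).total_seconds() / 3600


def useful_warnings(log, infected_user, confirmed_at, delivered_at):
    """Split exposures into those that still get a meaningful isolation period
    and those warned too late (constructed threshold: at least 24 h left)."""
    in_time, too_late = [], []
    for user, ts in sorted(exposures(log, infected_user, confirmed_at).items()):
        hours_left = isolation_remaining_hours(ts, delivered_at)
        (in_time if hours_left >= 24 else too_late).append((user, round(hours_left, 1)))
    return in_time, too_late


def scenario():
    """Constructed replay of the post: contact on 1 April, 5 days to symptoms,
    4 days waiting for a test, 4 days for the result, then 13 more hours until
    the warning is pushed to the app (13th day, less than 12 hours left)."""
    first_contact = CONTACT_LOG[0][0]
    confirmed = confirmation_time(first_contact, 5, 4, 4)   # 2020-04-14 09:00
    delivered = confirmed + timedelta(hours=13)              # 2020-04-14 22:00
    return useful_warnings(CONTACT_LOG, "bob", confirmed, delivered)


if __name__ == "__main__":
    in_time, too_late = scenario()
    print("warned in time:", in_time)   # carol still has ~68 h of isolation
    print("warned too late:", too_late) # alice has 11 h left, as in the post
```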
------------------------------

Date: Wed, 22 Apr 2020 11:05:13 +0100
From: A Michael W Bacon <amichaelwbacon@gmail.com>
Subject: Re: Australian Government proposes to distribute Coronavirus App
  (RISKS-31.69)

I belatedly learned that the proposed app defined a "contact" as a user to
have remained within 1.5 metres of another user (one of whom had marked
themself as "infected") for 15 minutes.  Although this would very largely
avoid the "passing by" and "loose dog" scenarios I postulated, it raises
other questions.

Whilst the potential to be infected by another person rises by exposure
duration and proximity, one expulsion of virus-laden droplets immediately
upon "contact" can be sufficient to cause infection.  The 15 minute
"exposure" seems a wholly arbitrary time.  And what if the "contact" is
broken -- possibly by a signal dropout or just that the parties moved more
than 1.5 metres apart -- within that time, but then resumed, does the clock
reset?  Could I spend several hours in a meeting room 1.5 metres away from
an infected person across the table, but have the clock reset itself every
time I leaned my chair back?

Secondly, the recommended "social distance" is two metres (and some
scientists have indicated this is inadequate and should be at least
doubled), so even the lower figure is not met for the app.  That aside, the
figure is somewhat arbitrary too, and presumably can only be determined by
signal strength or maybe a "handshake" time between the two devices.
Whatever, it will likely not be so precise as to differentiate distances
around 1.5 metres.  BTW, I do appreciate that the 1.5 metre figure is not
necessarily precise, and anyway the signal distance will vary by situation
and over time.

Now some will argue -- with fair reason -- that the actual distance and time
are not *that* important; after all, whether or not a person (or cat) is
infected by another is highly variable and unpredictable.
However, it is this variability and unpredictability that contributes to
undermining the usefulness/purpose of the app.  The imprecision in detection
of "contacts" is likely to generate many -- very possibly too many -- false
positives and -- potentially worse and definitely 'too' -- many false
negatives.  And the "too many" false positives presents the potential for
the mischievous and malevolent to effectively 'DDOS' the system.  Its use
will likely, as with some other proposals, engender a false sense of
security among users.

PS: Apologies for the solecism of the misused apostrophe in my previous, I
failed to catch Apple's erroneous autocorrection -- MB.

------------------------------

Date: Tue, 21 Apr 2020 22:23:31 +0100
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: Re: More on COVID-19 Digital Rights Tracker (RISKS-31.69)

> The creation of a global surveillance juggernaut that governments will
> never willingly give up or restrict solely to public health situations!
> -LW

This is what worries me.  World War 2 ended in Europe in May 1945 (we were
due to have a big 75th anniversary commemoration next month), but British
governments of the day didn't really pay much attention.  We had identity
cards until 1950, rationing well into the 1950s, conscription until 1960,
and exchange controls until 1980 -- in the 1970s, Brits traveling abroad on
vacation were limited to taking 50 pounds (~$60) with them.  Since then,
about 15 years ago the government was enthusiastically proceeding with plans
for compulsory national identity cards ("we'll find them so useful that
we'll wonder how we ever managed without them!") backed up with a
computerised citizens' database.  More recently, in last year's British
general election, if the Labour party had won there was a strong possibility
that exchange controls would have to be re-introduced to prevent the loss of
tax revenues.
Since the Covid-19 lockdown, various politicians in the UK have proposed that
this is a once-in-a-lifetime opportunity to reorder society on a fairer,
more-equitable basis, presumably more like the popular and successful models
of Cuba or the Soviet Bloc...  :o)  There's a letter in today's newspaper
saying "I hope this pandemic cements the use of debit cards for all
transactions and thereby the end of cash".  Whether you consider these
developments as good or bad depends on your politics, but I feel uneasy if
they're introduced under the guise of tackling a public health issue.

Benjamin Franklin's famous quote comes to mind:

> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."

------------------------------

Date: Wed, 22 Apr 2020 14:14:10 +0100
From: Martin Ward <martin@gkc.org.uk>
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

> Would the Information Technology Community promote the idea that we should
> all pay a low fee for sending each email.

It may surprise you to know that this solution has been suggested before:
more than once even!  Here's an example from 2003:

https://web.archive.org/web/20031229160109/http://www.pcpro.co.uk/news/news_story.php?id=51289

and one from 2013:

https://forums.moneysavingexpert.com/discussion/4383787/stop-spam-pay-for-email

Quote:

Your post advocates a

(X) technical  (X) legislative  (X) market-based  ( ) vigilante

approach to fighting spam.  Your idea will not work.  Here is why it won't
work.  (One or more of the following may apply to your particular idea, and
it may have other flaws which used to vary from state to state before a bad
federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential
    employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
(X) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.

[...]

------------------------------

Date: Tue, 21 Apr 2020 14:43:08 -0500
From: dmaziuk <dmaziuk@bmrb.wisc.edu>
Subject: Re: Internet usage update (Fist, RISKS-31.70)

> Would the Information Technology Community promote the idea that we should
> all pay a low fee for sending each email.

You mean, we aren't?  Last I checked I get a bill from my cableco every
month.  I could divide it by the number of bytes transferred, multiply that
by the size of this message, and tell you exactly how much I paid for
sending this e-mail.

------------------------------

Date: Tue, 21 Apr 2020 13:24:12 -0700
From: Barry Gold <barrydgold@ca.rr.com>
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

I suggested this some time back, only I was thinking of a truly diminutive
fee: 1 mil (1/10 cent).  For normal users, this would be down in the grass
-- not even worth bothering with.

I also suggested a mechanism whereby:

1. The recipient can "accept" the email, in which case there is no fee
2. Opt-in mailing lists: no fee.  Otherwise the moderator of RISKS might end
   up paying a significant fee, to say nothing of all the people who sign up
   for notifications from Facebook etc.
Most spammers send out millions or tens of millions of messages, and don't
care that most of them don't lead anywhere -- they make a profit if 1 person
falls for it (Nigerian scam) or for commercial ads if 1/100 of 1% respond.
This would either stop most of those spams, or force them to be a great deal
more selective in who they send their emails to.

I'd love to see the same for telephone calls: if the recipient rejects the
call, the caller is charged 10 cents, split between the phone system and the
recipient.  Phone calls are a great deal more intrusive than emails, which
is why I suggest the higher fee.

At the time the idea was pooh-poohed (I no longer remember why).  We'll see
what people think of Stewart Fist's version.

------------------------------

Date: Wed, 22 Apr 2020 16:15:06 +0000 (UTC)
From: jcholleran@verizon.net
Subject: Re: Internet Usage update (Fist, RISKS-31.70)

I know every reader of RISKS will initially bristle at the idea.  But, if we
were charged, say, 1 cent per mail sent, then most individuals would pay
only fractions of a dollar a day, and in a competitive world, this would be
set off against annual fees.  However those scam organisations which exist
by flooding the world's mailboxes with unwanted, illegal and disgusting
emails by the millions, would be quickly driven out of business.

The global email and Internet system is never going to reach its potential
until there is an actual money penalty for abusing the technology.

Couldn't such a charge be introduced on a global scale at the borders?

------------------------------

Date: Tue, 21 Apr 2020 19:26:37 -0400
From: Phil Nasadowski <pnasadowski@pcsintegrators.com>
Subject: Re: Anti-Asian Zoombombing at Newton South High School (RISKS-31.69)

After reading the article, one thing I couldn't figure out was `which
Newton?'  There's a few throughout the country, and it could have been the
Newton near me, or hundreds of miles away, or one I've never heard of.
This is one constant issue with news sources, particularly local ones --
they often don't say where they are located.  Saying you’re `XYZ area's
number one news source!' might be good for the locals, but in today’s
connected world, it doesn’t help the guy who stumbles on a random news
article.  Also referring to your geographic location as being in the
`bi/tri/quad-state region'.  To me, growing up on Long Island, `tri-state'
meant NY, NJ, CT.  To the local archery shop a bit west of me in
northeastern New Jersey, it means NJ, PA, and the southern tier of NY.  Both
are technically correct, but neither really gives me an idea of where they
are, and both are ambiguous.

For the local paper's web site, the fix is easy -- put the state you’re in
at the top.  That resolves it, most of the time.  Until you hit New Jersey,
where we have plenty of localities with similar or identical names.

The risk?  Such ambiguities could incite or enrage people who read a story
and connect a name to a nearby location, when nothing at all has happened
there.  There's enough fake news going around.  We don’t need to
unintentionally create more of it...

  [Newton Mass in this case.  Sorry.  I could have added that.  PGN]

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
   searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
 Also, ftp://ftp.sri.com/risks for the current volume
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
   browsing on the keywords in the subject line or cited article leads.
 Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.71
************************