Subject: Risks Digest 31.76

RISKS-LIST: Risks-Forum Digest  Wednesday 29 April 2020  Volume 31 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.76>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Online voting is too vulnerable (The Economist)
No-password Access to Britain's Road Surveillance Camera Data (The Register)
Democratising mass surveillance, one snafu at a time (The Register)
Washington Post-University of Maryland poll finds a problem for
  Apple-Google coronavirus app (WashPost)
Malicious Android apps (WiReD)
Nine million logs of Brits' road journeys spill onto the Internet
  from password-less number-plate camera dashboard (The Register)
Amazon Smart Oven Review: Don't Let It Anywhere Near Your Kitchen (WiReD)
Disney claims May the 4th (Rob Slade)
Ross Anderson course videos online (Rob Slade)
Re: 'No evidence' that recovering from Covid-19 gives people immunity,
  WHO says (Arthur Flatau)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 29 Apr 2020 15:51:31 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Online voting is too vulnerable (The Economist)

Why voting online is not the way to hold an election in a pandemic:
It is still too vulnerable to cyber-attacks and security breaches.

<https://www.economist.com/international/2020/04/27/why-voting-online-is-not-the-way-to-hold-an-election-in-a-pandemic>

------------------------------

Date: Tue, 28 Apr 2020 14:49:12 -0400
From: Charles Dunlop <cemdunlop@gmail.com>
Subject: No-password Access to Britain's Road Surveillance Camera Data
  (The Register)

Travel involving nearly nine million cars in Britain was accessible merely
by typing the system's IP address into a browser:
  https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/

------------------------------

Date: Wed, 29 Apr 2020 13:09:44 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Democratising mass surveillance, one snafu at a time (The Register)

Exclusive: In a blunder described as "astonishing and worrying," Sheffield
City Council's automatic number-plate recognition (ANPR) system exposed to
the Internet 8.6 million records of road journeys made by thousands of
people, The Register can reveal.

The ANPR camera system's internal management dashboard could be accessed by
simply entering its IP address into a web browser. No login details or
authentication of any sort was needed to view and search the live system –
which logs where and when vehicles, identified by their number plates,
travel through Sheffield's road network.

Britain's Surveillance Camera Commissioner Tony Porter described the
security lapse as "both astonishing and worrying," and demanded a full probe
into the snafu.

https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/

IoT follies.

------------------------------

Date: Wed, 29 Apr 2020 10:39:31 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Washington Post-University of Maryland poll finds a problem for
  Apple-Google coronavirus app (WashPost)

Nearly 3 in 5 Americans say they are either unable or unwilling to use the
infection-alert apps under development by Google and Apple, suggesting a
steep climb to win enough adoption of the technology to make it effective
against the coronavirus pandemic, a Washington Post-University of Maryland
poll finds. [...]

A major source of skepticism about the infection-tracing app is distrust of
Google, Apple and tech companies generally, with a majority expressing
doubts about whether they would protect the privacy of health data. A 57
percent majority of smartphone users report having a `great deal' or a `good
amount' of trust in public health agencies and 56 percent trust
universities. That compares with 47 percent who trust health insurance
companies and 43 percent who trust tech companies like Google and Apple.

https://www.washingtonpost.com/technology/2020/04/29/most-americans-are-not-willing-or-able-use-an-app-tracking-coronavirus-infections-thats-problem-big-techs-plan-slow-pandemic/

------------------------------

Date: Wed, 29 Apr 2020 13:12:24 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Malicious Android apps (WiReD)

Malicious Android apps from the so-called PhantomLance campaign targeted
hundreds of users, and at least two slipped past Google's defenses.

https://www.wired.com/story/phantomlance-google-play-malware-apt32/

------------------------------

Date: Tue, 28 Apr 2020 17:29:28 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Nine million logs of Brits' road journeys spill onto the Internet
  from password-less number-plate camera dashboard

https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/

------------------------------

Date: Wed, 29 Apr 2020 17:25:09 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Amazon Smart Oven Review: Don't Let It Anywhere Near Your Kitchen
  (WiReD)

Connected kitchen gadgets are supposed to streamline cooking, but this one
just gave me a headache.

https://www.wired.com/review/amazon-smart-oven/

This is laugh out loud funny.

------------------------------

Date: Tue, 28 Apr 2020 12:46:14 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Disney claims May the 4th

Disney claimed that it owned "Maythe4th" and all *your* posts that use it.
https://twitter.com/disneyplus/status/1254772307941191686

The reaction was predictable.
https://www.bbc.com/news/technology-52457596

------------------------------

Date: Tue, 28 Apr 2020 12:28:31 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Ross Anderson course videos online

Professor Ross Anderson (University of Cambridge) has put his lectures for
his first-year Software and Security Engineering course online.  Freely
available.

https://www.cl.cam.ac.uk/teaching/1920/SWSecEng/materials.html

Avail yourselves.

  [Highly recommended.  PGN]

------------------------------

Date: Tue, 28 Apr 2020 13:08:19 -0500
From: Arthur Flatau <flataua@acm.org>
Subject: Re: 'No evidence' that recovering from Covid-19 gives people immunity,
  WHO says (RISKS-31.74)

There have been a number of reports and suggestions that people who have
had COVID-19 may not have immunity.  They are usually accompanied by
statements that we need a vaccine.  Of course, a vaccine just tricks the
immune system into developing antibodies by exposing it to parts of, or an
attenuated or dead form of, the virus in question.  However, if being infected with
the virus does not create immunity, this makes developing an effective
vaccine very difficult if not impossible.

  [One of these days we will consider the risks of computer viruses and
  coronaviruses in complementary context -- for example, relating to the
  soundness of models and predictions, theory vs practice, belief systems,
  misinformation, disinformation, etc.  Many useful comparisons might seem
  relevant here, in case any readers are wondering why there are so many
  COVID items in RISKS lately!  PGN]

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.76
************************