Subject: Risks Digest 32.58

RISKS-LIST: Risks-Forum Digest  Thursday 1 April 2021  Volume 32 : Issue 58

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.58>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
April No-Fools' Day? No fooling! (PGN)
Post-vaccine guidance (Rob Slade)
Errors ruin 15 million doses of Johnson & Johnson's COVID-19 vaccine (NYTimes)
Dark web bursting with COVID-19 vaccines, vaccine passports (Ars Technica)
New York launches nation's first vaccine passports (USA Today)
Vaccine passports (Lauren Weinstein)
New Covid vaccines needed globally within a year, say scientists (The Guardian)
Child tweets gibberish from U.S. nuclear-agency account (BBC News)
Fooling facial recognition (The Register)
Biometrics instead of passwords (The Register via Arthur T.)
The Antiscience Movement Is Escalating, Going Global and Killing Thousands (Peter J. Hotez)
Nine requests assistance from government after major cyber-attack (John Colville)
How the Nine cyber-attack is affecting the Herald (John Colville)
How a Software Error Made Spain's Child COVID-19 Mortality Rate Skyrocket (Slate)
The Underground Nuclear Test That Didn't Stay Underground (Atlas Obscura)
Solar Geoengineering Should be Investigated, Scientists Say (Scientific American)
PHP's Git Server Hacked to Insert Secret Backdoor to Its Source Code (The Hacker News)
New wave of hacktivism adds twist to cybersecurity woes (reuters.com)
Blockchain is causing female green sea turtles (Rob Slade)
Your right to repair: COVID-19 is sending businesses, hospitals, and consumers to the breaking point (ZDNet)
Wetware data retrieval: Forensic analysis and data recovery from water-submerged hard drives (Techxplore)
Scientists can implant false memories -- and reverse them... (Inverse)
Suez Canal Blocked After Giant Container Ship Gets Stuck (NY Times)
Suez Canal from Space (Geoff Kuenning)
'Agile' F-35 fighter software dev techniques failed to speed up supersonic jet deliveries (The Register)
F-35 vs. bird (Gabe Goldberg with PGN comments)
Radiation Upset confused computers and caused false alarm on International Space Station (The Register)
Vote-by-mail fraud in Australia (Vanessa Teague)
How Facebook got addicted to spreading misinformation (TechReview)
No security on Website intended to prove that Swiss are vaccinated (Anthony Thorn)
Volkswagen apparently changing their name in U.S. (Lauren Weinstein)
Remote Work Is Here to Stay. Manhattan May Never Be the Same (NYTimes)
Where Are Those Shoes You Ordered? Check the Ocean Floor (David Lesher)
Cautionary story about cryptocurrencies, apps, security... (Gabe Goldberg)
Energy-harvesting card treats 5G networks as wireless power grids (NewAtlas)
Yet another 5G attack vector (Rob Slade)
Re: No good evidence that 5G harms humans, new studies find (Douglas Lucas)
Re: Cybersecurity in retrospect: not good! (Dick Mills)
Re: How far should humans go to help species adapt? (Bob Wilson)
Re: Too much choice is hurting America (Sam Steingold)
Re: Risk transfer and Doordash (John Levine)
TikTok Does Not Pose Overt Threat to U.S. National Security (Eva Xiao)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 30 Mar 2021 10:47:11 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: April No-Fools' Day? No fooling!

With all the worldwide rampant disinformation, this year RISKS is attempting to eschew intentional foolishness on April Fools' Day. However, this issue is full of unintentional folly -- which is normally our standard fare.

Walt Kelly's Pogo might once have said about April Fools' Day, "We have met the fools, and they are us." There are of course still a lot of fools believing wild conspiracy theories. But might the fools be many people who do not read RISKS? I would like to believe that after more than 36 years, our readership is continually becoming more enlightened.

However, please read the next item carefully. It starts out (a) as an April Fools piece, but (b) then changes its mind and is not.

------------------------------

Date: Sun, 28 Mar 2021 10:51:04 -0800
From: Rob Slade <rmslade@shaw.ca>
Subject: Post-vaccine guidance

Many people are concerned that health authorities, while working diligently to ensure vaccine rollout is as fast and as smooth as possible, have not given clear and specific guidance to those who *have* been vaccinated as to when they can resume normal activities, and which activities are permitted, at which point, once they have received vaccinations. The following is a chapter that was somehow missed from the printed edition of "Cybersecurity Lessons from CoVID-19," and is an attempt to fill that gap.

As many will know, receipt of the vaccine shot does not immediately confer full immunity or protection.
There is a delay while the body reacts to the vaccine, and builds up antibody defences. In the case of most vaccines, this build-up of protection takes between three weeks and a month. Most of the vaccine candidates also benefit from, but do not necessarily require, a booster shot. This second shot can slightly increase the level of protection against the infection, and tends to make the protection last for a longer period of time.

There are few changes in routine and protective behaviour, therefore, immediately following receipt of the shot. Those vaccinated are, however, cautioned against celebrating receipt of the vaccine with breakdancing, since medical staff will be watching closely, in the first fifteen minutes after vaccine administration, for signs of Adverse Effects From Immunization (AEFIs), and may falsely report high levels of seizures. Also be advised that referring to a large vaccination facility as a "mass shooting site" will not be appreciated by staff.

You may have heard of variants of concern. For those who have not yet been vaccinated, you should also be aware that there are also vaccines of concern. Do be cautious in terms of the vaccine that you are offered. "Sputnick," "Phiser," or "Modern" brand vaccine is unlikely to be effective, nor is anything manufactured by "Joe's Vaccines-Backwards-R-Us and Autobody." If someone offers you P.1, note that this is not a vaccine, but either the virus itself, or a fictional computer virus from a book by Thomas J. Ryan.

Since protection does take time to build, please do not immediately discard your facemask on the floor of the facility with loud exclamations of "Well thank [deity of your choice] *THAT'S* over with!" as you leave. Please continue masking, as usual, for at least a month after receipt of the vaccine. (Between weeks three and four it *is* permissible to wear your mask under your nose.)
If you wish to ceremonially burn your facemask after the full month has passed, please ensure you do so in a well-ventilated area away from dry vegetation, and remove all plastic and rubber components first and discard in appropriate recycling bins.

Currently, for unvaccinated individuals, gatherings are restricted to households or a designated "safe six." Three weeks after initial vaccination, you may introduce a seventh person, but only someone that none of you really like. After four weeks, you may introduce one additional vaccinated person per week, as long as they sit more than six feet or two metres away, which distancing can be reduced by one foot (thirty centimetres) per week. (If that additional person has received a different vaccine from the one you received, please add an additional four inches [ten centimetres] of distance.)

Once you have received your second vaccine shot, you may engage in board games with people who have received only their first shot, but only if the board and all pieces are sprayed with disinfectant after each move.

As vaccines have been priorized for those in older age categories, there will be situations where grandparents have been vaccinated, but their children and grandchildren have not. If the grandparents have had both shots, then they may visit if their children (parents of the grandchildren) have had at least one shot, and may have some contact with grandchildren, but should avoid "lifting" games, especially if the grandchildren weigh more than fifty pounds. As most vaccines are not yet approved for children under the age of sixteen, contact with the grandchildren should be limited to a gentle pinch on the cheek and the comment, "My, aren't you getting big!" (Both cheek and fingers should be sanitized immediately after.)

Children may attend school, as studies show that transmission rates within schools are lower than in the general community.
(Parents and grandparents are warned that they will not be allowed to live in schools until full vaccination is achieved.)

In terms of intimate relationships, you may engage in short affairs between the receipt of your initial shot and your booster shot, but do not enter into any relationship likely to extend beyond the date for your second shot.

Weddings and other large gatherings may slowly resume, with restrictions. If both bride and groom are unvaccinated, the ceremony is limited to ten people, outdoors. If both bride and groom have had their first vaccination, the ceremony is limited to ten people, indoors. If the bride and groom have had vaccinations from different manufacturers, the ceremony may be held indoors, but the centre aisle must be at least three metres wide. If all guests have had both shots, the ceremony may be held with 50 guests. Any guests who have had only one vaccine are limited to no more than 15, and must be at least four rows back from those who have had both shots. If the groom and the groom have both had their shots from the same manufacturer, and all the guests have as well, and there is at least one Catholic in the guest list who has had both shots *and* has been sprinkled with holy water, please contact the Vatican medical office for the proper protocol.

Children's birthday parties with large numbers of children and all parents in attendance should only be planned if you do not intend to hold a similar party with the same guests next year.

Medical guidance is that handwashing should continue after receipt of the first vaccine, but you can reduce the time taken by leaving off the last line of the second repetition of the "Happy Birthday" song. After receipt of the booster shot, you should continue handwashing, but you don't have to scrub under your finger-nails. Two weeks after receipt of the second shot, you may eat chili with your bare hands and rub them dry on your pants.
Two weeks after receipt of the second vaccine shot, decisions about being in enclosed spaces are best left to you and your claustrophobia therapist.

In terms of travel, road trips in the family car are seen as safer than air travel or other forms of mass transit. Leaving the car for meals, recreation, or nightly housing increases the risk, so it is recommended that you just drive to the various locations you want to visit, and not leave the car for any reason until you return home. Note that the kids continually asking "Are we there yet?" will not be accepted as a valid excuse for killing them.

In regard to travel, as well as other activities, some may wish to obtain a "vaccine passport." Well, you can't. At least not one that will be recognized as a passport at pretty much any border control. Many people will be willing to sell you a vaccine passport, or a vaccine certificate, sometimes even if you haven't been vaccinated! Almost nobody will be willing to accept such a passport or certificate. A true vaccine certificate will include the date and time of your vaccination, the maker of your vaccine, the batch number, your name, medical history, and medical insurance information, the name, phone number, and digital signature of the person who registered you for the vaccine certificate, the name, phone number, medical certificate, and proof of non-membership in an anti-vaxxer organization of the person who reconstituted your shot, and the name, number, and a decent picture with the eyes not *too* squidged shut of the person who gave you the shot. Note that non-Chinese vaccine certificates will not be accepted in China.

Remember that no vaccine provides 100% protection. Two weeks after the second dose, with a month between first and second doses, Pfizer provides 95%, Moderna provides 94%, and AstraZeneca provides 60%, 69%, 76%, 79%, 89%, or 100%, depending upon how many AstraZeneca press releases you have read.
Reading AstraZeneca press releases increases protection, but at the expense of a risk of increased anxiety. Those taking the AstraZeneca vaccine following a full regime of AstraZeneca press releases are advised to combine it with Xanax, and one low-dose or "baby" aspirin. (Medical guidance is that AstraZeneca press releases are not recommended for children under the age of five.)

In terms of other activities, please be advised that, following administration of the vaccine, you will *not* be able to play the bagpipes unless you could play them before you were vaccinated.

For further details or clarification of these recommendations, please see https://xkcd.com/2434/

The foregoing is, of course, an "April Fools" piece, and not actual medical advice. (If it *had* been medical advice, of course, you would have been charged more.)

However, yesterday, as I wrote this, and a few days ago, as you read this, events forced me to reconsider and add a little bit.

I had no sooner sent this off to Peter for RISKS than I started on my, pretty much daily, trip to the library and the mall. I never got to the library because it was surrounded by police. Someone had gone on a rampage, stabbing at least six people and sending them to hospital. At least one has died.

The municipality where I live is part of the fairly cosmopolitan city of Vancouver, but has the feel of a small town. The neighbourhood where I reside is even more protected. It is in a kind of pocket on the side of the mountain, and even wind storms seem to pass over it, so it is very much the type of place where people would say, "yeah, we see things like that on the news, but they never happen *here*."

The suspect is, apparently, "known to police" and has a record. Nobody has yet mentioned "mental issues," but you can almost hear the reporters keeping themselves from saying it. (Which is not, of course, a reason for attacks: I've fought my own "mental issues" for fifty years. But that's another topic.)
We probably won't ever know the real reason for the attack, but I have to suspect that media reports of mass shootings over the past weeks contributed.

We have all been in a pandemic, and under various restrictions, from handwashing to lockdowns, for over a year now. CoVID fatigue is real, and it seems to be encouraging us to do some pretty awful things. I have been extremely disappointed by the move of racism from covert and pernicious to overt, vociferous, and even demanding. The almost complete collapse of any kind of civility in American political discourse is terrifying. The economy seems to have, almost automatically, made the rich richer, and the poor poorer, widening the inequity gap. The pandemic seems to have magnified all that is worst about our society.

I hope that the beginning of this piece was, at least, amusing, and possibly provides a bit of a break for you in these dark times. The vaccines do provide us with a "light at the end of the tunnel" (which is a phrase I most often associate with the lights of an oncoming train). While even the vaccines, as a limited resource, have created tensions and problems, I hope that, within months, they will make a significant difference to the over-arching pandemic problems.

In the meantime, keep to the precautions for a little longer. Wash your hands, wear a mask, maintain distance, don't have or go to parties or events. When you can, without jumping any queues, get vaccinated. See you all on Zoom when there is an opportunity, and in person, hopefully, by the fall.

Oh, one more thing. The day before April Fools day, 31 Mar, is apparently World Backup Day. http://www.worldbackupday.com/en/

I'm very big on backups. We give them lip service, but we don't do them as often as we should. I wrote the first part of this piece over several days, keeping it up on the system I was using to write it. As is often the case with something I'm working on, I made a separate backup.
And, as blind, random chance would have it, the system I was writing it on had a hiccup and collapsed, taking the piece with it. But, I recovered the backup, and all was well.

Now go make a backup. And, while it's completing, wash your hands.

------------------------------

Date: Thu, 1 Apr 2021 08:41:04 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Errors ruin 15 million doses of Johnson & Johnson's COVID-19 vaccine (The Verge + NYTimes)

Johnson & Johnson Covid-19 vaccine is delayed by a U.S. factory mixup. A manufacturer in Baltimore accidentally conflated the ingredients for two different coronavirus vaccines, officials say.

https://www.theverge.com/coronavirus/2021/3/31/22361028/johnson-covid-vaccine-error-ruin-doses
https://www.nytimes.com/2021/03/31/world/johnson-and-johnson-vaccine-mixup.html

------------------------------

Date: Tue, 30 Mar 2021 07:24:30 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Dark web bursting with COVID-19 vaccines, vaccine passports (Ars Technica)

  [Fake vaccines. Unrefrigerated vaccines. Fake vaccination cards. Train wreck. LW]

https://arstechnica.com/tech-policy/2021/03/dark-web-bursting-with-covid-19-vaccines-vaccine-passports/

------------------------------

Date: Sun, 28 Mar 2021 09:53:05 -1000
From: Geoff goodfellow <geoff@iconia.com>
Subject: New York launches nation's first 'vaccine passports'

Others are working on similar ideas, but many details must be worked out.

Starting Friday, New Yorkers will be able to pull up a code on their cell phone or a printout to prove they've been vaccinated against COVID-19 or recently tested negative for the virus that causes it.

The first-in-the-nation certification, called the Excelsior Pass, will be useful first at large-scale venues like Madison Square Garden, but next week will be accepted at dozens of event, arts and entertainment venues statewide. It already enables people to increase the size of a wedding party, or other catered event.

The app, championed by Gov.
Andrew Cuomo to support the recovery of industries most affected by the pandemic, is funded by the state and available for free to businesses and anyone with vaccination records or test results in New York.

Like an airline boarding pass, people will be able to prove their health status with a digital QR code -- or "quick response" machine-readable label. They'll need to download the Excelsior Pass app, enter their name, date of birth, zip code and answer a series of personal questions to confirm their identity. The data will come from the state's vaccine registry and also will be linked to testing data from a number of pre-approved testing companies.

The New York system, built on IBM's digital health pass platform <https://www.ibm.com/products/digital-health-pass>, is provided via blockchain technology, so neither IBM nor any business will have access to private medical information. An entertainment venue will simply scan the QR code and get a green check or a red X.

The new pass is part of a growing but disjointed effort to provide vaccine "passports" or certifications, so people won't have to hang onto a dog-eared piece of paper, worry about privacy issues or forgeries, or fork over extra cash to prove they're not contagious. [...]

https://www.usatoday.com/story/news/health/2021/03/26/covid-vaccine-passports-new-york-first-vaccination-proof-system/6976009002/

------------------------------

Date: Tue, 30 Mar 2021 09:15:12 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Vaccine passports

Unfortunately, the probability that the array of proposed "vaccine passport" systems could lead to massive new government and private tracking of individuals, and a de facto "national ID" system, is substantial. So far I do not see an obvious path that is not ripe for abuses. And one way or another, the odds of complex litigation on this topic seem very high.

------------------------------

Date: Tue, 30 Mar 2021 13:27:39 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: New Covid vaccines needed globally within a year, say scientists (The Guardian)

*Survey of experts in relevant fields concludes that new variants could arise in countries with low vaccine coverage*

[...]

https://www.theguardian.com/world/2021/mar/30/new-covid-vaccines-needed-within-year-say-scientists

------------------------------

Date: Tue, 30 Mar 2021 14:03:52 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Child tweets gibberish from U.S. nuclear-agency account (BBC News)

A young child inadvertently sparked confusion over the weekend by posting an unintelligible tweet to the official account of US Strategic Command.

https://www.bbc.com/news/technology-56578544

Risks? Technology + children

------------------------------

Date: Wed, 31 Mar 2021 11:11:28 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Fooling facial recognition (The Register)

Two tricksters in China have fooled the state's massive facial recognition system. Temporarily, anyway.

https://www.theregister.com/2021/03/31/tax_scammers_fool_ai_facial_recognition

It's really interesting to look at this story and see the implications