RISKS-LIST: Risks-Forum Digest  Sunday 17 October 2021  Volume 32 : Issue 90

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.90>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Keyword warrants (NY Post)
Security risks of insulin pumps (Healio)
The FDA Should Better Regulate Medical Algorithms (Scientific American)
Apple's App Tracking Transparency circumvented by some apps
 (LockDownPrivacy)
Special Report: How AT&T helped build far-right One America News (Reuters)
Missouri governor accuses journalist who warned state about cybersecurity
 flaw of criminal ‘hacking’ (WashPost)
Trans man says confusion caused cervical screening delay (BBC News)
How the WhatsApp Outage Hurt Small Businesses in India (Slate)
Expensive hotel room!!! (Jonathan M. Gitlin)
Hyperbole (Lauren Weinstein)
Google Chat spam? (Rob Slade)
Dubai’s Ruler Hacked Phones of His Ex-Wife and Her Lawyers, UK Court Says
 (NYTimes)
Bugs in our Pockets: The Risks of Client-Side Scanning (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 6 Oct 2021 20:07:17 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Keyword warrants (NYPost)

The U.S. federal government is secretly ordering Google and other search
engines to track and provide data on anyone who searches certain terms
through *keyword warrants*, according to a new report.

In recent years, only two such warrants have been made public, but
accidentally *unsealed court documents obtained by Forbes* show the
government has been making these requests far more frequently.  [...]
<https://www.forbes.com/sites/thomasbrewster/2021/10/04/google-keyword-warrants-give-us-government-data-on-search-users/?sh=62af27647c97>

https://nypost.com/2021/10/06/us-government-ordering-search-engines-to-provide-search-data/

------------------------------

Date: Wed, 6 Oct 2021 19:25:51 +0000
From: "Judith Hemenway" <Judith@divingturtle.com>
Subject: Security risks of insulin pumps (Healio)

https://www.healio.com/news/endocrinology/20211006/medtronic-expands-recall-of-insulin-pump-controllers-due-to-cybersecurity-risks?utm_source=selligent&utm_medium=email&utm_campaign=news&M_BT=7416989536009

------------------------------

Date: Fri, 8 Oct 2021 11:18:31 +0800
From: "Richard Stein" <rmstein@ieee.org>
Subject: The FDA Should Better Regulate Medical Algorithms (Scientific American)

https://www.scientificamerican.com/article/the-fda-should-better-regulate-medical-algorithms/

"Medical algorithms are used across the health care spectrum to diagnose
disease, offer prognosis, monitor patients’ health and assist with
administrative tasks such as scheduling patients. But recent news in the
U.S. is filled with stories of these technologies running amok. From sexual
trauma victims being unfairly labeled as “high-risk” by substance-abuse-
scoring algorithms to diagnostic algorithms failing to detect sepsis cases
in more than 100 health systems nationwide to clinical decision support
(CDS) software systematically discriminating against millions of Black
patients by discouraging necessary referrals to complex care—this problem
abounds. And it extends our pandemic as well. In a review of 232
machine-learning algorithms designed to detect COVID-19, none were of
clinical use.

"The kicker: most of these algorithms did not require FDA approval, and the
ones that did often were not required to conduct clinical trials."

The FDA's 510(k) regulatory process promotes medical innovations by
establishing a broadened definition of "device similarity" -- if the newest
form of a medical device is not too different from the old, approval for
deployment and use is given without significant qualification trial for
effectiveness or safety.

The 510(k) process has been abused by medical device manufacturers,
especially those based on computer technology. Patients that rely on
embedded applications (pacemakers, cardiodefibrillators, drug infusers,
continuous glucose monitors, etc.) and diagnostic systems (X-rays, MRI,
blood chemistry analyzers, etc.) are constantly exposed to adverse product
events documented as malfunctions, injuries, and deaths. Adverse events also
contribute to inconvenience that consumers and insurers underwrite through
lost time and expense.

Failure to minimize software defect escape exposes patient populations to
unnecessary and avoidable technological risks. Reforming the 510(k) process
by subjecting algorithmic qualification efforts to broad public scrutiny
(e.g., open source inspection) can suppress product defect escape potential.

------------------------------

Date: Sat, 9 Oct 2021 16:29:26 +0200
From: "Anthony Thorn" <anthony.thorn@atss.ch>
Subject: Apple's App Tracking Transparency circumvented by some apps
 (LockDownPrivacy)

Apple’s so-called App Tracking Transparency initiative has not stopped all
tracking.  Testing by Johnny Lin and Sean Halloran of "Lockdown Privacy"
showed that apps are using "Fingerprinting" to track users.

https://blog.lockdownprivacy.com/2021/09/22/study-effectiveness-of-apples-app-tracking-transparency.html

https://www.washingtonpost.com/technology/2021/09/23/iphone-tracking/

"To find out what happens when you tap “ask app not to track,” Lockdown says
it tested ten popular apps on an iPhone running iOS 14.8 and again with the
newest iOS 15, analyzing what personal information flowed out of them.

As part of a technical change that arrived with iOS 14.5, the apps were
no longer able to access one valuable piece of data: a kind of social
security number for your iPhone, known as the ID for Advertisers, or
IDFA. But there’s other information that can identify your phone beyond
that number. [...]"

For example:

The app "Subway Surfers starts sending an outside ad company called
Chartboost 29 very specific data points about your iPhone, including your
Internet address, your free storage, your current volume level (to 3 decimal
points) and even your battery level (to 15 decimal points).  It’s the kind
of unique data that could be used by advertisers to identify your iPhone,
possibly letting them know what other apps you use or how to target you."
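As an added illustration (not code from the Lockdown Privacy study or the article), the script below takes a constructed population of simulated phones and measures how much identifying information one high-precision attribute such as battery level carries, and how reporting it at coarser precision shrinks that information; the device values, the 2000-device population and the three-attribute fingerprint are all assumptions for the demonstration.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed sample population (not measurements from the study): 2000
# simulated phones with random values for three of the attributes the
# article names. Volume and battery are fractions in [0, 1).
def make_devices(n=2000, seed=7):
    rng = random.Random(seed)
    return [
        {
            "ip": f"203.0.113.{rng.randrange(256)}",  # RFC 5737 documentation range
            "volume": rng.random(),
            "battery": rng.random(),
        }
        for _ in range(n)
    ]

def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def attribute_stats(devices, key, digits):
    """Entropy of one attribute and the fraction of devices it singles out,
    when the attribute is reported with `digits` decimal places."""
    vals = [f"{d[key]:.{digits}f}" for d in devices]
    counts = Counter(vals)
    unique = sum(1 for v in vals if counts[v] == 1) / len(vals)
    return entropy_bits(vals), unique

def fingerprint(dev, volume_digits, battery_digits):
    """Hash the attribute tuple into one stable identifier, the way a tracker
    combines many data points into a device ID once the IDFA is gone."""
    parts = (dev["ip"],
             f"{dev['volume']:.{volume_digits}f}",
             f"{dev['battery']:.{battery_digits}f}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

def unique_fraction(devices, volume_digits=3, battery_digits=15):
    """Share of devices whose combined fingerprint is unique in the population."""
    fps = [fingerprint(d, volume_digits, battery_digits) for d in devices]
    counts = Counter(fps)
    return sum(1 for f in fps if counts[f] == 1) / len(fps)

if __name__ == "__main__":
    devs = make_devices()
    for digits in (15, 3, 2, 0):
        e, u = attribute_stats(devs, "battery", digits)
        print(f"battery @ {digits:2d} decimals: {e:5.2f} bits, {u:.1%} unique")
    print("fingerprint unique (volume 3 dp, battery 15 dp):", unique_fraction(devs))
    print("fingerprint unique (both 0 dp):", unique_fraction(devs, 0, 0))
```

At 15 decimal places every simulated battery reading is unique on its own (about 11 bits over 2000 devices), while whole-percent precision leaves only a couple of bits, which is why the precision an OS exposes to apps matters as much as whether it hands out an explicit advertising ID.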

------------------------------

Date: Sun, 10 Oct 2021 22:25:24 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Special Report: How AT&T helped build far-right One America News
 (Reuters)

As it lauded former President Donald Trump and spread his unfounded claims
of election fraud, One America News Network saw its viewership jump. Reuters
has uncovered how America’s telecom giant nurtured the news channel now at
the center of a bitter national divide over politics and truth.

https://www.reuters.com/investigates/special-report/usa-oneamerica-att/

------------------------------

Date: Fri, 15 Oct 2021 16:18:30 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Missouri governor accuses journalist who warned state about
 cybersecurity flaw of criminal ‘hacking’ (WashPost)

Free press advocates called Gov. Mike Parson's comments against a St. Louis
Post-Dispatch journalist "absurd."

When a St. Louis Post-Dispatch journalist discovered that the Missouri state
teachers website allowed anyone to see the Social Security numbers of some
100,000 school employees, he did what any reporter might do. He published a
story about the security vulnerability — though not before warning the state
and giving it time to remove the affected webpages.

Another official might have thanked the newspaper for spotting the flaw and
giving a heads-up before publicizing it — or at least downplayed what
appears to be an embarrassing government mishap. But Missouri Gov.  Mike
Parson (R) did the opposite: He called the journalist “a hacker” who may
face civil or criminal charges for “decod[ing]” HTML code on the Department
of Elementary and Secondary Education website and viewing three Social
Security numbers.

The journalist was “acting against the state agency to compromise teachers’
personal information in an attempt to embarrass the state and sell headlines
for their news outlet,” Parson announced Thursday. He said that he had
referred the case to the Cole County prosecutor and the Missouri State
Highway Patrol’s Digital Forensic Unit.

The announcement immediately drew appalled reactions from The Post-Dispatch
and other journalistic organizations.

“We stand by our reporting and our reporter who did everything right,” Ian
Caso, president and publisher of The Post-Dispatch, said in a
statement. “It’s regrettable the governor has chosen to deflect blame onto
the journalists who uncovered the website’s problem and brought it to DESE’s
attention.”

Committee to Protect Journalists’ U.S. and Canada program coordinator
Katherine Jacobsen called Parson’s legal threats “absurd.”

“Using journalists as political scapegoats by casting routine research as
‘hacking’ is a poor attempt to divert public attention from the government’s
own security failing,” she told The Washington Post in an email.

https://www.washingtonpost.com/media/2021/10/14/mike-parson-st-louis-post-dispatch-hacker/

------------------------------

Date: Mon, 4 Oct 2021 13:29:24 +0200
From: Jane Muir <jmuir2048@gmx.co.uk>
Subject: Trans man says confusion caused cervical screening delay (BBC News)

A transgender man (i.e., someone who was born female and subsequently
transitioned gender) was registered with his medical practice and the UK
National Health Service as male. Having a vagina and cervix, he arranged a
cervical screening test (US: Pap test).  When the test results came back
suggesting abnormalities, the hospital follow up checks were significantly
delayed by confusion over why a man needed cervical cancer checks.

https://www.bbc.co.uk/news/uk-england-humber-58515769

In fact the patient had also had to take the initiative to arrange the
original screening. NHS England policy for cervical screening is that those
between 25 and 64 registered with a GP as female will be routinely invited
for cervical screening, those registered as male won't. Transgender men can
contact their GP to arrange to book a screening. Transgender men are not
routinely invited to cervical screening checks and might not arrange their
own.  To be clear about terminology, according to the World Health
Organisation, `gender' is used to describe the characteristics of women and
men that are socially constructed, while `sex' refers to those that are
biologically determined. People are born female or male, but learn to be
girls and boys who grow into women and men. This learned behaviour makes up
gender identity and determines gender roles.

A data field intended for one purpose, recording biological sex, is
being used to record something else (gender identity) for a small number of
patients while using exactly the same coding. There does not appear to be a
field that would disambiguate the two usages. A person or automated system
reading the record cannot distinguish them immediately without reading
background notes or accompanying letters.

The risk: Records that conflate biological sex with gender identity can
result in people having essential health checks compromised or missed
altogether.

------------------------------

Date: Wed, 6 Oct 2021 09:31:24 -0700
From: "Lauren Weinstein" <lauren@vortex.com>
Subject: How the WhatsApp Outage Hurt Small Businesses in India (Slate)

When Facebook went down, it took Instagram and WhatsApp with it. -L

https://slate.com/technology/2021/10/whatsapp-facebook-instagram-outage-india-startups.html?via=rss

------------------------------

Date: Sun, 3 Oct 2021 17:56:52 +0900
From: "Dave Farber" <farber@gmail.com>
Subject: Expensive hotel room!!! (Jonathan M. Gitlin)

Jonathan M. Gitlin (8 Jun 2019)
NASA will allow private astronauts on the ISS for $11,250-$22,500 a day
The space agency wants to create a sustainable economy in low Earth orbit.

[Photo caption: The forward end of the International Space Station is
pictured showing portions of five modules. From right to left is a portion of
the U.S. Destiny laboratory module linking forward to the Harmony module.
Attached to the port side of Harmony (left foreground) is the Kibo laboratory
module from the Japan Aerospace Exploration Agency (JAXA) with its logistics
module berthed on top. On Harmony's starboard side (center background) is the
Columbus laboratory module from ESA (European Space Agency). Credit: NASA]

On Thursday morning, NASA held a press conference to announce that the
International Space Station is now open for business. Previously, commercial
organizations have only been able to use the ISS for research purposes; now
NASA is open to letting them make a profit in low Earth orbit (LEO). "We're
marketing these opportunities as we've never done before," said NASA's Chief
Financial Officer Jeff DeWitt earlier today.

For starters, the space agency issued a new directive that allows commercial
manufacturing and production to occur on the ISS, as well as marketing
activities. It's not quite "anything goes," though—approved activities have
to have a link to NASA's mission, stimulate the development of a LEO
economy, or actually require a zero-G environment. NASA has published a
price list for the ISS, and it's setting aside five percent of the station's
annual resources (including astronaut time and cargo mass) for commercial
use.

------------------------------

Date: Tue, 5 Oct 2021 10:06:53 -0700
From: "Lauren Weinstein" <lauren@vortex.com>
Subject: Hyperbole

So now they're comparing Facebook with cigarettes and opioids. For the
record, similar accusations were made against comic books and horror movies
in their day. Here we go again.

------------------------------

Date: Mon, 11 Oct 2021 11:53:14 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Google Chat spam?

Recently I've been getting a whole bunch of requests, from people I don't
know, to join "chats" via Google Chat.  (I don't yet know Google Chat, but I
assume that it is an evolution of Duo?)

I assume this is some kind of fraud or phishing, possibly a version of
419/advance fee fraud.  Anybody have any additional details?  (I don't have
time to explore it by joining the chats, but does anyone know if there are
any malware vulnerabilities?)

------------------------------

Date: Wed, 6 Oct 2021 17:52:54 -0400
From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
Subject: Dubai’s Ruler Hacked Phones of His Ex-Wife and Her Lawyers,
 UK Court Says (NYTimes)

When the hyper-wealthy ruler of the Middle Eastern emirate of Dubai found
himself embroiled in a British court case with the Jordanian princess who
was once his wife, he did more than hire top-shelf lawyers.

He also deployed high-tech software purchased from an Israeli company to
hack the cellphones of his ex-wife, two of her lawyers and three other
associates, according to court documents made public on Wednesday.

https://www.nytimes.com/2021/10/06/world/europe/dubai-sheik-hacked-phones-ex-wife-uk.html

------------------------------

Date: Thu, 14 Oct 2021 20:32:58 -0400
From: Peter G Neumann <Neumann@CSL.SRI.COM>
Subject: Bugs in our Pockets: The Risks of Client-Side Scanning

Title: Bugs in our Pockets: The Risks of Client-Side Scanning
Authors: Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt
  Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald
  L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague and Carmela
  Troncoso

http://arxiv.org/abs/2110.07450
Comments: 46 pages, 3 figures
License: http://creativecommons.org/licenses/by/4.0/

Our increasing reliance on digital technology for personal, economic, and
government affairs has made it essential to secure the communications and
devices of private citizens, businesses, and governments. This has led to
pervasive use of cryptography across society. Despite its evident
advantages, law enforcement and national security agencies have argued that
the spread of cryptography has hindered access to evidence and
intelligence. Some in industry and government now advocate a new technology
to access targeted data: client-side scanning (CSS). Instead of weakening
encryption or providing law enforcement with backdoor keys to decrypt
communications, CSS would enable on-device analysis of data in the clear. If
targeted information were detected, its existence and, potentially, its
source, would be revealed to the agencies; otherwise, little or no
information would leave the client device. Its proponents claim that CSS is
a solution to the encryption versus public safety debate: it offers privacy
-- in the sense of unimpeded end-to-end encryption -- and the ability to
successfully investigate serious crime. In this report, we argue that CSS
neither guarantees efficacious crime prevention nor prevents
surveillance. Indeed, the effect is the opposite. CSS by its nature creates
serious security and privacy risks for all society while the assistance it
can provide for law enforcement is at best problematic. There are multiple
ways in which client-side scanning can fail, can be evaded, and can be
abused.

RELATED COMMENTARY:

https://www.theguardian.com/world/2021/oct/15/apple-plan-scan-child-abuse-images-tears-heart-of-privacy

From Ross Anderson:
https://www.lightbluetouchpaper.org/2021/10/15/bugs-in-our-pockets/
The report is also at https://www.cl.cam.ac.uk/~rja14

From Susan Landau <susan.landau@privacyink.org>
https://www.lawfareblog.com/bugs-our-pockets-risks-client-side-scanning

From Bruce Schneier:
https://www.schneier.com/blog/archives/2021/10/security-risks-of-client-side-scanning.html

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.90
************************