Subject: Risks Digest 32.08

RISKS-LIST: Risks-Forum Digest  Tuesday 7 July 2020  Volume 32 : Issue 08

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.08>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
No Injuries In Red Line Metro Derailment Outside Silver Spring (DCist)
In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)
Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)
Supreme Court bans debt collection robocalling to cellphones (TypePad)
Goodbye to the Wild Wild Web (NYTimes)
Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)
Risks of Editing Wikipedia (Aida Chavez)
Not so random acts: Science finds that being kind pays off (APNews)
How my dad got scammed for $3,000 worth of gift cards (Zachary Crockett)
Japanese startup creates 'connected' face mask for coronavirus new normal
  (Reuters)
What we need is social-media distancing (Spectator)
Early Covid-19 tracking apps easy prey for hackers, and it might get worse
  before it gets better (Jumbo Privacy)
Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers
  (Keith Medcalf)
Re: Jane Goodall on conservation, climate change and COVID-19 (CBS News,
  Dennis Allison)
Re: A Doctor Confronts Medical Errors (Amos Shapir)
Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water
  System (Bill Matthews)
Quote of The Day (Calvin Coolidge)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 7 Jul 2020 17:49:41 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: No Injuries In Red Line Metro Derailment Outside Silver Spring (DCist)

The Washington Metrorail Safety Commission, the independent body overseeing Metro safety, says its preliminary investigation found the operator ran a red signal, which has been a fireable offense in previous instances.

How can modern trains run red signals? Even without Positive Train Control, automatic stop-on-red has been around for a long time. That seems better than firing after offenses.

https://dcist.com/story/20/07/07/first-two-cars-of-wmata-train-comes-off-tracks-outside-silver-spring-no-serious-injuries/

------------------------------

Date: Tue, 7 Jul 2020 12:11:49 -0400
From: Monty Solomon <monty@roscom.com>
Subject: In Hong Kong, a Proxy Battle Over Internet Freedom Begins (NYTimes)

As the city grapples with new restrictions on online speech, American tech giants are on the front line of a clash between China and the United States over the Internet's future.

https://www.nytimes.com/2020/07/07/business/hong-kong-security-law-tech.html

------------------------------

Date: Tue, 7 Jul 2020 17:26:21 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Looks Like Russian Hackers Are on an Email Scam Spree (WiReD)

A group dubbed Cosmic Lynx uses surprisingly sophisticated methods -- and targets big game.

For years, costly email grifts have largely been the provenance of West African scammers, particularly those based in Nigeria <https://www.wired.com/story/feds-bust-nigerian-email-scammers/>. A newly discovered "business email compromise" campaign, though, appears to come from a criminal group in a part of the world better known for a different brand of online mayhem: Russia.
Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles. The researchers, who have worked extensively on tracking Nigerian BEC scammers, say they don't have a clear sense of how often Cosmic Lynx actually succeeds at obtaining a payout. Given that the group hasn't lowered its asks in a year, though, and has been prolific about developing new campaigns -- including some compelling Covid-19–related scams -- Agari reasons that Cosmic Lynx must be raking in a fair amount of money.

https://www.wired.com/story/russian-hackers-email-scams/

------------------------------

Date: Tue, 7 Jul 2020 10:23:14 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Supreme Court bans debt collection robocalling to cellphones (TypePad)

https://pubcit.typepad.com/clpblog/2020/07/supreme-court-bans-debt-collection-robocalling-to-cellphones.html
https://pubcit.typepad.com/clpblog/2020/07/severability-to-the-rescue-again-a-further-note-on-todays-supreme-court-robocalling-decision.html
https://www.supremecourt.gov/opinions/19pdf/19-631_2d93.pdf

------------------------------

Date: Fri, 3 Jul 2020 15:58:26 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Goodbye to the Wild Wild Web (NYTimes)

The Internet is changing, and the freewheeling, anything-goes culture of social media is being replaced by something more accountable.

https://www.nytimes.com/2020/07/02/technology/goodbye-to-the-wild-wild-web.html

------------------------------

Date: Sat, 4 Jul 2020 17:18:04 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Encrypted Phone Network of Mob is Hacked in Europe (Adam Nossiter)

Adam Nossiter, *The New York Times*, 3 July 2020

Paris -- The police in Europe arrested hundreds of people on suspicion of drug trafficking and other crimes, after successfully hacking into an encrypted phone network being used by organized criminals around the world. Millions of messages were read in real time. PGN-ed

------------------------------

Date: Sat, 04 Jul 2020 06:56:17 -0700
From: Henry Baker <hbaker1@pipeline.com>
Subject: Risks of Editing Wikipedia (Aida Chavez)

[Right on cue re: Orwell, from the Ministry of Truth (Minitrue).. HB]

Aida Chavez, The Intercept, 2 Jul 2020
https://theintercept.com/2020/07/02/kamala-harris-wikipedia/

There's a War Going On Over Kamala Harris's Wikipedia Page, with Unflattering Elements Vanishing

California Democratic Sen. Kamala Harris is widely seen as a frontrunner for a spot on the ticket with presumptive nominee Joe Biden, with vetting well underway. Presidential vetting operations have entire teams of investigators, but for the public, when the pick is announced, the most common source for information about the person chosen is Wikipedia. And there, a war has broken out over how to talk about Harris's career.

[Long item pruned for RISKS by your moderator, who notes that what was on Wikipedia for me for many years was way out of date. I just checked for the first time in several years and see that the earlier version has been considerably updated! Many thanks to whomever had the patience to do that. PGN]

------------------------------

Date: Sun, 5 Jul 2020 01:16:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Not so random acts: Science finds that being kind pays off

Acts of kindness may not be that random after all. Science says being kind pays off.

Research shows that acts of kindness make us feel better and healthier. Kindness is also key to how we evolved and survived as a species, scientists say.
We are hard-wired to be kind.  [But apparently not for all values of "we".  PGN]

Kindness ``is as bred in our bones as our anger or our lust or our grief or as our desire for revenge,'' said University of California San Diego psychologist Michael McCullough, author of the forthcoming book, *Kindness of Strangers*. It's also, he said, ``the main feature we take for granted.''

Scientific research is booming into human kindness and what scientists have found so far speaks well of us.

``Kindness is much older than religion. It does seem to be universal,'' said University of Oxford anthropologist Oliver Curry, research director at Kindlab. ``The basic reason why people are kind is that we are social animals.''

We prize kindness over any other value. When psychologists lumped values into ten categories and asked people what was more important, benevolence or kindness comes out on top, beating hedonism, having an exciting life, creativity, ambition, tradition, security, obedience, seeking social justice and seeking power, said University of London psychologist Anat Bardi, who studies value systems.

``We're kind because under the right circumstances we all benefit from kindness,'' Oxford's Curry said.

When it comes to a species' survival, ``kindness pays, friendliness pays,'' said Duke University evolutionary anthropologist Brian Hare, author of the new book *Survival of the Friendliest* <https://amzn.to/2NS4JDs>.

Kindness and cooperation work for many species, whether it's bacteria, flowers or our fellow primate bonobos. The more friends you have, the more individuals you help, the more successful you are, Hare said.

For example, Hare, who studies bonobos and other primates, compares aggressive chimpanzees, which attack outsiders, to bonobos where the animals don't kill but help out strangers. Male bonobos are far more successful at mating than their male chimp counterparts, Hare said.

McCullough sees bonobos as more the exceptions. Most animals aren't kind or helpful to strangers, just close relatives, so in that way it is one of the traits that separate us from other species, he said. And that, he said, is because of the human ability to reason.

Humans realize that there's not much difference between our close relatives and strangers and that someday strangers can help us if we are kind to them, McCullough said.  [...]

https://apnews.com/f487b63befb2f4c3181404bcc87be1c1

------------------------------

Date: Sun, 5 Jul 2020 09:27:01 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How my dad got scammed for $3,000 worth of gift cards (Zachary Crockett)

At 2:30 pm on a recent Monday, my dad received a jarring phone call.

A man claiming to be a federal agent (David White, ID #US2607-12) told him there was an abandoned car in El Paso, Texas, rented in his name. Inside the car, they'd found a pile of cash, blood, and drugs. His Social Security number had been linked to 7 different bank accounts, $230k in wired funds, and a rental unit stocked with 22 lbs. of cocaine.

If my dad -- a 66-year-old retiree with cancer -- didn't cooperate, Agent White would freeze his bank account and pursue criminal charges. ...

https://thehustle.co/phone-scam-gift-cards/

------------------------------

Date: Sun, 5 Jul 2020 01:14:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Japanese startup creates 'connected' face mask for coronavirus new normal (Reuters)

As face coverings become the norm amid the coronavirus pandemic, Japanese startup Donut Robotics has developed an Internet-connected `smart mask' that can transmit messages and translate from Japanese into eight other languages.

The white plastic `c-mask' fits over standard face masks and connects via Bluetooth to a smartphone and tablet application that can transcribe speech into text messages, make calls, or amplify the mask wearer's voice.
``We worked hard for years to develop a robot and we have used that technology to create a product that responds to how the coronavirus has reshaped society,'' said Taisuke Ono, the chief executive of Donut Robotics.  [...]

https://www.reuters.com/article/us-health-coronavirus-japan-mask-technol/japanese-startup-creates-connected-face-mask-for-coronavirus-new-normal-idUSKBN23X190

------------------------------

Date: Sun, 5 Jul 2020 01:15:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: What we need is social-media distancing (Spectator)

Social media brings out the worst in us because the algorithm rewards us for being tribal, divisive and emotional

Nearly three months into lockdown, 40 million Americans were unemployed. Kids lost out on three months of schooling. Businesses shuttered, many never to open again. Mental health suffered. People lost their homes. Tens of thousands died alone in hospitals, family members were prevented from holding the hands of their loved ones in their final days, and in many cases they weren't allowed to bury them or hold a funeral. Parents struggled to balance distance learning and work. Teachers worried that their most vulnerable students weren't logging in to class. People couldn't receive medical treatment or attend birthdays and graduations.

But humans are creative, resilient creatures, and it didn't take long before we adjusted to living online. Necessity forced ingenuity. AA meetings, fitness classes, happy hours and business meetings all pivoted to Zoom. We started group chats with family members and college friends to stay connected. Mostly, we shared memes. We posted pictures of the dog we adopted, or the sourdough we attempted to make, or the projects in our houses we'd been putting off forever that we finally got to finish, just to try to stay optimistic.

There were silver linings, too. Much ink was spilled about learning to slow down, finding joy in being home with the family. All that time commuting -- was it worth it? Who did we value -- and why? Instead of honoring celebrities, athletes and musicians, we applauded nurses, doctors, truck drivers and grocery-store cashiers. We smiled at each other with our eyes as we stood six feet apart in lines. A feeling of solidarity and grit in the face of a common hardship pervaded, for a brief moment. Pundits wondered, naively, Did COVID-19 kill the culture wars?  [...]

https://spectator.us/need-social-media-distancing-protest-internet/

------------------------------

Date: Tue, 7 Jul 2020 01:15:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Early Covid-19 tracking apps easy prey for hackers, and it might get worse before it gets better (Jumbo Privacy)

The apps could prove vital to curtailing the virus's spread as states reopen, but security fears may make them unpopular with users.

The push to use smartphone apps to track the spread of coronavirus is creating a potential jackpot for hackers worldwide -- and the U.S. offers a fat, loosely defended target.

In the Qatar Covid-19 app, researchers found a vulnerability that would've let hackers obtain more than a million people's national ID numbers and health status. In India's app, a researcher discovered a security gap that allowed him to determine who was sick in individual homes. And researchers uncovered seven security flaws in a pilot app in the U.K.

The U.S. is just starting to use these contact tracing apps -- which track who an infected person may have had contact with -- but at least one app has already experienced a data leak. North Dakota conceded in May that its smartphone app, Care19, had been sending users' location data to the digital marketing service Foursquare. The issue has since been fixed, *according to the privacy app developer* that discovered the leak.
<https://blog.jumboprivacy.com/care19-update-foursquare-allows-developers-to-disable-idfa-collection.html>

To date, the public debate about whether to use contact tracing apps -- a potentially crucial strategy for reopening economies during the pandemic -- *has centered mostly on* what data to collect and who should have access to it, but cybersecurity insiders say the apps are also highly vulnerable to attacks that could expose data ranging from user names to location data.
<https://www.politico.com/news/2020/06/10/google-and-apples-rules-for-virus-tracking-apps-sow-division-among-states-312199>

And the U.S. has its own unique vulnerabilities: a fragmented collection of apps, tiny state cybersecurity budgets and stalled legislation in Congress that makes federal government rules unlikely anytime soon.  [...]

https://www.politico.com/news/2020/07/06/coronavirus-tracking-app-hacking-348601

------------------------------

Date: Sun, 05 Jul 2020 07:56:52 -0600
From: "Keith Medcalf" <kmedcalf@dessus.com>
Subject: Re: Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers (RISKS-32.07)

> For instance, the use of insecure communications (e.g., unencrypted HTTP),
> is now only found in a minority of Bishop Fox client product assessments,
> which gives a somewhat positive (and admittedly biased) picture of IoT
> security trends.

HTTPS is *not* a security protocol. It is a *privacy* protocol. It has absolutely ZERO impact on security, which is quite a different thing entirely than privacy. Simply wrapping a security vulnerability inside *private* transport does absolutely nothing for security.
------------------------------

Date: Sat, 4 Jul 2020 01:13:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Re: Jane Goodall on conservation, climate change and COVID-19

"If we carry on with business as usual, we're going to destroy ourselves"

While COVID-19 and protests for racial justice the world's collective attention, ecological destruction, species extinction and climate change continue unabated. While the world's been focused on other crises, an alarming study was released warning that species extinction is now progressing so fast that the consequences of "biological annihilation" may soon be "unimaginable."
<https://www.cbsnews.com/news/species-extinction-risk-biological-annihilation-study/>

Dr. Jane Goodall <https://www.janegoodall.org/>, the world-renowned conservationist, desperately wants the world to pay attention to what she sees as the greatest threat to humanity's existence. CBS News recently spoke to Goodall over a video conference call and asked her questions about the state of our planet. Her soft-spoken grace somehow helped cushion what was otherwise extremely sobering news:

"I just know that if we carry on with business as usual, we're going to destroy ourselves. It would be the end of us, as well as life on Earth as we know it," warned Goodall.  [...]

https://www.cbsnews.com/news/jane-goodall-climate-change-coronavirus-environment-interview/

------------------------------

Date: Sat, Jul 4, 2020 at 6:27 AM
From: Dennis Allison <dennis.allison@gmail.com>
Subject: Re: Jane Goodall on conservation, climate change and COVID-19 (RISKS-32.07)

> "If we carry on with business as usual, we're going to destroy ourselves"

Geoff, anyone tracking the posts you've made knows that Jane Goodall has gotten her tense wrong; we are already extinct. We might be able to save ourselves from extinction were we to mount a cooperative global effort to mitigate the impacts that are going to occur no matter what we do. The likelihood of that is about the same as a snowball's chance of survival in the Antarctic, where temperatures reached 65 degrees Fahrenheit.

------------------------------

Date: Sat, 4 Jul 2020 12:03:03 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: A Doctor Confronts Medical Errors (RISKS-32.07)

Every documentary I've ever watched about a rare disease or medical condition always repeats the same story: A patient develops some symptoms, doctors diagnose it as some common condition, treatment is not effective. It might take a long time -- sometimes years -- for one curious doctor to realize it's a rare condition, and try to analyze it correctly.

It seems that doctors use analysis algorithms that always come up pointing to a common condition -- which may be correct in a large majority of cases, but is never "this may be a rare case, further investigation is needed". Such methods may be understandable when working under constant pressure and diminishing budgets, but doctors now employ computerized systems, which can present them with a greater variety of options -- but do not. It seems that the same old algorithms have just been computerized with no added sophistication.

AI systems wouldn't help either, if they are trained using data which is generated by the old methods.

------------------------------

Date: Sat, 4 Jul 2020 21:30:21 -0400
From: Bill Matthews <yellow.tropicana@gmail.com>
Subject: Re: Smells Fishy? The Fish That Prevent Iran From Hacking Israel's Water System (RISKS-32.06)

What kind of fish is it that can live in chlorinated water?

When our local potable water supplier intends to change the level of chlorination or the kind of chlorinating chemical in our water, it's advertised in the local paper prior to their making the change. It's advertised prior to the event so that aquarists can appropriately adapt to the change in chlorination.
------------------------------

Date: Sat, 4 Jul 2020 01:10:00 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Quote of The Day

Calvin Coolidge, 150th Anniversary of the Declaration of Independence:

"We live in an age of science and of abounding accumulation of material things. These did not create our Declaration. Our Declaration created them."

https://nsjonline.com/article/2020/06/hill-president-calvin-coolidge-on-the-150th-anniversary-of-the-declaration-of-independence-july-5-1926/

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.08
************************