Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 32.38

RISKS-LIST: Risks-Forum Digest  Sunday 22 November 2020  Volume 32 : Issue 38

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.38>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
State-sponsored actors 'very likely' looking to attack electricity supply,
  says intelligence agency (CBC)
An Engineer Gets 9 Years for Stealing $10M From Microsoft (WiReD)
Shoppers warned against buying cheap electronics online (BBC News)
Technology To Catch HOV Lane Violators Is Coming To Virginia (DCist)
Migration to new CMS can go embarrassingly wrong (BBC)
Researchers hacked a robotic vacuum cleaner to record speech and music
  remotely (Techxplore.com)
Microsoft Is Making a Secure PC Chip with Intel and AMD's Help (WiReD)
Internet censorship report (Rob Slade)
Online password '123456' more popular than ever and easy to crack (CBC)
Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs (Applre)
Apple to pay $113M to settle state investigation into iPhone *Batterygate*
  (WashPost)
Privacy labeling for Apple apps (Rob Slade)
Indistinguishability Obfuscation (WiReD)
Why experts urge caution in using covid risk and tracking tools (WashPost)
Functional and assurance requirements and CoVID (Rob Slade)
Wrong GPS usual suspects First Responder avoidance (Dan Jacobson)
Letter to Consumer Reports magazine (Gabe Goldberg)
How the U.S. Military Buys Location Data from Ordinary Apps (Vice)
'Bot Battle' Shows What Happens When Two AI Programs Go On a Date (Vice)
AI is wrestling with a replication crisis (MIT Tech Review)
The iOS Covid App Ecosystem Has Become a Privacy Minefield (WiReD)
Metrics and CoVID (Rob Slade)
Mac certificate check stokes fears that Apple logs every app you run
  (Ars Technica)
Two-Factor Eggs in One Basket (Kent Borg)
'Most Secure' U.S. Election Not Without Problems (Lucas Ropek)
Election Security Experts Contradict Trump's Voting Claims (Nicole Perlroth)
Blockchain Voting Risks Undetectable Nation-Scale Failures (Stilgherrian)
Did you know that Dominion's voting software "Allows staff to adjust tally
  based on review of scanned ballot images"? (Twitter)
What happens when you test TCL TV's (Henry Baker)
'Cheating detection' goes full Orwell during pandemic (Henry Baker)
Re: How to F Up an Airport, including What It's Like to Stress-Test Berlin's
  Brand New Airport (John Levine)
Re: Facial recognition used to identify Lafayette Square protester accused
  of assault (Chuck Jackson)
Re: CPU-Heat Sink Thermal Paste Effectiveness (Charles Cazabon)
Re: Whale Sculpture Stops Train From Plunge in the Netherlands (Brian Inglis)
Re: Did you know that Dominion's voting software "Allows staff to adjust
  tally based on review of scanned ballot images"? (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 18 Nov 2020 19:51:24 -0700
From: "Matthew Kruk" <mkrukg@gmail.com>
Subject: State-sponsored actors 'very likely' looking to attack electricity
  supply, says intelligence agency (CBC)

https://www.cbc.ca/news/politics/cse-threat-assesment-1.5806213

State-sponsored actors are "very likely" trying to shore up their cyber capabilities to attack Canada's critical infrastructure - such as the electricity supply - to intimidate or to prepare for future online assaults, a new intelligence assessment warns.

"As physical infrastructure and processes continue to be connected to the Internet, cyber threat activity has followed, leading to increasing risk to the functioning of machinery and the safety of Canadians," says a new national cyber threat assessment drafted by the Communications Security Establishment.

"We judge that state-sponsored actors are very likely attempting to develop the additional cyber capabilities required to disrupt the supply of electricity in Canada."

------------------------------

Date: Sun, 15 Nov 2020 23:15:45 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: An Engineer Gets 9 Years for Stealing $10M From Microsoft (WiReD)

A former Microsoft software engineer from Ukraine has been sentenced <https://www.justice.gov/usao-wdwa/pr/former-microsoft-software-engineer-sentenced-nine-years-prison-stealing-more-10-million> to nine years in prison for stealing more than $10 million in store credit from Microsoft's <https://www.wired.com/tag/microsoft/> online store.

From 2016 to 2018, Volodymyr Kvashuk worked for Microsoft as a tester, placing mock online orders to make sure everything was working smoothly. The software automatically prevented shipment of physical products to testers like Kvashuk. But in a crucial oversight, it didn't block the purchase of virtual gift cards. So the 26-year-old Kvashuk discovered that he could use his test account to buy real store credit and then use the credit to buy real products. [...]

Kvashuk has been ordered to pay $8.3 million in restitution, though it seems unlikely he'll ever be able to do that. The government says he may be deported after serving his time in prison.

https://www.wired.com/story/an-engineer-gets-9-years-for-stealing-dollar10m-from-microsoft/

------------------------------

Date: Tue, 17 Nov 2020 16:19:38 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Shoppers warned against buying cheap electronics online (BBC News)

A laptop that caught fire after being fitted with a battery bought on Amazon has prompted safety charity Electrical Safety First to warn of the dangers of buying cheap electronics online.

It said that it had found "some extremely dangerous items" for sale on Amazon, eBay and Wish. The warnings were echoed by watchdog Which? and the Trading Standards Institute. The charity wants to see government legislation on the issue.

https://www.bbc.com/news/technology-54973538

------------------------------

Date: Tue, 17 Nov 2020 17:00:09 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Technology To Catch HOV Lane Violators Is Coming To Virginia (DCist)

https://dcist.com/story/20/11/17/technology-hov-lane-violators-cameras-virginia/

New Technology Allows Virginia To Verify That HOV Drivers Have The Right Number Of Passengers

  [Comment already there: Nowadays dolls can be so convincing. The good news is, you only need the top half to simulate a passenger; the bottom half can be reserved for other uses.]

I hope cameras can detect objects as large as trucks which don't belong in Express Lanes! They're frequently there cheating and only rarely do I see one stopped by police.

------------------------------

Date: Wed, 18 Nov 2020 07:54:52 +0100
From: Anthony Thorn <anthony.thorn@atss.ch>
Subject: Migration to new CMS can go embarrassingly wrong (BBC)

On 15 Nov 2020, Radio France International (RFI) published the obituaries of "about 100" personages who were (are) still alive. Including: the Queen, Clint Eastwood, Pele, Brigitte Bardot, Ayatollah Ali Khamenei, Jimmy Carter, Raul Castro, Bernard Tapie...

https://www.bbc.com/news/world-europe-54965098
https://nypost.com/2020/11/17/french-radio-accidentally-publishes-obits-for-still-alive-celebs/

(I hope the Queen was amused ;-)

  [Also noted by Gabe Goldberg. PGN]
  https://www.nytimes.com/2020/11/17/world/europe/france-website-obituaries.html

------------------------------

Date: Wed, 18 Nov 2020 16:42:27 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: Researchers hacked a robotic vacuum cleaner to record speech and
  music remotely (Techxplore.com)

https://techxplore.com/news/2020-11-hacked-robotic-vacuum-cleaner-speech.html

"We welcome these devices into our homes, and we don't think anything about it," said Roy, who holds a joint appointment in the University of Maryland Institute for Advanced Computer Studies (UMIACS). "But we have shown that even though these devices don't have microphones, we can repurpose the systems they use for navigation to spy on conversations and potentially reveal private information."

What could be the next household device hack target for surveillance? Perhaps that IoT-enabled dental floss dispenser?

------------------------------

Date: Thu, 19 Nov 2020 02:04:05 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Microsoft Is Making a Secure PC Chip with Intel and AMD's Help (WiReD)

The Pluton security processor will give the software giant an even more prominent role in locking down Windows hardware.

https://www.wired.com/story/microsoft-pluton-secure-processor/

------------------------------

Date: Thu, 19 Nov 2020 09:10:55 -0800
From: Rob Slade <rslade@gmail.com>
Subject: Internet censorship report

The University of Michigan has created an automated censorship measuring tool, Censored Planet, and has now released a report from the collected data.

https://news.umich.edu/extremely-aggressive-internet-censorship-spreads-in-the-worlds-democracies/

The tool uses public Internet servers, and measures, and reports, when access to Websites is blocked. Billions of measurements are taken automatically, and further filters analyze the data.

The findings, presented at the 2020 ACM Conference on Computer and Communications Security, demonstrate that even democracies are doing considerable censorship, and that tools are in place for much more.

------------------------------

Date: Wed, 18 Nov 2020 19:48:15 -0700
From: "Matthew Kruk" <mkrukg@gmail.com>
Subject: Online password '123456' more popular than ever and easy to crack (CBC)

Maker of password manager app details worst passwords of 2020

https://www.cbc.ca/news/business/nordpass-list-of-most-common-and-worst-passwords-1.5807089

People are still using the most basic of Internet passwords that can be easily cracked, according to a database analysis by password manager NordPass.

Its list of the 200 most common passwords for online accounts in 2020 was released after a review of nearly 275.7 million passwords.

Coming in first was "123456," used by 2.5 million people, after landing in second place last year. NordPass said it has been breached more than 23.5 million times.

The data shows many people stubbornly cling to using weak passwords, even though they're the worst in terms of security.

------------------------------

Date: Wed, 18 Nov 2020 12:36:23 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Apple Lets Some of its Big Sur macOS Apps Bypass Firewall and VPNs

  [via Geoff Goodfellow]

Apple is facing the heat for a new feature in macOS Big Sur that allows many of its own apps to bypass firewalls and VPNs, thereby potentially allowing malware to exploit the same shortcoming to access sensitive data stored on users' systems and transmit them to remote servers.

The issue was first spotted last month by a Twitter user named Maxwell in a beta version of the operating system.

"Some Apple apps bypass some network extensions and VPN Apps," Maxwell *tweeted* <https://twitter.com/mxswd/status/1318305284524183552>. "Maps for example can directly access the Internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running."

But now that the iPhone maker has released the latest version of macOS to the public on November 12, the behavior has been left unchanged, prompting concerns from security researchers, who say the change is ripe for abuse.

Of particular note is the possibility that the bypass can leave macOS systems open to attack, not to mention the inability to limit or block network traffic at users' discretion.

According to Jamf security researcher *Patrick Wardle* <https://twitter.com/patrickwardle/status/1327726496203476992>, the company's 50 Apple-specific apps and processes have been exempted from firewalls like Little Snitch and LuLu.

The change in behavior comes as Apple *deprecated support* <https://developer.apple.com/support/kernel-extensions/> for Network Kernel Extensions last year in favor of Network Extensions Framework [...]

https://thehackernews.com/2020/11/apple-lets-some-of-its-big-sur-macos.html

------------------------------

Date: Thu, 19 Nov 2020 02:13:10 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Apple to pay $113M to settle state investigation into iPhone
  *Batterygate* (WashPost)

Apple will pay $113 million to settle an investigation by nearly three dozen states into the tech giant's past practice of slowing customers' old iPhones in an attempt to preserve their batteries.

https://www.washingtonpost.com/technology/2020/11/18/apple-fine-battery/

I think I filed claims for two affected phones; I also had batteries replaced in them for $29/each when Apple was doing that for penance. I have to say that this...

  That December, Apple acknowledged the practice, explaining that it had tweaked its technology starting a year earlier so that some older models, including the iPhone 6S, did not shut down unexpectedly or experience other malfunctions due to excessive demands on their dated batteries.

  The widespread blowback also prompted Apple to issue a public apology -- a rarity for the image-conscious tech giant -- and to begin offering battery-replacement discounts for consumers.

...doesn't sound entirely malign -- would shutdowns or other malfunctions really have been better than slowdowns? -- except it was done secretly. And given the huge set of Settings options, adding battery controls wouldn't have been burdensome. Now, at least, battery health can be user determined (though apparently there are more comprehensive battery tests only Apple can run). And, weirdly, iPadOS doesn't display iPad battery health; you need nifty/free PC/Mac utility iMazing for that.

------------------------------

Date: Mon, 16 Nov 2020 11:30:07 -0800
From: Rob Slade <rmslade@shaw.ca>
Subject: Privacy labeling for Apple apps

Apple will, as of December 8th, start requiring standardized summaries of information gathering and privacy behaviour for new and updated apps in the app store.

https://www.theregister.com/2020/11/06/apple_privacy_advice/

In the announcement, Apple referred to the summaries as being like nutritional labels on food, which phrase seems to have caught the media's imagination.

Details of the requirements are given at
https://developer.apple.com/app-store/app-privacy-details/

The "labels" don't seem to be that far removed from the "permissions" that Android apps list, and don't give that much more information about collection.

Having recently created a presentation on differential privacy, it strikes me that this is one of the first outcomes of Apple's grand announcement of its commitment to the technology in 2016. Differential privacy does allow for some version of metrics for privacy, but so far it has been a rather academic exercise. This announcement doesn't push it much further.
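Rob Slade's post above notes that differential privacy "does allow for some version of metrics for privacy". The following is an added illustration of what that metric is; it is not part of the RISKS post and is not Apple's code or anyone's production implementation. It answers a count query ("how many users enabled location?") with the textbook Laplace mechanism and shows that the parameter epsilon bounds how much the distribution of the published answer can shift when any single user's record is added or removed. The records, the `uses_location` field and every function name are constructed for this example.

```python
import math
import random

# Constructed sample data for this example: per-user records of the kind an
# app vendor might summarise on a privacy label (not real telemetry).
RECORDS = [
    {"user": "u1", "uses_location": True},
    {"user": "u2", "uses_location": False},
    {"user": "u3", "uses_location": True},
    {"user": "u4", "uses_location": True},
    {"user": "u5", "uses_location": False},
    {"user": "u6", "uses_location": True},
    {"user": "u7", "uses_location": False},
    {"user": "u8", "uses_location": True},
]


def true_count(records, predicate):
    """Exact (non-private) count of records satisfying predicate."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale, rng):
    """Draw from Laplace(0, scale) by inverse-CDF sampling.

    The clamp keeps log() away from 0 if the uniform draw is exactly 0.0,
    which would otherwise raise a math domain error.
    """
    u = rng.random() - 0.5
    t = max(1.0 - 2.0 * abs(u), 1e-300)
    return -scale * math.copysign(1.0, u) * math.log(t)


def dp_count(records, predicate, epsilon, rng):
    """epsilon-differentially-private count via the Laplace mechanism.

    Adding or removing one record changes a count by at most 1 (sensitivity
    1), so Laplace noise with scale 1/epsilon gives epsilon-DP.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return true_count(records, predicate) + laplace_noise(1.0 / epsilon, rng)


def laplace_pdf(x, mu, scale):
    """Density of Laplace(mu, scale) at x."""
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)


def privacy_bound(epsilon):
    """The guarantee: output densities on neighbouring inputs differ by at
    most this multiplicative factor. This factor is the privacy metric."""
    return math.exp(epsilon)


def worst_case_density_ratio(count_a, count_b, epsilon, sample_points):
    """Largest ratio of output densities between two neighbouring true counts
    (differing by exactly 1), evaluated over the given output values."""
    if abs(count_a - count_b) != 1:
        raise ValueError("counts must be neighbouring (differ by exactly 1)")
    scale = 1.0 / epsilon
    return max(
        laplace_pdf(x, count_a, scale) / laplace_pdf(x, count_b, scale)
        for x in sample_points
    )


def demo_count(epsilon, seed=7):
    """Seeded run over the constructed records so the example is reproducible."""
    rng = random.Random(seed)
    return dp_count(RECORDS, lambda r: r["uses_location"], epsilon, rng)


if __name__ == "__main__":
    exact = true_count(RECORDS, lambda r: r["uses_location"])
    for eps in (0.1, 1.0, 10.0):
        print(f"epsilon={eps:<5} exact={exact} noisy={demo_count(eps):.2f} "
              f"density ratio bound={privacy_bound(eps):.2f}")
```

Smaller epsilon means more noise and a tighter bound on what any one record can change in the published figure; a label that merely says "collects location" carries no such number. One caveat for anyone going beyond illustration: this inverse-CDF sampler uses ordinary floating point, and Mironov (CCS 2012) showed that naive floating-point Laplace sampling leaks through the least significant bits, so production implementations use hardened samplers rather than this one.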
------------------------------ Date: Mon, 16 Nov 2020 11:47:19 -0800 From: Rob Slade <rmslade@shaw.ca> Subject: Indistinguishability Obfuscation (WiReD) https://www.wired.com/story/computer-scientists-achieve-the-crown-jewel-of- cryptography/ First reaction: this sounds very much like trying to build a Bell and LaPadula [Multilevel-secure] computer. It sounds like the type of formal and theoretical abstraction that is useful as an exercise, but seldom results in an actual, useful, working device. I am, again, reminded of differential privacy: some great ideas, but the outcomes that people tend to actually present are less than earth-shattering, in reality. Second reaction: although the article seems to be reasonably detailed, there simply isn't enough information on iO in there to make any real assessment. ------------------------------ Date: Tue, 17 Nov 2020 11:28:09 +0800 From: Richard Stein <rmstein@ieee.org> Subject: Why experts urge caution in using covid risk and tracking tools (WashPost) https://www.washingtonpost.com/lifestyle/wellness/understanding-risk-covid-tracker-tools/2020/11/13/95adb654-2504-11eb-952e-0c475972cfc0_story.html "Instead of relying on any one tool, Landon recommended people use multiple data sources to help with decisions and reference community and federal resources. The CDC recently updated its guidance for Thanksgiving gatherings, suggesting many ways for people to celebrate the holiday without putting themselves or their loved ones at increased risk. "'If you unknowingly spread covid to higher-risk individuals in your family, there's no do-over for that,' Landon said." Confronting a go/no-go choice based on imperfect information is an age-old problem. Second opinions can be helpful, but if their recommendations differ? Choose a 3rd, and accept a "best two-out-of-three" result? A deficit of civil forbearance appears to sustain COVID-19 pandemic waves in the US. 
A commonsense vaccine to replenish diminished public trust is urgently needed. ------------------------------ Date: Tue, 17 Nov 2020 08:12:18 -0800 From: Rob Slade <rmslade@shaw.ca> Subject: Functional and assurance requirements and CoVID With the recent surges in CoVID-19 cases (pretty much everywhere), parents have become (understandably) concerned about the welfare and safety of their children, particularly at school. There have been widespread calls for school closures, or, at the very least, mandatory mask wearing for all staff and students. However, looking at the situation in terms of both functional and assurance requirements demonstrates that these concerns are unnecessary, or, at least, misplaced. First lets look at the functional requirements. For the most part, controls against the pandemic are still basic and widely known. But they are problematic in regard to schools. Isolation is the most effective. However, classrooms are too few, and too small, for completely effective isolation. Desktop and other barrier systems are possibly expensive and time-consuming to construct and install in many places, and, in any case, are limited at best. Distance learning carries its own set of problems. Handwashing is good, and, particularly in the younger grades, you can really get students to buy into it. But it's not complete. (And forget trying to get teenagers to do it regularly.) And any teacher knows that telling kids, especially in the primary grades, to keep physically distant from each other is just not going to work. (Actually, if you tell students in the primary grades that it's a game, that their friends are radioactive, and that if they get close enough for their outstretched hand to touch their friends' outstretched hands they'll both explode, it'd probably work. It's the teenagers who seem to think that social distancing means six inches.) 
And I've written elsewhere about masks, but it is difficult to get kids, particularly younger kids, to wear them consistently and properly. However, when we look at assurance requirements, we find a much different picture. One of the assurance requirements is detailed contact tracing, looking at where, how, and in what situations the infection actually (as opposed to theoretically) does spread. Part of this, of course, gives us information about which controls actually do work. But often it just gives us information about risk levels. And, even in these "resurgent" times, schools are not dangerous places. Detailed contact tracing has demonstrated that the number of actual transmissions of the infection in schools is startlingly small, given the problems we have just looked at with functional requirements and controls. In British Columbia, while general case numbers jumped from 5,000 to over 20,000, there were only three outbreaks in schools, and, in those outbreaks, it seems to be impossible to prove that any infections actually took place *at* school. Schools do seem to reflect the prevalence of the case numbers, and, during this surge, exposure events at schools have increased, but cases of actual transmission seem to be vanishingly small. Unfortunately, we do not yet have enough data to know exactly why this is the case. It may be that children, particularly young children, have differences in their immune systems that make them less susceptible to the coronavirus, but that would not explain why there are almost no cases of student to teacher transmission. It may be that, despite the problematic nature of the functional controls, the fact that children are better at "sticking to the rules" means that the layered defence works better than in adults (who often seem to think that wearing a mask means you can neglect all the other safeguards). At this point we still don't know enough to explain it. 
There are other things that the assurance requirement of detailed contact tracing can demonstrate, but not explain. We have seen that transmission in restaurants is low, but transmission in bars is very much higher. Why is that the case? The two situations are very similar. Bars do the same level of cleaning as restaurants, and often have the same capacity limitations. Alcohol is served at restaurants as well as bars. But bars have higher transmission rates. In fact, the data even shows that transmission rates, in both bars *and* restaurants, is higher after 10 pm than before. Why? Is it just because patrons are drunker (and drunk people make worse decisions about sticking to the rules)? We can't yet explain why, but we do know that it is the case. In security, we often pursue functional requirements and neglect assurance. After all, it is functional requirements that direct us to technologies and systems and processes that keep us safe. But it is assurance requirements that tell us whether the technologies and systems and processes actually *do* keep us safe, or whether we are wasting resources on controls that don't actually do anything for us. We need that assurance. ------------------------------ Date: Mon, 16 Nov 2020 23:15:43 +0800 From: Dan Jacobson <jidanni@jidanni.org> Subject: Wrong GPS usual suspects First Responder avoidance Today I noticed that my friends' cell phones' GPS all show the same wrong place when not fully warmed up. Year in and year out. So that got me thinking, there must be about one of these points every few kilometers. So all rescue departments need to do is keep a list of them. Then, say, someone calls in "Help me, I'm at xxx.xxx,yyy.yyy," the First Responders could reply, "Give your GPS a few more minutes to warm up, then call us back." Actually they don't need a full list. All they need is the algorithms of how those points are arrived at. Yes, they are like 12.000 for 12.345, but "binary". 
Sure, different chips have different algorithms. And maybe AGPS is involved, etc. OK, now generate a list for your local area. So next time somebody calls in with one of those suspect coordinate pairs, right down to the millimeter, just tell them to take a deep breath... ------------------------------ Date: Sun, 15 Nov 2020 15:28:06 -0500 From: Gabe Goldberg <gabe@gabegold.com> Subject: Letter to Consumer Reports magazine Your December TV ratings data includes "Data privacy" and "Data security" columns not mentioned in text. Those deserve explanation, along with advice for enhancing privacy/security. Such as not connecting "smart" TVs to the Internet. I don't, and my large-screen TV works just fine, handling cable, DVD, and Roku content. I avoid the TV snooping or compromising anything and don't miss the TV's remote voice control feature since I use a universal remote to control ALL devices. The TV whines occasionally that it longs to go online but I don't let it -- thus also avoiding problems with unneeded software updates. TVs should be TVs, not computers. ------------------------------ Date: Mon, 16 Nov 2020 12:44:23 -1000 From: geoff goodfellow <geoff@iconia.com> Subject: How the U.S. Military Buys Location Data from Ordinary Apps *A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people's personal data to brokers, contractors, and the military.* [...] https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x ------------------------------ Date: Mon, 16 Nov 2020 12:55:11 -1000 From: the keyboard of geoff goodfellow <geoff@iconia.com> Subject: 'Bot Battle' Shows What Happens When Two AI Programs Go On a Date (Vice) To test its superiority, one AI company put out a call for tech firms to challenge their AI bot head-to-head. What happens when two AI programs go on a date? 
Well, apparently, a few stumbles, a lot of flattery, and one, ``It is exciting that I get to kill people'' comment. AI company Pandorabots, Inc. and Facebook AI have gone head-to-head in a ``Bot Battle'' for the ages. Streamed on Twitch, the two programs interacted with each other for three weeks straight. Viewers were able to vote on which company's mascot they believe held conversation the best. Pandorabot's Kuki, a female embodied agent sporting a neon bob haircut, won in a landslide victory picking up 78 percent of the vote. Her opponent was Facebook's Blenderbot, who sports a ``Make Facebook Great Again'' hat in true Zucker-bro style. Pandorabots created the competition to put their program on display, a Medium post by Kuki's creator, Steve Worswick, explains. ``We are planning to get more bots -- and some humans! -- into the arena to hang with Kuki. We will also continue to iterate and update the avatars," he wrote. During the battle, which drew more than 400,000 views during the three-week stream, the bots talked about everything from the election to an in-depth history of Pac-Man. The two even gave an attempt at making jokes. Remember, the conversation was completely autonomous from human involvement and the bots are running day and night. Still, at best the conversation was followable and somewhat complex. At times it turned into a staring contest where nothing was said. Many of the silences were awkward. And other times the conversation completely derailed into a splurge of courteous compliments. [...] https://www.vice.com/en/article/5dpbaz/bot-battle-shows-what-happens-when-two-ai-programs-go-on-a-date ------------------------------ Date: Sun, 15 Nov 2020 11:00:02 -1000 From: geoff goodfellow <geoff@iconia.com> Subject: AI is wrestling with a replication crisis (MIT Tech Review) *Tech giants dominate research but the line between real breakthrough and product showcase can be fuzzy. 
Some scientists have had enough.* Last month Nature published a damning response <https://www.nature.com/articles/s41586-020-2766-y> written by 31 scientists to a study from Google Health <https://www.nature.com/articles/s41586-019-1799-6> that had appeared in the journal earlier this year. Google was describing successful trials of an AI that looked for signs of breast cancer in medical images. But according to its critics, the Google team provided so little information about its code and how it was tested that the study amounted to nothing more than a promotion of proprietary tech. ``We couldn't take it anymore,'' says Benjamin Haibe-Kains, the lead author of the response, who studies computational genomics at the University of Toronto. ``It's not about this study in particular -- it's a trend we've been witnessing for multiple years now that has started to really bother us.'' Haibe-Kains and his colleagues are among a growing number of scientists pushing back against a perceived lack of transparency in AI research. ``When we saw that paper from Google, we realized that it was yet another example of a very high-profile journal publishing a very exciting study that has nothing to do with science,'' he says. ``It's more an advertisement for cool technology. We can't really do anything with it.'' Science is built on a bedrock of trust, which typically involves sharing enough details about how research is carried out to enable others to replicate it, verifying results for themselves. This is how science self-corrects and weeds out results that don't stand up. Replication also allows others to build on those results, helping to advance the field. Science that can't be replicated falls by the wayside. At least, that's the idea. In practice, few studies are fully replicated because most researchers are more interested in producing new results than reproducing old ones. 
But in fields like biology and physics--and computer science overall--researchers are typically expected to provide the information needed to rerun experiments, even if those reruns are rare. Ambitious noob... [...] https://www.technologyreview.com/2020/11/12/1011944/artificial-intelligence-replication-crisis-science-big-tech-google-deepmind-facebook-openai/ ------------------------------ Date: Fri, 13 Nov 2020 18:29:40 -0500 From: Gabe Goldberg <gabe@gabegold.com> Subject: The iOS Covid App Ecosystem Has Become a Privacy Minefield (WiReD) An analysis of nearly 500 Covid-related apps worldwide shows major differences in how much data they expect you to give up. The results show that only 47 of that subset of 359 apps use Google and Apple's more privacy-friendly exposure-notification system, which restricts apps to only Bluetooth data collection. More than six out of seven Covid-focused iOS apps worldwide are free to request whatever privacy permissions they want, with 59 percent asking for a user's location when in use and 43 percent tracking location at all times. Albright found that 44 percent of Covid apps on iOS asked for access to the phone's camera, 22 percent of apps asked for access to the user's microphone, 32 percent asked for access to their photos, and 11 percent asked for access to their contacts. https://www.wired.com/story/covid-19-ios-apps-privacy/ I guess it wants to check whether your photo has been near photo of someone with Covid. ------------------------------ Date: Tue, 17 Nov 2020 06:01:53 -0800 From: Rob Slade <rmslade@shaw.ca> Subject: Metrics and CoVID Another security lesson from CoVID is in regard to metrics. Those who have tried to create security metrics will know, all too well, how difficult it is to choose those that are actually useful, rather than just being collections of numbers. (Brotby and Hinson's PRAGMATIC acronym is very helpful in providing guidance.) 
Among the various statistics that CoVID has generated, such as case rates, new cases, doubling time of cases, hospitalization rates, et cetera, one single number that has been consistently useful is the positivity rate. This is the number of cases confirmed, divided by the total tests done. Donald Trump to the contrary, while there are a number of additional factors to consider, it seems to be generally felt that a positivity rate of about two percent is probably reasonable. Any lower, and it is likely that you are testing too many people too indiscriminately, and wasting money and resources. Any higher, and it is likely that you aren't testing enough, and that cases are, or shortly will be, increasing. Positivity has proven itself "Relevant" from the PRAGMATIC list. Recently, in British Columbia, we have seen how difficult it may be to keep such metrics "Meaningful" and "Accurate." BC, often known as "Hollywood North," is home to a thriving and active film industry. If you are a fan of Hallmark romances and mysteries, and other such "made for TV" fare, chances are very good that they were shot here. (When Gloria and I watch them, it is often as much to play "spot the location" as to follow the plots.) This is especially true now during the pandemic, when BC has been a relatively safe place to do film shoots. There are, of course, a number of restrictions to keep filmmaking safe, some imposed by local health authorities, and some required by unions, particularly from the US and places where the case rates have been much higher, demanding fairly stringent precautions. CoVID testing, in particular, is done regularly, and often very frequently, regardless of how many cases turn up. Testing for the movie industry is done at private labs, so as not to affect lab capacity for the public health system. However, even so, the testing is "reportable," and thus the numbers make their way into public figures. 
The demands of the movie industry are such that 4-5,000 tests may be done daily, at a time when the public testing capacity is about 16,000 tests per day. Since the movie industry definitely "overtests," the movie numbers artificially depress the overall positivity rate. Our positivity rate in BC may actually be twice what the published figures show.

------------------------------

Date: Mon, 16 Nov 2020 17:01:11 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Mac certificate check stokes fears that Apple logs every app you run (Ars Technica)

Amid concern that macOS logs app usage in real time, Apple issues assurances.

https://arstechnica.com/gadgets/2020/11/mac-certificate-check-stokes-fears-apple-logs-every-app-you-run/

------------------------------

Date: Mon, 16 Nov 2020 15:42:54 -0800
From: Kent Borg <kentborg@borg.org>
Subject: Two-Factor Eggs in One Basket

A friend of mine got the newest iPhone. Being latest and greatest he wants it to be all 5G-est, too, and that part isn't working right. Word is he needed a different SIM, and I don't follow all the details. Anyway, at this point some Verizon person probably needs to walk through network settings to fix something set wrong. Okay.

But my friend takes covid-19 seriously and doesn't want to go to the store. Okay, smart. I'm sure he could go through the settings by phone call.

Nope: My friend hopped on the two-factor bandwagon and Verizon won't talk to him without texting him aboard their two-factor ritual, and he says that doesn't work with the new SIM. Sure, he could put in the old SIM where it does work, but he needs to debug the 5G SIM…

I've always thought two-factor was a great idea for really high value accounts, with lots of talented high end support at the ready, but I don't understand why people think it scales to everyone for everything.

------------------------------

Date: Wed, 18 Nov 2020 12:19:16 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: 'Most Secure' U.S. Election Not Without Problems

Lucas Ropek, *Government Technology*, 16 Nov 2020
via ACM TechNews, Wednesday, November 18, 2020

Although federal officials declared the 2020 presidential election the "most secure in American history," there were still technical problems. Alleged software glitches caused mistakes in vote tabulation for both presidential and local races in certain counties, while some communities suffered temporary miscounts due to clerical errors. Threats of foreign interference appear to have been countered by greater vigilance and stronger cyberdefenses by watchdogs like the Cybersecurity and Infrastructure Security Agency, and multi-stakeholder collaboration and information sharing. However, disinformation and misinformation have continued to fuel polarization of the electorate. Former ACM president Barbara Simons urges greater transparency and committed investment in auditable machinery as top priorities, along with curtailing the use of paperless voting machines.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28148x226823x070792&

------------------------------

Date: Tue, 17 Nov 2020 15:43:35 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Election Security Experts Contradict Trump's Voting Claims (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 16 Nov 2020
Election Security Experts Contradict Trump's Voting Claims
https://www.nytimes.com/2020/11/16/business/election-security-letter-trump.html

Fifty-nine of the country's top computer scientists and election security experts rebuked President Trump's baseless claims of voter fraud and hacking on Monday, writing that such assertions are ``unsubstantiated or are technically incoherent.''

The rebuttal, in a letter to be published on various websites, did not mention Mr. Trump by name but amounted to another forceful corrective to the torrents of disinformation that he has posted on Twitter. ``Anyone asserting that a U.S. election was *rigged* is making an extraordinary claim, one that must be supported by persuasive and verifiable evidence.'' In the absence of evidence, they added, it is simply `speculation'.

``To our collective knowledge, no credible evidence has been put forth that supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise,'' they wrote. [...]

------------------------------

Date: Mon, 16 Nov 2020 12:18:26 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Blockchain Voting Risks Undetectable Nation-Scale Failures (Stilgherrian)

Stilgherrian, ZDNet, 16 Nov 2020
via ACM TechNews, Monday, November 16, 2020

A study by Massachusetts Institute of Technology (MIT) researchers labeled assertions that Internet- and blockchain-based voting would boost election security "misleading," adding that they would "greatly increase the risk of undetectable, nation-scale election failures." The MIT team analyzed previous research on the security risks of online and offline voting systems, and found blockchain solutions are vulnerable to scenarios where election results might have been erroneously or deliberately changed. The MIT researchers proposed five minimal election security mandates: ballot secrecy to deter intimidation or vote-buying; software independence to verify results with something like a paper trail; voter-verifiable ballots, where voters themselves witness that their vote has been correctly recorded; contestability, where someone who spots an error can persuade others that the error is real; and an auditing process.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-28090x22672ex070514&

------------------------------

Date: Tue, 17 Nov 2020 07:22:00 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Did you know that Dominion's voting software "Allows staff to adjust tally based on review of scanned ballot images? (Twitter)

> https://twitter.com/CodeMonkeyZ/status/1328342166007992323
> So there would be a record if anything was changed.

PGN Response: If you believe audit records cannot be hacked, we are still offering the Brooklyn Bridge at a huge discount. On the other hand, the DREs of a decade ago when we were fighting the lack of an audit trail did not even pretend to have a meaningful audit trail.

------------------------------

Date: Fri, 13 Nov 2020 14:39:51 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: What happens when you test TCL TV's

[Henry's two contributions to this issue were longer than the rest of the issue. I have seriously foreshortened both. If you want the full story for the first one, please ask Henry to send it to you. The second has a URL for the PGN-ed text. PGN]

The Chinese have us by their Ten TCL's :-)

You really have to read this TCL 'Smart' TV vulnerability report all the way through; you don't have to be a Linux wizard to start laughing, and it gets better and better as you read!

I don't know which is scarier: the vulnerabilities themselves, or the lack of response from TCL together with a sneaky 'silent' update to 'fix' these (wink, wink) 'bugs'.

I knew there was a reason why I never enabled the Internet connection on my 'smart' TV; I allow HDMI only.

Previews:

"Port 22 open and allowing SSH access as root:root out of the box"

"When in the history of your career... Have you ever needed to serve the entire filesystem... over http?"

TCL me, Elmo!!

https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/
Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World's 3rd Largest TV Manufacturer.
------------------------------

Date: Mon, 16 Nov 2020 09:03:04 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: 'Cheating detection' goes full Orwell during pandemic

I've heard of the 'school-to-prison pipeline', but I had no idea how short this pipeline had become...

I think they may possibly have misspelled "proctoring" when they referred to contacting a back door into your computer. :-)

Drew Harwell, *The Washington Post*
Cheating-detection companies made millions during the pandemic. Now students are fighting back.

[...]

https://www.msn.com/en-us/news/us/cheating-detection-companies-made-millions-during-the-pandemic-now-students-are-fighting-back/ar-BB1aX8Qa

------------------------------

Date: 13 Nov 2020 20:04:19 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: How to F Up an Airport, including What It's Like to Stress-Test Berlin's Brand New Airport (Goldberg)

The Radio Spätkauf podcast has a five part series called "How to F* Up an Airport" on the bizarre and sad history of the new Berlin airport. Many of the failures were due to political interference and a staggering level of arrogance and incompetence, but a certain amount is technical, such as the fact that physics tells us that if you increase the size of the terminal, the ventilation requirements and particularly the emergency smoke removal ventilation do not scale linearly. Or that it is not a good idea to cram power and signal wires into the same undersized pipe.

It includes a segment about the dress rehearsal described in the Atlas Obscura page. They said it included plenty of very bad coffee.
https://player.fm/series/how-to-feuk-up-an-airport

------------------------------

Date: Fri, 13 Nov 2020 21:46:10 -0500
From: Chuck Jackson <clj@jacksons.net>
Subject: Re: Facial recognition used to identify Lafayette Square protester accused of assault (Levine, RISKS-32.37)

Here's a quote (emphasis added) from *The Washington Post* article on this event:

  After the demonstration, Park Police tracked him through Twitter and sent the image to the Maryland-National Capital Park Police in Prince George's County, which ran it through NCRFRILS, returning Michael Joseph Peterson Jr. as a possible match, the court documents state. *Authorities said they also found a backpack at the scene of the protests containing Peterson's ID.*

Apparently, he took off leaving his driver's license behind.

------------------------------

Date: Fri, 13 Nov 2020 21:23:14 -0600
From: Charles Cazabon <charlesc-risks-digest@pyropus.ca>
Subject: Re: CPU-Heat Sink Thermal Paste Effectiveness (Stein, RISKS-32.37)

(1) No AMD Ryzen processor from the Ryzen 5, Ryzen 7, or Ryzen 9 families, whether from the 1st-gen 1000 series, 2nd-gen 2000-series, 3rd-gen 3000 series, or the new 5000 series requires liquid cooling. All are perfectly capable of working at their full specified speeds with a quality air cooler; all but the most recent top-spec versions shipped with such a cooler. They can typically be overclocked, and they will overclock better with liquid cooling, but it is by no means necessary.

(2) Pretty much any substance with a significant amount of water in it will transfer heat effectively from a CPU to its heatsink (*); CPU cooling is simply not a particularly demanding application. The advantages in quality heatsink thermal compounds are not in efficacy, but in other areas - less "creep" out of the joints, easier application, longer life without drying out, etc.
(*) Dan Rutter of dansdata.com famously did a comparison in 2002 of various thermal compounds, from cheap white zinc-based thermal paste to fancy silver-loaded silicone formulations, to toothpaste (!) and vegemite (!!).

http://www.dansdata.com/goop.htm

------------------------------

Date: Mon, 16 Nov 2020 22:32:18 -0700
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
Subject: Re: Whale Sculpture Stops Train From Plunge in the Netherlands (RISKS-32.37)

> It was only a fluke that the driver wasn't killed.
> [But "a fluke" is also a fish, which the whale is not. PGN]

It was just a fluke it landed on a fluke, which is a tail of a whale, and nobody was killed, so it's a whale of a tale about "Whale Tails", which is named a fluke as well as called a fluke.

  [Also a parasitic worm, and a barb on an anchor, arrow, harpoon, hook, etc. Anyone care to take this any further in those directions: limerick perhaps? See also Whale sculpture catches crashed Dutch metro train:
  https://www.bbc.com/news/world-europe-54780430 ]

------------------------------

Date: Wed, 18 Nov 2020 13:43:53 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Re: "Did you know that Dominion's voting software "Allows staff to adjust tally based on review of scanned ballot images"? (RISKS-32.38)

> So there would be a record if anything was changed.

If you believe audit records cannot be hacked, we are still offering the Brooklyn Bridge at a huge discount. On the other hand, the DREs of a decade ago when we were fighting the lack of an audit trail did not even pretend to have a meaningful audit trail.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.38
************************