• RISKS Digest 31.16

    From Sean Dennis@1:18/200 to All on Saturday, April 06, 2019 21:45:57
    (Apologies for any weird characters: posting to Linux from a Windows box...)

    RISKS-LIST: Risks-Forum Digest Monday 1 April 2019 Volume 31 : Issue 15

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    The current issue can also be found at

    Might this be the last vestige of the British Empire? (PGN)
    MIT To Require 'Turing Test' for Admissions (Henry Baker)
    Russian interference alleged in mayor's election (Mark Thorson)
    ThickerThanWater[dot]com (Richard Stein)
    Electric seaplanes? (Rob Stein)
    British Airways flight lands 525 miles away from destination (USA Today)
    Computer outage led to flight delays for some U.S. biggest airlines (Vox)
    HTTPS Isn't Always As Secure As It Seems (WiReD)
    Twitter Network Uses Fake Accounts to Promote Netanyahu (NYTimes)
    Lawmakers Scrutinize Timeline for Boeing 737 MAX Software Fix (WSJ)
    Road safety: UK set to adopt vehicle speed limiters (bbc.com)
    Russia Regularly Spoofs Regional GPS (DarkReading)
    Smart talking: are our devices threatening our privacy? (The Guardian)
    Abridged info on RISKS (comp.risks)


    Date: Mon, 1 Apr 2019 12:00:00 -0700
    From: "Peter G. Neumann" <peter.neumann@sri.com>
    Subject: Might this be the last vestige of the British Empire?

    Given the troubles over the Brexit referendum, where at present no
    acceptable solution appears to be possible, Great Britain seems likely to be splitting altogether. A new proposal is that England itself would splinter, with London, Oxbridge, and a few other regions becoming part of France (Fritainnia?) to remain within the EU, while the rest of England would
    become something like Less Britain. [Some pundits mistakenly see a parallel with the Greater Antilles and the Lesser Antilles, although in that case,
    size was the primary measure for the naming.]

    Despite the troubles over the Troubles, it appears that Northern Ireland and the Republic of Ireland have finally decided to merge, with a new capital
    city to be built on the border (perhaps Dubbel, with the combined
    population, although Dubfast and Belin might also be under consideration). Reversing the 1973 referendum to split, this would enable Northern Ireland
    to remain within the EU, in the face of the uncertainties noted above.
    Scotland and Wales are still contemplating whether to join the new
    Fritainnia, or the new United States of Ireland; remaining with Less Britain somehow seems less likely to many observers.

    Finally, given all of the above, the British Parliament seems most likely to abolish itself altogether, starting first with the House of Lords (long overdue), and then Commons.

    [So, why is this relevant to RISKS? Once again, late-stage maneuvering
    seems to be just one more example of the results of short-term
    optimization instead of long-term planning. The Foresight Saga
    strikes again. PGN]


    Date: Mon, 1 Apr 2019 13:00:00 -0700
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: MIT To Require 'Turing Test' for Admissions

    Cambridge, MA -- The Massachusetts Institute of Technology ("MIT") today announced that -- in addition to the usual SAT, ACT, etc., standardized
    tests -- applicants to MIT will now also have to pass a Turing Test.

    ``The Turing test, developed by [famed English WWII codebreaker and
    computer scientist] Alan Turing in 1950, is a test of a machine's ability
    to exhibit intelligent behavior equivalent to, or indistinguishable from,
    that of a human.'' -- Wikipedia

    ``We've been overwhelmed by applications from robots,'' said Dr. Noah
    Gnurds, MIT Director of Admissions. Dr. Gnurds continued, "If we didn't
    filter out robot applications, our current acceptance ratio of 7.9% would be 10^-3 times as large. As it is, we send out ten times as many acceptance letters to robots as to human applicants. This new test will ensure that we admit people, not test scores."


    NYTimes reporter Ivy Leek asked, ``Is MIT's announcement related in any way
    to the recent 'Operation Varsity Blues' college admissions scandal?''

    ``Not really. We doubt that MIT will be implicated, because MIT doesn't
    admit applicants too stupid not to use Tor, Signal and untraceable
    blockchain cryptocurrencies for their legacies,'' Dr. Gnurds responded.

    When asked how these new Turing Tests would be administered, Dr. Gnurds
    said, ``Due to the substantial effort required to administer these tests,
    MIT has developed a new Artificial Intelligence/Machine Learning program in conjunction with IBM's Watson research effort. IBM believes that Watson can sniff out even the most sophisticated robots.''

    ``Isn't there some irony in utilizing a robot to test for robots?'' asked a reporter from MIT Technology Review. Noah replied, ``It takes one to know one.''


    Date: Mon, 1 Apr 2019 08:00:22
    From: Mark Thorson <eee@dialup4less.com>
    Subject: Russian interference alleged in mayor's election

    WASHINGTON DC (4/1/2019) -- Sources close to the recent Mueller probe leaked
    an unlikely finding in the investigation of Russian interference in U.S. elections. According to experts, social-media hackers engineered the upset victory of the mayor of a small city in Idaho. Vladimir Jackson won the top office of Moscow, ID, with an astounding 97% of votes cast. "The election
    had to be rigged," said Solomon Spaulding, owner and operator of Moscow Haircuts. "I know most everybody in town, and nobody I know voted for him."

    Jackson, originally from New York City, ran on a black separatist platform, which advocates the creation of an independent Afro-American state in a
    region that is presently in Idaho. Reached for comment, Jackson denied any illegitimacy in the election. "Isn't that the way it always is?" he asked. "When a white guy gets elected nobody says the election is rigged, but when
    a black guy gets elected people just assume it can't be kosher. Give me a break!"

    "There is no doubt that Russians exerted influence in the Moscow mayor's
    race," said an informed source on condition of anonymity. "What we don't
    know is whether it's because the town's name is Moscow, the candidate's name
    is Vladimir, or maybe they sought to sow discord by supporting black separatism." A spokesperson for the Russian embassy denied any involvement, saying, "Why do we care about mayor? We got bigger fish. This is only to
    make us look bad. We no do it."


    Date: Mon, 1 Apr 2019 18:46:08 -0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: ThickerThanWater[dot]com

    WASHINGTON, D.C. -- In a nationwide sting operation involving 600 federal marshals and over 20 FBI field offices, the Justice Department indicted the principals of ThickerThanWater.com (TTW), a startup specializing in human
    DNA analysis. The indictment also names intelligence and law enforcement personnel. TTW had planned their initial public offering the following week.

    TTW was a deep-state cover business established for one purpose: Create, manage, and monetize a vast human DNA database to accelerate cold-case
    closure, exonerate the wrongly convicted, and track foreign espionage
    sleeper agents.

    To promote these objectives, TTW funded a "blood bounty" program enlisting nearly 10,000 phlebotomists over a 9-month interval. Records show that each participating phlebotomist pocketed almost $500/day, at $5 per sample cash, with no questions asked by patients subject to routine blood extraction per hospital or doctor wellness visit.

    Dropoff locations reportedly overflowed with blood samples containing
    personal identifying information. Hospital administrators were blind to the blood sample tube inventory turnover; the extra consumables were never

    TTW's corporate charter sought to commercially exploit DNA telomeric extrapolation maps. These maps, when combined with Turing's tNose, enabled human exposome tracking.

    The exposome is the unique aroma, a scent-like fingerprint, that each person exudes from interactions between skin bacteria and pheromones. Telomeric extrapolation maps predetermine each person's mix of skin bacteria and pheromone, coupled to DNA replication and protein synthesis.

    Approximately 250 million DNA profiles were created by TTW and their army of phlebotomists-for-hire. Each profile was subject to real-time exposomal tracing. The Justice Department released a 2-minute video clip of TTW's SOC -- Smell Operation Center -- showing red, blue, and green exposomal tracks
    with metadata updates across a large tessellated display.

    A Justice Department spokeswoman refused to comment on cold-case closures, prisoner releases, or sleeper spy discoveries.

    "I thought I was being patriotic when TTW called," said Ann, a phlebotomist with 12 years of experience. "I figured that law enforcement and
    intelligence agencies needed the help. The bounty added up quickly. Of
    course, I reported every nickel of bounty-earned income on my taxes -- I
    kept sample records on my phone!"

    As TTW's CEO was perp-walked and frog-marched under police custody, she shouted, "Blood is thicker than water!"


    Date: Tue, 26 Mar 2019 12:05:58 -0700
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Electric seaplanes?

    I've lived around seaplanes all my life. At one point I spent a lot of time traveling up and down the coast in seaplanes, particularly Beavers. So I
    was very interested in this story about Harbour Air converting float planes
    to battery power.
    https://www.harbourair.com/harbour-air-and-magnix-partner-to-build-worlds-first-all-electric-airline/
    https://www.timescolonist.com/news/local/harbour-air-to-add-zero-emission-electric-plane-aims-to-convert-whole-fleet-1.23770626

    The initial conversion of a Beaver will be intriguing. I'll be fascinated
    when they get to convert an Otter (a candidate for world's noisiest
    aircraft) to electricity. (I know Harbour Air has a number of them.)

    I'll be wondering how well electric engines get along with salt water. Most
    of my flying time was at longer distances, so I'm curious about the
    half-hour range. (Although that's well within most of Harbour Air's
    scheduled flights.) I'll be interested in recharge time and reliability. (Harbour Air planes do tend to spend a lot of time sitting at the dock in
    the bay.) The complete changeover from turbine engine to electric infrastructure will be a non-trivial accomplishment.

    But, if it works, it could be pretty great ...


    Date: Tue, 26 Mar 2019 15:23:50 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: British Airways flight lands 525 miles away from destination

    https://www.usatoday.com/story/travel/news/2019/03/25/british-airways-flight-lands-525-miles-away-destination-scotland-london-germany/3267136002/


    Date: Tue, 26 Mar 2019 15:25:53 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Computer outage led to flight delays for some U.S. biggest airlines

    The outage affected American Airlines, JetBlue, and other major airlines.

    https://www.vox.com/the-goods/2019/3/26/18282767/sabre-outage-american-airlines-jetblue-alaska-delays


    Date: Thu, 28 Mar 2019 08:46:53 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: HTTPS Isn't Always As Secure As It Seems (WiReD)

    Widespread adoption of the web encryption scheme HTTPS has added a lot of
    green padlocks -- and corresponding data protection -- to the web. Almost all
    of the popular sites you visit every day likely offer this defense, called Transport Layer Security (TLS), which encrypts data between your browser and the web servers it communicates with to protect your travel plans,
    passwords, and embarrassing Google searches from prying eyes. But new
    findings from researchers at Ca' Foscari University of Venice in Italy and
    TU Wien in Austria indicate that a surprising number of encrypted sites
    still leave these connections exposed. https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/

    In analysis of the web's top 10,000 HTTPS sites -- as ranked by Amazon-owned analytics company Alexa -- the researchers found that 5.5 percent had potentially exploitable TLS vulnerabilities. These flaws were caused by a combination of issues in how sites implemented TLS encryption schemes and failures to patch known bugs (of which there are many in TLS and its predecessor Secure Sockets Layer). But the worst thing about these flaws is
    they are subtle enough that the green padlock will still appear.

    https://www.wired.com/2014/04/heartbleed-embedded/ https://www.wired.com/2014/10/poodle-explained/ https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

    "We assume in the paper that the browser is up to date, but the things that
    we found are not spotted by the browser," says Riccardo Focardi, a network security and cryptography researcher at Ca' Foscari University, who also co-founded the auditing firm Cryptosense. "These are things that are not
    fixed and are not even noticed. We wanted to identify these problems with sites' TLS that are not yet pointed out on the user side."

    The researchers, who will present their full findings at the IEEE Symposium
    on Security and Privacy in May, developed TLS analysis techniques and also
    used some from existing cryptographic literature to crawl and vet the top 10,000 sites for TLS issues. And they developed three categories for the
    types of vulnerabilities they found...



    Date: Mon, 1 Apr 2019 10:05:31 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Twitter Network Uses Fake Accounts to Promote Netanyahu (NYTimes)

    An Israeli watchdog group has discovered a network of hundreds of fake
    Twitter accounts, all promoting the candidacy of PM Netanyahu and his party, using exact wordings of the party's official messages. These accounts
    "like" and re-tweet each other, in an attempt to create the impression of
    large grass-roots support.


    Luckily, bots cannot actually vote (yet?)


    Date: Wed, 27 Mar 2019 07:33:42 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Lawmakers Scrutinize Timeline for Boeing 737 MAX Software Fix (WSJ)

    The basics of the safety change were first described to airlines and pilot groups last November

    https://www.wsj.com/articles/lawmakers-scrutinize-timeline-for-boeing-737-max-software-fix-11553601603


    Date: Thu, 28 Mar 2019 05:38:05 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Road safety: UK set to adopt vehicle speed limiters (bbc.com)


    "Under the ISA system, cars receive information via GPS and a digital map, telling the vehicle what the speed limit is. This can be combined with a
    video camera capable of recognising road signs."

    RISKS Trifecta: GPS spoofing, digital map inaccuracies, digital image recognition.


    Date: Wed, 27 Mar 2019 22:03:11 -0700
    From: Rich Wales <richw@richw.org>
    Subject: Russia Regularly Spoofs Regional GPS (DarkReading)

    A large-scale analysis of data has discovered widespread Russian government spoofing of the country's satellite navigation system. The findings
    underscore the dangers of relying on global positioning data.

    (This could also presumably lead to problems with Russian time enthusiasts
    using GLONASS for time synchronization in computer networks.)

    https://www.darkreading.com/risk/russia-regularly-spoofs-regional-gps/d/d-id/1334262


    Date: Sun, 31 Mar 2019 19:11:05 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Smart talking: are our devices threatening our privacy?
    (The Guardian)

    Millions of us now have virtual assistants, in our homes and our
    pockets. Even children's toys are getting smart. But when we talk to them,
    who is listening?

    https://www.theguardian.com/technology/2019/mar/26/smart-talking-are-our-devices-threatening-our-privacy


    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:


    End of RISKS-FORUM Digest 31.15


    ... After all is said and done, a lot more has been said than done.
    --- GoldED+/LNX 1.1.5-b20170303
    * Origin: Outpost BBS * Limestone, TN, USA (1:18/200)