• RISKS Digest 31.17

    From Sean Dennis@1:18/200 to All on Wednesday, April 10, 2019 17:40:47
    RISKS-LIST: Risks-Forum Digest Tuesday 9 April 2019 Volume 31 : Issue 17

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    The current issue can also be found at

    Additional software problem detected in Boeing 737 Max flight control
    system, officials say (WashPost)
    Not Just Airplanes: Why The Government Often Lets Industry Regulate Itself
    Makers of self-driving cars should study Boeing crashes (The Straits Times)
    Major US airlines hit by delays after glitch at vendor (The Boston Globe)
    Simulated Engine Failure Led To Crash (Russ Niles)
    Eyes on the Road: Your Car Is Watching (NYTimes)
    Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line
    Hospital viruses: Fake cancerous nodes in CT scans, created by malware,
    trick radiologists (WashPost)
    The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth? (Defense One)
    Backdoor vulnerability in open-source tool exposes thousands of apps to
    remote code execution (CyberScoop)
    Security analyst finds fake cell carrier apps are tracking iPhone location
    and listening in on phone calls (9to5 Mac)
    UK to keep social networks in check with Internet safety regulator (CNET)
    Should cybersecurity be more chameleon, less rhino? (bbc.com)
    This is not how the secret service should examine a USB stick (TechCrunch)
    Report: Official forgot secret arms-deal file at airport (Times of Israel)
    Hospital says patient info exposed after phishing incident (Boston Globe)
    DHS tech manager admits stealing data on 150,000 internal investigations,
    nearly 250,000 workers (WashPost)
    Online credit-card skimmer (WarbyParker)
    The engineering of living organisms could soon start changing everything
    (The Economist)
    Social media are divisive (WSN/NBC poll)
    The future of news is conversation in small groups with trusted voices
    (Chikai Ohazama)
    Why It's So Easy for a Bounty Hunter to Find You (NYTimes)
    Identity Theft -- Act Now to Protect Yourself (Kiplinger)
    Re: Are We Ready For An Implant That Can Change Our Moods? (Wol)
    Re: How a 50-year-old design came back (Wol)
    Re: New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (Wol, Amos Shapir)
    Re: Researchers Find Google Play Store Apps Were Actually Government Malware
    (Amos Shapir)
    Re: Huawei's code is a steaming pile... (Amos Shapir)
    Re: According to this bank, password managers are bad (Andrew Duane)
    Re: Is curing patients, a sustainable business model? (Toby Douglass,
    Chris Drewe)
    Abridged info on RISKS (comp.risks)


    Date: Thu, 4 Apr 2019 21:26:18 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Additional software problem detected in Boeing 737 Max flight
    control system, officials say (WashPost)

    The findings of the preliminary report in last month's airline crash
    increase the pressure on Boeing, which has announced the imminent rolling
    out of a new software fix for its most popular passenger plane. The
    grounding of the 737 Max 8 following similar crashes in Ethiopia and
    Indonesia has been a massive blow to one [...]





    Date: Fri, 5 Apr 2019 14:49:02 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Not Just Airplanes: Why The Government Often Lets Industry
    Regulate Itself (npr.org)


    "In fact, the acting director of the FAA told Congress it would take nearly
    $2 billion and 10,000 new employees for the agency to end its reliance on aircraft manufacturers to conduct their own certification tests."

    Carbon-extraction (oil/gas), chemicals, railroads, medical devices, food, surface vehicles, pharmaceuticals, aircraft, etc. are largely
    self-certifying industries subject to minimal Federal inspection and
    oversight: Uncle Sam finds proactive risk avoidance engagement to be too expensive.

    In the US, under a self-certification framework, financial and legal
    penalties are apparently sufficient to deter unsafe product sales or from capricious corporate operations that endanger public health and safety.

    "Peter Van Doren, a senior fellow at the libertarian CATO Institute, argues self-regulation has largely gone on unnoticed, because, with a few
    exceptions, it has been a success. 'In effect, the delegation of all this to experts and the lack of second-guessing about all this occurred because it
    was working.'"

    "Was working" is certainly correct in Boeing's case. Which self-regulating
    US industry will be next to earn the "was working" label and who will bear
    the lesson's burden?

    It is certainly true that "there is only so much risk avoidance you can do"
    per http://catless.ncl.ac.uk/Risks/18/19%23subj7.1
    For Boeing's 737 MAX, the risk avoidance practice was ineffective and failed.

    In contrast, the EU applies "precautionary measures" for regulation. See
    "Why Does the U.S. Tolerate So Much Risk?" in https://www.nytimes.com/2019/03/15/opinion/federal-aviation-administration-boei

    "As European policymakers have grown more willing to regulate risks on precautionary grounds, increasingly skeptical American policymakers have
    called for higher levels of scientific certainty before imposing additional regulatory controls on business," David Vogel, a political scientist at the University of California, Berkeley, wrote in a 2012 book on the divide, "The Politics of Precaution."


    Date: Fri, 5 Apr 2019 10:34:08 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Makers of self-driving cars should study Boeing crashes
    (The Straits Times)

    Brooke Masters byline in https://www.straitstimes.com/opinion/makers-of-self-driving-cars-should-study-b
    and via https://www.ft.com/content/d2c905d8-5473-11e9-91f9-b6515a54c5b1 Both behind paywalls.

    "The two disasters...should serve as a warning in other areas where
    technology is taking over part, though not all, of crucial tasks from human experts."

    As in-vehicle distractions multiply, drivers are challenged to maintain safe operation. Self-driving cars are supposed to eliminate distractions by relieving drivers of their operational role, save for command instructions
    like "Take me to the nearest supermarket."

    Masters suggests that human driving skills atrophy from neglect and
    disuse. Self-driving vehicle technology deployments will accelerate carbon-based driver skill erosion. Even supplemental, partial automation
    such as the Tesla "autopilot" feature, contributes to driving skill erosion.

    'The chief executive of Volvo Cars, Mr. Hakan Samuelsson, warned last week
    that introducing such semi-automation can be "irresponsible" and cause accidents when misplaced confidence leads to "over-reliance" by consumers.'

    In contrast, https://www.nytimes.com/2019/03/23/opinion/sunday/stick-shift-cars.html
    argues that with a manual transmission, both of the driver's hands and feet
    are actively occupied: no free digits for dialing, texting, audio tuning, environment adjustment, or navigation system interfacing.

    Vehicle manufacturers are phasing out manual transmission equipment options, replacing them with computerized continuously variable mechanisms.

    Long live the Four-on-the-Floor!


    Date: Thu, 4 Apr 2019 09:02:56 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Major US airlines hit by delays after glitch at vendor



    Date: Thu, 4 Apr 2019 23:56:36 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Simulated Engine Failure Led To Crash (Russ Niles)

    [The risk? Testing a risk...]

    The NTSB says a simulated engine failure on takeoff that turned into the
    real thing led to the crash of a STOL Aircraft UC-1 Twin Seabee into a house
    in Winter Haven, Florida, 23 Feb 2019. The crash killed instructor James
    Wagner while student pilot Timothy Sheehey was slightly injured and a young woman in the house was seriously hurt. Sheehey, a commercial pilot training
    for a multi-engine seaplane rating, told NTSB investigators that before
    takeoff, Wagner said he was going to reduce the power on one engine. When he chopped the power, the engine quit, the prop feathered and the engine
    couldn't be restarted.

    The report said Wagner headed for an emergency landing spot but determined
    he couldn't make it and turned left to land on a lake instead. He lost
    control and the airplane ended up tail-up vertically in the house. The
    impact knocked the woman in the house through an interior wall. The aircraft
    is based on the original single-engine Seabee but equipped with two wing-mounted Lycoming IO-360 engines.


    Date: Thu, 4 Apr 2019 23:14:17 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Eyes on the Road: Your Car Is Watching


    As more technology creeps into the front seat to help drivers, so too will systems that eavesdrop on and monitor them.


    Date: Wed, 3 Apr 2019 09:22:04 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Covert data-scraping on watch as EU DPA lays down 'radical' GDPR



    Date: Thu, 4 Apr 2019 16:38:39 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Hospital viruses: Fake cancerous nodes in CT scans, created by
    malware, trick radiologists (WashPost)


    "Researchers in Israel created malware to draw attention to serious security weaknesses in medical imaging equipment and networks."

    Risks: Misdiagnosis from hacked image artifact interpretation. Additional diagnostic radiation procedures elevate cancer potential. Unnecessary
    surgical procedures initiated by "ghost" tumors.

    X-ray film capture avoids digital image hacks, but operational logistics (storage and supply chain) apparently deter radiology from a technological rollback. If CT scans (and presumably MRI, PET, etc.) images are vulnerable
    to malware image hacks, shouldn't providers adopt mitigating strategies?


    Date: Wed, 3 Apr 2019 08:45:39 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth?

    *Step 1: Use AI to make undetectable changes to outdoor photos.*
    *Step 2: Release them into the open-source world and enjoy the chaos.*


    Worries about deep fakes -- machine-manipulated videos of celebrities and world leaders purportedly saying or doing things that they really
    didn't -- are quaint compared to a new threat: doctored images
    of the Earth itself. <https://www.defenseone.com/technology/2017/08/ai-will-make-fake-news-video-and

    China is the acknowledged leader in using an emerging technique called generative adversarial networks to trick computers into seeing objects in landscapes or in satellite images that aren't there, says Todd Myers, automation lead and Chief Information Officer in the Office of the Director
    of Technology at the National Geospatial-Intelligence Agency.

    ``The Chinese are well ahead of us. This is not classified info,'' Myers said Thursday at the second annual Genius Machines <https://www.defenseone.com/feature/genius-machines-ai-livestream/ summit, hosted by *Defense One* and *Nextgov*. ``The Chinese have already designed; they're already doing it right now, using GANs -- which are generative adversarial networks -- to manipulate scenes and pixels to create things for nefarious reasons.''

    For example, Myers said, an adversary might fool your computer-assisted
    imagery analysts into reporting that a bridge crosses an important river at
    a given point.

    ``So from a tactical perspective or mission planning, you train your forces
    to go a certain route, toward a bridge, but it's not there. Then there's a
    big surprise waiting for you,'' he said.

    First described in 2014 (https://arxiv.org/pdf/1406.2661.pdf), GANs represent a big evolution in the way neural networks learn to see and recognize objects
    and even detect truth from fiction... [...]



    Date: April 6, 2019 at 00:57:40 EDT
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Backdoor vulnerability in open-source tool exposes thousands
    of apps to remote code execution

    Roughly 28 million users have downloaded a malicious version of a popular open-source framework that masquerades as the real thing, but in fact gives
    hackers a back door into applications.

    A compromised version of the website development tool bootstrap-sass was published to the official RubyGems repository, a hub where programmers can share their application code. The open source security firm Snyk alerted developers to the issue Wednesday, advising users to update their systems
    away from the infected framework (version

    ``That doesn't mean there are something like 27 million apps out there using this,'' said Chris Wysopal, chief technology officer at app security company Veracode. ``[But] when you're using open source packages to build your applications, you're inheriting many of the vulnerabilities. But bootstrap-sass is a popular component used by enterprises and startups so there's potentially thousands of applications affected by this.''

    While the vulnerability is serious -- hackers can exploit it for remote code execution -- the issue also highlights how pervasive such flaws can become
    if they're not fixed quickly, according to application security experts. The 2017 data breach at Equifax was possible because the company did not act to resolve a flaw in the open source Apache Struts framework...
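    The defender's first question after an advisory like the one above is "which of our applications lock the affected gem version?". The Ruby script below is an added example, not code from the RISKS post, Snyk or the bootstrap-sass project: it parses the `specs:` block of a Gemfile.lock and reports gems pinned to a version in a local advisory table. The post truncates the affected version, so the table carries a clearly marked PLACEHOLDER version and the lockfile is a constructed sample.

```ruby
# Added example (not from the RISKS post, Snyk or bootstrap-sass): scan a
# Gemfile.lock for gems locked to versions listed in a local advisory table.
require 'set'

# Advisory table: gem name => set of known-bad version strings.
# The affected bootstrap-sass version is truncated in the post, so a
# PLACEHOLDER version is used here; replace it with the version from the advisory.
BAD_VERSIONS = {
  'bootstrap-sass' => Set['9.9.9'] # PLACEHOLDER, not the real affected version
}.freeze

# Parse the "specs:" block of the GEM section of a Gemfile.lock.
# Returns a hash of gem name => resolved version for directly listed gems
# (4-space indent). Their dependency lines (6-space indent) carry version
# constraints, not resolved versions, and are skipped.
def parse_lockfile_specs(text)
  specs = {}
  in_gem = false
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z]/) # section header: GEM, PLATFORMS, DEPENDENCIES, ...
      in_gem = (line == 'GEM')
      in_specs = false
      next
    end
    next unless in_gem
    if line == '  specs:'
      in_specs = true
      next
    end
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Return [[gem, version], ...] for every locked gem whose version is in the table.
def find_affected(lock_text, table = BAD_VERSIONS)
  parse_lockfile_specs(lock_text)
    .select { |name, ver| table.fetch(name, Set.new).include?(ver) }
    .to_a
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.5.1)
        execjs
      bootstrap-sass (9.9.9)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      execjs (2.7.0)
      sassc (2.0.1)
        ffi (~> 1.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = find_affected(SAMPLE_LOCK)
  if hits.empty?
    puts 'no gems locked at known-bad versions'
  else
    hits.each { |name, ver| puts "AFFECTED: #{name} #{ver}" }
  end
end
```

    Run it against each application's Gemfile.lock in CI; a non-empty result is the list of deployments that must be rebuilt on a clean version.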



    Date: April 9, 2019 at 01:11:01 EDT
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Security analyst finds fake cell carrier apps are tracking iPhone
    location and listening in on phone calls


    In yet another abuse of the enterprise distribution program, security
    analyst Lookout has identified apps (via Techcrunch) that were pretending to
    be published by cell carriers in Italy and Turkmenistan. The apps were available for iPhone users to download through Safari as they were signed by
    an enterprise certificate. These apps used carrier branding and pretended to offer utilities for the users' cell plans when in reality they would ask for every permission they could to track location, collect contact, photos, and more, and had the capability to listen in on users' phone conversations.

    Apps using enterprise certificates are not available through the App Store,
    but malicious criminals can target iOS users through Safari (perhaps with a phishing attack-esque email) and get people to download the app over the
    web, outside of the purview of the App Store review process.

    Essentially, when an app is distributed with an enterprise certificate,
    there is no accountability over what the app can do. When a developer
    applies for an enterprise certificate, Apple makes it plain that apps should only be delivered to employees of the enterprise and not used
    elsewhere. However, as it stands, there is very little Apple can do to
    enforce this beyond the policy of advisory language.

    This year, we have seen countless abuses of the enterprise system, including high-profile cases like operations at Facebook and Google. Apple revokes the certificate when it becomes aware of individual cases, but it's clear the company does not have the overall enterprise certificate program under
    control. In a future software version of iOS, Apple may impose stricter requirements to tighten the security screws on the enterprise program. The company is yet to commit to any such plans however.

    Certificates are often stolen or sold on, so licenses to the enterprise developer program that were once used legitimately are now being used nefariously. In the case of the app highlighted by Lookout, it appears to be linked to similar malware that existed on Android called `Exodus'...

    https://9to5mac.com/2019/04/08/iphone-tracking-security-carrier-apps/
    https://techcrunch.com/2019/04/08/iphone-spyware-certificate/


    Date: April 8, 2019 at 1:14:01 AM EDT
    From: geoff goodfellow <geoff@iconia.com>
    Subject: UK to keep social networks in check with Internet safety regulator

    Facebook, Twitter, YouTube and a whole bunch of smaller platforms will face huge fines if they fail to live up to their "duty of care" to Internet


    The UK government is taking a hard line when it comes to online safety, appointing what it claims is the world's first independent regulator to keep social media companies in check.

    Companies that fail to live up to requirements will face huge fines, with senior directors who are proven to have been negligent of their responsibilities being held personally liable. They may also find access to their sites blocked.

    The new measures, designed to make the Internet a safer place, were
    announced jointly by the Home Office and Department of Culture, Media and Sport. The introduction of the regulator is the central recommendation of
    the highly anticipated government white paper, published early Monday
    morning in the UK.

    The regulator will be tasked with ensuring social media companies are
    tackling a range of online problems, including:

    * Inciting violence and spreading violent content (including terrorist content)
    * Encouraging self-harm or suicide
    * The spread of disinformation and fake news
    * Cyber bullying
    * Children accessing inappropriate material
    * Child exploitation and abuse content

    As well as applying to the major social networks, such as Facebook, YouTube
    and Twitter, the requirements will also have to be met by file-hosting
    sites, online forums, messaging services and search engines.

    "For too long these companies have not done enough to protect users,
    especially children and young people, from harmful content," said Prime Minister Theresa May in a statement. "We have listened to campaigners and parents, and are putting a legal duty of care on Internet companies to keep people safe."...



    Date: Tue, 9 Apr 2019 16:19:34 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Should cybersecurity be more chameleon, less rhino? (bbc.com)


    Crypto-splitting or Morphisec. "Morphisec -- born out of research done at Ben-Gurion University -- has developed what it calls 'moving target
    security'. It's a way of scrambling the names, locations and references of
    each file and software application in a computer's memory to make it harder
    for malware to get its teeth stuck in to your system."

    Sounds like a kind of parallel random access machine, though the difference
    is static resource references (files, hard/soft links, URLs, etc.) are
    hashed, and randomized inside a virtual and possibly distributed address
    space pool to prevent malware detection and then manipulating the
    application or data for fun and profit.

    Risk: The malware can learn to do the same thing as the Morphisec stack. Alternatively, reverse engineer the run-time stack with Ghidra. Perhaps
    Mayhem can be trained for this purpose?


    Date: Tue, 9 Apr 2019 11:27:21 +0100
    From: Neil Youngman <neil.youngman@youngman.org.uk>
    Subject: This is not how the secret service should examine a USB stick

    It seems that the secret service are not advised to avoid plugging unknown/suspicious USB sticks into their laptops. The risks are all too obvious.



    Date: Tue, 9 Apr 2019 10:44:38 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Report: Official forgot secret arms-deal file at airport
    (The Times of Israel)


    Oops -- better repeat Tradecraft 101.


    Date: Tue, 9 Apr 2019 05:47:39 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Hospital says patient info exposed after phishing incident
    (Boston Globe)



    Date: Thu, 4 Apr 2019 21:33:01 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: DHS tech manager admits stealing data on 150,000 internal
    investigations, nearly 250,000 workers (WashPost)

    A Virginia woman pleaded guilty to conspiring with a former DHS acting inspector general.




    Date: Mon, 8 Apr 2019 20:33:27 -0700
    From: "Ralph Barone" <ralph.barone@shaw.ca>
    Subject: Online credit-card skimmer (WarbyParker)

    This online optician has an interesting online way to measure your pupillary distance online. You just take a picture of yourself with a magstrip
    equipped card beneath your nose, and their algorithms will compare the
    distance between your pupils to the known width of the card (85.60 mm) and
    tell you how far apart your pupils are. However, you are also very likely sending them a picture of the back of your credit card, with the embossed numbers and expiration date clearly visible, as well as your signature and
    CVV code for the card. So what do you figure the risk/benefit ratio is for that?



    Date: Mon, 8 Apr 2019 19:58:57 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: The engineering of living organisms could soon start changing
    everything (The Economist)


    The syn-bio field offers substantial promise for healthcare: effective
    cancer treatments, less expensive pharmaceuticals, etc. Carbon-neutral fuel sources (biofuels from bacteria) was an early investment target. The
    biofuel startups nose-dived on oil price decline.

    "That made investors very cautious about synthetic biology. But the field attracted a bit of support from some governments, such as those of Britain
    and Singapore. In America the Pentagon's far-out-ideas department, DARPA,
    which had taken an early interest, created a new office of biology in
    2013. Two years later it launched a programme that paid for leading laboratories in the field to put together pathways which could produce 1,000 molecules never created biologically before."

    Easy to imagine "The Andromeda Strain" arising from a syn-bio experiment
    gone wrong courtesy of a "repressilator" specification error or a synthesis programming error or malware assault.


    Date: Fri, 5 Apr 2019 12:13:12 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Social media are divisive

    Social-media services such as Facebook and Twitter do more to divide
    Americans than bring them together, according to a solid majority of respondents in a WSJ/NBC poll:



    Date: April 9, 2019 at 07:53:19 EDT
    From: Dewayne Hendricks <dewayne@warpspeed.com>
    Subject: The future of news is conversation in small groups with trusted
    voices (Chikai Ohazama)

    Techcrunch, Apr 7 2019 <https://techcrunch.com/2019/04/07/stuck-at-the-sushi-boat-bar-of-news/

    When I first came out to California, one of my favorite places to go for
    sushi was in downtown Mountain View. They had these little boats that would float around the bar, each carrying some sushi on a small plate. You just
    sat down and started picking out the ones you liked, and began eating --
    very efficient and also a little bit of fun.

    I feel like my news consumption these days is like those sushi boats. I sit down and the news just streams by and I pick out the articles I like and
    read them. Very efficient and also a little bit of fun. But I've been stuck
    at the sushi boat bar of news for far too long, watching the same imitation crab rolls go by. I need a better way to consume better information.

    As you probably guessed, that ``sushi boat bar of news'' is Facebook,
    Twitter and the like. The algorithmic nature of news feeds tends to target
    the lowest common denominator, and it can often pander to people's baser instincts. That being said, it does have its place, and provides a glimpse
    into what is capturing the general public's attention -- but it can't be the whole meal, and that is what it has become. It's like people who eat
    McDonald's for breakfast, lunch and dinner. It's tasty, addictive, but very unhealthy in the long term.

    So what can you do about it, how can you make a change?

    Email newsletters have been making a resurgence in popularity, but they are hard to manage and sort through. Christopher Mims of The Wall Street Journal tweeted about this problem:

    * If everyone has an email newsletter and someone gets the brilliant idea to
    consolidate them in one place where they can easily be followed or
    unfollowed wouldn't that realize the dream of an open standards-based,
    surveillance-free alternative to Facebook?

    And then Steven Sinofsky had a witty response:

    And let us name it is RSS.

    Indeed, another `old' technology like email that people have been
    gravitating toward as an alternative to get their daily news. Wired has proclaimed that ``It's time for an RSS revival'' and it has resonated with well-respected thought leaders like Brad Feld. But RSS has had a tumultuous past, mainly used by professionals who need to keep up with their respective industries, not by the average consumer.

    If email newsletters or RSS were to become the replacement, it would need a
    new approach or framework, not just a rehashing of past products. But that
    is only half the problem. In this day and age, we have become accustomed to having our friends and other people around when we read the news. Even if
    you don't make any comments yourself, news exists in a public conversation
    and people's reactions, whether they be from your friends or celebrities,
    are often part of the news itself.

    Now these public conversations can be very toxic and are the very reason
    people are fleeing and looking for alternatives, but I don't think people
    want to turn the dial to zero and go back to the days of reading the
    newspaper by yourself over breakfast. I think people still want others
    around -- they just want it to be safe and free from trolls.

    When the web first started taking off, information propagated via the web
    and hyperlinks, and that world was dominated by Google web search. As
    Facebook and Twitter grew into prominence, information started to propagate
    via social networks. And now people are starting to get more and more of
    their information via messaging, which is looking to be the next step in the progression. You can already see this transition happening in places like
    India with WhatsApp, where it is becoming a major source of misinformation.
    And there are interesting experiments out there like Naveen Selvadurai's
    README on Telegram, where he posts articles into a Telegram group.

    But for the most part there hasn't been much evolution or progress on the messaging side of the equation to adapt it to become more of an information propagation medium. It's still mainly about casual conversation and has
    little overlap with the ``news feed'' use case. But given how things are changing, now may be a good time to push the boundaries of what messaging
    could become. I think people are seeking relief from the barrage of social media, not knowing who to trust any more and wanting a better channel to the truth.

    I'm pretty confident that closing the circle to a closer, trusted group
    would be welcome by most people. It doesn't necessarily mean just friends,
    but it could include trusted experts or voices in the community that can
    help shepherd people through the noise and distractions. [...]


    Date: Tue, 2 Apr 2019 23:08:35 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Why It's So Easy for a Bounty Hunter to Find You (NYTimes)

    Wireless companies sell your location data. Federal regulators should stop them.


    Date: Sun, 7 Apr 2019 10:56:46 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: Identity Theft -- Act Now to Protect Yourself (Kiplinger)

    Identity thieves are more skilled at their nefarious craft than ever,
    more sophisticated.

    As new research on identity theft continues to roll in, it paints an
    unsettling picture of how good crooks are getting at their craft. Although
    the number of U.S. breaches fell in 2018, the number of records exposed containing sensitive, personally identifiable information (such as Social Security and financial-account numbers) spiked by 126% from the year before, according to a report from the Identity Theft Resource Center. ``That tells
    us thieves aren't committing less crime -- they're just getting better at
    it,'' says Eva Velasquez, president and CEO of the ITRC.

    One of the largest breaches disclosed last year was at Marriott
    International, which admitted in November that its Starwood guest
    reservation database had been hacked starting in 2014. That exposed up to
    383 million guest records (though the number of guests affected is likely smaller because of multiple records). Many records contained data such as passport numbers, addresses, dates of birth and, in some cases, customers' payment-card information. Quora, an online question-and-answer platform,
    also discovered a breach of account information including names, e-mail addresses and passwords of up to 100 million users. Hackers may try to enter stolen usernames and passwords into other sites -- say, those of banks or retailers -- in hopes that some customers reuse their log-in details across several accounts. ``The chances that some of those credentials will work on one or more other websites are exceptionally high,'' says Velasquez.

    Fortunately, none of those 2018 breaches involved Social Security numbers --
    a key piece of information a thief can use to run away with someone else's identity. But the 2017 Equifax data breach exposed the names, Social
    Security numbers, birth dates and other sensitive data of more than 145
    million Americans. Those bits of info are permanent pieces of your identity, and they may sit idle for years before a criminal puts them to work.

    The overall number of fraud victims fell significantly last year from 2017, thanks largely to a decline in fraud against existing credit and debit
    cards, according to a Javelin Strategy & Research report. But in both 2017
    and 2018, the number of victims who faced some liability for fraud more than doubled from 2016, and so did the victims' out-of-pocket costs. Incidents
    of fraud in which criminals open new financial accounts in a victim's name
    or take over existing non-card accounts, such as brokerage or retirement accounts, were well above historical levels in 2017 and 2018 and ``are much more difficult, and frequently expensive, for victims to resolve,'' says Javelin.



    Date: Sun, 7 Apr 2019 08:10:30 +0100
    From: Wols Lists <antlists@youngman.org.uk>
    Subject: Re: Are We Ready For An Implant That Can Change Our Moods? (npr.org,

    On 06/04/19 22:46, RISKS List Owner wrote:
    Without a randomized control trial to validate device efficacy, a cranial implant faces significant obstacles to achieve regulatory approval, gain widespread acceptance, and become commercially viable. Volunteers will be
    difficult to attract.

    Such devices already have approval, and are part of the neurologist's
    standard arsenal. And volunteers who feel they have nothing to lose are not hard to attract.

    Deep Brain Stimulation is a recognised treatment for Parkinson's dyskinesia
    -- indeed one of my friends has an implant -- and can be very effective. It
    has massively improved my friend's quality of life.

    Using it like a mind-enhancing drug to trigger mood-swings, though -- that's
    a very different kettle of fish. I can't imagine that being approved other
    than for people who suffer severe and sudden or uncontrollable depression - life-threatening depression.


    Date: Sun, 7 Apr 2019 08:30:20 +0100
    From: Wols Lists <antlists@youngman.org.uk>
    Subject: Re: How a 50-year-old design came back (Broadbeck, RISKS-31.16)

    This is true of most fighter aircraft designed since the mid-70s;
    it doesn't exactly have to do with shape complexity.

    A perfect example of this (although not a fighter aircraft) is the Hawker Harrier.

    Look at pretty much any aircraft from the 50s and earlier. The wings all
    slope upwards and outwards (dihedral) from the body. As the aircraft rolls, this increases the lift from the dropping wing, and counteracts the roll.

    Then look at the Harrier. Its wings slope DOWNward (anhedral), which means
    if it starts rolling, the roll will accelerate. This is typically countered
    by strong dihedral on the tail to give an aircraft minimum stability rather than negative stability as this gives best performance.

    But a very early example of this sort of thing is the Sopwith Camel, from
    1917. While it involved the engine, not the wings, level flight required
    firm left rudder. This killed a lot of novices who didn't realise that as
    soon as the aircraft lifted off it would promptly try and dive to the right, but in the hands of an ace they would nearly always turn right because even
    if you wanted to turn left it was far faster to go three-quarters right.


    Date: Sun, 7 Apr 2019 09:45:52 +0100
    From: Wols Lists <antlists@youngman.org.uk>
    Subject: Re: New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (TPR, RISKS-31.16)

    So, when Wallace-Wells talks of economic impacts, he cites a study
    3.7 degrees of warming to over $550 trillion of climate-related
    damage. Since $550 trillion is twice today's global wealth, the
    is that eventually rebuilding from the "n-th" superstorm will stop. We'll just abandon our cities or live within the ruin.

    I've been told it's impossible, but I'm afraid of a new "Noah's Flood". The probable explanation of the original story is that, 10,000 years ago the
    Rhine flowed into the Atlantic somewhere between Scotland and Norway,
    Britain was part of Europe, and farming was new-fangled technology in the fertile Indus plain between Europe and Asia. Then an ice dam in Canada
    failed due to global warming.

    A few short *months* later, the English Channel had appeared, the Rhine
    Estuary had become the North Sea, and the Indus plain had become the Black
    Sea. Farming spread rapidly because all the farmers had been evicted from
    their Garden of Eden, and they took the story of the flood with them.

    At the moment, a huge amount of Antarctic ice is held back by the -- I think
    -- Weddel ice sheet. It might not take much of a rise in sea-level to make
    that float such that it no longer holds back the glaciers, and a huge amount
    of ice could slide into the ocean.

    The recent Japanese tsunami breached a defense designed to withstand a
    10m surge. What would happen if the world suffered not a 10m surge, but
    a 10m rise over a couple of months? London would be gone. New York would
    be gone. Most international shipping would be gone -- the ports would be underwater. Much international communication would be gone -- how much
    critical infrastructure is located close to the coast?

    We wouldn't have to worry about the international refugee crisis -- most
    people wouldn't be able to flee far. I expect civilisation would recover
    from such a disaster pretty quickly, but part of the recovery would be
    lethal epidemics that make the Black Death look like a picnic -- that took out
    a third of Europe's population. If the world went down to 2 or 3
    billion, those that were left could live very comfortably. And the world
    would hopefully recover as our ability to mine fossil fuels will have
    been severely curtailed.


    Date: Mon, 8 Apr 2019 10:27:04 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (TPR, RISKS-31.16)

    The trouble with such books is that when the most extreme scenario does not happen (or is rather bad, but not outright catastrophic), there would be a
    lot of deniers who'd use it to declare "Global Warming is a hoax, we can go
    on polluting as usual".

    [That argument merely contributes to the hoax that "Global Warming is a
    hoax." However, there is a difference between anticipating the future and
    chronicling the past -- as in new findings on evolution, dinosaur
    extinctions, the effects of the monster meteor strike on the climate based
    on geological evidence. But those don't hinder the deniers. PGN]


    From: Amos Shapir <amos083@gmail.com>
    Date: Mon, 8 Apr 2019 10:28:51 +0300
    Subject: Re: Researchers Find Google Play Store Apps Were Actually
    Government Malware (Motherboard, RISKS-31.16)

    This gives new meaning to "hidden in plain site"...


    Date: Mon, 8 Apr 2019 10:54:46 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Huawei's code is a steaming pile... (Henry Baker, RISKS-31.16)

    The main fault of memcpy() and strcpy()-like functions is that they believe
    their input; but that might be dangerous only if such input originates
    externally and is not sanitized before use.

    IMHO most of the thousands of calls mentioned process data internal to the
    program, which is sure not to cause overflow or to have been injected with
    malicious code, and in any case is under the programmer's control and cannot
    be modified by external sources. But in some cases, it might take very
    sophisticated software analysis tools to identify the few truly risky calls.
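    An added example in C (not from the RISKS contributor or the report under
    discussion) illustrating the distinction drawn above: a copy from
    program-internal data whose size is fixed at compile time, beside a bounded
    copy for externally supplied bytes that validates the length before calling
    memcpy. The field size, label and sample inputs are constructed for the
    example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size record field filled from two sources. */
#define FIELD_SIZE 16

/* Source 1: data internal to the program. Its length is fixed at compile
   time, so "this cannot overflow" is a checkable fact rather than a belief:
   the static assertion fails the build if someone later enlarges the label. */
static const char INTERNAL_LABEL[] = "build-2019-04";
_Static_assert(sizeof INTERNAL_LABEL <= FIELD_SIZE, "label must fit field");

void fill_internal(char dst[FIELD_SIZE])
{
    memcpy(dst, INTERNAL_LABEL, sizeof INTERNAL_LABEL);  /* includes NUL */
}

/* Source 2: bytes that arrived from outside (network, file, argv). The
   function does not believe the input: it checks the length against the
   destination and rejects embedded NULs so the field's C-string length
   equals the byte count that was validated. Returns 0 on success, -1 on
   rejection; on rejection dst is left as an empty string. */
int copy_external(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0)
        return -1;
    if (srclen >= dstsz || memchr(src, '\0', srclen) != NULL) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);  /* srclen < dstsz was checked above */
    dst[srclen] = '\0';
    return 0;
}

int main(void)
{
    char field[FIELD_SIZE];
    /* Constructed inputs standing in for data read from an untrusted source. */
    const char *short_in = "hostname1";
    const char *long_in  = "this-is-far-too-long-for-the-field";
    int rc;

    fill_internal(field);
    printf("internal: %s\n", field);
    rc = copy_external(field, sizeof field, short_in, strlen(short_in));
    printf("short external: rc=%d field=\"%s\"\n", rc, field);
    rc = copy_external(field, sizeof field, long_in, strlen(long_in));
    printf("long external:  rc=%d field=\"%s\"\n", rc, field);
    return 0;
}
```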


    Date: Mon, 8 Apr 2019 09:45:57 -0400
    From: Andrew Duane <e91.waggin@gmail.com>
    Subject: Re: According to this bank, password managers are bad (Sheps,

    My company, a very high-tech established company, has a similar requirement
    for passwords: incredibly complex rules and length requirements and an absolutely mandated 6-month change period (else you get locked out of everything). Repeated attempts to get our IT security group to understand
    that multiple frequent change requirements are incompatible with developing good secure passwords have failed. Luckily, they are silent on password managers, which everyone here uses.


    Date: Sun, 7 Apr 2019 21:30:40 +0300
    From: Toby Douglass <risks@winterflaw.net>
    Subject: Re: Is curing patients, a sustainable business model? (RISKS-31.???)

    In a country which has some form of democracy, the public have the means
    to pressurise the Government to improve the health care system.

    I may be wrong, but I do not see this occurring in the world now or in the
    past for at least some decades.

    In the UK, the NHS has been providing poor care, and has been a political
    football, for as long as I can remember. In the US, tax relief on employer
    provided insurance, which I think a profoundly discouraging factor for
    patient health care, began around the same time, originating, if the chain
    of events is fully followed, in the wage freezes imposed by the State in the
    USA in WW2.

    I suspect they both persist for essentially the same reason. It may be extremely arrogant and egoistic to say this, and I may be utterly wrong, but
    I think in general people do not understand the nature and necessity of competition, and so when in situations where they receive an immediate
    benefit for the removal of competition ("free" health care in the UK, tax relief in the US) they prefer that benefit.

    The population as a whole is unable then to pressure the Government to
    improve the situation because they do not understand the situation, either
    to know what to do instead, or to have reason to bear the cost of the loss
    of the immediate benefit. The Government in turn cannot change the
    situation to improve competition, because people would lose their immediate benefit, and they get unhappy about that. Attempts by the State in the UK
    to change the NHS have been political suicide.

    Democracy, if it works by mass will, only works when that will has enough knowledge and intelligence to act effectively.

    On the other hand, if a company has a monopoly on a particular drug or
    treatment, then they can charge "whatever the market will bear". There is
    nowhere else for the sufferer to go.

    Yes and yes. Monopoly however is almost always enforced by the State. In
    the absence of patents, or excessively long patents, other companies rapidly introduce similar products.

    I see this as being an example of ordinary people being forced to endure. Patents were originally intended to last only for four years.

    The best way to get good health care is to take people who are passionate about caring for others (fortunately there are many such people to be
    found) and give them the freedom to do what they love doing.

    How does one choose these particular people? how does one choose the

    Setting this aside, to give them freedom, you must be giving them money.
    Where does the money come from?

    If it comes from the State, by taxation, then the State, by controlling the money, controls the health care system. That system will necessarily come
    to prioritize the needs of State -- all care primarily for the needs and concerns of those who pay their salaries and control their job security.

    Voters only very, very weakly control the State. Taxation is mandatory, and all they can do is every few years vote, which may switch between one party
    and one other party. Their influence over the practise of medicine, transmitted through the State, is both minimal and although I may be wrong,
    I think *also* mis-directed, given a lack of understanding of the necessity
    of competition, and in some cases, such as the UK and US, the loss of
    immediate benefit were competition to be introduced.

    The State, where it controls funding, will inexorably, inevitably,
    unavoidably, impose its own wishes upon the practise of medicine, and those wishes will reflect, in proportion to their strength and importance to the State, its own self-interest, politics often partisan, the self-interest of large companies with lobbying power, and the interest, I think often mis-directed, of the voting public.


    Date: Mon, 08 Apr 2019 22:13:40 +0100
    From: Chris Drewe <e767pmk@yahoo.co.uk>
    Subject: Re: Is curing patients, a sustainable business model? (R-31,13-16)

    As a Brit who 'enjoys' the National Health Service ("the envy of the
    world"), which I haven't needed to make much use of, I'm inclined to agree
    with this view. The good thing about the NHS is that we can be ill without having to worry about paying medical bills. The bad thing is that health treatment is something that we have done to us, with little say in the
    matter; the NHS can do a great job, but with the efficiency and user-friendliness expected of a taxpayer-funded monopoly. No matter how
    rich or poor we are, or how serious our medical problem is, we have to wait
    in line with everybody else for whatever service the NHS deigns to offer.
    As well as endless arguments about funding, the big difficulty with a free-on-demand service is the lack of a customer/supplier relationship as exists in other fields.

    Everybody needs something to eat and something to wear, but I've never heard
    a good argument that food and clothing should be issued to the populace free
    of charge by a government agency, and indeed groceries and garment sales are among the most dynamic sectors of the retail environment. In particular, people who work in supermarkets are not superhuman but are generally helpful and professional -- they have to be, because they know that keeping their
    jobs relies on customers wanting to buy stuff. By contrast, in the Stakhanovite world of non-commercial monopolies, everything depends on goodwill.

    [...] it can take a lot of time and effort to change government policy (this has been called "the long route of accountability") -- better to allow
    people to have a choice of service providers.


    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:


    End of RISKS-FORUM Digest 31.17

    ... Never have more children than you have car windows. - Erma Bombeck
    --- GoldED+/LNX 1.1.5-b20170303
    * Origin: Outpost BBS * Limestone, TN, USA (1:18/200)