• RISKS Digest 31.22

    From Sean Dennis@1:18/200 to All on Sunday, May 05, 2019 10:51:06
    RISKS-LIST: Risks-Forum Digest Saturday 4 May 2019 Volume 31 : Issue 22

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    The current issue can also be found at

    World's Top Internet User Taps Fake News Busters for Elections
    Wells Fargo and Post Office Horizon (Lindsay Marshall)
    Database Exposes Medical Info, PII Data of 137k People in U.S.
    (Bleeping Computer)
    Ladders Data Leak: Over 13M User Records Exposed Due To Cloud
    Misconfiguration (IBTimes)
    How angry pilots got the Navy to stop dismissing UFO sightings; UFO
    information not expected to go to general public, Navy says (Wash Post)
    This $1,650 pill will tell your doctors whether you've taken it.
    Is it the future of medicine? (WashPost)
    "Telecom giants battle bill which bans Internet service throttling for
    firefighters in emergencies" (ZDNet)
    UK Police Have a Message for Crime Victims- Hand Over Your Private Data
    NSA Reports 75% Increase in Unmasking U.S. Identities... (WSJ)
    New Documents Reveal DHS Asserting Broad, Unconstitutional Authority to
    Search Travelers' Phones and Laptops (EFF)
    Zero-day attackers deliver a double dose of ransomware -- no clicking
    required? (Ars Technica)
    Electronic Health Records and Doctor Burnout (Scientific American)
    Hertz, Accenture, and the blame game (Browser London)
    Monster screwup on dividends (Korea Herald)
    NSA-inspired vulnerability found in Huawei laptops (Bruce Schneier)
    Vodafone found hidden backdoors in Huawei equipment (Bloomberg)
    Vodafone denies Huawei Italy security risk (BBC)
    Re: Huawei's code is a steaming pile... (Keith Thompson, Dmitri Maziuk,
    phil colbourn)
    Re: Should AI be used to catch shoplifters? (Richard Stein)
    Re: A video showed a parked Tesla Model S exploding in Shanghai
    (Roger Bell-West)
    Re: A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions
    (Dan Jacobson)
    Re: An Interesting Juxtaposition (Gene Wirchenko)
    Re: Gregory Travis' article on the 737 MAX (Gregory Travis)
    Digital health ... (Rob Slade)
    Re: Is curing patients, a sustainable business model? (Toby Douglass)
    "Bernie Sanders wants you to expose your friends, Facebook-style" (ZDNet) Abridged info on RISKS (comp.risks)


    Date: Sat, 4 May 2019 10:00:56 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: World's Top Internet User Taps Fake News Busters for Elections

    ** Philippines' elections body cracks down on misleading posts*
    ** Media, academe team up to fact check election-related news*

    In the Philippines -- where 76 million Internet users stay online the
    longest in the world -- just a handful of people spend a few hours each day
    to fight fake news about the upcoming midterm elections.

    The Commission on Elections has formed a team of 10 government workers to
    spot and report misleading online posts to Facebook Inc., with whom the
    poll body has an agreement to quickly take down false information. Weeks
    before the May 13 elections, the group has already identified hundreds of
    fake news posts -- mostly those claiming ballots have been tampered with,
    or that the poll results are predetermined.

    ``What we're trying to do is to institutionalize this reporting process in a way that Facebook will not have any other recourse but to act on it,''
    Election Commission spokesman James Jimenez said in an interview. ``Fake
    news could affect how people see the credibility of the elections and the mandate of the winner.''

    Read more: What Happens When the Government Uses Facebook as a Weapon? https://www.bloomberg.com/news/features/2017-12-07/how-rodrigo-duterte-turned-f

    With more voters using social media now, the election body expects fake news
    to spread faster this time compared to the 2016 vote, when President Rodrigo Duterte won. Still, Jimenez said the team formed to fight fake news is not enough to adequately combat disinformation...



    Date: Fri, 3 May 2019 14:13:55 +0000
    From: Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
    Subject: Wells Fargo and Post Office Horizon

    I was recently asked by the BBC to comment on two `computer glitches', and, naturally, I turned to RISKS to get more information. I found to my surprise that neither seemed to have been mentioned. Here are links for the cases:



    Note that neither of these seem to be even remotely ┤glitches'.


    Date: Fri, 3 May 2019 21:25:56 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Database Exposes Medical Info, PII Data of 137k People in U.S.
    (Bleeping Computer)



    Date: Fri, 3 May 2019 21:27:20 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Ladders Data Leak: Over 13M User Records Exposed Due To Cloud
    Misconfiguration (IBTimes)



    Date: Thu, 2 May 2019 15:18:03 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: How angry pilots got the Navy to stop dismissing UFO sightings;
    UFO information not expected to go to general public, Navy says (Wash Post)

    [AND] https://www.washingtonpost.com/world/national-security/navy-no-release-of-ufo-i




    Date: Wed, 1 May 2019 14:26:17 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: This $1,650 pill will tell your doctors whether you've taken it.
    Is it the future of medicine? (WashPost)

    When the Food and Drug Administration approved in late 2017 a schizophrenia pill that sends a signal to a patient's doctor when ingested, it was
    seen not only as a major step forward for the disease but as a new frontier
    of Internet-connected medicine.

    Patients who have schizophrenia often stop taking their medicine, triggering psychotic episodes that can have severe consequences. So the pill, a 16-year-old medication combined with a tiny microchip, would help doctors intervene before a patient went dangerously off course.

    Seventeen months later, few patients use the medication, known as Abilify MyCite. Doctors and insurance companies say it is a case in which real-world limitations, as well as costs, outweigh the innovations that the medical industry can produce.

    In the case of schizophrenia patients, some doctors warn that Abilify
    MyCite could exacerbate the very delusions that the medication is designed
    to prevent.

    ``Patients who have a lot of paranoia might be uncomfortable with the idea
    of a medicine that is transmitting signals. The patient may be afraid to
    take it,'' said Richmond psychiatrist James Levenson. ``The science of this one is kind of ahead of the data.''

    The debate over Abilify MyCite underscores a dilemma American health care
    will increasingly face as the medical industry and Silicon Valley try to promote innovation. For decades, medicine has been effectively delivered through a few simple mechanisms: a pill, a cream, a nose spray, a needle.

    But in the hopes of improving outcomes further, the industry is turning to
    an array of new technologies against one of the biggest, and most human, challenges in treating disease: getting people to take their medicine in a consistent way.

    Companies are producing apps for substance abuse treatment, diabetes management, and heart and blood pressure monitoring at a rapid clip.
    Studies are underway for more digital pills to treat cancer, cardiovascular conditions and infectious disease.

    And while many of these may pass regulatory hurdles that show they're safe
    -- especially at a time when the Trump administration has been leaning into medical innovation and pushing back against excessive regulation -- doctors
    and insurers are not convinced that the technologies will so easily make
    the difference that the pharmaceutical industry is betting billions on.

    ``I think that these technologies have a lot of potential benefits, but it's going to be a question of evidence -- that they can demonstrate value to patients and payers,'' said Scott Gottlieb, who stepped down this month as
    FDA commissioner, a job in which he made approval of leading technology a hallmark.

    The first digital therapy to win FDA market clearance, Abilify MyCite's sensor-embedded pill remains off the market because of physician and
    insurance industry reservations.

    Now Maryland-based Otsuka Pharmaceutical, which makes the medication, may be able to jump-start its acceptance by offering it to mentally ill people who qualify for low-income government health insurance. Otsuka won approval from Virginia Medicaid authorities last month to begin coverage. The company also
    is starting a pilot program in Florida and is considering another in

    Otsuka considers itself a pioneer. Abilify is an older brand-name drug
    marketed by the company to treat schizophrenia and other serious mental illnesses. Abilify MyCite adds the electronic tracking component and, at
    $1,650 a month, costs almost 30 times as much as a 30-day supply of generic Abilify at a Costco pharmacy.

    Otsuka developed the treatment with Proteus Digital Health, a Silicon
    Valley company that markets the digital component. Proteus is pioneering
    its use in other therapies including cancer patients taking chemotherapy

    After the daily antipsychotic pill is swallowed, a digital sensor the size
    of a grain of sand (and made of copper, magnesium and silicon, which Proteus says are all found in food) transmits a signal when it comes into contact
    with stomach acid. The signal is captured by a patch worn on the patient's torso. The patch sends a signal to an app on the patient's smartphone. The
    app uploads data to a secure website for viewing by doctors. Otsuka has won special federal approval to provide smartphones ``with highly limited functionality'' to people who can't afford them.

    The goal is to solve a vexing problem: Schizophrenia patients often stop
    taking their medicine, triggering psychotic episodes that can have severe consequences. Abilify MyCite is supposed to help doctors keep track of
    which patients are staying on their medication. The app also allows
    patients to enter information about their mood.

    The approval led to debate among psychiatrists about the ethics of invasive monitoring for patients whose mental competency at times may be borderline. They raised questions about patients' autonomy, data privacy and ability to navigate the technical challenges of the system.

    But proponents say the medical need is so great that Abilify MyCite
    deserves a close look.

    Virginia state Sen. R. Creigh Deeds (D-Bath), who chairs a special mental health committee in the legislature, said he had not heard of the therapy
    until contacted by The Washington Post. But he said in an interview that he
    was intrigued by a technology that could help people like his mentally ill
    son, Austin `Gus' Deeds, 24, who slashed Deeds on the face in 2013 before taking his own life. Deeds said his son had stopped taking medication nearly
    a year beforehand. ``There is a need for people who are caregivers to make sure the person's taking the medicine, The other side of it is the civil liberty issue for the person who is sick.''

    Gus Deeds thought his medications ``made him less of who he was. It dumbed
    down his personality,'' Deeds said. But, he added, ``a person does not have
    the right to destroy their life, or the life of others.''

    He said he did not have an opinion on whether Virginia Medicaid should add Abilify MyCite to its list of approved prescription drugs.

    Otsuka emphasizes that no patient will be asked to use Abilify MyCite
    without showing a clear desire to do so. Schizophrenia patients who have paranoid feelings about ingesting a digital pill are unlikely candidates for the drug, the company said.

    ``It's unlike a pharmaceutical launch where you proactively blitz all the states. We're not doing that,'' said John Bardi, Otsuka's vice president
    for public affairs and digital business development. ``It's really about patients who want to improve their treatment goals. If they have any
    concerns, it's probably not the right solution for them.'' ...




    Date: Wed, 01 May 2019 10:15:03 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "Telecom giants battle bill which bans Internet service throttling
    for firefighters in emergencies" (ZDnet)

    [What a PR blunder by the telecom industry!]

    Charlie Osborne for Between the Lines | 26 Apr 2019
    The industry faced backlash following last year's wildfires and
    firefighter service throttling. https://www.zdnet.com/article/telecom-firms-battle-to-overturn-unthrottled-serv

    selected text:

    Internet service providers (ISPs) and telecom firms are fighting a bill
    which would force them to provide unfettered broadband services and prevent them from throttling data use in emergency situations.

    The proposed legislation is due to voted upon by California's Communications and Conveyance Committee next week.

    As reported by StateScoop, the bill -- introduced in February -- aims to prevent a repeat of what happened in summer 2018 during the Mendocino
    Complex Fire, one of the largest wildfires recorded in California's history.

    As firefighters from the Santa Clara County Central Fire Protection District fought to contain the fires, they found their Internet service drastically reduced, having been throttled in what Verizon Wireless later called a "customer support mistake."

    Such connectivity can be crucial in emergency situations to coordinate
    rescue and firefighting efforts. The fire department had an "unlimited" plan with Verizon, but Ars Technica reports this service was throttled to speeds
    of either 200kbps or 600kbps once 25GB -- the monthly cap -- was surpassed.

    Verizon said at the time that the company has an internal policy to remove "data speed restrictions when contacted in emergency situations," but this
    did not happen during the wildfires.

    To lift the throttling, instead, Verizon told the department to upgrade to a more expensive plan.


    Date: Wed, 1 May 2019 14:31:01 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: UK Police Have a Message for Crime Victims- Hand Over Your
    Private Data (NYTimes)

    The British police delivered a striking warning to crime victims on Monday:
    If you want the case to be pursued, be prepared to turn over personal data
    from your mobile phone, laptop, tablet or smart watches.

    ``Police have a duty to pursue all reasonable lines of enquiry,'' Assistant Commissioner Nick Ephgrave, the National Police Chiefs' Council lead for criminal justice, said in a statement. ``Those now frequently extend into
    the devices of victims and witnesses as well as suspects -- particularly in cases where suspects and victims know each other.''

    But the new policy raised concerns about potential invasions of privacy and
    the risk of discouraging people from reporting crimes, particularly
    offenses like sexual assault that are already underreported because victims fear being treated like the guilty ones.

    In many cases, the police already search digital trails, which can produce evidence that either backs up an accusation or casts doubt on it. Privacy advocates say that police departments often improperly download cellphone
    data from people they detain, without their knowledge or consent.

    Under the new approach, victims and witnesses will routinely be asked to
    sign a form saying that they consent to the police extracting data from
    their electronic devices, which can mean text messages, emails, contacts, social media records, Internet browsing history and more. Otherwise, the
    case might not proceed...



    Date: Wed, 1 May 2019 14:29:09 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: NSA Reports 75% Increase in Unmasking U.S. Identities... (WSJ)

    *The National Security Agency, responsible for electronic eavesdropping, disclosed the identities of people or entities that are normally redacted
    in intelligence reports*

    The National Security Agency revealed to federal agencies the identities of almost 17,000 U.S. residents or corporations whose information was
    collected under a foreign surveillance law in 2018, registering about a 75% increase in unmaskings over the previous year, according to an annual transparency report released Tuesday.

    The NSA, responsible for electronic eavesdropping, disclosed the identities
    of people or entities that are normally redacted in intelligence reports --
    in response to specific requests from other government agencies to reveal
    the identities, a process known as unmasking.

    In 2018, NSA said it unmasked 16,721 U.S. identities caught up in
    intelligence intercepts produced by a foreign intelligence law, the report said. It unmasked 9,529 in 2017 and 9,217 in a 12-month period across 2015
    and 2016.

    The surge in the number of unmaskings last year was fueled in part by an
    effort to determine the identities of victims of cyberattacks from foreign intelligence agencies, according to Alex Joel, head of civil liberties and transparency at the Office of the Director of National Intelligence which released Tuesday's report.

    Mr. Joel, in a call with reporters, said there were a number of varied
    factors -- including world events and evolving threats--that could result in statistical fluctuations in a given year for a certain type of surveillance.

    Unmasking is a term used when the identity of a U.S. citizen, lawful
    resident, or corporate entity is revealed in classified intelligence
    reports. Unmasking is designed to be only used for national-security
    reasons, such as helping officials assess intelligence by providing the identity of someone two foreign spies may be discussing on a call. But the process is governed by strict rules across the U.S. intelligence apparatus
    that make it illegal to use unmaskings for political purposes or to leak classified information...

    [...] https://www.wsj.com/articles/nsa-reports-75-increase-in-unmasking-u-s-identitie


    /35739e80-6b50-11e9-9d56-1c0cf2c7ac04 story.html


    Date: Wed, 1 May 2019 14:32:01 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: New Documents Reveal DHS Asserting Broad, Unconstitutional
    Authority to Search Travelers' Phones and Laptops (EFF)

    *EFF, ACLU Move for Summary Judgment to Block Warrantless Searches of Electronic Devices at Airports, U.S. Ports of Entry*

    BOSTON--The Electronic Frontier Foundation (EFF) and the ACLU today asked a federal court to rule without trial that the Department of Homeland Security violates the First and Fourth Amendments by searching travelers' smartphones and laptops at airports and other U.S. ports of entry without a warrant.

    The request for summary judgment https://www.eff.org/document/alasaad-motion-summary-judgment comes
    after the groups obtained documents and deposition testimony revealing that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement authorize border officials to search travelers' phones and
    laptops for general law enforcement purposes, and consider requests from
    other government agencies when deciding whether to conduct such warrantless searches.

    EFF Senior Staff Attorney Adam Schwartz: ``The evidence we have presented
    the court shows that the scope of ICE and CBP border searches is unconstitutionally broad. ICE and CBP policies and practices allow
    unfettered, warrantless searches of travelers' digital devices, and empower officers to dodge the Fourth Amendment when rifling through highly personal information contained on laptops and phones.''

    The previously undisclosed government information was obtained as part of a lawsuit, Alasaad v. McAleenan
    EFF, ACLU, and ACLU of Massachusetts filed in September 2017 on behalf of
    11 travelers--10 U.S. citizens and one lawful permanent resident=94whose smartphones and laptops were searched without warrants at U.S. ports of

    Esha Bhandari, staff attorney with the ACLU's Speech, Privacy, and
    Technology Project: ``This new evidence reveals that government agencies are using the pretext of the border to make an end run around the First and
    Fourth Amendments, The border is not a lawless place, ICE and CBP are not exempt from the Constitution, and the information on our electronic devices
    is not devoid of Fourth Amendment protections. We're asking the court to
    stop these unlawful searches and require the government to get a warrant.''

    The government documents and testimony, portions of which were publicly
    filed in court today, reveal CBP and ICE are asserting broad and unconstitutional authority to search and seize travelers' devices. The evidence includes ICE and CBP policies and practices that authorize border officers to conduct warrantless and suspicionless device searches for
    purposes beyond the enforcement of immigration and customs laws. Officials
    can search devices for general law enforcement purposes, such as enforcing bankruptcy, environmental, and consumer protection laws, and for
    intelligence gathering or to advance pre-existing investigations. Officers
    also consider requests from other government agencies to search devices. In addition, the agencies assert the authority to search electronic devices
    when the subject of interest is someone other than the traveler -- such as
    when the traveler is a journalist or scholar with foreign sources who are of interest to the U.S. government, or even when the traveler is the business partner of someone under investigation. Both agencies further allow officers
    to retain information from travelers' electronic devices and share it with other government entities, including state, local, and foreign law
    enforcement agencies.

    The plaintiffs are asking the court to rule that the government must have a warrant based on probable cause before conducting searches of electronic devices, which contain highly detailed personal information about people's lives. The plaintiffs, which include a limousine driver, a military veteran, journalists, students, an artist, a NASA engineer, and a business owner, are also requesting the court to hold that the government must have probable
    cause to confiscate a traveler's device.

    The district court previously rejected the government's motion to dismiss the lawsuit.


    The number of electronic device searches at the border has increased dramatically in the last few years. Last year, CBP conducted more than
    33,000 border device searches, almost four times the number from just three years prior. CBP and ICE policies allow border officers to manually search anyone's smartphone with no suspicion at all, and to conduct a forensic
    search with reasonable suspicion of wrongdoing. CBP also allows
    suspicionless device searches for a `national security concern'.
    [PGN-pruned for RISKS ...]


    For more information about this case: https://www.eff.org/cases/alasaad-v-duke https://www.eff.org/press/releases/new-documents-reveal-dhs-asserting-broad-unc


    Date: Thu, 2 May 2019 15:16:07 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Zero-day attackers deliver a double dose of ransomware -- no
    clicking required? (Ars Technica)

    *High-severity hole in Oracle WebLogic under active exploit for 9 days.
    Patch now.*


    Attackers have been actively exploiting a critical zero-day vulnerability
    in the widely used Oracle WebLogic server to install ransomware, with no clicking or other interaction necessary on the part of end users,
    researchers from Cisco Talos said on Tuesday.

    The vulnerability and working exploit code first became public two weeks
    ago on the Chinese National Vulnerability Database, according to
    researchers from the security educational group SANS ISC, who warned that
    the vulnerability was under active attack. The vulnerability is easy to
    exploit and gives attackers the ability to execute code of their choice on cloud servers. Because of their power, bandwidth, and use in high-security cloud environments, these servers are considered high-value targets. The disclosure prompted Oracle to release an emergency patch on Friday.

    On Tuesday, researchers with Cisco Talos said CVE-2019-2725, as the vulnerability has been indexed, has been under active exploit since at least April 21. Starting last Thursday -- a day before Oracle patched the zero-day vulnerability, attackers started using the exploits in a campaign to install `Sodinokibi', a new piece of ransomware. In addition to encrypting valuable data on infected computers, the malicious program attempts to destroy shadow copy backups to prevent targets from simply restoring the lost data. Oddly enough, about eight hours after infection, the attackers exploited the same vulnerability to install a different piece of ransomware known as GandCrab.

    No interaction required...



    Date: Fri, 3 May 2019 21:23:06 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Electronic Health Records and Doctor Burnout (Scientific American)

    [Beware of Dr. Burnout. He is notoriously unready. PGN]


    The essay cites numerous factors contributing to physician burnout, the the Agency for Healthcare Research and Quality (AHRQ) identifies: "family responsibilities, time pressure, chaotic environment, low control of pace,
    and the electronic health record."

    A few cherry-picked items from the essay follow. Attributed to the EHR, the author writes:

    "In 2013 the Journal of Emergency Medicine reported that, over the course of
    a 10-hour shift, resident physicians in a busy emergency room spent 28
    percent of their work time with patients and 43 percent on data entry,
    during which they made 4,000 keystrokes."

    These input keystrokes trace to patient outcome/care/administration metrics: "159 publicly available measures of outpatient care and that physicians
    spent 2.6 hours and staff 12.5 hours per week attending to them. Insurers
    and government massaged clinical and billing data with over 500 insurer and 1,700 government standards."

    "No matter how good your intentions, if you just keep piling onto a harried clinician's workday more stuff to do and more data to collect, you run the
    risk of actually making care worse, angering patients and alienating
    providers. Time pressure, chaotic environment, and low control of pace are
    all exacerbated by overzealous oversight via the EHR."

    The author suggests one technological fix to lighten clinicians' manual data entry load: "To date, no maker of an electronic health record has figured
    out how to do adequate justice to [patient] stories without sacrificing
    data. Automated transcription of dictated notes is a start. Artificial intelligence that can parse sentences and paragraphs into data should help a lot."

    Certain speech-to-text (STT) platforms advertise transcription success rates
    at 99% for certain vocabularies and contexts, with medical specialties of particular focus.


    "Error rates increase as the vocabulary size grows: e.g. the 10 digits
    'zero' to 'nine' can be recognized essentially perfectly, but vocabulary
    sizes of 200, 5000 or 100000 may have error rates of 3%, 7% or 45% respectively."

    Single word error rate and command success rate are two key metrics which
    are influenced by numerous usage/capability attributes:

    "Vocabulary size and confusability, speaker dependence versus independence, isolated, discontinuous or continuous speech, task and language constraints, read versus spontaneous speech, and adverse conditions."

    https://www.nejm.org/doi/abs/10.1056/NEJMp0910140 on early voice recognition/transcription. There are numerous commercial blogs that offer automated voice transcription systems. See https://blog.speech.com/2019/01/03/voice-recognition-and-the-electronic-health-
    for example.

    Risks: Patient outcome benefit by replacing manual data entry with speech-to-text (STT) transcription. Physician burnout reduction attributed
    to STT deployment v. manual data entry.

    Why not hire more physicians to unburden their clinical load? $, probably.


    Date: Thu, 2 May 2019 23:52:26 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Hertz, Accenture, and the blame game (Browser London)

    The author says:

    Either way, much of the reporting I've seen on this story has focused on the sheer cost of the works and made many excellent points suggesting that the business model of companies such as Accenture deliberately works to inflate fees once the client is already heavily committed. Beyond $7 million for
    the initial discovery work https://www.browserlondon.com/services/research-analysis/ doesn't
    say what the agreed contract fee was, but it does detail how -- once tied in
    -- Hertz was continually billed by Accenture for fixes or new technology of dubious value.

    What stands out to me, however, is the other aspect of this situation. How
    did the amount spent by Hertz balloon up to $32 million before a stop was called to the work?

    This highlights to me the fundamental issue many businesses seem to
    encounter when embarking on large projects that are not within their own
    core competency - namely their engagement with the day to day running of the project. After all, it wasn't until Hertz executive asked about progress on tablet views that the penny dropped that Accenture simply hadn't done many
    of the things Hertz has asked of it.

    I've read anecdotal evidence
    https://news.ycombinator.com/item%3Fid%3D19740706 on this project with Accenture, Hertz, in fact, fired much of its internal digital and
    developmental talent, handing over full control to Accenture. This, in my opinion, is its first (if not biggest) mistake.



    Date: Tue, 30 Apr 2019 00:30:34 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Monster screwup on dividends (Korea Herald)

    But someone screwed up. Instead of issuing a KRW1,000 per share dividend, the person in charge of hitting that button issued a 1,000 share per share dividend. As the Korea Herald reported, dividends offered to employees due
    to the `fat-finger' slip-up came to 112.6 trillion won (about $100
    million), over 40,000 times the intended value and 33 times greater than the company's market cap. Suffice it to say that, if the company couldn't
    reverse the error, the company would cease to exist once these 200 or so employees sold these phantom shares.

    http://www.koreaherald.com/view.php%3Fud%3D20180408000221 http://nowiknow.com/why-you-shouldnt-take-advice-from-a-board-game/


    Date: Mon, 15 Apr 2019 06:51:56 +0000
    From: Bruce Schneier <schneier@schneier.com>
    Subject: NSA-inspired vulnerability found in Huawei laptops

    CRYPTO-GRAM, April 15, 2019

    This is an interesting story of a serious vulnerability in a Huawei driver
    that Microsoft found. The vulnerability is similar in style to the NSA's DOUBLEPULSAR that was leaked by the Shadow Brokers -- believed to be the Russian government -- and it's obvious that this attack copied that

    What is less clear is whether the vulnerability -- which has been fixed --
    was put into the Huwei driver accidentally or on purpose.




    Date: Tue, 30 Apr 2019 15:24:55 -0700
    From: "Peter G. Neumann" <neumann@CSL.SRI.COM>
    Subject: Vodafone found hidden backdoors in Huawei equipment

    For more than a decade, executives, intelligence agencies and conspiracy theorists have been warning about the dangers of equipment from China's
    Huawei Technologies Co.

    And for almost as long, Huawei has denied that its telecommunications
    products pose any kind of security threat.

    The West has finally found its smoking gun. Yet it may not be enough
    to sway those on either side of the debate.

    As far back as 2009, Vodafone Group Plc -- one of the world's most powerful
    and far-reaching telecom companies -- found hidden backdoors that could have given Huawei access to its fixed-line network in Italy, Bloomberg News's Daniele Lepido reported Tuesday, citing security briefing documents from the London-based company.



    Date: Tue, 30 Apr 2019 11:53:53 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Vodafone denies Huawei Italy security risk (BBC)

    Vodafone has denied a report saying issues found in equipment supplied to it
    by Huawei in Italy in 2011 and 2012 could have allowed unauthorised access
    to its fixed-line network there.

    A Bloomberg report said that Vodafone spotted security flaws in software
    that could have given Huawei unauthorised access to Italian homes and businesses.

    The US refuses to use Huawei equipment for security reasons.

    However, reports suggest the UK may let the firm help build its 5G network.

    This is despite the US wanting the UK and its other allies in the "Five
    Eyes" intelligence grouping -- Canada, Australia and New Zealand -- to
    exclude the company.

    Australia and New Zealand have already blocked telecoms companies from using Huawei equipment in 5G networks, while Canada is reviewing its relationship with the Chinese telecoms firm.



    Date: Mon, 29 Apr 2019 18:53:09 -0700
    From: Keith Thompson <keithsthompson@gmail.com>
    Subject: Re: Huawei's code is a steaming pile... (Shapir, RISKS-31.21)

    Amos Shapir <amos083@gmail.com> writes:
    C does not force anyone to use strcpy() etc., it had always provided also similar length-limiting functions strncpy() etc.

    strncpy() is not a "safer" version of strcpy(), as I've discussed here: https://the-flat-trantor-society.blogspot.com/2012/03/no-strncpy-is-not-safer-s

    Even a length-limiting string copy function would not necessarily be
    "safe". Consider a copying operation that silently truncates

    "rm -rf /home/username/tmpdir"
    "rm -rf /home/user/name"


    Date: Tue, 30 Apr 2019 13:51:04 -0500
    From: Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
    Subject: Re: Huawei's code is a steaming pile ... (Ward, RISKS-31.21)

    First, nobody's *forcing* anyone to juggle chainsaws.

    Second, short answer is no, longer one is "define 'better'". Programming language is a tool just like a hammer: you can make one that won't hurt your thumb when you hit it. There will be a trade-off, though. Those trying to
    drive in nails might even call that trade-off "undesirable".

    (There is in fact a whole "c-minus" argument along the lines that modern
    C has already gone too far in the "thumb safety" direction.)

    Third, and on another tangent, the idea that computer programs are not aware
    of the larger context seems to a recurring motif in RISKS lately.

    The problem with "unsafe foo()-like functions" is whether the tool that classified it "unsafe" based on the context in which the function is
    invoked; if not, it may well be a false positive. Without knowing the specificity and sensitivity of the "safety" test, assertion that "22% of
    foo() invocations are unsafe" isn't really worth much, and if lack of
    context awareness is a systemic problem, it likely isn't.


    Date: Fri, 3 May 2019 14:01:17 +1000
    From: phil colbourn <philcolbourn@gmail.com>
    Subject: Re: Huawei's code is a steaming pile... (RISKS 31.16)

    If Cisco is correct (see https://blogs.cisco.com/news/huawei-and-ciscos-source-code-correcting-the-recor
    then Huawei's code may still be Cisco's code (or based on it).

    Comparing Cisco STRCMP and Huawei's [CODE]: ``It must be concluded that
    Huawei misappropriated this code.''

    ``Because of the many functional choices available to the Huawei developers (including three of their own routines), the fact that they made the same functional choice as Cisco would suggest access to the Cisco code even if
    the routines had implementation differences. The exactness of the comments
    and spacing not only indicate that Huawei has access to the Cisco code but
    that the Cisco code was electronically copied and inserted into [Huawei's] [CODE].''

    ``The nearly identical STRCMP routines are beyond coincidence. The Huawei [CODE] routine was copied from the strcmp routine in Cisco strcmp.c file.''

    Therefore, HCSEC [Huawei Cyber Security Evaluation Centre] should consider reviewing code of other manufacturer's equipment used in UK critical
    national infrastructure.

    If Cisco is correct, then Huawei's code may still be Cisco. https://blogs.cisco.com/news/huawei-and-ciscos-source-code-correcting-the-recor


    Date: Tue, 30 Apr 2019 18:54:34 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: Re: Should AI be used to catch shoplifters? (cnn.com, R 31 20))

    Busted! That is, I have been busted for expressing highly cynical and condescending, even snarky, remarks about AI deployment as a crime deterrent mechanism.

    A software stack that can accurately and consistently detect larceny or discriminate larcenous intent from a random customer pool, and then alert authorities, would be astonishing.


    The article mentions:

    1) The "VaakEye" algorithm was trained against 100K hours of
    store-captured surveillance video;
    2) A 77% reduction in shoplifting across 50 stores in Japan;
    3) Global retail shoplifting losses accrued to $34 billion in 2017.

    I will be convinced of VaakEye's product efficacy when/if statistics are published that confirm accuracy and consistency of larcenous detection, and show a sufficient reliability guarantee of false positive/negative findings. Sufficient means 3+ nines, preferably 4+ nines, of accurate and consistent theft detection.

    Until then, a big warning sign should be posted at the shop entrance that states something like:

    "These premises deploy automated shoplifting surveillance technology to
    deter stock theft. The surveillance captures and analyzes your shopping
    habits, including hand/arm motion between the stock items and your clothes and/or shopping cart/toke bag. Your facial profile is automatically
    constructed and mapped to improve future theft detection capabilities. We
    hope your shopping experience is pleasant. Come back again soon!"


    Date: Tue, 30 Apr 2019 09:14:17 +0100
    From: Roger Bell-West <roger@nospam.firedrake.org>
    Subject: Re: A video showed a parked Tesla Model S exploding in Shanghai
    (Stein, RISKS-31.21)

    But the energy density of petrol (gasoline) is over ten times as much (46.7MJ/kg), which is what makes it such a good fuel in the first place;
    and yet, somehow, parked conventional cars rarely catch fire.


    Date: Tue, 30 Apr 2019 19:27:25 +0800
    From: Dan Jacobson <jidanni@jidanni.org>
    Subject: Re: A 'Blockchain Bandit' Is Guessing Private Keys and Scoring
    Millions (WiReD via Meacham)

    "BM" -- Bill Meacham <bmeacham98@yahoo.com> writes:
    ... the odds of guessing a randomly generated Ethereum private key is 1
    115 quattuorvigintillion. (Or, as a fraction: 1/2256.) That denominator
    very roughly around the number of atoms in the universe. ... But as he

    I just see "1/2256" above. One in two thousand.


    Date: Tue, 30 Apr 2019 18:57:24 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: Re: An Interesting Juxtaposition (Wol, RISKS-31.21)

    "I think Gene should be blaming the expensive GPS's, not the cheap ones!
    Many of my colleagues use Google Maps or Waze because they're so much

    How about I blame them all?

    Google Maps has some, ah, interesting quirks.


    Date: Sat, 4 May 2019 00:23:39 -0400
    From: Gregory Travis <greg@littlebear.com>
    Subject: Re: Gregory Travis' article on the 737 MAX

    First, I am delighted to once again be a part of the RISKS community. Some
    may remember postings I made in the (very) early 1990s here, including a (humorous) sendup of the A320.

    Second, the point of my article was to convey to the lay public:

    1. Unlike previous 737 models, Boeing's 737 MAX 8 airframe could (and does)
    not meet the pitch stability and control force requirements of FAR part 25. 2. Boeing realized this fairly early in the development process with wind
    tunnel and computer simulations.
    3. Boeing determined that a fairly simple bit of software would make the
    problem "go away." Namely programming that took AOA input from a single
    (AOA) sensor and used that input to determine whether or not to drive the
    horizontal stabilizer trim.
    4. Later, during actual flight tests, it was determined that the pitch
    instability and control force problems of the airframe were far more
    serious than the early wind tunnel and simulations indicated (this is
    somewhat common in the industry).
    5. Conversely, the software was changed to MUCH more aggressively trim the
    horizontal stabilizer. In fact, it could drive the stabilizer to its
    mechanical stops in roughly 20-30 seconds.


    1. There is an inherent and deep engineering problem in any system that
    relies on a single sensor as input without any data validation,
    particular a system that can use that data to drive very large flight
    surfaces to their mechanical stops in seconds (I am sure some pedant will
    complain that the electric motor running the jackscrew has a different
    set of stops than the mechanical trim wheel. I am tired of responding to
    such irrelevant nonsense).
    2. What is often not mentioned is that Boeing explicitly changed the trim
    disconnect function for this system. It will not stop if the pilot exerts
    countering control force. This is a nonintuitive behavior for any pilot who
    are used to autopilots and electric trim automatic disconnects if the pilots
    exert a control force contrary to the direction of trim.
    3. Aerodynamic loads on the horizontal stabilizer can exceed a human's
    ability to move the stabilizer trim manually. Boeing has known this for
    nearly thirty years, yet they suggested a fix to the problem was to
    disconnect the electric trim (use the cutoff switches) and manually trim.
    As the Ethiopian Air pilots found out, that is impossible. Boeing knew


    1. Boeing intentionally hid the existence of this system (so that pilot
    training would not be required) not only from the line pilots flying
    revenue, but from its own test pilots.
    2. For example, the Master Minimum Equipment List (MMEL) for the 737 MAX
    makes no mention of the system. Although there are cockpit failure
    indications for the yaw damper, the speed trim system, the mach trim
    system, etc. there is no failure indication for MCAS.
    3. Angle of attack sensor failure is common, contrary to assertions
    otherwise. The service difficulty database has about 200 entries and that
    typically represents 5% of the real-world situation., Frozen water
    (heater failure) in the system is a very common failure cause.
    4. The 737 MAX MMEL allows the 737 MAX to take off with all angle of attack
    sensor heaters inoperative.even though Boeing knew that a single angle of
    attack sensor failure could render the aircraft uncontrollable with this
    5. In contrast, the MMEL for the A320 requires that at least two of the
    three angle of attack sensor heaters be operational before flight.


    1. All of this can be traced back to a change in Boeing's corporate culture
    that began with the McDonnell Douglas takeover of Boeing in 1997 (where they
    used Boeing's own money).
    2. Because the cultural change was most manifested in the tying of executive
    compensation to stock price, not revenue or other metrics. Stock prices
    are irrational, as John Maynard Keynes so famously noted and easily
    manipulated by statements from management that sound good to Wall Street
    but are devastating to the company's ability to create new products, build
    quality products, or even stay in business (as McDonnell Douglas
    3. 1&2, above, were enabled by regulatory changes, particularly the 2005
    change, that delegated virtually *all* certification from the FAA to Boeing

    Finally, I am delighted that some of the most substantive criticism of my article has been the inaccuracy of equating Lycoming pistons to dinner
    plates. Some people just don't get it, and never will.


    Date: Tue, 30 Apr 2019 15:56:10 -0700
    From: Rob Slade <rmslade@shaw.ca>
    Subject: Digital health ...

    So Gloria found, and read to me, an article on "digital nutrition." The
    term seems to be promoted by one Jocelyn Brewer, and is probably trademarked and copyrighted all to heck, even though is it just a variation on digital detox/digital vacation, with some "vary your online activity diet" thrown in for good measure.

    Martin Ward wrote:
    For those who still think that competition improves heathcare, consider
    drug naloxone hydrochloride. This is sold by five big pharmaceutical companies and demand is soaring, but far from driving the price down, the cost has soared:

    Martin Ward wrote:
    For those who still think that competition improves heathcare, consider
    drug naloxone hydrochloride. This is sold by five big pharmaceutical companies and demand is soaring, but far from driving the price down, the cost has soared:


    I tend to think more in terms of a healthy attitude to the net. The phrase "benign neglect" somehow seems appropriate.

    Every time I come across one of these pieces, it seems everyone is using the Internet differently than I am. Everyone else is madly glued to their smartphones and the apps on them. Mostly I use the computer, usually with a Web browser. At my desk. Everyone else gets alerted by their apps. I
    allow most of my apps to notify me, but the volume is turned way down, and often, when I'm out, I miss the notifications. Sorry for those who are desperately trying to reach me on Whatsapp, but I just haven't yet found
    that any of those missed notifications could have changed my life.

    I really wonder why I use the Internet so differently than most other
    people. I use the same social media applications. I just use them differently. I really like Twitter. To a certain extent I use it to follow some of my friends. But mostly I follow news sources. CBC, BBC, NPR, The Economist, Sydney Morning Herald, and others. And, of course, a number of sources of information security news. I use other news sources, of course,
    but Twitter gives me a bit more breadth. (Knowing that Twitter, like most social media, supports a kind of "bubble effect" of reinforcing views you already agree with, I deliberately follow some people I don't like, just to mess with the algorithm.)

    It's possible that it's because I've been on the Internet a lot longer than most people. I was using the Internet in 1983. At that time it wasn't even called the Internet, yet, and the population, as near as I can estimate, was about a thousand people. Social media was mostly mailing lists (mail was
    used for almost everything, including file transfers), with some people
    having various levels of access to Usenet. I had, perforce, to learn an
    awful lot about the underlying technologies, since it was extremely unlikely that I was going to find anyone to give me any help if I ran into any
    problems. This kind of background is not good if you want to continue to
    view each new social media app as a magical new toy. You tend to see each
    one as yet another database, with yet another new interface.

    Which tends to give you a different perspective. Instead of a new bandwagon
    to jump on, or group to join, you tend to think of new systems in terms of "what new information can I get here that I can't get elsewhere?" If I can
    get this info elsewhere, is it sufficiently worthwhile, in terms of
    accuracy, volume, or query granularity, to learn this new interface? (The answer, very often, is "no.")

    I love the Internet. I really do. I have, ever since I first discovered
    it. I hate it, almost to the point of feeling physical pain, whenever there
    is some new attack on it or through it. But I've got more than three and a half decades of experience on it. I know how important it is, and isn't. I know which parts are important, and which are temporary fads. (I get it
    wrong, sometimes. I admit it. One of my biggest mistakes was in thinking
    the World Wide Web was only another interface, like gopher. Why did we need it, when we had archie?) (Anybody remember gopher? Or archie? No, I
    didn't think so.)

    The Internet is great. It's informative, and entertaining. But it's not everything.

    And now I'm going to stop wasting time posting this, and go for a walk. In
    the sunshine.


    Date: Tue, 30 Apr 2019 22:40:14 +0100
    From: Toby Douglass <risks@winterflaw.net>
    Subject: Re: Is curing patients, a sustainable business model? (Ward, R-31.21)

    An increase in demand, all other things being equal, in a free market, leads
    to an increase in price. I may be wrong, and I certainly am not looking to
    put words in your mouth so you must correct me if I am mistaken, but I think perhaps what you may have in mind is that you expect, when demand increases, for supply to increase, and so for prices not to soar.

    from $0.92 a dose ten years ago up to $15.00 a dose. Why is
    this? Google "Opioid Crisis" for the answer.

    Given an increase in demand, in a free market, supply should increase.
    Although I may be wrong, when this does not happen, I always or almost
    always find it is due to a lack of competition, and that lack usually comes from State regulation. For example, why are there only a few big pharmaceutical companies? I may be wrong, but I think the answer is that regulation has led to enormous barriers to enter that market. New entry is basically impossible.

    Drug companies in the US spend tens of billions a year advertising drugs:
    how does this help anyone's health? The USA has some of the highest
    of anxiety and depression in the world:

    I suspect those living in repressive or violent countries, such as Venezuela
    or Ethiopia, or those countries where mass poverty leads hundreds of
    millions to live on one or two dollars a day, have a great deal more on
    their plates.

    It may be you have in mind *of comparable countries*, so first world Western countries. In this case, perhaps we are comparing on a scale of 1 to 100 a range which goes from say 10 to 15, with the USA at 15 and Venezuela at say
    80. I don't know, though, since I've never seen a study investigating this matter and so I've no idea how the research would be done, and so if it is credible.

    Finally, I would point out that happiness and unhappiness are not absolutes. People can be happy for the wrong reasons, and it would be better if they
    were unhappy, but living with their eyes open. I see some cultures where
    the people are when growing up and when educated inculcated with a certain social uniformity, with certain sets of beliefs, and so they fit better into the societies in which they live (Japan comes to mind -- the recent case
    where a girl with brown hair was instructed to dye her hair black so she
    would fit in with the rest of the class). This is really properly
    tantamount to mild brainwashing, since the infants and children on the receiving end have no choice in the matter, and so that it makes them
    happier as adults does not mean it is actually a good thing.

    I am of the view the USA, of all countries I know, has the most

    not surprising when you consider that the purpose of advertising is to
    make people more anxious and unhappy.

    I may be wrong, but I find it hard to imagine advertising is so effective
    that it is a primary factor in shaping the minds and characters of hundreds
    of millions of people. I suspect there are larger factors at work in
    people's lives, such as their health, income, job security and personal relationships with their family and partners.

    Naturally, the drug companies are ready with a handful of pills to
    the anxiety: followed by another handful to alleviate the side-effects
    from the first lot! A happy, contented population would be terrible for
    the drug companies bottom line: so must be averted at all costs.

    I think you could say the same about any advertising. Car companies wish
    for a population of people wholly unsatisfied with their current vehicle; a population happy with their current models would be a disaster! Cue demonic advertising to induce mass auto dissatisfaction.

    MacDonald's, similarly, dreads a world where people are satisfied with
    burgers from Burger King! cue massive advertising budgets to convince
    people they desperately need a Big Mac.

    I rather think most people have become very good at ignoring most

    A friend of mine once opined that advertising was a zero-sum game. If no
    one advertised, it would be the same as if everyone was doing it -- so if we could all trust each other never to advertise, we could use all that money
    for something else! the problem of course is that if even one company
    begins to advertise, then all must, or their sales go through the floor.
    Not sure if I agree or not, but it's interesting.

    Attempts to introduce competition into the NHS have been a disaster and, rightly, resisted by the public.

    Attempts to introduce competition into the Soviet economy were a disaster. However, attempts to run an economy (the Soviet economy again) without competition were also a disaster. It's entirely possible to fall between
    two stools. If you have for example a centralized, command economy, and you attempt to introduce competition, it's a disaster. The two are not
    compatible -- it's one or the other. However, if you try to run a large
    system or economy as a centralized, command economy, you find out it's staggeringly inefficient and just doesn't work, so actually it's not one or
    the other, it's competition only, because centralized control of any large system doesn't work as there are fundamental problems of incentives and information, to which no one has ever found a solution -- the Soviets
    certainty didn't, and the UK hasn't in the NHS either. You pump more and
    more money into these systems, for less and less output. (There are other problems too, such as a profound discouragement to technical innovation; you need to meet your targets, and the disruption from introducing new
    technology only hinders this.)

    How do you choose the people who are passionate about caring for others? Fortunately, they are largely self-selecting: you set up an organisation whose explicit purpose and top priority is caring for others. Pay enough
    for a comfortable living, but not so much that you attract those who are "just in it for the money".

    Whomever pays the money controls the organization, and it will, in the end,
    be shaped to meet their needs. If the State is paying the money, it will be held responsible for the performance of the organization, and it will consequently want to control that organization; there is no way, ever, under any circumstances whatsoever, that the State will take a hands-off approach
    and simply hand the money over. No State has ever done this, and no State
    ever will.

    When the State intervenes, it is unavoidable that control as it is from
    on-high fails utterly, purely to the law of unintended consequences, where a simple system attempts to control a complex system, even without considering the incredible blunders and appalling choices political control always inflicts, in pursuit of populism, votes, pork-barrel politics or simply hair-brained schemes.

    Finally, I must mention supply and demand and the pricing of wages for
    medical staff. The economy is large and complex. There are a multitude of different professions. All of these will then be priced by the market,
    except for medical care. What happens to the quantity and quality of the supply of medical staff if the "comfortable-living" wages chosen by the
    State are lower, or much lower, or if they are higher, or much higher, than comparable wages in other professions for the same investment of training
    and skill? you end up either with too many, perhaps far too many, or too
    few, perhaps far too few, people wanting to be doctors.

    Talking about people only coming into the profession because they care, I
    mean, how does this respond to and meet the actual level of demand for
    medical care? what if we actually *do* need to give people money to be doctors, so there are *enough* doctors? right now we live in a world with a massive shortage of doctors, because the supply of doctors is so tightly constrained by State regulation -- we find it hard to imagine a world where there could be a shortage of people actually *wanting* to become a doctor. However, if the pay for the profession is, compared to other choices, far
    too low, it would be so. You cannot say "people would come because they
    care" and then assume there would be enough people. There is no mechanism which links these two statements.

    This then leads to the problem of getting the price right -- of manually emulating the mechanism which the free market provides. The State is
    incapable of this, absolutely and totally, because there is too much information involved, and because of political meddling. This can be seen already in the UK, with the NHS. Nurses are paid the same, everywhere,
    except for an increment if they live in London. Those nurses living in the North do well, where living costs are lower. Those living in the South, and
    in London even with the increment, do badly and in the South, and in London, there is a chronic shortage of nursing staff and as such, heavy use of temporary staff. Teams which work together and know each other are more efficient, and morality rates in hospitals in the South and in London which heavily use temporary staff are consequently significantly higher -- people
    are *dying* because of this -- and this has never been fixed, and will never
    be fixed, because span-of-control problems dictate simple solutions.

    The State cannot handle large number of different options, because it is impossible to process the data involved (let alone whether anyone actually *cares* enough to solve this problem, or get past bureaucratic inertia).
    This is why the Soviets had collective farms; the system couldn't handle a
    few million farms of the correct size, but it could handle 50,000 or so enormous farms (which were fabulously inefficient -- far too big and this in fact, along with general economic stagnation, ultimately led to the collapse
    of the Soviet Union).


    Date: Tue, 30 Apr 2019 21:44:01 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "Bernie Sanders wants you to expose your friends, Facebook-style"

    Chris Matyszczyk for Technically Incorrect | 30 Apr 2019 https://www.zdnet.com/article/bernie-sanders-wants-you-to-expose-your-friends-f

    The Democratic candidate launches an app that asks users to snitch on the political beliefs of family, friends, and even strangers.

    [``even strangers'' is `even stranger'! ``odd strangers'' would
    certainly be uneven. PGN]


    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:


    End of RISKS-FORUM Digest 31.22

    ... I have never been hurt by what I have not said. - Calvin Coolidge
    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: Outpost BBS * Limestone, TN, USA (1:18/200)