Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 32.33

RISKS-LIST: Risks-Forum Digest  Saturday 24 October 2020  Volume 32 : Issue 33

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Air Force updates code on plane mid-flight (The Aviationist)
Alexa Causes Evacuation Panic in Boulder County, Colorado (William Kucharski)
Experts: Florida Voting Machines Ripe for Foreign Hackers (John Pacenti)
FDA Hid Names of Dietary Supplements Linked to Hundreds of Reports of Harm
  (Consumer Reports)
Censorship or Sensibility? (The Intercept)
Six Russians Tied to Hacks Around Globe (NYTimes)
We've collected tens of millions of posts to underground crime forums
  (Ross Anderson)
Exponential growth in DDoS attack volumes (Google)
The Contest to Protect Almost Everything on the Internet (Sara Castellanos)
Researchers find huge, sophisticated black market for trade in online
  'fingerprints' (techxplore.com)
Annoying-as-hell ransomware attack in Finland (mikko)
Adblockers installed 300,000 times are malicious and should be removed now
  (Ars Technica)
POTUS Twitter account reportedly hacked by Dutch whitehat (Volkskrant)
A shadowy AI service has transformed thousands of women's photos into fake
  nudes: ``Make fantasy a reality'' (WashPost)
The AI that spots Alzheimer's from cookie drawing (bbc.com)
Twitter is currently down, perhaps globally (Lauren Weinstein)
How does Google's monopoly hurt you?
  (WashPost)
DHS, USCIS to Modernize, Define the Collection of Biometrics (Thomas Kuhn)
Sony PS5 enables voice recording (The Verge)
Paleontologists See Stars as Software Bleeps Scientific Terms (NYTimes)
Ailments in Covid-19 Trials Raise Questions About Vaccine Method (Bloomberg)
Networking Theory and Superspreader Events (Rob Slade)
Some notes on publishing (Rob Slade)
Cochlear and bone conduction implants to mitigate hearing (Richard Stein)
'E.T.' 1982 Atari Game: The True Story Behind the Worst Video Game Ever
  (MelMagazine)
Re: Fifth of countries at risk of ecosystem collapse (Richard Stein)
Re: Why cars are more "fragile": more technology has reduced robustness (Wol)
Re: SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the World
  in 1 hour (David Alexander, Erling Kristiansen)
Re: A different way the news is dividing America (John Levine, Richard Stein,
  John R. Levine, Steve Bacher)
Re: Continuous glucose monitoring/insulin dosing systems (Richard Stein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 20 Oct 2020 13:14:38 -0400
From: Steve Klein
Subject: Air Force updates code on plane mid-flight (The Aviationist)

U.S. Air Force Performs First Ever Code Change On A Flying U-2 Spyplane
Running Kubernetes

Story: https://theaviationist.com/2020/10/19/u-s-air-force-performs-first-ever-code-change-on-a-flying-u-2-spyplane-running-kubernetes/

Comment: What could possibly go wrong?
------------------------------

Date: Mon, 19 Oct 2020 03:25:19 -0600
From: William Kucharski
Subject: Alexa Causes Evacuation Panic in Boulder County, Colorado

Due to a wildfire, the Boulder County, CO Office of Emergency Management
issued an evacuation order for a region and, to reach people who may have not
had power, they also had the NWS issue a civil evacuation message via NOAA All
Hazards Radio (typically used by NWS for severe weather, but its charter
includes dissemination of all official Government warning messages).

However, the WRSAME codes used to encode location data on AHR can only be
delineated down to a county or portion of a county. Normally this isn't an
issue, as the accompanying voice message broadcast on NOAA AHR gives further
information as to the nature of the hazard and the actions required.

However, third-party services like Amazon's Alexa only parse the geographic
area and the type of alert from the data header. This normally results in
people in the county being alerted that there is a Tornado Warning, for
example. However, this time this resulted in Boulder County residents as a
whole being warned by their Alexa devices that they needed to evacuate their
homes, causing confusion, fear and some panic.

It's hard to know how this could be fixed in the future without inserting a
human into the loop to listen to or read the actual message sent and intervene
accordingly.

https://www.boulderoem.com/issue-with-noaa-weather-radio-alert/

------------------------------

Date: Wed, 21 Oct 2020 12:05:06 -0400 (EDT)
From: ACM TechNews
Subject: Experts: Florida Voting Machines Ripe for Foreign Hackers (John Pacenti)

via ACM TechNews, Wednesday, October 21, 2020

Experts: Florida Voting Machines Ripe for Foreign Hackers
Government Technology (10/16/20) John Pacenti

Computer scientists have expressed concerns about the security of voting
machines used in 49 Florida counties.
Although election officials claim the machines are not vulnerable to remote
hacking because they are never connected to the Internet, the DS200 voting
tabulator uses a wireless connection to transmit results. Finnish computer
scientist Harri Hursti said the machine features software that operates like a
cellphone and uses Internet Protocol when connecting to the wireless network.
Princeton University's Andrew Appel said a hacker could penetrate a border
router from the Internet or by walking near a polling place with a Stingray, a
portable device that can capture data by mimicking a cellphone tower.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-279a2x225bc1x066052&

------------------------------

Date: Sat, 17 Oct 2020 19:44:07 -1000
From: geoff goodfellow
Subject: FDA Hid Names of Dietary Supplements Linked to Hundreds of Reports of
  Harm (Consumer Reports)

https://www.consumerreports.org/dietary-supplements/fda-hid-names-of-dietary-supplements-linked-to-hundreds-of-reports-of-harm/

------------------------------

Date: Mon, 19 Oct 2020 11:48:13 PDT
From: "Peter G. Neumann"
Subject: Censorship or Sensibility? (The Intercept)

Just weeks before the election, the tech giants unite to block access to
incriminating reporting about their preferred candidate. [...]

https://theintercept.com/2020/10/15/facebook-and-twitter-cross-a-line-far-more-dangerous-than-what-they-censor/

------------------------------

Date: Tue, 20 Oct 2020 12:52:31 PDT
From: "Peter G. Neumann"
Subject: Six Russians Tied to Hacks Around Globe (NYTimes)

Michael S. Schmidt and Nicole Perlroth, *The New York Times*, 20 Oct 2020
(front page, National Edition)

This article considers the charges that have just been unsealed relating to
"an aggressive worldwide hacking campaign that caused mass disruption and cost
billions of dollars attacking targets like a French presidential election, the
electricity grid in Ukraine and Internet access to the 2018 Winter Olympics."
John Demers (Asst AG for national security) is quoted: "Their cyberattack
combined the emotional maturity of a petulant child with the resources of a
nation-state."

------------------------------

Date: Fri, 16 Oct 2020 13:32:19 -1000
From: geoff goodfellow
Subject: We've collected tens of millions of posts to underground crime forums
  (Ross Anderson)

They're not just an amazing resource for research in cybersecurity and
criminology, but also for natural language processing:

https://www.lightbluetouchpaper.org/2020/10/15/three-paper-thursday-applying-natural-language-processing-to-underground-forums/

via https://twitter.com/rossjanderson/status/1317070576696123393

------------------------------

Date: Fri, 16 Oct 2020 13:27:49 -1000
From: geoff goodfellow
Subject: Exponential growth in DDoS attack volumes (Google)

Security threats such as distributed denial-of-service (DDoS) attacks disrupt
businesses of all sizes, leading to outages, and worse, loss of user trust.
These threats are a big reason why at Google we put a premium on service
reliability that's built on the foundation of a rugged network. To help ensure
reliability, we've devised some innovative ways to defend against advanced
attacks. In this post, we'll take a deep dive into DDoS threats, showing the
trends we're seeing and describing how we prepare for multi-terabit attacks,
so your sites stay up and running.

Taxonomy of attacker capabilities

With a DDoS attack, an adversary hopes to disrupt their victim's service with
a flood of useless traffic. While this attack doesn't expose user data and
doesn't lead to a compromise, it can result in an outage and loss of user
trust if not quickly mitigated.

Attackers are constantly developing new techniques to disrupt systems. They
give their attacks fanciful names, like Smurf, Tsunami, XMAS tree, HULK,
Slowloris, cache bust, TCP amplification, javascript injection, and a dozen
variants of reflected attacks.
Meanwhile, the defender must consider every possible target of a DDoS attack,
from the network layer (routers/switches and link capacity) to the application
layer (web, DNS, and mail servers). Some attacks may not even focus on a
specific target, but instead attack every IP in a network. Multiplying the
dozens of attack types by the diversity of infrastructure that must be
defended leads to endless possibilities. So, how can we simplify the problem
to make it manageable?

Rather than focus on attack methods, Google groups volumetric attacks into a
handful of key metrics:

- bps  network bits per second: attacks targeting network links
- pps  network packets per second: attacks targeting network equipment or DNS
  servers
- rps  HTTP(S) requests per second: attacks targeting application servers

This way, we can focus our efforts on ensuring each system has sufficient
capacity to withstand attacks, as measured by the relevant metrics.

Trends in DDoS attack volumes. [...]

https://cloud.google.com/blog/products/identity-security/identifying-and-protecting-against-the-largest-ddos-attacks

------------------------------

Date: Mon, 19 Oct 2020 12:04:59 -0400 (EDT)
From: ACM TechNews
Subject: The Contest to Protect Almost Everything on the Internet
  (Sara Castellanos)

Sara Castellanos, *The Wall Street Journal*, 7 Oct 2020,
via ACM TechNews, 19 Oct 2020

Hundreds of the world's leading cryptographers are participating in a
competition overseen by the U.S. National Institute of Standards and
Technology to develop new encryption standards for protecting online data
against classical and quantum-computing cyberattacks. The contest aims to
replace commonly used public-key cryptography methods by 2023, including the
popular RSA approach, whose basis on integer factorization makes it vulnerable
to quantum computers. Cryptographers warn that hackers could already be
harvesting massive amounts of data to decrypt, in anticipation of quantum
computers.
Among the most promising contest submissions are algorithms based on
mathematical lattices, which can resemble geometric shapes with more than
1,000 dimensions.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27924x225a4fx066851&

------------------------------

Date: Sat, 24 Oct 2020 09:28:14 +0800
From: Richard Stein
Subject: Researchers find huge, sophisticated black market for trade in online
  'fingerprints' (techxplore.com)

https://techxplore.com/news/2020-10-huge-sophisticated-black-online-fingerprints.html

"Impersonation-as-a-Service: Characterizing the Emerging Criminal
Infrastructure for User Impersonation at Scale" @
https://arxiv.org/pdf/2009.04344.pdf details "evidence of an emerging criminal
infrastructure enabling impersonation attacks at scale.
Impersonation-as-a-Service (IMPaaS) allows attackers to systematically collect
and enforce user profiles (consisting of user credentials, cookies, device and
behavioural fingerprints, and other metadata) to circumvent risk-based
authentication system and effectively bypass multi-factor authentication
mechanisms."

The authors attribute leaked credentials, phishing kits, and malware as key
attack strategies contributing to IMPaaS operations. Excellent detective work
and research reveal the scope and sophistication of this criminal enterprise,
a worrisome synthesis of technical skills and motivation to rake profit from
targeted individuals. The IMPaaS business model and life cycle is explored in
substantial detail.

------------------------------

Date: Sat, 24 Oct 2020 19:09:29 +0000
From: danny burstein
Subject: Annoying-as-hell ransomware attack in Finland (mikko)

Highly unusual ransom case underway here in Finland: a private psychotherapy
clinic was hacked, and the therapist notes for maybe even 40,000 patients were
stolen. Now the attacker has emailed the victims, asking each for 200 [euro's]
ransom in Bitcoin.
rest (thread, some in Finnish):
https://twitter.com/mikko/status/1320061214647439360

------------------------------

Date: Tue, 20 Oct 2020 20:44:23 -0400
From: Monty Solomon
Subject: Adblockers installed 300,000 times are malicious and should be
  removed now (Ars Technica)

https://arstechnica.com/information-technology/2020/10/popular-chromium-ad-blockers-caught-stealing-user-data-and-accessing-accounts/

------------------------------

Date: Thu, 22 Oct 2020 11:10:58 -0400
From: Richard Forno
Subject: POTUS Twitter account reportedly hacked by Dutch whitehat (Volkskrant)

Dutch Ethical Hacker Logs into Trump's Twitter Account
https://www.volkskrant.nl/nieuws-achtergrond/dutch-ethical-hacker-logs-into-trump-s-twitter-account~badaa815/

Last week a Dutch security researcher succeeded in logging into the Twitter
account of the American President Donald Trump. Trump, an active Twitterer
with 87 million followers, had an extremely weak and easy to guess password
and had, according to the researcher, not applied two-step verification.

On Friday morning, almost absentmindedly, Gevers tries a number of passwords
and their variations. On the fifth attempt: bingo! He tries `maga2020' (short
for make America great again) and suddenly finds himself in the Twitter
account of the American President. He is flabbergasted.

Gevers: ``I expected to be blocked after four failed attempts. Or at least
would be asked to provide additional information.'' None of that. On that
Friday morning, Gevers has access to what is perhaps the most important
Twitter account in the world and is in a position to send a message to 87
million people, the attentive world press, and government leaders.

Gevers: ``I did think: Here we go again.''

  [This item needs some verification. A screenshot is provided.]
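The control Gevers says he expected ("blocked after four failed attempts", or at least a request for additional information) is a per-account lockout with a step-up to a second factor. As an added example that is not from the Volkskrant article, from Twitter or from this digest, the Python below implements that check on the defender's side: it counts consecutive failures per account, refuses further attempts (even a correct one) once the limit is reached, and requires a second factor where the account has one. The limits, the function and class names and the sample account and passwords are this example's own assumptions.

```python
# Added example: per-account login throttling with lockout and MFA step-up.
# All policy numbers, names and sample credentials below are assumptions.
import hashlib
import hmac
import os
import time

MAX_FAILURES = 4            # lock the account after the fourth consecutive failure
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


class LoginThrottle:
    """Tracks consecutive failed logins per account and refuses further
    attempts, correct password or not, once MAX_FAILURES is reached."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the lockout expiry can be tested
        self._failures = {}          # username -> consecutive failure count
        self._locked_until = {}      # username -> unix time when the lock expires
        self._users = {}             # username -> (salt, pbkdf2 hash, mfa_enabled)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, username, password, mfa_enabled=False):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt), mfa_enabled)

    def attempt(self, username, password, mfa_code_ok=True):
        """Returns one of 'ok', 'bad-password', 'locked', 'mfa-required'."""
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"          # refused before the password is even checked
        record = self._users.get(username)
        # Hash against a dummy record for unknown users so timing does not
        # reveal whether the account exists.
        salt, stored, mfa = record if record else (b"\0" * 16, b"\0" * 32, False)
        candidate = self._hash(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if not ok:
            n = self._failures.get(username, 0) + 1
            self._failures[username] = n
            if n >= MAX_FAILURES:
                self._locked_until[username] = now + LOCKOUT_SECONDS
                self._failures[username] = 0
            return "bad-password"
        self._failures[username] = 0     # success resets the counter
        if mfa and not mfa_code_ok:
            return "mfa-required"        # a right password alone is not enough
        return "ok"


def demo():
    """Constructed scenario: four wrong guesses, then the right password.
    The lock set by the fourth failure rejects the fifth attempt."""
    throttle = LoginThrottle()
    throttle.register("example_account", "correct horse battery staple")  # constructed
    results = [throttle.attempt("example_account", guess)
               for guess in ("guess1", "guess2", "guess3", "guess4")]
    results.append(throttle.attempt("example_account", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the fifth attempt is refused before the password is compared at all, so a lucky guess at that point gains nothing, and that a correct password on an account with a second factor still returns `mfa-required`. A production deployment would also throttle per source address and alert on the lockout, neither of which the example attempts.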
------------------------------

Date: Tue, 20 Oct 2020 17:46:39 -0400
From: Monty Solomon
Subject: A shadowy AI service has transformed thousands of women's photos into
  fake nudes: ``Make fantasy a reality'' (WashPost)

More than 100,000 photos of women have had their clothing removed by the
software, including of girls younger than 18.

``Would a lab not dominated by men have been so cavalier and so careless about
the risks?''

https://www.washingtonpost.com/technology/2020/10/20/deep-fake-nudes/

------------------------------

Date: Fri, 23 Oct 2020 10:34:22 +0800
From: Richard Stein
Subject: The AI that spots Alzheimer's from cookie drawing (bbc.com)

https://www.bbc.com/news/technology-54538228

"The AI model, developed by IBM Research and pharmaceutical giant Pfizer, uses
natural language processing to analyse short excerpts of speech taken from the
Cookie Theft cognitive test. The test, used for many years in the diagnosis of
dementia and other cognitive illnesses, asks people to describe what they see
in the picture.

"The AI spotted subtle changes to language, such as grammatical errors and
different sentence structure, which indicate cognitive decline."

https://www.researchgate.net/publication/332061806_Describing_the_Cookie_Theft_picture_Sources_of_breakdown_in_Alzheimer's_dementia
explains Cookie Theft test merit and apparent success: "Speech-language
pathologists routinely use picture description tasks to assess expository
discourse in clients with disorders such as aphasia and dementia."

https://catless.ncl.ac.uk/Risks/search?query=speech+recognition&evol=1&lvol=32
reveals 37 prior comp.risks submissions and replies. Speech can be used as a
bio-marker to assist neurological health assessment. See
https://en.wikipedia.org/wiki/Speech_disorder. Automated speech recognition
has at least a 5% false positive/false negative conversion-to-text error rate.
Applying this technology to indicate dementia or Alzheimer's risks appears
convenient, especially if there's a deficit of specialized and qualified
personnel. As a definitive diagnostic tool, there's much to improve. The essay
acknowledges deficiencies.

------------------------------

Date: Thu, 15 Oct 2020 15:04:13 -0700
From: Lauren Weinstein
Subject: Twitter is currently down, perhaps globally

Twitter is currently down, perhaps globally

------------------------------

Date: Tue, 20 Oct 2020 01:17:52 -0400
From: Gabe Goldberg
Subject: How does Google's monopoly hurt you? (WashPost)

Right under our noses, the Internet's most-used website has been getting worse.

https://www.washingtonpost.com/technology/2020/10/19/google-search-results-monopoly/

------------------------------

Date: Sat, 17 Oct 2020 15:05:02 -0400
From: Thomson Kuhn
Subject: DHS, USCIS to Modernize, Define the Collection of Biometrics

  [Unfortunately, the comment period has closed.]

*The proposed rule would authorize biometrics collection for identity
verification in addition to new techniques. Voice, iris and facial recognition
technologies are fast, accurate ways to confirm the identity of an applicant
that don't require physical contact. The proposed rule also authorizes DHS to
collect DNA or DNA test results to verify a claimed genetic relationship when
the applicant or petitioner is unable to provide sufficient documentary
evidence to establish the claimed relationship. Using DNA or DNA test results
to help establish *family units* would help petitioners and DHS verify claims
of genetic relationships and keep adults who are in custody from
misrepresenting themselves as biological parents of minors who are not related
to them.
By using DNA or DNA tests to establish bona-fide genetic relationship between
adults and minors in DHS custody, DHS can better protect the well-being of
children.*

https://www.dhs.gov/news/2020/09/01/dhs-uscis-modernize-define-collection-biometrics

------------------------------

Date: Sat, 17 Oct 2020 14:44:56 -0700
From: Henry Baker
Subject: Sony PS5 enables voice recording (The Verge)

"Anything you say in a voice chat *could* be sent to Sony without your
explicit consent"

"It doesn't seem as if Sony is actively listening to *all* of your
conversations you're having with your pals"

Is it just me, or do others think that this 'feature' may run afoul of many
*state laws* regarding the consents necessary for the recording of
conversations?

Jay Peters @jaypeters, *The Verge*, 14 Oct 2020
Sony will let PS5 owners record their voice chats and snitch on fellow players
The perhaps unwelcome feature arrived as part of the PS4's 8.0 update
https://www.theverge.com/2020/10/14/21516928/sony-ps5-playstation-5-owners-record-listen-voice-chats-moderation-4-8-0-software-update

Some PlayStation 4 users who downloaded the latest 8.0 update got an unwelcome
surprise this morning: their console informed them that Sony had the right to
record their voice for moderation purposes. Here are some examples:

  Not only did sony break every ps4 due to how bad the update was, they're
  even recording us #PS4 pic.twitter.com/006eQznRdf
  -- Mini (@_Minii17) October 14, 2020

  So apparently, in case y'all didn't know this beforehand. But apparently
  the newest Sony update to the PS4 and will continue onto 5 will be
  recording your voice while in party chat. pic.twitter.com/T0VIbwIpZe
  -- TSN | Ittarra BooOda : Still recovering (@IttarraOda) October 14, 2020

Initially, the update's release notes contained no mention of voice
recordings. But at some point today, Sony clarified what the messages meant in
an update to its official blog post.
Here is Sony's exact language:

  Following this update, users are seeing a notification about Party Safety
  and that voice chats in parties may be recorded. Voice chat recording for
  moderation is a feature that will be available on PS5 when it launches, and
  will enable users to record their voice chats on PS5 and submit them for
  moderation review. The pop up you're seeing on PS4 right now is to let you
  know that when you participate in a chat with a PS5 user (post-launch),
  they may submit those recordings from their PS5 console to SIE.

To translate that statement, it seems that by joining a voice chat, even with
the older PlayStation 4, your voice can be recorded and submitted to Sony for
moderation by another user. This could certainly be invasive -- in theory,
anything you say in a voice chat could be sent to Sony without your explicit
consent. But the feature could also be a useful tool to help people report bad
party members that may be harassing them. Based on Sony's language, it doesn't
seem as if Sony is actively listening to all of your conversations you're
having with your pals during your latest rounds of Fall Guys.

The 8.0 software also changes the way parties and messages work and adds new
avatars, parental communication controls, and support for authenticator apps
for two-factor authentication. And in another move to prepare for the PS5's
launch, Sony has rebranded the PS4 Remote Play mobile, Mac, and PC apps to PS
Remote Play, and you'll be able to use the app to connect to a PlayStation 5
when the new console launches next month.
------------------------------

Date: Mon, 19 Oct 2020 05:42:34 -0400
From: Jan Wolitzky
Subject: Paleontologists See Stars as Software Bleeps Scientific Terms (NYTimes)

https://www.nytimes.com/2020/10/18/science/paleontology-banned-words-convey.html

------------------------------

Date: Sat, 17 Oct 2020 19:43:23 -1000
From: geoff goodfellow
Subject: Ailments in Covid-19 Trials Raise Questions About Vaccine Method
  (Bloomberg)

https://www.bloomberg.com/news/articles/2020-10-17/ailments-in-covid-19-trials-raise-questions-about-vaccine-method
or
https://www.msn.com/en-us/health/medical/ailments-in-covid-19-trials-raise-questions-about-vaccine-method/ar-BB1a7yuE

------------------------------

Date: Sat, 17 Oct 2020 11:23:18 -0700
From: Rob Slade
Subject: Networking Theory and Superspreader Events

Recently there has been a great deal of concern about the exact
interpretation of rules about how many people you can have at your dinner
party, or wedding, or funeral, or school classroom (or funeral following a
dinner party). Journalists are tasking medical experts for precise numbers.
People are saying they won't follow *the rules* because they aren't clear.
That's kind of like saying that you won't wear warm clothes when you go out
because the weather forecast is predicting five to thirty millimetres of
rain, and that isn't explicit enough.

Very few people understand formal, mathematical, networking theory, including
many of those who work in the field of networking. This seems to be the basis
of a great deal of the misunderstanding or objection to limitations on
gathering numbers.

First of all, the more people you are in contact with, the greater your risk
of getting this (or any other communicable) disease. The closer the contact,
the greater the risk. The longer the contact, the greater the risk. This is
basic. Location, duration, relation.

In regard to numbers, *the rules* are different in different places. And they
are *best guess* advice.
Nobody can say that a dinner party of six is safe, but a dinner party of seven
will result in someone getting CoVID. However, let's take six as an example.

You can have a dinner party with five other people. That's probably OK. But if
you then have another five people over for dinner the next night, and then
five more over the night after that, by the end of two weeks (which is a good
period to consider because it is widely acknowledged as the rough estimate of
when most people will be infectious) you will have had dinner with seventy
people. Six people might be relatively safe. Seventy people is definitely
getting dangerous. Keeping your individual party small is not terribly safe if
you keep having a lot of different parties.

And that's just basic numbers, even before we start to add in the real
networking aspects. If you have five people over for dinner, were each of
them out to dinner with five other people the night before? You now have
indirect contact with twenty-five people with your small dinner party. And if
we go back to the day before that, you then have third-party contact with one
hundred and twenty-five people. (By the time we get back two weeks, you are
almost exceeding the population of the planet.) In terms of sexually
transmitted infections, it is often said that whenever you have sex with
someone, you have sex with everyone they ever had sex with. That is the way to
think about how safe your small party is.

And that's just dinner. If anyone in any of those circles plays football, that
adds contact with twenty-five more people, closely, and breathing very
heavily, for every practice, and fifty for every game. Where do any of those
people work? And, if still working, does their work environment involve
people/not many people, masks/no masks, partitions/no partitions?

And then there are the *bubbles*. Originally, bubbles referred to your
household, and the people you couldn't avoid having contact with.
Then people started to talk about expanding the bubbles, so that you could
pick one other family, or household, to bubble with, to safely (and even
that's questionable) expand your social circle. After all, if you are taking
precautions, and the one other family is taking precautions, then it should be
reasonably safe.

The thing is, when talking about expanding the bubbles, people immediately
forgot that *one other* aspect. One other family might be safe. It's
manageable. You know what's going on in that one other family. But as soon as
you get beyond one other, all bets are off. If you bubble with only two other
bubbles, and each of them bubbles with two others, then indirectly you are
connected with four other bubbles. And if each of them is doing two bubbles,
then at third hand ...

Most of us humans aren't good at numbers. We can usually “see” seven items.
Anything more than that is just “a lot,” and we have only a vague idea of how
big anything is beyond that. By dint of practice, we learn arithmetic, but,
aside from a relative few, it never really comes naturally to us. And
exponential growth in numbers is something that seems to be beyond our
immediate comprehension. This becomes very dangerous when we are faced with
having to make decisions, literally life and death decisions, about how big of
a network, and how many contacts, are safe, when every additional contact
increases the risk.

That is why public health agencies try to provide rules with specific numbers.
The thing is, those numbers are estimates. They are not perfect. That's why
there is so little agreement between them. And each jurisdiction has slight
differences in environment and situation, which also modifies the numbers. So
many people think that, if the numbers don't agree, then you can just ignore
the rules. The thing is, the public health agencies, and their calculations,
may not be perfect.
But they are based on work, and facts, and study, and expertise that the
agencies have, and you don't. Their guesses may be guesses, but they are
better than yours.

Follow the rules. Look for accommodation, not loopholes.

Now go wash your hands.

------------------------------

Date: Wed, 21 Oct 2020 12:25:33 -0700
From: Rob Slade
Subject: Some notes on publishing

Well, I finished and turned in the text of my latest book at the end of
August. (As I always say to those who want advice on getting published, that's
the easy part done.) It won't actually be available in hard copy for about
another four months now, but shortly thereafter, I did a search on Amazon
(using the title, "Cybersecurity Lessons from CoVID-19") and found that the
publisher had already announced it, and even given it an ISBN. It was
(unsurprisingly) the first item that popped up when I searched using the
title. (A note on titles: the title is not my fault. It's the publisher who
gets the final say on titles.)

So, in the ongoing process of getting to print, I got the galley proofs
yesterday. (I have to answer questions, check that they haven't added any
errors, and do the index.) An error reminded me to check on Amazon again, and
see if the error was reproduced there.

I searched on the title again, and the results were quite different. A number
of titles have had SEO (Search Engine Optimization) done on them in the month
or so since I first checked, and a number of titles having nothing to do with
security and CoVID popped up, even before mine. In addition, someone has
produced a pamphlet entitled "Cybersecurity Lessons From the COVID-19
Pandemic," which seems to be merely a "stay safe online" article.

There's more than one type of plagiarism in the publishing world these days ...
------------------------------

Date: Fri, 16 Oct 2020 11:34:12 +0800
From: Richard Stein
Subject: Cochlear and bone conduction implants to mitigate hearing

This RISKS submission summarizes product problems and patient medical device
reports for cochlear and bone conduction implants extracted from the FDA's
Total Product Lifecycle (TPLC) reporting system.

Cochlear hearing-assist devices are implanted in a patient's middle ear,
connecting amplified audio output to the ear's bone structure. Battery
powered, they require periodic servicing. An overview of these devices can be
found here: https://en.wikipedia.org/wiki/Cochlear_implant. Digital signal
processors comprise part of these devices.

CI reprogramming via telehealth engagement:
https://www.yalemedicine.org/stories/remote-cochlear-implants/

Bone-conduction implantation:
https://www.earscience.org.au/clinic/hearing-implants/bone-conduction-implants

The FDA product code classification scheme allocates several product codes to
categorize hearing assist devices. The product codes classify device
regulatory scope, and are used for reporting purposes (recalls, premarket
approvals, device reports, etc.). These seven (7) hearing-assist device
product codes yield comparatively few retrieved TPLC records: OSM, PLK, QDD,
EWD, EWE, OAF, and PGQ.

The product codes yielding the largest record counts of product device issues
and medical device reports (MDRs) extracted from TPLC are: MCM -- cochlear
implants, and MAH, LXB -- bone conduction implant devices. To learn the
apparent advantages/disadvantages of each:
https://www.aarp.org/health/conditions-treatments/info-2015/implanted-hearing-devices.html

Product device problems and MDRs comprise two TPLC categories. Both
categories, and their TPLC search yield, are directly correlated. The MDRs
linked to the TPLC Patient Problem tabulations are extracted from FDA's MAUDE
platform.
Refer to the MAUDE page for significant disclaimers about MDRs @
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/search.cfm.

An MDR can be filed for benign reasons: a chipped knob, worn package label, or
blurred device marking, etc. MDRs usually originate from patient-device
interactions that may result for an EVENT TYPE: Injury, Malfunction, or Death.
An EVENT TYPE of "Other" is allocated for device events that neither cause
injury or death nor result from malfunction. MAUDE also sponsors an EVENT TYPE
for a "No Answer Provided" category.

For example,
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/results.cfm?start_search=1&searchyear=&productcode=MCM&productproblem=2993&devicename=&knumber=k&pmanumber=p&manufacturer=&brandname=&eventtype=&reportdatefrom=01/1/2015&reportdateto=&pagenum=10
gives a TPLC URL that says "Adverse Event Without Identified Device or Use
Problem (2993)." Accessing that link shows all (up to 500) contributing MAUDE
MDRs to the TPLC device problem category.

What did the patient experience with this device to merit an MDR submission?
For an example, see
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/detail.cfm?mdrfoi__id=10609891&pc=MCM.
Observe this MDR text: Patient Problem Therapeutic Response, Decreased (2271),
and then read the Event Type (Malfunction) and Event Description.

MDRs are often, but not exclusively, written by manufacturer representatives
consulting with the physician who performed the implant procedure and/or
reported the patient event. MDR content can be challenging to interpret:
significant medical and device subject matter expertise are often required.

Consider a consumer who might become a patient/device recipient. Before
surgery, they may desire to know which device will likely yield the best
outcome, and satisfy their quality of life expectations.
How can a consumer make a good choice, other than considering the price tag of the device implant, procedure expense, convalescent period, etc. if they can't understand what the device has or hasn't achieved based on historical outcomes? There's no "Consumer Reports" article to study on cochlear or bone conduction implants. One wonders if physicians read, or are required to read, the historical MAUDE MDRs before deciding on what device to consider. What motivates their device selection? What weight do physicians allocate to device track record? https://www.nidcd.nih.gov/health/statistics/hearing-charts-tables#hearing-aids-adults reveals several charts on hearing impairment by population segments: loss of hearing in adults by age and gender, cochlear implants by 1,000 population and age, etc. Using https://www.healthypeople.gov/2020/data/Chart/4410?category=1&by=Total&fips=-1, for people aged 70+ in the calendar year 2013, the rate of cochlear implant per 1,000 population is 323. That's ~32% of that cohort. The US Census 2019 estimated total for persons aged 70-85+ years is 35.431M: https://www2.census.gov/programs-surveys/demo/tables/age-and-sex/2019/age-sex-composition/2019gender_table1.xlsx The estimated number of cochlear implants in this cohort, using 2013 NIH implant data, is 0.323*35.431M ~= 11.44M. SUMMARY The tabulations indicate, given the comparatively low device problem report and MDR densities in light of eligible recipient population, that the devices in these product codes appear broadly successful. Recipients that experience an unfortunate device problem may require additional medical care to ameliorate these unfortunate outcomes. It is these untoward and often unexpected events, though proportionately rare, which device suppliers must minimize to reduce frequency. 
DEVICE PROBLEM AND PATIENT PROBLEM TABULATIONS

For product code MCM, from 01JAN2015 to 30SEP2020
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1694&min_report_year=2015,
the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Appropriate Term/Code Not Available,5444,5444
Device Operates Differently Than Expected,3297,3297
Output Problem,2264,2264
Adverse Event Without Identified Device or Use Problem,1530,1530
Receiver Stimulator Unit,1255,1255
No Device Output,1220,1220
Insufficient Information,1083,1083
Migration or Expulsion of Device,745,745
Electrode,731,731
Migration,510,510

The same report yields medical device reports (MDR) originating with patients. Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
Failure of Implant,4495,4495
No Code Available,2830,2830
Hearing Impairment,2660,2660
No Known Impact Or Consequence To Patient,1496,1496
Unspecified Infection,1319,1319
Pain,1252,1252
No Information,1031,1031
Patient Problem/Medical Problem,668,668
Bacterial Infection,666,666
Deafness,543,543

For product code MCM, from 01JAN2015 to 30SEP2020
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1640&min_report_year=2015,
the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Appropriate Term/Code Not Available,1593,1593
Loss of Osseointegration,434,434
Failure to Osseointegrate,394,394
Adverse Event Without Identified Device or Use Problem,274,274
Insufficient Information,39,39
Osseointegration Problem,17,17
Extrusion,9,9
Patient-Device Incompatibility,7,7
Biocompatibility,6,6
Loosening of Implant Not Related to Bone-Ingrowth,6,6

The same report yields medical device reports (MDR) originating with patients. Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
Unspecified Infection,525,525
No Code Available,522,522
Host-Tissue Reaction,399,399
Bacterial Infection,382,382
Inadequate Osseointegration,373,373
Patient Problem/Medical Problem,309,309
Pain,206,206
Head Injury,71,71
Inflammation,64,64
Skin Irritation,55,55
Swelling,53,53

For product code LXB, from 01JAN2015 to 30SEP2020
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1635&min_report_year=2015,
the Top-10 TPLC Device Problems (in CSV format):

Device Problems,MDRs with this Device Problem,Events in those MDRs
Appropriate Term/Code Not Available,2157,2157
Loss of Osseointegration,505,505
Adverse Event Without Identified Device or Use Problem,185,185
Insufficient Information,124,124
Failure to Osseointegrate,34,34
Magnet,31,31
Patient Device Interaction Problem,22,22
Biocompatibility,20,20
Extrusion,17,17
Patient-Device Incompatibility,17,17
Osseointegration Problem,10,10

The same report yields medical device reports (MDR) originating with patients. Here's the Top-10:

Patient Problems,MDRs with this Patient Problem,Events in those MDRs
No Code Available,671,671
Unspecified Infection,458,458
Bacterial Infection,455,455
No Information,371,371
Patient Problem/Medical Problem,359,359
Pain,304,304
Host-Tissue Reaction,240,240
Hearing Impairment,104,104
Swelling,75,75
Head Injury,65,65

------------------------------

Date: Fri, 16 Oct 2020 14:59:16 -0400
From: Gabe Goldberg
Subject: 'E.T.' 1982 Atari Game: The True Story Behind the Worst Video Game Ever (MelMagazine)

Atari's 1982 E.T. game was so disastrous it's been blamed for the company's downfall and the crash of the entire industry. The man responsible for the game, however, has taken it surprisingly well. [...]

Warshaw agrees that the pits were a problem he didn't foresee.
Unfortunately, he was in such a rush to finish the game he never got to the *first playable* stage, which is when a game is tested by users to work out any design kinks and flaws.

https://melmagazine.com/en-us/story/et-1982-atari-game

What could go wrong with a toxic compressed schedule without time for testing?

------------------------------

Date: Fri, 16 Oct 2020 10:47:57 +0800
From: Richard Stein
Subject: Re: Fifth of countries at risk of ecosystem collapse (RISKS-32.32)

With ecosystems at risk globally, economies will also experience knock-on effects. Corbin Hiar, Natural Disasters May Push Global Finances to the Brink, concisely summarizes anthropogenic climate forcing impact on sovereign economies.
https://www.scientificamerican.com/article/natural-disasters-may-push-global-finances-to-the-brink/

See "Climate Change and Sovereign Risk":
https://www.eenews.net/assets/2020/10/13/document_cw_01.pdf
for details.

------------------------------

Date: Fri, 16 Oct 2020 09:52:34 +0100
From: Wols Lists
Subject: Re: Why cars are more "fragile": more technology has reduced robustness (Drewe, RISKS-32.32)

AIUI, UK law defines a "historic vehicle" as one over 25 years old (it was originally one made before a certain date, but that was never updated as the years went by). That explains the surge in old vehicles on UK roads: as these cars are exempt from tax, they're now exempt from the MOT, and I believe they are also exempt from the congestion charge and low emission zones.

------------------------------

Date: Fri, 16 Oct 2020 13:16:09 +0100 (BST)
From: David Alexander
Subject: Re: SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the World in 1 hour (RISKS-32.32)

The SpaceX initiative to build a rocket to deliver goods anywhere in the world in less than an hour is not a novel idea. In January 1956 the (UK) BBC radio comedy The Goons had a show on this very subject, called the Jet-propelled NAAFI.

------------------------------

Date: Fri, 16 Oct 2020 21:10:04 +0200
From: Erling Kristiansen
Subject: Re: SpaceX Is Building a Military Rocket to Ship Weapons Anywhere in the World, in 1 hour (RISKS-32.32)

The distance from the launch site to its antipode (the point on the Earth exactly opposite) is roughly 20,000 km or 12,500 miles. At 7,500 mph that will take 1 hour 40 minutes. And you have to add the extra time spent in the acceleration and deceleration phases where the speed is a lot lower. So something like 2 1/2 to 3 hours is probably about the best one can dream of doing.

And what about the time to fuel the rocket and prepare it for launch? Typically takes days if everything goes smoothly.

------------------------------

Date: 16 Oct 2020 13:40:42 -0400
From: "John Levine"
Subject: Re: A different way the news is dividing America (Stein, RISKS-31.32)

While it is absolutely true that we have a crisis in the news business, calling it "redlining" is gratuitous and pretty offensive. Actual redlining was a policy of not selling real estate to minorities, regardless of their income or ability to pay.

Newspaper web sites don't charge because they want to keep poor people out, they charge because print advertising has collapsed, online advertising pays very little*, and they have to pay the reporters and keep the lights on. As I'm sure we all remember, they tried free web sites with online ads and it didn't work. Where is all this high quality free news supposed to come from?

For a much better analysis, see "Ghosting the News: Local Journalism and the Crisis of American Democracy" by Margaret Sullivan, published in August by Columbia Global Reports. She looks primarily at the growing local news deserts and the not great options for fixing them.
https://globalreports.columbia.edu/books/ghosting-the-news/

* -- unless you are gatekeeper Google or Facebook.

------------------------------

Date: Sun, 18 Oct 2020 11:29:59 +0800
From: Richard Stein
Subject: Re: A different way the news is dividing America (Levine, RISKS-32.32)

John -- Thank you for a civil critique and rebuttal. It was not my intent to promote offense.

What word might best encapsulate societal division based on preference to consume freely available, misleading and false news reports versus those who purchase professionally authored, edited, and published news reports? Infolining? No such word exists.

The definition of redlining @ https://www.merriam-webster.com/legal/redlining states, "the illegal practice of refusing to offer credit or insurance in a particular community on a discriminatory basis (as because of the race or ethnicity of its residents)." The definition does not incorporate poverty or encompass affordable access to information or news.

As you note, government policies/regulations have promoted business redlining policies and practices, an immoral betrayal of the democratic idea that "all men are created equal." See https://www.nytimes.com/2020/01/20/opinion/fair-housing-act-trump.html for a historical perspective.

Choosing to believe that fictional news stories are real and merit re-circulation confounds explanation. A captive audience that endorses falsehoods and conspiracy theories characterizes the allure and effectiveness of weaponized free speech.
https://www.nytimes.com/2020/10/13/magazine/free-speech.html

I certainly agree that professional news writing, editing, and reporting requires revenue that funds deserving publication businesses. The access price to premium factual information is exclusionary: disposable income is needed to procure this modest, daily essential. Viable reporting holds governments accountable, and promotes economic development, public health, education, civil discourse, and enriches culture -- all subjects of historical and immediate social merit.

"News is the first rough draft of history" per Philip Graham (https://www.forbes.com/quotes/7446/). Mr. Graham's quote applies to factual and meretricious news, not the pink stuff.

------------------------------

Date: 18 Oct 2020 11:31:25 -0400
From: "John R. Levine"
Subject: Re: A different way the news is dividing America (RISKS-32.32)

> Infolining? No such word exists. ...

The phrase people use is "news desert" but that is more for places with no newspapers at all, not ones that people can't afford. It's news as luxury good, not the snappiest of terms.

But that's not at issue -- what I object to is the misuse of the term redlining, and the author's airy assertion that if the greedy capitalists would just tear down the paywalls everything would be fine.

The particular evil of redlining was that it was pure bigotry with no economic rationale -- real estate agents sell property and banks make loans the same way they always had, only now to the full set of buyers rather than just to one race. This is nothing like that.

For several centuries the news business had an economic model where advertisers paid to have their messages included with the news, first in newspapers, then magazines, then radio, then TV. This let the publishers provide the news below cost, for a few cents for newspapers and free for radio and TV. The Internet totally destroyed that economic model. The costs of distribution dropped and are shared with consumers, which allowed competing marketplaces to handle ads for cheap, or as at Craigslist mostly for free. Advertising revenue isn't going back to newsrooms, reporters have to eat, and saying everyone should have a pony doesn't help.
[PS: Insert obvious snark here about an academic who never had to worry about where his next paycheck was coming from.]

------------------------------

Date: Fri, 23 Oct 2020 16:35:45 +0000 (UTC)
From: Steve Bacher
Subject: Re: A different way the news is dividing America (RISKS-32.32)

This article seems somewhat specious to me. If putting the content of some news sources behind a paywall constitutes creating an "information have" vs. "information have-not" class system, then in the pre-Internet world where people had to actually purchase papers, was there a divide between those who could afford the handful of change for the day's news vs. those who couldn't? Or between those who went to the trouble of subscribing and those who just dug into their pockets each day?

And FWIW, there are numerous ways to access content from most of those online journalistic sites while bypassing the paywalls.

------------------------------

Date: Mon, 19 Oct 2020 09:18:40 +0800
From: Richard Stein
Subject: Re: Continuous glucose monitoring/insulin dosing systems (RISKS-32.32)

FOLLOW UP FROM ADA

I received this email message in response to my inquiry on glucose monitoring/insulin dosing device deployment from a representative of the American Diabetes Association:

"Hi Richard;

"I assume you mean traditional insulin pumps and CGMs, not implantable. There are no implanted pumps on the market, and just one CGM that's implanted subcutaneously, with what I assume is a very small share of the market.

"Regardless, unfortunately, ADA doesn't have any data other than what one can find by googling for the results. The companies are guarded with their sales and usage data, and what I find online is both speculative and dated. I wish I could give a more substantive answer--this is a question I get a lot and I never have a very good answer."

Matt Petersen
Vice President, Medical Information and Professional Engagement
2451 Crystal Dr. | Arlington | VA | 22202
Phone: +1 (703) 299-2071
diabetes.org
1-800-DIABETES (800-342-2383)

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
 Also, ftp://ftp.sri.com/risks for the current volume/previous directories
 or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
 If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.33
************************