Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit precedence: bulk Subject: Risks Digest 32.62 RISKS-LIST: Risks-Forum Digest Sunday 25 April 2021 Volume 32 : Issue 62 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at as The current issue can also be found at Contents: China's domestic surveillance programmes benefit foreign spies (The Economist) Two cases of two+two - 777 & ETOPS (David Lesher) AS8003 or What IPV4 shortage?? (kentik) Eversource Energy data breach caused by unsecured cloud storage (Jan Wolitzky) Believe the computer, and Do Not Pass Go. (The Register) Researchers Uncover Advertising Scam Targeting Streaming-TV Apps (WSJ) Apple's new Find My Network application enables third-party tracking (MacRumors) Apple's Ransomware Mess Is the Future of Online Extortion (WiReD) Apple sued for terminating account with $25,000 worth of apps and videos (Ars Technica) Now for AI's Latest Trick: Writing Computer Code (WiReD) Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life (Craig Timberg and Paul Sonne) Re: Fiery Tesla crash with no one driving (Henry Baker) Re: In bot we trust: People put more faith in computers than other humans (John Levine) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 25 Apr 2021 21:30:32 +0100 From: Ross Anderson Subject: China's domestic surveillance programmes benefit foreign spies (The Economist) https://www.economist.com/china/2021/04/22/chinas-domestic-surveillance-programmes-benefit-foreign-spies An aversion to encryption makes the country's networks vulnerable [This item is relevant to China, but also to every other country! PGN] In March Elon Musk, the world's third-richest man, spoke to a conference in Beijing by video link. The cars that Tesla sells in China do not, Mr Musk insisted, share data with American security services. He was responding to the news that the Chinese armed forces had banned Teslas from their facilities over such concerns. A month later the firm took to Chinese social media to assure customers that the numerous cameras in their vehicles were ``not activated outside North America,'' and so could not be used to snoop. Concerns about security define the trade of technology between America and China. Most attention is focused on the extent to which Chinese giants such as TikTok and Huawei might be infiltrating America for nefarious purposes. But China has had concerns of its own. After the contours of American surveillance were laid bare in 2013 by Edward Snowden, a National Security Agency (NSA) contractor and whistleblower, the Chinese government began a campaign to replace all Western technology in government offices, lest it be used to spy. The brouhaha over Tesla's cars shows how much security concerns have grown in the decade since Mr Snowden's revelations. As connectivity becomes part of more consumer products, paranoia about their other uses rises. China's suspicion contains an irony, however. Removing Western devices from Chinese networks will not keep China secure from its adversaries, because the Chinese government itself insists upon weakening the security of those networks and devices for its own purposes. Though America tends to hyperventilate about Chinese intrusion, it is China whose digital security is more precarious. This is because of the Chinese government's insistence on being able to monitor and control the information that flows through the country's digital networks. For instance, all messages sent on WeChat, China's most widely used messaging application, must pass through central servers as plain text, unencrypted, so that the company can filter and censor them according to the government's requirements. This makes those servers a ripe target for any foreign agents who want to spy on Chinese citizens, who between them have more than a billion WeChat accounts. Tencent, the app's corporate owner, must build elaborate digital-security systems to allow it to keep inspecting its users' messages while simultaneously denying that ability to attackers. That is a difficult task. “If I were a Western intelligence agency, those servers would be incredibly valuable,” says Matthew Green, a cryptography expert at Johns Hopkins University. Weak security is the rule, not the exception, in digital services for the Chinese public. Email and social media must all facilitate state access, as must industrial networks used to run factories and offices, even if the extent to which the government uses that access varies. In August it banned the most up-to-date version of a protocol used to encrypt web traffic, known as TLS, from the Chinese Internet, because it makes online surveillance harder. The government has different security standards for itself, but these are secret. Speculation about the devices and systems that senior party members use to communicate is common. In 2013 Peng Liyuan, the wife of President Xi Jinping, was photographed using an iPhone, one of the few devices available in China which does offer a measure of security through its iMessage program. It was news around the world. Within a year Ms Peng was seen using a Chinese device. Internet users in China have long objected to the low standards of data protection. Online crime and leaked databases are rife. Last year someone stole the account details for all 538m users of Sina Weibo, a microblog, and posted them on the dark web for sale. The government has responded by promoting programs for companies to improve customer-data protection, even as it simultaneously enforces weakness in the security of all systems. But as long as the government demands access to data on Chinese people, those data can never be robustly protected. Though the American government does not publicise its cyber-operations, leaks demonstrate their extent. The documents provided to journalists by Mr Snowden show that the NSA found its way inside Huawei's networks starting in 2007, looking for evidence they were being used as a back door by the Chinese government (if it found any, it was never made public). There is little question that spy agencies in America and other countries use China's weak security to their advantage. China's jeopardy increases as the value of data which flow through poorly secured networks goes up, both in economic and national-security terms. The Chinese government's plan for economic growth ensures that this is what will happen. It plans to expand its digital economy, automating factories and creating smart-transport infrastructure. As with WeChat, if the government wishes to monitor these systems, it will build them to be less secure than they could be and so vulnerable to foreign interference in a way that equivalent networks in the West do not have to be. “The Chinese government knows the trade-off,” says Matt Perault, a technology-policy scholar at Duke University in North Carolina. “They are willing to bear it, which suggests that they are willing to tolerate a significant amount of foreign surveillance on their citizens.” The government's calculation is unlikely to change. Its focus on surveillance and censorship of its own people is growing. But the tension between security against enemies within and those without will intensify. Cyber-attacks using weaknesses that the government itself has demanded might prove embarrassing. If the stand-off with Taiwan were to escalate, China's weak security would be a serious disadvantage. And the more entrenched its reliance on surveillance and censorship becomes, the harder it will be to remove the weakness on which that control is built, should the day ever come when it no longer believes the trade-off worthwhile. This article appeared in the China section of the print edition under the headline "Watching them watching you" ------------------------------ Date: Sat, 24 Apr 2021 16:23:22 -0400 From: David Lesher Subject: Two cases of two+two - 777 & ETOPS Airlines have been moving from 3 & 4-engine airframes such as the DC-10 & 747 to newer twins (757, 767, 777 etc.) for many years. The reason is compelling: lower fuel consumption. Years earlier, they shed flight engineers/navigators as navigation got easier and aircraft got more reliable. But they are constrained by ICAO/FAA limitations as to how far they can be away from the nearest suitable runway; officially this is "Extended-range Twin-engine Operations Performance Standards" or ETOPS. Given the usual relevant case is trans-oceanic flight, it's popularly called "Engines Turn, or Passengers Swim.." Airlines/aircraft must be certified for ETOPS; this involves specific rules such as no mechanic shall work on both engines, (This because of the Eastern 855 case ) and multiple other safeguards. There are various grades of ETOPS, extending the time allowed to reach the safe airport. The fantastic Great Circle Mapper covers the ETOPS program and allows you see airspace off-limits for each level. Two 777's have had violent PW4077 engine failures; UAL1175 in 2018 (NTSB DCA18IA092), and UAL328 earlier this year after departing Denver. In both cases, large parts of engine shroud/fairings were ejected; the 328 crew returned to Denver without major difficulties. But UAL1175 was 120 miles out from Honolulu. It also lost many aspects of automation; the autopilot and other important tools failed. An interview with the captain of 1175 at is telling; the crew had their hands full getting their marginally controllable aircraft to HNL for a safe landing. And Captain Chris Behnam was emphatic about how vital the jumpseat occupant, a third 777 pilot, had been to their successful outcome. Two risks come to mind. Does ETOPS, conceived years ago, sufficiently cover the issue of engine failures that shed aerodynamically important parts, and may well hit the elevators and/or tail as they do? [In theory, the cowling shall contain any broken parts within, but...] Large aircraft are designed and built for the lowest drag, yep, fuel efficiency again. But when you have a large airbrake flapping on the wing... Will a 2-person crew have enough human-MIPS to deal with cascading failures & their alarms? Another case of this is QF32's engine failure. And will they have enough recent experience in hand-flying/"steam gauges" to cope with such failures? Capt. Behnam is a active general aviation pilot; I don't know about his co-pilot and jump-seater. ------------------------------ Date: Sat, 24 Apr 2021 12:47:35 -0400 From: David Lesher Subject: AS8003 or What IPV4 shortage?? (kentik) On 20 Jan 2021, a great mystery appeared in the Internet's global routing table. An entity that hadn't been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the U.S. Department of Defense. Registered as GRS-DoD, AS8003 began announcing 11.0.0.0/8 among other large DoD IPv4 ranges. ... The questions that started to surface included: Who is AS8003? Why are they announcing huge amounts of IPv4 space belonging to the U.S. Department of Defense? And perhaps most interestingly, why did it come alive within the final three minutes of the Trump administration? By late January, AS8003 was announcing about 56 million IPv4 addresses, making it the sixth largest AS in the IPv4 global routing table by originated address space. By mid-April, AS8003 dramatically increased the amount of formerly unused DoD address space that it announced to 175 million unique addresses. Following the increase, AS8003 became, far and away, the largest AS in the history of the Internet as measured by originated IPv4 space. By comparison, AS8003 now announces 61 million more IP addresses than the now-second biggest AS in the world, China Telecom, and over 100 million more addresses than Comcast, the largest residential Internet provider in the U.S. [...] ------------------------------ Date: Sat, 24 Apr 2021 20:11:46 -0400 From: Jan Wolitzky Subject: Eversource Energy data breach caused by unsecured cloud storage I received a letter the other day from Eversource, the regional gas and electric utility company here in Eastern Massachusetts: "We are writing to inform you about the exposure of certain personal information.... The following personal information was involved in the incident: your name, address, phone number, social security number, utility account number and service address in Massachusetts and billing address.... On March 16, 2021, we discovered that a Company cloud storage site had been misconfigured so that its files could have been publicly accessed...." As required, they offered two years of credit monitoring, through a company called Cyberscout. I went to the website provided to sign up, but around the point where they asked for my Social Security number, I got suspicious. How hard would it be to send a mass mailing on utility company letterhead, warning people of a non-existent data breach, and sending them to some website to sign up for credit monitoring, thereby quickly collecting all the information you'd otherwise have to wait for a careless utility company to provide? A Google search turned up a few reports on minor cybersecurity sites, but nothing on the Eversource site, or the Boston Globe, e.g. Hmmm.... https://www.bleepingcomputer.com/news/security/eversource-energy-data-breach-caused-by-unsecured-cloud-storage/ ------------------------------ Date: Sun, 25 Apr 2021 00:51:16 -0400 From: David Lesher Subject: Believe the computer, and Do Not Pass Go. (The Register) In the UK, 39 Post Office employees convicted for theft have now been vindicated. A Fujitsu-provided Post Office accounting system named Horizon had shown the employees were responsible for significant shortfalls. Some were imprisoned. It took years for the truth to emerge, that Horizon had significant bugs. Despite that: Post Office awards Fujitsu a £42.5m contract extension for the IT system behind wrongful subpostmaster prosecutions ------------------------------ Date: Fri, 23 Apr 2021 12:02:24 -0400 (EDT) From: ACM TechNews Subject: Researchers Uncover Advertising Scam Targeting Streaming-TV Apps (WSJ) Patience Haggin and Jeff Horwitz, *The Wall Street Journal*, 21 Apr 2021 via ACM TechNews, 23 Apr 2021 Nearly 1 million mobile devices were infected with malware that emulated streaming-TV applications and collected revenue from unwitting advertisers, according to researchers at cybersecurity firm Human Security. The researchers said the orchestrators of this so-called "Pareto" scheme spoofed an average of 650 million ad placement opportunities daily in online ad exchanges, stealing money intended for apps available on streaming-TV platforms run by Roku, Amazon.com, Apple, and Google. The creator of 29 apps underpinning the fraud was identified as TopTop Media, a subsidiary of Israel-based M51 Group. The analysts said the operation could be thwarted if digital ad companies strictly followed industry guidance for tracking the origins of traffic and deployed certain security measures. Human Security's Michael McNally said, "Measurement and security companies will just play whack-a-mole, as long as the industry hasn't upgraded to better defenses." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2aa40x22aa4ax070363& ------------------------------ Date: Sat, 24 Apr 2021 12:14:56 +0300 From: Amos Shapir Subject: Apple's new Find My Network application enables third-party tracking (MacRumors) Apple announced a new Find My network accessory program available on the new release of iOS 14. A new feature is that "... if you lose an item and someone else with an Phone, iPad, or Mac comes close to it, it can communicate with their device with the approximate location of the item relayed securely and privately back to you". https://www.macrumors.com/guide/find-my-network-accessory-program/ Of course, Apple assures us that this network of little snitchers will only track your devices when *you* tell them to, and report their location only to *you*, "securely and privately". ------------------------------ From: Gabe Goldberg Date: Sat, 24 Apr 2021 01:01:25 -0400 Subject: Apple's Ransomware Mess Is the Future of Online Extortion (WiReD) This week, hackers stole confidential schematics from a third-party supplier and demanded $50 million not to release them. https://www.wired.com/story/apple-ransomware-attack-quanta-computer/ ------------------------------ Date: Fri, 23 Apr 2021 17:19:52 -0400 From: Monty Solomon Subject: Apple sued for terminating account with $25,000 worth of apps and videos (Ars Technica) Lawsuits claim people don't truly own content they purchase on digital platforms. Apple is facing two class-action lawsuits over the meaning of the words *rent* and *buy*. In the first suit, lead plaintiff David Andino argues that Apple's definition of the two words is deceptive since the company can terminate people's Apple IDs and, along with them, access to content they purchased using the *buy* button. Thus, Andino is arguing that Apple allows consumers to rent content rather than purchase it outright. If he had known that his access could be cut off at any time, he says he would have not spent as much on iTunes content. [...] https://arstechnica.com/tech-policy/2021/04/apple-faces-class-action-lawsuit-over-its-definition-of-the-word-buy/ ------------------------------ Date: Sat, 24 Apr 2021 01:09:55 -0400 From: Gabe Goldberg Subject: Now for AI's Latest Trick: Writing Computer Code (WiReD) Programs such as GPT-3 can compose convincing text. Some people are using the tool to automate software development and hunt for bugs. Brendan Dolan-Gavitt, an assistant professor in the Computer Science and Engineering Department at NYU, says language models such as GPT-3 will most likely be used to help human programmers. Other products will use the models to ``identify likely bugs in your code as you write it, by looking for things that are *surprising* to the language model,'' he says. [...] Dolan-Gavitt, the NYU professor, says the nature of the language models being used to generate coding tools also poses problems. “I think using language models directly would probably end up producing buggy and even insecure code,” he says. ``After all, they're trained on human-written code, which is very often buggy and insecure.'' https://www.wired.com/story/ai-latest-trick-writing-computer-code/ What fun -- being second-guessed in real time by software that doesn't understand my code, and software written to emulate that of a million monkeys (programmers). ------------------------------ Date: April 25, 2021 1:09:28 JST From: Dewayne Hendricks Subject: Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life (Craig Timberg and Paul Sonne) After decades of not using a huge chunk of the Internet, the Pentagon has given control of millions of computer addresses to a previously unknown company in an effort to identify possible cyber vulnerabilities and threats Craig Timberg and Paul Sonne, *The Washington Post*, 24 Apr 2021 While the world was distracted with President Donald Trump leaving office on Jan. 20, an obscure Florida company discreetly announced to the world's computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the U.S. military. What happened next was stranger still. The company, Global Resource Systems LLC, kept adding to its zone of control. Soon it had claimed 56 million IP addresses owned by the Pentagon. Three months later, the total was nearly 175 million. That's almost 6 percent of a coveted traditional section of Internet real estate -- called IPv4 -- where such large chunks are worth billions of dollars on the open market. The entities controlling the largest swaths of the Internet generally are telecommunications giants whose names are familiar: AT&T, China Telecom, Verizon. But now at the top of the list was Global Resource Systems -- a company founded only in September that has no publicly reported federal contracts and no obvious public-facing website. As listed in records, the company's address in Plantation, Fla., outside Fort Lauderdale, is a shared workspace in an office building that doesn't show Global Resource Systems on its lobby directory. A receptionist at the shared workspace said Friday that she could provide no information about the company and asked a reporter to leave. The company did not respond to requests for comment. The only announcement of Global Resources Systems' management of Pentagon addresses happened in the obscure world of Border Gateway Protocol (BGP) -- the messaging system that tells Internet companies how to route traffic across the world. There, messages began to arrive telling network administrators that IP addresses assigned to the Pentagon but long dormant could now accept traffic -- but it should be routed to Global Resource Systems. Network administrators began speculating about perhaps the most dramatic shift in IP address space allotment since BGP was introduced in the 1980s. ``They are now announcing more address space than anything ever in the history of the Internet,'' said Doug Madory, director of Internet analysis for Kentik, a network monitoring company, who was among those trying to figure out what was happening. He published a blog post on the mystery Saturday morning. The theories were many. Did someone at the Defense Department sell off part of the military's vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades? An answer, of sorts, came Friday. The change is the handiwork of an elite Pentagon unit known as the Defense Digital Service, which reports directly to the secretary of defense. The DDS bills itself as a ``SWAT team of nerds'' tasked with solving emergency problems for the department and conducting experimental work to make big technological leaps for the military. Created in 2015, the DDS operates a Silicon Valley-like office within the Pentagon. It has carried out a range of special projects in recent years, from developing a biometric app to help service members identify friendly and enemy forces on the battlefield to ensuring the encryption of emails Pentagon staff were exchanging about coronavirus vaccines with external parties. Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a ``pilot effort'' publicizing the IP space owned by the Pentagon. ``This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space,'' Goldstein said. ``Additionally, this pilot may identify potential vulnerabilities.'' Goldstein described the project as one of the Defense Department's ``many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.'' The specifics of what the effort is trying to achieve remain unclear. The Defense Department declined to answer a number of questions about the project, and Pentagon officials declined to say why Goldstein's unit had used a little-known Florida company to carry out the pilot effort rather than have the Defense Department itself ``announce'' the addresses through BGP messages -- a far more routine approach. What is clear, however, is the Global Resource Systems announcements directed a fire hose of Internet traffic toward the Defense Department addresses. Madory said his monitoring showed the broad movements of Internet traffic began immediately after the IP addresses were announced Jan. 20. Madory said such large amounts of data could provide several benefits for those in a position to collect and analyze it for threat intelligence and other purposes. The data may provide information about how malicious actors operate online and could reveal exploitable weaknesses in computer systems. In addition, several Chinese companies use network numbering systems that resemble the U.S. military's IP addresses in their internal systems, Madory said. By announcing the address space through Global Resource Systems, that could cause some of that information to be routed to systems controlled by the U.S. military. The data could also include accidental misconfigurations that could be exploited or fixed, Madory said. ``If you have a very large amount of traffic, and someone knows how to go through it, you'll find stuff,'' Madory added. ------------------------------ Date: Sat, 24 Apr 2021 10:16:11 -0700 From: Henry Baker Subject: Re: Fiery Tesla crash with no one driving (RISKS-32.61) Re: first responders had to use 30,000 gallons of water over four hours to put out the fire Let's see; my high school chemistry is a bit rusty, but here goes: a Tesla might have 85Kwh battery; typical fireplace fire is 1500 watts, so a fully charged Tesla could replace a fireplace burning for 2.4 *DAYS*. Lithium metal floats on water. Good cooks know that you can't extinguish a grease fire with water, because (duh!) grease floats on water! Lithium reacts with water, generating a lot of heat, but not quite fast enough to melt the lithium. You can try to cool the lithium, but even cold lithium will continue to react with water. Worse, lithium steals the oxygen from water, leaving hydrogen gas, which burns w/o giving off visible light. So, pouring water onto lithium is like pouring gasoline onto a really hot fire you can't see. Only 4 hours and only 30,000 gals of water? They're lucky. When you've dug yourself into a hole, first order of business is to stop digging. ------------------------------ Date: 24 Apr 2021 10:34:49 -0400 From: "John Levine" Subject: Re: In bot we trust: People put more faith in computers than other humans (StudyFinds) Life imitates art. Isaac Asimov wrote "The Feeling of Power" in 1957: https://urbigenous.net/library/power.html ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: ------------------------------ End of RISKS-FORUM Digest 32.62 ************************