RISKS-LIST: Risks-Forum Digest  Tuesday 16 June 2020  Volume 32 : Issue 01

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Russia Exploits Conspiracy Mill Americans Built (Nicole Perlroth)
Fox News runs digitally altered images in coverage of Seattle's protests in the Capitol Hill Autonomous Zone (sundry sources)
Harassment and cyberstalking (Travis Andersen)
Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found (WashPost)
Digitality, Personal Security & Privacy Risks (Robert Mathews)
South African bank to replace 12M cards after employees stole master key (ZDNet)
Spies Can Listen to Your Conversations by Watching a Light Bulb in the Room (The Hacker News)
Feds allege eBay terror campaign against Natick publishers of articles the company didn't like (Universal Hub)
USA T-Mobile Hit by Widespread Voice and Data Outage (jonathan spira)
Google is messing with the address bar again -- new experiment hides URL path (Ars Technica)
30,000 Unsuspecting Rose Bowl Attendees Were Scooped Up in a Facial Recognition Test (Medium)
Joanna Hoffman: Facebook is peddling 'an addictive drug called anger' (CNBC)
Why jK8v!ge4D isn't a good password (Toward Data Science)
IoT Nutrition Labels (Keith Medcalf)
What Zebra Mussels Can Tell Us About Errors In Coronavirus Tests (npr.org)
Re: Election fiasco: Georgia on my mind (Bob Brown)
Re: Multiple US agencies have purchased this mysterious mobile (Steve Singer)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 16 Jun 2020 11:55:14 PDT
From: "Peter G. Neumann"
Subject: Russia Exploits Conspiracy Mill Americans Built (Nicole Perlroth)

*The New York Times* front page today 16 Jun 2020 [PGN-ed]

This is a remarkably comprehensive take on the saga that began in the Iowa caucuses in February 2016, Robby Mook (who was falsely accused of developing the app that came from Shadow Inc.), the Kremlin-backed Russian Internet Research Agency, and more that continues today.

Clint Watts, former FBI special agent: "The Kremlin doesn't need to make fake news any more. It's all American made."

Russians have concluded that it is easier to identify divisive content from real Americans [rather than masquerading as real Americans] and help it spread through low-profile networks of social media accounts.

Cindy Otis, former CIA analyst: "Russia's trolls learned it is far more effective to find the sore spots and amplify content by native English speakers than it is to spin out their own wackadoodle conspiracy theories."

@DanRadov [who had earlier promulgated various Russian fake news as formerly @DanWals83975326, and who is still active]: "U.S. has long been in the position when one spark can burn the whole country down and all of the United West for that matter. Buckle your seatbelts people. We are up for a rough ride."

------------------------------

Date: Mon, 15 Jun 2020 19:19:11 -0400
From: Monty Solomon
Subject: Fox News runs digitally altered images in coverage of Seattle's protests in the Capitol Hill Autonomous Zone (sundry sources)

Fox News published digitally altered and misleading photos on stories about Seattle's Capitol Hill Autonomous Zone (CHAZ) in what photojournalism experts called a clear violation of ethical standards for news organizations.
As part of a package of stories Friday about the zone, where demonstrators have taken over several city blocks on Capitol Hill after Seattle police abandoned the East Precinct, Fox's website for much of the day featured a photo of a man standing with a military-style rifle in front of what appeared to be a smashed retail storefront. The image was actually a mashup of photos from different days, taken by different photographers — it was done by splicing a Getty Images photo of an armed man, who had been at the protest zone June 10, with other images from May 30 of smashed windows in downtown Seattle. Another altered image combined the gunman photo with yet another image, making it appear as though he was standing in front of a sign declaring “You are now entering Free Cap Hill.”

https://www.seattletimes.com/seattle-news/politics/fox-news-runs-digitally-altered-images-in-coverage-of-seattles-protests-capitol-hill-autonomous-zone/

Fox News Removes a Digitally Altered Image of Seattle Protests
Fox News acknowledged that one photo was a combination of several images, and a second was taken in a different city.
https://www.nytimes.com/2020/06/13/business/media/fox-news-george-floyd-protests-seattle.html

Fox News Removes Digitally Altered, Misleading Photos of Seattle 'Autonomous Zone' From Website
https://time.com/5853408/fox-news-altered-photo-seattle/

Fox News removes altered images from Seattle protest
https://www.axios.com/fox-news-removes-seattle-protest-altered-images-dfad3cf6-3784-4eaf-89e8-896705387d64.html

------------------------------

Date: Mon, 15 Jun 2020 14:30:48 -0400
From: Monty Solomon
Subject: Harassment and cyberstalking (Travis Andersen)

`We are going to crush this lady': Six former eBay employees charged in federal cyberstalking case targeting Natick couple
Travis Andersen, *The Boston Globe*, 15 Jun 2020

Six eBay employees including a former police captain in California last year engaged in a relentless campaign of harassment and cyberstalking of a Natick couple that published a newsletter critical of the online retailer, sending items including fly larvae, live spiders, and a bloody pig mask to their home and traveling to Massachusetts to conduct surveillance of the victims in an effort to get them to stop publishing, authorities alleged Monday.

https://www.bostonglobe.com/2020/06/15/metro/six-former-ebay-employees-charged-federal-cyberstalking-case-targeting-natick-couple/

------------------------------

Date: Tue, 16 Jun 2020 10:33:59 -0400
From: Monty Solomon
Subject: Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found (WashPost)

The publication of ‘Vault 7’ cyber tools by WikiLeaks marked the largest data loss in agency history, a task force concluded.
https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html

------------------------------

Date: Fri, 12 Jun 2020 17:20:10 -0700 (PDT)
From: "Robert Mathews (OSIA)"
Subject: Digitality, Personal Security & Privacy Risks (sundry sources)

Who are their targets?  NGOs, Journalists, Activists for now....  but, literally, ANYONE and EVERYONE are at risk .....

Immediately following are TWO VERY different reports that represent TWO very DIFFERENT angles and hazards to personal safety, personal security and personal privacy in the digital universe.

John Scott-Railton, Adam Hulcoop, Bahr Abdul Razzak, Bill Marczak, Siena Anstis, and Ron Deibert, *Dark Basin*, Uncovering a Massive Hack-For-Hire Operation, *THE CITIZEN LAB*, 9 Jun 2020
https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/

and...  "The thrill of the hunt".....  except, in this case....  the fox may not have a tail, be red...  or even be a fox! ...

MISTAKEN IDENTITY
Olivia Nuzzi, *New York Magazine - Intelligencer*, 8 Jun 2020
*What It's Like to Get Doxed for Taking a Bike Ride*
https://nymag.com/intelligencer/2020/06/what-its-like-to-get-doxed-for-taking-a-bike-ride.html

Sasha Ingber, *Newsy*, 11 Jun 2020
Former Air Force Officer Fears Intelligence Collected On Protesters
https://www.newsy.com/stories/surveillance-planes-above-floyd-protests/

  [Nuzzi is Newsy!!! PGN]

------------------------------

Date: Mon, 15 Jun 2020 10:33:31 PDT
From: "Peter G. Neumann"
Subject: South African bank to replace 12M cards after employees stole master key (ZDNet)

  [Thanks to Gene Spafford]

https://www.zdnet.com/article/south-african-bank-to-replace-12m-cards-after-employees-stole-master-key/

  [Risks of all the nest-eggs in one basket. PGN]

------------------------------

Date: Sun, 14 Jun 2020 11:04:02 -1000
From: geoff goodfellow
Subject: Spies Can Listen to Your Conversations by Watching a Light Bulb in the Room (The Hacker News)

You might not believe it, but it's possible to spy on secret conversations happening in a room from a nearby remote location just by observing a light bulb hanging in there -- visible from a window -- and measuring the amount of light it emits.

A team of cybersecurity researchers has developed and demonstrated a novel side-channel attacking technique that can be applied by eavesdroppers to recover full sound from a victim's room that contains an overhead hanging bulb.

The findings were published in a new paper by a team of academics -- Ben Nassi, Yaron Pirutin, Adi Shamir, Yuval Elovici and Boris Zadov -- from Israel's Ben-Gurion University of the Negev and the Weizmann Institute of Science, which will also be presented at the Black Hat USA 2020 conference later this August.

The technique for long-distance eavesdropping, called "Lamphone," works by capturing minuscule sound waves optically through an electro-optical sensor directed at the bulb and using it to recover speech and recognize music.

How Does the 'Lamphone Attack' Work? [...]

https://thehackernews.com/2020/06/lamphone-light-bulb-spy.html

------------------------------

Date: Mon, 15 Jun 2020 21:30:29 -0400
From: Monty Solomon
Subject: Feds allege eBay terror campaign against Natick publishers of articles the company didn't like (Universal Hub)

https://www.universalhub.com/2020/feds-allege-ebay-terror-campaign-against-natick

------------------------------

Date: June 16, 2020 at 10:07:52 GMT+9
From: jonathan.spira@accuramediagroup.com
Subject: USA T-Mobile Hit by Widespread Voice and Data Outage

This has been driving us crazy all day...
T-Mobile Hit by Widespread Voice and Data Outage

"T-Mobile customers across the country are reporting issues placing and receiving calls as well as when using data services. The self-proclaimed *Uncarrier* said it began to experience an unspecific network outage that is impacting hundreds of thousands of customers starting in the early afternoon.

``Our engineers are working to resolve the widespread voice and text issue,'' the company said on its website. It went on to recommend that customers use third-party messaging.

------------------------------

Date: Mon, 15 Jun 2020 11:44:50 -0700
From: Lauren Weinstein
Subject: Google is messing with the address bar again -- new experiment hides URL path (Ars Technica)

[BAD IDEA!] I've noted in the past why this is a TERRIBLE idea. Yes, URLs can be long and messy, but they frequently provide *critical* cues that you're on the correct pages. Further tampering with them is an invitation to new kinds of confusion and hack attacks.

Google is messing with the address bar again--new experiment hides URL path
https://arstechnica.com/gadgets/2020/06/google-is-messing-with-the-address-bar-again-new-experiment-hides-url-path/

------------------------------

Date: Fri, 12 Jun 2020 16:49:18 -0700
From: Lauren Weinstein
Subject: 30,000 Unsuspecting Rose Bowl Attendees Were Scooped Up in a Facial Recognition Test (Medium)

https://onezero.medium.com/90-000-unsuspecting-rose-bowl-attendees-were-scooped-up-in-a-facial-recognition-test-18c843909858

------------------------------

Date: Sat, 13 Jun 2020 17:23:32 +0900
From: Dave Farber
Subject: Joanna Hoffman: Facebook is peddling 'an addictive drug called anger' (CNBC)

https://www.cnbc.com/2020/06/12/joanna-hoffman-facebook-is-peddling-an-addictive-drug-called-anger.html

------------------------------

Date: Sat, 13 Jun 2020 11:57:13 -0400
From: Monty Solomon
Subject: Why jK8v!ge4D isn't a good password (Toward Data Science)

There's a fundamental issue with password validation
https://towardsdatascience.com/why-password-validation-is-garbage-56e0d766c12e

------------------------------

Date: Sat, 13 Jun 2020 08:33:52 -0600
From: "Keith Medcalf"
Subject: IoT Nutrition Labels

The major item missing from the "Nutrition Label" is whether or not the "Thing" will still "Thing" when the "Internet" is not and never has been present. Without that information it is impossible for any rational decision to be made, and one must assume that the "Thing" will not "Thing" and is therefore completely unsuitable for use.

------------------------------

Date: Tue, 16 Jun 2020 09:03:14 +0800
From: Richard Stein
Subject: What Zebra Mussels Can Tell Us About Errors In Coronavirus Tests (npr.org)

https://www.npr.org/sections/health-shots/2020/06/15/871186164/what-zebra-mussels-can-tell-us-about-errors-in-coronavirus-tests

Good discussion of false negative/positive outcomes for polymerase chain reaction (PCR) diagnostic tests.

"The PCR tests, when done perfectly, do boast a very low false-positive rate. But they're not always done perfectly.

"Certified labs like hers use procedures to reduce the risk of false test results, since a false-positive test can lead to a medical misdiagnosis. But slip-ups are inevitable.

"Most errors are caused by poor sample handling or other errors even before a sample gets to the lab, she says.

"And PCR is so incredibly sensitive, contamination is a particular concern. Even the tiniest amount of stray material in a lab can spell trouble, Pritt says."

------------------------------

Date: Fri, 12 Jun 2020 21:19:33 -0400
From: Bob Brown
Subject: Re: Election fiasco: Georgia on my mind (RISKS-31.99)

Every registered voter in Georgia received an absentee ballot request form. While the voter still had to return the form to receive an absentee ballot, every Georgia voter had an opportunity to vote using a hand-marked paper ballot submitted by postal mail.
------------------------------

Date: Sat, 13 Jun 2020 10:09:56 -0400
From: Steve Singer
Subject: Re: Multiple US agencies have purchased this mysterious mobile eavesdropping device (RISKS-31.98)

The only way to view site content is to disable ad blocking or more generally, script blocking -- and I find that unappealing, even temporarily. A business model apparently overrides any information-providing mission. My personal vote is thumbs-down; others are free to choose differently.

- - - - -

"AD BLOCKER INTERFERENCE DETECTED

Thank you for visiting this site. Unfortunately we have detected that you might be running custom adblocking scripts or installations that might interfere with the running of the site.

We don't mind you running adblocker, but could you please either disable these scripts or alternatively whitelist the site, in order to continue.

Thanks for your support"

------------------------------

Date: Mon, 1 Jun 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 32.01
************************