RISKS-LIST: Risks-Forum Digest  Thursday 20 Feb 2025  Volume 34 : Issue 57

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
Delta Plane Crashes and Overturns While Landing at Toronto Airport (NYTimes)
ATC Firings (The Guardian)
Too much fuel, not enough planning? (NZ Herald)
Family Of DC Plane Crash Victim Files $250M Legal Claims (Arlington, VA Patch)
Top U.S. Election Security Watchdog Forced to Stop Election Security Work (WiReD)
Censored Science Can't Save Lives (NYTimes)
The war against information (The New Republic)
How not to hire for a senior information security role (Ben Rothke)
Ransomware, disease, and 'ultra low-cost retailers': Why 3 iconic Canadian clothing stores went broke (CBC)
DeepSeek 'shared user data' with TikTok owner ByteDance (YNA)
Copter May Have Missed Key (NYTimes, Mark Walker)
Re: Lies, Damned Lies and Trumpflation (Gabe Goldberg)
Re: Hiding the Fatal Motor Vehicle Crash Record (Ed Ravin)
Re: Dear, did you say pastry? meet the AI granny driving scammers up the wall (Amos Shapir, Steve Bacher)
Aviation analyst on DC January 29 helicopter crash references "Swiss Cheese human & systems failure model" (James T Reason via Rob Wilcox)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 17 Feb 2025 17:26:42 -0800
From: "Jim"
Subject: Delta Plane Crashes and Overturns While Landing at Toronto Airport (NYTimes)

At least 18 people were injured, officials said. Two passengers, including a pediatric patient, were in critical condition but were expected to survive.
A Delta Air Lines jet attempting to land at Toronto Pearson Airport amid strong winds and drifting snow crashed and flipped over on the tarmac on Monday afternoon, finally coming to a rest with its belly up and with at least one wing shorn off. Despite the aircraft's dramatic landing, all 80 people aboard the plane, Flight 4819 from Minneapolis, were evacuated.

The NY Times, 17 Feb 2025

------------------------------

Date: Mon, 17 Feb 2025 09:11:11 -0800
From: "Jim"
Subject: ATC Firings (The Guardian)

Trump begins firings of FAA air traffic control staff just weeks after fatal Washington DC plane crash

The Associated Press reports that the Trump administration has begun firing several hundred Federal Aviation Administration employees, upending staff on a busy air travel weekend and just weeks after a January fatal mid-air collision at Ronald Reagan Washington National airport.

Probationary workers were targeted in late-night emails on Friday notifying them they had been fired, David Spero, president of the Professional Aviation Safety Specialists union, said in a statement.

The affected workers include personnel hired for FAA radar, landing and navigational aid maintenance, one air traffic controller told the Associated Press. The air traffic controller was not authorized to talk to the media and spoke on condition of anonymity.

Spero said messages began arriving after 7pm on Friday and continued late into the night. More might be notified over the long weekend or barred from entering FAA buildings on Tuesday, he said.

The employees were fired "without cause nor based on performance or conduct", Spero said, and the emails were "from an 'exec order' Microsoft email address" - not a government email address.

The firings hit the FAA when it faces a shortfall in controllers. Federal officials have been raising concerns about an overtaxed and understaffed air traffic control system for years, especially after a series of close calls between planes at U.S. airports.
Among the reasons they have cited for staffing shortages are uncompetitive pay, long shifts, intensive training and mandatory retirements.

*The Guardian*, 18 Feb 2025

------------------------------

Date: Mon, 17 Feb 2025 09:46:22 -0800
From: "Jim"
Subject: Too much fuel, not enough planning? (NZ Herald)

NZ Herald, 17 Feb 2025

Passengers on an Air New Zealand flight from Wellington to Dunedin on Saturday were told 13 volunteers would need to get off the plane to lighten the load or all the baggage would be left behind.

One of the passengers told RNZ he and other passengers were paid hundreds of dollars each to get off the overweight Air New Zealand flight, which the airline blamed on over-fuelling.

Michael Reddell was on the plane to Dunedin to take his daughter to the University of Otago on Saturday when the airline announced passengers would need to disembark or the baggage be unloaded. Passengers were told the aircraft was overweight by 1300kg, Reddell said.

------------------------------

Date: Wed, 19 Feb 2025 17:15:22 -0500
From: Gabe Goldberg
Subject: Family Of DC Plane Crash Victim Files $250M Legal Claims (Arlington, VA Patch)

Officials said the Black Hawk crew never heard the words *pass behind the plane* during the transmission from the controller because the helicopter's microphone key was depressed.

https://patch.com/virginia/annandale/s/j5tyz/family-of-dc-plane-crash-victim-files-250m-legal-claim-reports

That's a wonderful protocol; maybe research could develop one that doesn't lose essential transmissions.

------------------------------

Date: Sun, 16 Feb 2025 13:41:15 -0800
From: Jim
Subject: Top U.S. Election Security Watchdog Forced to Stop Election Security Work (WiReD)

The Cybersecurity and Infrastructure Security Agency has frozen all of its election security work and is reviewing everything it has done to help state and local officials secure their elections for the past eight years, WIRED has learned.
The move represents the first major example of the country's cyberdefense agency accommodating President Donald Trump's false claims of election fraud and online censorship.

https://www.wired.com/story/cisa-election-security-freeze-memo/

------------------------------

Date: Wed, 19 Feb 2025 16:48:55 PST
From: Peter Neumann
Subject: Censored Science Can't Save Lives (NYTimes)

Jehan Alladina, C. Corey Hardin, and Alexander Rabin
*The New York Times*, 19 Feb 2025, National Edition, opinion

Progress is stifled when researchers are barred from asking certain questions.

Censoring research on how to deliver treatments to those most in need isn't just nonsensical, it puts lives at risk and undermines America's leadership in medical innovation. Progress cannot occur if scientists are barred from asking certain questions. This is not how science works. [...]

The question is: Will the government police words and obstruct research, or will it allow doctors to work freely in the name of health?

------------------------------

Date: Mon, 17 Feb 2025 09:58:25 -0800
From: "Jim"
Subject: The war against information (The New Republic)

https://newrepublic.com/article/191563/trump-musk-war-information-data?utm_source=newsletter

With dramatic cuts to departments and efforts to restrict access to certain research, the administration is reshaping a vast data-driven world in its autocratic image.

Since reentering the Oval Office last month, President Donald Trump has undertaken several actions to restrict access to public health and education research. The ostensible goals may be to remove certain content related to issues that the administration considers ideologically objectionable - such as references to racial, sexual, and gender identity and information regarding climate change - as well as a nod to cost-cutting.
But the end result of this knowledge purge may be the loss of critical data that physicians, researchers, and educators use to inform their work on matters as wide ranging as public health, schooling, and the national economy.

In January, agencies scrambled to scrub websites that made references to transgender individuals or "diversity, equity, and inclusion" efforts, with the goal of being in alignment with Trump's executive orders. The Office of Personnel Management ordered agency heads to remove "gender ideology" from websites; this resulted in actions such as the Centers for Disease Control and Prevention removing information on contraception, facts about HIV-positive and transgender individuals, and research showing that transgender youth face higher rates of bullying, depression, and other issues. Data from the CDC's Youth Risk Behavior Surveillance System, which tracks health issues for young people, was removed entirely.

in the country -- but due to local uproar, plans are on hold. The solar farm in Central Otago would be located on 660ha of unirrigated land, leased by two local farming families, and is one of several currently in development across New Zealand.

https://www.nzherald.co.nz/nz/central-otago-solar-farm-application-on-hold-after-local-uproar/ORGBOEAGJJCXDP23PIDWFE5HF4/

However, residents of the tiny nearby town of Naseby -- population 140 at the 2023 Census -- are mostly opposed to the development, citing fire hazards and visual pollution.

Former Delta employee Richard Healey, who several years ago was a whistleblower over an energy cost increase by Aurora, has been one of the most vocal critics. He says he is not anti-solar energy, simply concerned at the sheer scale of the project.
------------------------------

Date: Mon, 17 Feb 2025 20:50:12 -0500
From: Ben Rothke
Subject: How not to hire for a senior information security role

I recently received a flurry of emails from clueless recruiters hiring for a senior medical device information security role. It reminded me of a project I worked on with Bruce Schneier. Bruce met with the client, and they totally misunderstood everything he told them.

https://brothke.medium.com/how-not-to-hire-for-a-senior-information-security-role-4bf71ce7ee26?sk=9cab2444ee1ead944e41ab61445aea4c

------------------------------

Date: Sun, 16 Feb 2025 22:04:57 -0700
From: Matthew Kruk
Subject: Ransomware, disease, and 'ultra low-cost retailers': Why 3 iconic Canadian clothing stores went broke (CBC)

https://www.cbc.ca/news/canada/british-columbia/bootlegger-comark-insolvency-covid-1.7459717

For three weeks in November and December 2021, iconic Canadian clothing chains Bootlegger, Cleo and Ricki's found themselves paralyzed -- staring down the barrel of the "critical holiday season" but prevented by ransomware from moving inventory.

The attack occurred on Nov. 23, but the businesses weren't able to regain access to their internal systems until 13 Dec -- lag time that forced the 221 affected stores to mount heavy promotions in order to offload the substantial portion of seasonal clothing caught up in the delay.

------------------------------

Date: Tue, 18 Feb 2025 08:48:39 -0800
From: "Jim"
Subject: DeepSeek 'shared user data' with TikTok owner ByteDance (YNA)

South Korea has accused Chinese AI startup DeepSeek of sharing user data with the owner of TikTok in China. "We confirmed DeepSeek communicating with ByteDance," the South Korean data protection regulator told Yonhap News Agency.
------------------------------

Date: Sun, 16 Feb 2025 15:42:46 PST
From: Peter Neumann
Subject: Copter May Have Missed Key Instructions Before Crash (NYTimes, Mark Walker)

Then on 15 Feb 2025 comes this headline: Copter May Have Missed Key Instructions Before Crash:

The investigative board head cited two instances of when air-traffic control had given instructions to the Black Hawk crew on how to weave through the busy airspace that the crew might not have completely received. But the recording in the helicopter did not include two messages that are in the controller's recording.

------------------------------

Date: Tue, 18 Feb 2025 22:21:47 -0500
From: Gabe Goldberg
Subject: Re: Lies, Damned Lies and Trumpflation (Paul Krugman, RISKS-34.56)

His fact checkers missed that COBOL isn't obsolete and is still used in the business world, as well as government. And it's not the COBOL language setting missing birth dates to 1875 but very bad programming. X and Threads aren't necessarily the best source for facts, maybe especially technical facts.

This makes more sense, except the "rarely" part. And it's still bad programming.

https://www.wired.com/story/elon-musk-doge-social-security-150-year-old-benefits

Computer programmers quickly claimed that the 150 figure was not evidence of fraud but rather the result of a weird quirk of the Social Security Administration's benefits system, which was largely written in COBOL, a 60-year-old programming language that undergirds SSA's databases as well as systems from many other U.S. government agencies. COBOL is rarely used today, and as such, Musk's cadre of young engineers may well be unfamiliar with it. Because COBOL does not have a date type, some implementations rely instead on a system whereby all dates are coded to a reference point. The most commonly used is May 20, 1875, as this was the date of an international standards-setting conference held in Paris, known as the Convention du Mètre.
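As an added illustration (not from the digest or any of its contributors) of the sentinel-date defect the quoted WIRED passage describes, assuming a record store in which an unrecorded birth date is written as the 1875-05-20 reference date: the naive age calculation trusts every stored date and reports such records as roughly 150 years old, while the validating version decodes the sentinel back into "unknown" and flags implausible ages for review. Record ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reference date described in the quoted WIRED passage; treating it as a
# real birth date is the defect, since in this scheme it means "not recorded".
SENTINEL_BIRTH_DATE = date(1875, 5, 20)

# Constructed sample records: a normal birth date, an unrecorded one stored
# as the sentinel, and a genuinely old but plausible record.
SAMPLE_RECORDS = [
    ("A-0001", date(1960, 3, 14)),
    ("A-0002", SENTINEL_BIRTH_DATE),   # missing date written as sentinel
    ("A-0003", date(1921, 7, 2)),
]

AS_OF = date(2025, 2, 20)  # date of this digest issue, used as "today"


def age_on(born: date, as_of: date) -> int:
    """Whole years elapsed between born and as_of."""
    years = as_of.year - born.year
    if (as_of.month, as_of.day) < (born.month, born.day):
        years -= 1
    return years


def naive_ages(records, as_of=AS_OF):
    """Defective version: every stored date is trusted, so the sentinel
    turns record A-0002 into a beneficiary aged about 150."""
    return {rid: age_on(born, as_of) for rid, born in records}


@dataclass(frozen=True)
class AgeResult:
    age: Optional[int]   # None when the birth date is unknown
    flagged: bool        # True when the record needs manual review
    reason: str


def validated_ages(records, as_of=AS_OF, max_plausible_age=120):
    """Corrected version: the sentinel is decoded back into 'unknown'
    instead of being fed into arithmetic, and any remaining implausible
    age is flagged rather than reported as fact."""
    out = {}
    for rid, born in records:
        if born == SENTINEL_BIRTH_DATE:
            out[rid] = AgeResult(None, True, "birth date not recorded")
            continue
        age = age_on(born, as_of)
        if age < 0 or age > max_plausible_age:
            out[rid] = AgeResult(age, True, "implausible age")
        else:
            out[rid] = AgeResult(age, False, "ok")
    return out
```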
------------------------------

Date: Sun, 16 Feb 2025 21:39:01 -0500
From: Ed Ravin
Subject: Re: Hiding the Fatal Motor Vehicle Crash Record

The FARS data is online again as of February 12 according to:

https://static.nhtsa.gov/nhtsa/downloads/FARS/2022/FARS2022%20Release%20Notes.txt

They seem to be transparent about what was changed:

> 02/11/2025
> Update the renaming of the variable to "Sex" and the replacement of
> attribute 3 with attribute 8-Not Reported. There were 22 records in
> Person and 1 record in PBTYPE (all in U.S. and none for PR) that were
> updated. Removed attribute 3 in the format library.

Friends have been telling me that the current upheaval feels like living in a dystopian novel. The above seems straight out of Orwell's "Nineteen Eighty-Four" - for those 23 people, a critical facet of their lives has been erased, tossed down the memory hole.

------------------------------

From: Amos Shapir
Date: Wed, 19 Feb 2025 11:27:49 +0200
Subject: Re: Dear, did you say pastry? meet the AI granny driving scammers up the wall (RISKS-34.56)

A friend of mine was employing a low-tech solution, since before smartphones even existed: He'd just hand over the phone to his two-year-old daughter. She liked to chat, and it usually took the perpetrator about 15-20 minutes to realize what was happening.

The only drawback of this method is that it requires a steady supply of two-year-old toddlers.

------------------------------

Date: Mon, 17 Feb 2025 09:05:58 -0800
From: Steve Bacher
Subject: Re: Dear, did you say pastry? meet the AI granny driving scammers up the wall (The Guardian)

So the AI "granny" declares herself "78 years young," does she/it? May I point out that the computer-savvy generation has been entering their retirement years for some time now. I myself am but 7 years behind Daisy. So the stereotype about oldsters being computer-ignorant is becoming more and more irrelevant.
"Daisy" types will have to be in their 90s or even centenarians to keep the deception going.

------------------------------

From: Rob Wilcox
Date: Mon, 17 Feb 2025 20:19:25 -0800
Subject: Aviation analyst on DC January 29 helicopter crash references "Swiss Cheese human & systems failure model" (James T Reason)

Blancolirio, Juan Browne, is one of a group of aviation pilots who contribute post-air disaster and near-miss public analysis to YouTube. They overlay synchronized ADS-B, maps, and ATC voice communications with knowledge of the aircraft, pilots, weather, and other data.

My professional interest is electric grid failures and preventing them. They are similar to aviation incidents.

In an update on the Washington DC crash on January 29, Browne cites the work of risk analyst James T Reason at University of Manchester, and familiar to Risks readers. He has published extensively. He passed 5 Feb 2025. Reason has extensive contributions in journals and in books.

https://www.youtube.com/watch?v=v8sNVcm9TMU

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: .
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 34.57
************************