Subject: Risks Digest 33.36
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Wed, 3 Aug 2022 22:29 UTC

RISKS-LIST: Risks-Forum Digest Wednesday 3 August 2022 Volume 33 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.36>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Today's Robotic Surgery Turns Surgical Trainees Into Spectators
(IEEE Spectrum)
Experts show how to unlock several Honda models via Rolling-PWN attack
(Security Affairs)
Post-quantum encryption contender is taken out by single-core PC and 1 hour
(Ars Technica)
Data Centers Are Facing a Climate Crisis (WiReD)
The Default Tech Settings You Should Turn Off Right Away (NYTimes)
Alex Jones' attorney mistakenly sent two years of his text messages to Sandy
Hook family's lawyer (The Independent)
About the W3C official Decentralized Identifier recommendation announced
today (Lauren Weinstein)
Study finds Wikipedia influences judicial behavior (MIT)
Re: BMW's Heated as a Service Model Has Drivers Seeking Hacks
(Barry Gold, John Levine, Gabe Goldberg, Pete Resiak)
Re: Students and staff are entirely prohibited from using Google Search
(Lars-Henrik Eriksson)
Re: Tim Hortons Offers a Free Coffee and Pastry for Spying on People for
Over a Year (Jonathan Levine, Steve Bacher)
Re: Tech giants, including Meta, Google, and Amazon, want to put an end to
leap-seconds (Steve Bacher)
Re: Drone Contraband Deliveries Are Rampant at U.S. Prisons (Amos Shapir)
Re: Online pricing algorithms are gaming the system, and could mean you pay
more (Amos Shapir)
Re: Jeopardy! player causes `at-home-disturbance' (Steve Bacher,
Amos Shapir)
Re: "Dr. Birx ADMITS She 'Knew' COVID-19 Vaccines 'Were Not Going to Protect
Against Infection' (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 01 Aug 2022 23:59:01 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Today's Robotic Surgery Turns Surgical Trainees Into Spectators
(IEEE Spectrum)

https://spectrum.ieee.org/files/17305/08 Spectrum_22Med.pdf retrieved on
02AUG2022. IEEE membership might be required to access.

"Medical training in the robotics age leaves tomorrow's surgeons short on
skills."

"Once the robotic arms are in place and instruments are inserted, the
surgeon 'scrubs out' and takes up position perhaps 15 feet away from the
patient in the immersive daVinci control console, which provides a
stereoscopic view. The surgeon's hands are on two multipurpose controllers
that can move and rotate the instruments in all directions; by switching
between controllers, the surgeon's two hands can easily manage all four
robotic arms.

"And the trainee... well, the trainee gets to watch from another console, if
there is one. While the lead surgeon could theoretically give the trainee
one of the robot arms to control, in practice it never happens. And surgeons
are reluctant to give the trainee control over all the arms because they
know that will make the procedure take longer, and the risk to the patient
goes up nonlinearly with elapsed time under anesthesia."

Sawbone v. Robot patient outcome comparisons for certain procedures, such as
prostate surgery, are challenging to interpret. Why?

The FDA is required to collect and report data for adverse events. The
medical device reports (MDRs) document and standardize adverse events
resulting in patient injury, death, and device malfunction. MDRs are almost
exclusively prepared and reported by device manufacturer representatives:
significant subject matter expertise is necessary to accurately document an
adverse event.

The FDA is NOT required to collect data on the total number of robotic
surgical procedures performed over time. The robot surgeon device
manufacturers know, but are not required to disclose.

This practice explains why most (if not all) long-term medical device
recipient studies reveal events per population (usually per 100,000) per
year. This data can be extracted from billing records kept at the Centers
for Medicare & Medicaid Services (cms.gov). Trend reporting can smooth and
obscure event clusters.

The total robot procedures performed, devices implanted/explanted or
in-service per year constitute "proprietary data." Expecting consumers to
interpolate medical device counts or surgical procedures by examining MDR
filings is burdensome.

Would a legal requirement for periodic manufacturer disclosure of aggregate
medical device implants/explants or procedure counts improve safety? MDRs
v. actual counts information may enlighten more than device per patient
population trends.

Refer to
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=5692&min_report_year=2017
from FDA's TPLC platform for Product Code NAY: System, surgical, computer
controlled instrument. This product code groups several manufacturer devices
into equivalent categories. Intuitive Surgical, Inc.'s DaVinci is
prominently featured in the report.

The TPLC MDR summary shows robotic surgical device adverse event reports per
year. That total adverse event-report frequency grows year-over-year
suggests robotic-driven surgical procedures are in demand. In CSV format:

MDR Year,MDR Reports,MDR Events
2017,1049,1049
2018,1074,1074
2019,1154,1154
2020,1558,1558
2021,1997,1997
2022,2465,2465

"Break" or "Detachment of Device or Device Component" events characterize
the most common robot surgeon faults.

------------------------------

Date: Wed, 3 Aug 2022 11:13:04 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Experts show how to unlock several Honda models via Rolling-PWN
attack (Security Affairs)

Bad news for the owners of several Honda models: the Rolling-PWN Attack
vulnerability can allow unlocking their vehicles.

https://securityaffairs.co/wordpress/133090/hacking/honda-rolling-pwn-attack.html

------------------------------

Date: Tue, 2 Aug 2022 11:14:18 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Post-quantum encryption contender is taken out by single-core PC
and 1 hour (Ars Technica)

[Oops!]

https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/

------------------------------

Date: Mon, 1 Aug 2022 20:05:31 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Data Centers Are Facing a Climate Crisis (WiReD)

Companies are racing to cool down their servers as energy prices and
temperatures soar. And the worst is yet to come.

https://www.wired.com/story/data-centers-climate-change

------------------------------

Date: Mon, 1 Aug 2022 17:47:27 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: The Default Tech Settings You Should Turn Off Right Away (NYTimes)

These controls, which are buried inside products from Apple, Google,
Meta and others, make us share more data than we need to. [...]

https://www.nytimes.com/2022/07/27/technology/personaltech/default-settings-turn-off.html

------------------------------

Date: Wed, 3 Aug 2022 11:17:50 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Alex Jones' attorney mistakenly sent two years of his text messages
to Sandy Hook family's lawyer (The Independent)

https://www.independent.co.uk/news/world/americas/alex-jones-sandy-hook-text-messages-b2137543.html

------------------------------

Date: Mon, 1 Aug 2022 17:48:06 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: About the W3C official Decentralized Identifier recommendation
announced today

You may be hearing about this, and I'm not going to try to critique it in
detail here right now. But I will express an overall opinion of it. My
sense is that it is an unmitigated mess. Nor is it obvious to me that it
will ever not be an unmitigated mess. The list of reasons why is long and
technical. But that's my executive summary for right now based on what I've
seen about this to date. -L

------------------------------

Date: Tue, 2 Aug 2022 13:44:08 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Study finds Wikipedia influences judicial behavior (MIT)

https://news.mit.edu/2022/study-finds-wikipedia-influences-judicial-behavior-0727

------------------------------

Date: Mon, 1 Aug 2022 22:02:20 -0700
From: Barry Gold <BarryDGold@ca.rr.com>
Subject: Re: BMW's Heated as a Service Model Has Drivers Seeking Hacks
(RISKS-33.35)

In the 1970s, IBM sold the 370/145, which did not have virtual memory. Or
at least, that's what the POP (Principles of Operation = instruction set
handbook) said.

Being a moderately large customer, we had an on-site CE (repairman), with an
office set aside for his use. There was a hardcopy listing of the 145's
microcode (looking very much like any other assembly language) bound in a
large folder in the office -- which was not kept locked. One of our
programmers, having some time on his hands, was leafing through this out of
idle curiosity and noticed that there were gaps in the address column:

