Subject: Risks Digest 33.57
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sun, 11 Dec 2022 01:44 UTC
Path: eternal-september.org!news.eternal-september.org!reader01.eternal-september.org!panix!.POSTED.panix1.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.57
Date: 11 Dec 2022 01:44:23 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 1186
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1670722335.risko@chiron.csl.sri.com18863>
Injection-Info: reader2.panix.com; posting-host="panix1.panix.com:166.84.1.1";
logging-data="27834"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 10 December 2022 Volume 33 : Issue 57

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.57>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Dreams of a Future in Big Tech Dim for Computer Science Students
(NYTimes via PGN, Bruce DeBruhl)
Metro May Resume Automatic Train Operation In 2023 (DCist)
Amnesty International Canada hit by cyberattack out of China (CBC)
Data breach of Ontario's vaccine booking system affects hundreds of
thousands, province says (CBC)
How the Global Spyware Industry Spiraled Out of Control (Sundry)
It's Not Science, Just Surveillance -- and It's Under Your Desk (Techworker)
Raspberry Pi hires a former cop, and responds poorly to the public response
(Resetera)
Apple to encrypt iCloud (The Washington Post)
TSA argues for impunity for checkpoint staff who rape travelers
(PaperPlease)
Hertz to pay $168m for falsely accusing customers of theft (BBC)
AI Learns To Write Computer Code In 'Stunning' Advance (Science)
A Row Erupts Over Texas' Bold Bitcoin Battery Plan (WiReD)
A Twitter data tracker inhabits tens of thousands of websites (WashPost)
Sundry Musky Items (PGN-collected from Lauren Weinstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 8 Dec 2022 13:22:53 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: Dreams of a Future in Big Tech Dim for Computer Science Students
(NYTimes)

Natasha Singer and Kalley Huang, *The New York Times* Business, 8 Dec 2022
After spending years laying the groundwork for lucrative careers, many
recent graduates are left scrambling as coveted jobs dry up.
https://www.nytimes.com/2022/12/06/technology/computer-students-tech-jobs-layoffs.html

[Thursday's print article and the online version from two days prior differ
in titling, but apparently not in content. PGN]

This article seems to have been written primarily in response to Meta
laying off 11,000, and layoffs, hiring freezes, and slowdowns at Twitter,
Alphabet, DoorDash, Lyft, Snap, Stripe, and Amazon (which is contemplating
cutting this year's 18,000 summer interns by more than 50% for next
summer). More than 400,000 new jobs are foreseen between 2021 and 2031,
according to the Bureau of Labor Statistics, although ``many of those are
in areas like finance and the automotive industry.'' The article
documents various personal cases, and suggests that graduate school is
also an option to jobs (assuming one can afford it)... PGN-ed

There seems to be a Catch-22 underlying undergraduate computer science,
which has been touted as a great source of future jobs. My guess is that
being just a programming whiz is not enough, and that system-oriented
thinking and the experience that can result therefrom has not been popular
even in graduate programs for many years. Perhaps CS has been
oversimplified in too many schools and colleges? How many of them actually
teach the fundamental principles of total-system architectures, not to
mention formal methods as a basis for developing trustworthy systems?

My CSL colleague Prashanth Mundkur sent me this comment:

Given the reputational damage that Big Tech, Silicon Valley and tech in
general have suffered in recent years, it might be worth including the
ethical impacts of business models (e.g., on violations of privacy, spread
of misinformation/disinformation) into the holistic analysis of
total-system architectures. I'm not sure if the ACM Code of Ethics is
studied in undergraduate or graduate CS curricula.

Many years ago Deborah Johnson taught courses at RPI on the subject of
computer-related ethics, and wrote various books that are still in print.
Considerable effort at Yale was led by Terry Bynum (including a summer
workshop in 1991). There have been numerous efforts to revisit this
subject. I have no idea how many computer science curricula include
relevant courses today. However, I suspect that most of the mentioned
companies are not paying much attention -- where profits are generally
considered more important. PGN

------------------------------

Date: Fri, 9 Dec 2022 21:43:04 +0000
From: Bruce DeBruhl <bruce.debruhl@sri.com>
Subject: Dreams of a Future in Big Tech Dim for Computer Science Students
(Re: PGN, RISKS-33.57)

This is something I have definitely considered a lot as a member of an
undergraduate curriculum committee for computer science and the chair of a
curriculum committee for computer engineering. I think part of the issue is
the overall drift of the ACM/IEEE curricular recommendation for CS has been
moving away from complete system design
(https://www.acm.org/binaries/content/assets/education/cs2013_web_final.pdf). These
guidelines are also used, in part, to define what a program requires to get
ABET accreditation - a target for many CS programs.

For example, architecture and organization for a BS computer science degree
gets only 16 tier-2 hours. That is 1 semester-unit or 1.5 quarter units.
Similarly, a lot of system design topics get a similar small 1 or 2 unit
recommendation. This encourages teaching systematic thinking in a limited
number of survey courses if you want to follow the ACM recommendations and
not have all of your curriculum on specific system topics.

Many departments have to make hard decisions about what curriculum to focus
on also. It is difficult to hire in some specialties for non-R1
universities. Cybersecurity (formal methods or other) is difficult because
industrial demand is high and pay scale is hard to compete with. For
example, most CSUs and similar state schools have 0 or 1 person with formal
background in cybersecurity. Software engineering has similar issues.

In my experience, other domains are hard to hire because of supply side
issues. For example, compilers and programming languages are difficult
because there are fewer people getting PhDs in related fields -- so some
schools have had to cut compilers as a required course because they just
can't staff enough sections. Schools can try to find creative solutions, for
example, cross-training across specialties, but this is a hard task to add
to an already busy job.

------------------------------

Date: Wed, 7 Dec 2022 01:10:29 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Metro May Resume Automatic Train Operation In 2023 (DCist)

If you've ever cursed your jerky Metro train as it comes into a station,
take comfort in the fact that those days may soon be over.

Metro is seeking to return its Red Line trains to automatic operation --
instead of manual human operation -- by next spring, the transit agency
noted in a presentation Monday. The rest of the system could return to
automation by the end of 2023.

System shut down after 2009 crash

Metro was originally designed to be an automated system. And it operated
that way until 2009 when a sensor in the track malfunctioned, which led to a
train crashing into the back of another train near Fort Totten. The crash
killed nine people and injured 80 others. (The malfunctioning circuit meant
one of the trains involved in the collision was, in essence, invisible on
the system.)

https://dcist.com/story/22/12/06/metro-resume-automatic-train-operation-2009-crash-red-line

------------------------------

Date: Mon, 5 Dec 2022 14:33:38 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Amnesty International Canada hit by cyberattack out of China (CBC)

https://www.cbc.ca/news/politics/amnesty-international-canada-cyber-attack-china-1.6674788

The Canadian branch of Amnesty International was the target of a
sophisticated cyber-security breach this fall -- an attack forensic
investigators believe originated in China with the blessing of the
government in Beijing.

The intrusion was first detected on October 5, the human rights group said
Monday.

The attack showed signs of being the work of what's known as an advanced
persistent-threat group (APT), according to the cyber security company that
conducted the forensic investigation.

Unlike a typical cybercrime attack, the attack on Amnesty involved
establishing covert surveillance of the operating system of Amnesty's
network, said the report prepared for Amnesty International Canada by the
U.K.-based cybersecurity firm Secureworks.

The hackers appeared to be attempting to obtain a list of Amnesty's contacts
and monitor its plans.

------------------------------

Date: Fri, 9 Dec 2022 20:45:21 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Data breach of Ontario's vaccine booking system affects hundreds of
thousands, province says (CBC)

https://www.cbc.ca/news/canada/toronto/vaccine-data-breach-ontario-1.6680714

Hundreds of thousands of Ontarians' information may have been compromised in
a data breach of the province's vaccine management system last year.

