Risks Digest 34.15


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 8 Apr 2024 15:50:46 PDT

RISKS-LIST: Risks-Forum Digest  Monday 8 April 2024  Volume 34 : Issue 15

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.15>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Weather Service radar, warning systems fail during severe storm
  outbreak (WashPost)
No weather report?  It helps if NOAA pays its electric (Bloomberg)
In 2018 crash, Tesla's Autopilot just followed the lane lines (WashPost)
APRA Privacy Legislation (WiReD)
Data brokers are gearing up to fight privacy bills (The Verge)
NIST Unveils New Consortium to Operate National Vulnerability (PGN)
Jon Stewart On The False Promises of AI (The Daily Show)
UK plots massive expansion of live facial recognition (Joseph Bambridge)
Knocking cloud security off its game (ETH Zurich)
‘Reverse’ searches: The sneaky ways that police tap tech companies
 for your private data (TechCrunch)
U.S. Police Warn Those Driving to Canada to Watch for Hidden AirTags
 (Emily Price)
Demystifying privacy in Google Chrome and Mozilla Firefox (Apurvak)
Top Israeli spy chief exposes his true identity in online security lapse
 (The Guardian)
Roku patent invents a way to show ads over anything you plug into your TV
 (ArsTechnica)
Disney+ Password Sharing Crackdown to Start in June (MacRumors)
Teen Girls Confront an Epidemic of Deepfake Nudes in Schools (NYTimes)
How Tech Giants Cut Corners to Harvest Data for AI (NYTimes)
Elon Musk's X pushed a fake headline about Iran attacking Israel. X's AI
 chatbot Grok made it up. (Mashable)
An AI app claims it can detect sexually transmitted infections. (LATimes)
Google's passkey mess (Lauren Weinstein)
Re: Starlink Terminals (Charles Cazabon)
Re: Your boss could forward a mail message to you that show you text he
 won't see, but you will (Jurek Kirakowski)
Re: The FTC is trying to help (Dmitri Maziuk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 8 Apr 2024 12:46:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Weather Service radar, warning systems fail during severe storm
 outbreak (WashPost)

Weather Service radar, warning systems fail during severe storm outbreak

Tuesday's was not the first instance of such a network failure, but it was
perhaps the most consequential in recent memory.

https://www.washingtonpost.com/weather/2024/04/02/weather-radar-warning-outages-storm-outbreak/

------------------------------

Date: Mon, 8 Apr 2024 13:01:07 +0000 ()
From: danny burstein <dannyb () panix com>
Subject: No weather report?  It helps if NOAA pays its electric
 bill... (Bloomberg)

Latest Disaster for National Weather Service: Paying Its Bills
Jack Fitzpatrick, Bloomberg

A Georgia airport lost access to weather data for pilots. A radio
transmitter vital to producing weather alerts for a tornado-prone part of
Alabama went down. And two dozen National Weather Service employees were
left waiting months to be reimbursed for on the job expenses, including
travel to disaster areas.

It all stemmed from the rollout late last year of a new Commerce Department
financial system, starting at the National Oceanic and Atmospheric
Administration, that immediately stopped tens of millions of dollars worth
of invoices and reimbursements from being processed for payment. The fiasco,
which hasn't been previously reported, has resulted in electric companies
shutting off power to the agency's equipment for nonpayment in at least two
cases that could have proven dangerous, if not for a lucky streak of good
weather.  [...]  Those affected by the failures say they were lucky there
wasn't severe weather when NOAA facilities were shut down and meteorologists
were unable to travel.

They also credit good working relationships with local National Weather
Service officials in helping to quickly resolve the critical outages,
despite frustration with Commerce Department officials in Washington.

https://news.bgov.com/bloomberg-government-news/latest-disaster-for-national-weather-service-paying-its-bills

------------------------------

Date: Mon, 8 Apr 2024 12:53:18 -0400
From: Monty Solomon <monty () roscom com>
Subject: In 2018 crash, Tesla's Autopilot just followed the lane lines
 (WashPost)

Depositions in a civil case over a fatal 2018 crash -- set for trial this
week -- provide insights into how Tesla programmed its Autopilot software to
follow lines on the road.

https://www.washingtonpost.com/technology/2024/04/07/tesla-autopilot-crash-trial/

  [Follow your lines precisely, and everyone else will get out of your way?
  But that may not work for two Teslas approaching each other, and certainly
  not for other drivers who are under the influence.  PGN]

------------------------------

Date: Mon, 8 Apr 2024 9:38:50 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: APRA Privacy Legislation

https://www.wired.com/story/apra-congress-online-privacy-proposal/

Congress may be closer than ever to passing a comprehensive data privacy
framework after key House and Senate committee leaders released a new
proposal on Sunday.

The bipartisan proposal, titled the American Privacy Rights Act, or
APRA, would limit the types of consumer data that companies can
collect, retain, and use, allowing solely what they’d need to operate
their services. Users would also be allowed to opt out of targeted
advertising, and have the ability to view, correct, delete, and
download their data from online services. The proposal would also
create a national registry of data brokers, and force those companies
to allow users to opt out of having their data sold.

“This landmark legislation gives Americans the right to control where their
information goes and who can sell it,” Cathy McMorris Rodgers, House Energy
and Commerce Committee chair, said in a statement on Sunday. “It reins in
Big Tech by prohibiting them from tracking, predicting, and manipulating
people’s behaviors for profit without their knowledge and consent. Americans
overwhelmingly want these rights, and they are looking to us, their elected
representatives, to act.”

  [See also Lawmakers unveil sprawling plan to expand online privacy
  protections: Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers
  (R-Wash.) announced a major breakthrough in the decades-long fight to
  address online privacy.
https://www.washingtonpost.com/technology/2024/04/07/congress-privacy-deal-cantwell-rodgers/
  PGN]

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Sun, 7 Apr 2024 22:11:25 -0400
Subject: Data brokers are gearing up to fight privacy bills

https://www.theverge.com/2024/4/5/24122079/data-brokers-fisa-extension-nsa-section-702-surveillance-lexis-nexis

------------------------------

Date: Mon, 8 Apr 2024 10:33:48 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: NIST Unveils New Consortium to Operate National Vulnerability
 Database (Kevin Poireault)

  [The existing NIST/MITRE CVE repository should now have grown to
  more than 200,000 CVE common vulnerabilities (Wow!), but has
  apparently not been updated with the huge backlog of new CVEs.  It
  is really depressing that the industry is not able to develop new
  systems without continually adding so many new CVEs.  PGN]

Kevin Poireault, Infosecurity Magazine
  [Remember his namesake, Air-cool Poirot?]

It’s now official: the US National Institute of Standards and
Technology (NIST) will unveil an industry consortium to help it run
the world’s most widely used software vulnerability repository.

NIST, an agency within the US Department of Commerce, launched the US
National Vulnerability Database (NVD) in 2005 and has operated it ever
since.

This situation was expected to change, with vetted organizations
helping the agency from as soon as the beginning of April 2024.

The NVD program manager, Tanya Brewer, made the official announcement
during VulnCon, a cybersecurity conference hosted by the Forum of
Incident Response and Security Teams (FIRST) and held in Raleigh,
North Carolina, from March 25 to 27, 2024.

The news came after weeks of speculation over a possible shutdown of the NVD.

NIST Halted CVE Enrichment in February 2024

In early March, many security researchers noticed a significant drop in
vulnerability enrichment data uploads on the NVD website that had started
in mid-February.

According to its own data, NIST has analyzed only 199 Common
Vulnerabilities and Exposures (CVEs) out of the 2957 it has received
so far in March.

In total, over 4000 CVEs have not been analyzed since mid-February.

Since the NVD is the most comprehensive vulnerability database in the
world, many companies rely on it to deploy updates and patches.

If such issues are not resolved quickly, they could significantly impact
the security researcher community and organizations worldwide.

Speaking to Infosecurity, Tom Pace, CEO of firmware security provider
NetRise, explained: “It means that you’re asking the entire
cybersecurity community, overnight, to somehow go figure out what
vulnerability is in what operating system, software package,
application, firmware, or device. It’s a totally impossible, untenable
task!”

Dan Lorenc, co-founder and CEO of software security provider
Chainguard, called the incident a *massive issue*.

``We are now relying on industry alerts and social media to ensure we
triage CVEs as quickly as possible,'' he told Infosecurity.

“Scanners, analyzers, and most vulnerability tools rely on the NVD to
determine what software is affected by which vulnerabilities,” Lorenc
added. “If organizations cannot triage vulnerabilities effectively, it
opens them up to increased risk and leaves a significant gap in their
vulnerability management posture.”

To stay operational amidst the NVD backlog, several security
companies, such as VulnCheck, Anchore and RiskHorizon AI, started
working on projects that could provide an alternative to some parts of
vulnerability disclosure traditionally provided in the NVD.

This episode coincided with the release of the latest revision of the
Federal Risk and Authorization Management Program (FedRAMP Rev. 5), a
US federal law requiring any company that wants to do business with
the federal government to use the NVD as a source of truth and
remediate all known vulnerabilities inside it.

------------------------------

Date: Mon, 8 Apr 2024 09:54:08 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Jon Stewart On The False Promises of AI (The Daily Show)

https://www.youtube.com/watch?v=20TAkcy3aBY

Jon Stewart tackles the AI revolution and how its creators are promising a
better future while building technology to make human workers obsolete.

------------------------------

Date: Mon, 8 Apr 2024 9:26:29 PDT
From: Peter G Neumann <Peter.Neumann () SRI COM>
Subject: UK plots massive expansion of live facial recognition
 (Joseph Bambridge)

Joseph Bambridge, 8 Apr 2024

LONDON -- Low-level criminals in England and Wales could be tracked down
using facial recognition technology, the government has said, as it
confirmed plans for a massive expansion in police use of the technology.

Live facial recognition (LFR), which uses artificial intelligence-powered
cameras to identify faces in large crowds from a “watchlist,” has been
deployed by police forces in England and Wales at events including football
matches, concerts and the King’s Coronation, as well as in busy urban areas.

In a response to a parliamentary inquiry, the Home Office said on Monday
that LFR had already helped identify people wanted for “serious crimes”
including rape, grievous bodily harm and robbery.

The government is “committed to empowering the police to use the tools and
technology they need, and the public expects them to use … to solve and
prevent crimes, bring offenders to justice, and maintain public safety,” the
Home Office added.

It simultaneously rejected concerns from the inquiry, managed by the House
of Lords’ justice and home affairs committee, that the technology is being
encouraged despite an “absence of a foundation in law” and “without proper
scrutiny and accountability.”

Instead, it said there are already “numerous safeguards” in place over how
the technology is used. It also dismissed the committee’s concern that the
U.K. is falling behind “other democratic states” in regulating the
potentially invasive tech.

“The UK is leading the way in the use of LFR in a clear and transparent
way,” the government said. “The government has a duty to keep the country
safe by equipping the police with the powers and tools they need.”

Heading off criticism  [...]

Full steam ahead  [...]

  [This article seems to have disappeared from the WWWeb. 
  Too truthful?  PGN]

------------------------------

Date: Sun, 7 Apr 2024 01:55:27 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Knocking cloud security off its game (ETH Zurich)

https://ethz.ch/en/news-and-events/eth-news/news/2024/04/knocking-cloud-security-off-its-game.html

Public cloud services employ special security technologies. Computer
scientists at ETH Zurich have now discovered a gap in the latest security
mechanisms used by AMD and Intel chips. This affects major cloud pr

------------------------------

Date: Sun, 7 Apr 2024 10:53:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: ‘Reverse’ searches: The sneaky ways that police tap tech companies
 for your private data

How police cast digital dragnets over tech companies' vast banks of user
data

https://techcrunch.com/2024/04/02/reverse-searches-police-tap-tech-companies-private-data/

------------------------------

Date: Mon, 8 Apr 2024 11:58:51 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: U.S. Police Warn Those Driving to Canada to Watch for Hidden
 AirTags (Emily Price)

Emily Price, *PC Magazine*, 30 Mar 2024, via ACM TechNews,

Law enforcement officials in Vermont are warning residents to look for
hidden Apple AirTags in their vehicles after returning from road trips
to Canada. There has been an increase in the use of AirTags by
criminals in Montreal to track cars to steal and sell or to move drugs
over the border. Apple notifies iPhone users if it detects an unknown
AirTag and has released an app for Android users that allows them to
manually search for the trackers.

------------------------------

Date: Sat, 6 Apr 2024 23:27:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Demystifying privacy in Google Chrome and Mozilla Firefox
 (Apurvak)

We evaluated private browsing modes in Chrome and Mozilla, analyzed and
measured the effectiveness of the claims made by Google and Firefox. Our
main motive is to secure the local user from a local attacker such that the
user’s private browsing experience does not leave any trace on the browser, so that
when the browser is opened in public mode by anyone, our local user feels
safe. We also propose the notion of ideal private browsing from a browsing
experience perspective. We tested the browser from a local user point of
view and found the leaks present during and after the browser was exited.
Our results suggest that the bookmarks, extensions or plugins and DNS cache
leaks present a major threat to the security of the local user from a local
attacker. We also studied and analyzed the disk usage and DNS cache leak by
both browsers and found the conflict between privacy and performance. We also
found that Firefox bookmarking policy has a serious leak which reveals the
bookmarks of unvisited URLs that were added in private mode and
distinguishes them from those that were added in public mode. We also
propose two solutions to make bookmarking and plugins/extension more secure
so that they do not leave any explicit trail when private browsing is
exited.  [...]

https://medium.com/@apurvak/demystifying-privacy-in-google-chrome-and-mozilla-firefox-9a651e977171

------------------------------

Date: Mon, 8 Apr 2024 17:24:42 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Top Israeli spy chief exposes his true identity in online
 security lapse (Guardian)

The identity of the commander of a top-secret Israeli intelligence unit
8200, responsible for cybersecurity and cyberwarfare, has been a guarded
secret for decades.  But in 2021 the brigadier general wrote a book under an
assumed pen-name.

Guardian's journalists were able to follow a special Gmail account, set up
specifically for publishing the book on Amazon, to the brigadier's personal
account, where his real name was accessible.

Full story at:
https://www.theguardian.com/world/2024/apr/05/top-israeli-spy-chief-exposes-his-true-identity-in-online-security-lapse

  Naturally, I tried to google his Hebrew name, and found a link to his
  personal profile page on another site.  There was not much activity there,
  except a message from the site's administrator, sent shortly after the
  profile was established in 2006:

    "Hello Yossi, I would like to draw your attention to the fact that your
    user page is very public. It's possible that your personal details will
    be misused, and that's a shame. For example, you will receive a lot of
    junk mail"...

  This profile's history (also exposed) showed some activity was in 2021
  (about the time the book was published), and apparently the profile stayed
  exposed until two days after the Guardian's exposure.

  Is it possible that Israel's top cyber security officer is a bit security
  illiterate about his own pages?

------------------------------

Date: Sun, 7 Apr 2024 23:15:17 -0400
From: Monty Solomon <monty () roscom com>
Subject: Roku patent invents a way to show ads over anything you plug
 into your TV (ArsTechnica)

https://arstechnica.com/?p=2015217

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Sun, 7 Apr 2024 23:17:59 -0400
Subject: Disney+ Password Sharing Crackdown to Start in June
 (MacRumors)

https://www.macrumors.com/2024/04/05/disney-plus-password-sharing-crackdown/

------------------------------

Date: Mon, 8 Apr 2024 13:44:43 -0400
From: Monty Solomon <monty () roscom com>
Subject: Teen Girls Confront an Epidemic of Deepfake Nudes in Schools
 (NYTimes)

Using artificial intelligence, middle and high school students have
fabricated explicit images of female classmates and shared the doctored
pictures.

https://www.nytimes.com/2024/04/08/technology/deepfake-ai-nudes-westfield-high-school.html

------------------------------

Date: Sat, 6 Apr 2024 22:35:00 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: How Tech Giants Cut Corners to Harvest Data for AI (NYTimes)

https://www.nytimes.com/2024/04/06/technology/tech-giants-harvest-data-artificial-intelligence.html

In late 2021, OpenAI faced a supply problem.  The artificial intelligence
lab had exhausted every reservoir of reputable English-language text on the
Internet as it developed its latest AI system. It needed more data to train
the next version of its technology -- lots more.

So OpenAI researchers created a speech recognition tool called Whisper. It
could transcribe the audio from YouTube videos, yielding new conversational
text that would make an A.I. system smarter.

Some OpenAI employees discussed how such a move might go against YouTube's
rules, three people with knowledge of the conversations said. YouTube, which
is owned by Google, prohibits use of its videos for applications that are
*independent* of the video platform.

Ultimately, an OpenAI team transcribed more than one million hours of
YouTube videos, the people said. The team included Greg Brockman, OpenAI's
president, who personally helped collect the videos, two of the people
said. The texts were then fed into a system called GPT-4, which was widely
considered one of the world's most powerful AI models and was the basis of
the latest version of the ChatGPT chatbot.

------------------------------

Date: Mon, 8 Apr 2024 06:27:49 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Elon Musk's X pushed a fake headline about Iran attacking
 Israel. X's AI chatbot Grok made it up.

Elon Musk's AI chatbot Grok spread fake news on X which was then 
promoted by the platform.

https://mashable.com/article/elon-musk-x-twitter-ai-chatbot-grok-fake-news-trending-explore

------------------------------

Date: Sun, 7 Apr 2024 06:42:47 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: An AI app claims it can detect sexually transmitted infections.
 Doctors say it's a disaster (Calmara)

  Can Calmara AI app really detect infections in sex partners? - Los
  Angeles Times

Late last month, the San Francisco-based startup HeHealth announced the
launch of Calmara.ai <https://www.calmara.ai/>, a cheerful, emoji-laden
website the company describes as “your tech savvy BFF for STI checks.”

The concept is simple. A user concerned about their partner’s sexual health
status just snaps a photo (with consent, the service notes) of the partner’s
penis (the only part of the human body the software is trained to recognize)
and uploads it to Calmara.

In seconds, the site scans the image and returns one of two messages:
“Clear! No visible signs of STIs spotted for now” or “Hold!!! We spotted
something sus.”

Calmara describes the free service as “the next best thing to a lab test for
a quick check,” powered by artificial intelligence with “up to 94.4%
accuracy rate” (though finer print on the site clarifies its actual
performance is “65% to 96% across various conditions.”)

Since its debut, privacy and public health experts have pointed with alarm
to a number of significant oversights
<https://insights.priva.cat/p/privacy-clusterfucks-a-depressingly> in
Calmara’s design, such as its flimsy consent verification
<https://epic.org/forbes-an-ai-app-claiming-to-detect-stis-from-photos-of-genitals-is-a-privacy-disaster/>,
its potential to receive child pornography and an over-reliance on images to
screen for conditions that are often invisible.

But even as a rudimentary screening tool for visual signs of sexually
transmitted infections in one specific human organ, tests of Calmara showed
the service to be inaccurate, unreliable and prone to the same kind of
stigmatizing information its parent company says it wants to combat.  [...]

https://www.latimes.com/science/story/2024-04-07/calmara-claims-it-can-detect-stis-doctors-say-its-a-disaster

------------------------------

Date: Sun, 7 Apr 2024 14:54:23 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google's passkey mess

Google's poorly designed passkey implementation continues to cause
problems. I have chosen not to use passkeys, and have not enabled them
on any sites or devices. Notwithstanding this, some sites still
trigger passkey-related device chooser functions in the Chrome
browser. Today this caused me to have to retry logging in to an
important site over 10 times, because Google's passkey push was
interfering with my ability to use my FIDO security key as my chosen
second factor. This was intensely annoying and a terrible user
experience. Thanks a bunch, Google. -L

------------------------------

Date: Sat, 6 Apr 2024 21:16:44 -0600
From: Charles Cazabon <charlesc-risksdigest () pyropus ca>
Subject: Re: Starlink Terminals (Shapir, RISKS-34.14)

SpaceX's statement that they can "geolocate and turn off individual
terminals when it detects illegal use" -- and yet they haven't turned off
many suspicious links, may indicate that Musk may be collaborating with
such moves.

Not to defend Musk, but if this is happening it could also be a matter of
compulsion rather than collaboration.  Your U.S. security services are big
fans of compelling such "cooperation" from companies while also handing out
court orders forbidding them from saying anything about it.

------------------------------

Date: Sun, 7 Apr 2024 14:25:15 +0100
From: Jurek Kirakowski <jzk () uxp ie>
Subject: Re: Your boss could forward a mail message to you that
 show you text he won't see, but you will (Kuenning, RISKS-34.14)

Well said, Geoff Kuenning.

I have lectured till ... about the dangers of reading emails in any other
format than plain text (headers included.) CTRL-U in Thunderbird, a bit more
complicated in some other email clients.

I have two fairly simple programs that assist:

1. a decoder from base-64 to plaintext
2. a stripper of html tags.

Prototypes of both may be found on the Internet but they require a little
coding to create safe versions for your computer which work the way you want
them to. (1) works pretty effortlessly and (2) is a bit off and on but it
allows me to get the gist of what the email is trying to say in a quick eye
scan. I suppose (2) could be improved by just deleting any html tags that
refer the browser to external URIs. Or there may be a decent formatter of
html code one could adapt?

I never render further any base64-encoded segment that reveals itself as an
image. That's just plain silly.

I wonder if there are any old email hands with better, more up-to-date
solutions to combat these risks.

And of course, plain text for sending always "rules." God bless RISKS.

  [Jurek, Thanks]
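
An added example, not part of the message above and not Jurek Kirakowski's
own programs: a Python version of the two helpers he describes (base64
decoding and HTML tag stripping), extended to list the URIs the markup
referred to and to leave image parts undecoded. The sample message, its
addresses and its URLs are constructed for illustration.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser

# Attributes through which markup can point a client at an external resource.
URI_ATTRS = {"href", "src", "background", "action", "poster", "srcset"}
SKIP_CONTENT = {"head", "script", "style"}   # content never meant for reading
BREAK_TAGS = {"p", "br", "div", "li", "tr", "blockquote"}


class TagStripper(HTMLParser):
    """Keep the readable text, drop every tag, and list the URIs they cited."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.uris, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self._skip += 1
        if tag in BREAK_TAGS:
            self.text.append("\n")
        self.uris += [(tag, v) for k, v in attrs if k in URI_ATTRS and v]

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def read_as_text(raw_bytes):
    """Return the text parts as plain text; nothing is fetched or rendered."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {"text": [], "uris": [], "skipped": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_maintype() != "text":
            report["skipped"].append(ctype)   # images etc. are never decoded
            continue
        body = part.get_content()             # undoes base64 / quoted-printable
        if ctype == "text/html":
            stripper = TagStripper()
            stripper.feed(body)
            stripper.close()
            report["uris"] += stripper.uris
            # CSS is ignored, so text a rendering client would hide shows up.
            body = " ".join("".join(stripper.text).split())
        report["text"].append(body)
    return report


# Constructed sample: a base64 HTML part plus a placeholder "image" part.
SAMPLE_HTML = """<html><head><style>.x{display:none}</style></head>
<body><p>Quarterly report attached.</p>
<span class="x">Text a rendering client would hide.</span>
<img src="http://tracker.example/p.gif?id=42">
<a href="https://login.example/reset">Reset</a></body></html>"""


def sample_message():
    html_b64 = base64.encodebytes(SAMPLE_HTML.encode()).decode()
    img_b64 = base64.b64encode(b"constructed bytes, not a real image").decode()
    return (
        "From: sender@example.org\nSubject: constructed sample\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/html; charset=utf-8\n"
        f"Content-Transfer-Encoding: base64\n\n{html_b64}\n"
        "--b1\nContent-Type: image/gif\n"
        f"Content-Transfer-Encoding: base64\n\n{img_b64}\n--b1--\n"
    ).encode()


if __name__ == "__main__":
    for key, value in read_as_text(sample_message()).items():
        print(key, value)
```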

------------------------------

Date: Sun, 7 Apr 2024 11:06:39 -0500
From: Dmitri Maziuk <dmitri.maziuk () gmail com>
Subject: Re: The FTC is trying to help (Bacher, RISKS-34.14)

... they're trying to outlaw fraudulent email sender addresses

... and if they succeed, only the outlaws will have fraudulent email sender
addresses.

I'm sure that sentence wasn't intended to mean what it actually says, but it
does win The Internet for today nonetheless.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.15
************************

