Weather Service radar, warning systems fail during severe storm outbreak
Tuesday's was not the first instance of such a network failure, but it was perhaps the most consequential in recent memory.
https://www.washingtonpost.com/weather/2024/04/02/weather-radar-warning-outages-storm-outbreak/
Latest Disaster for National Weather Service: Paying Its Bills Jack Fitzpatrick, Bloomberg
A Georgia airport lost access to weather data for pilots. A radio transmitter vital to producing weather alerts for a tornado-prone part of Alabama went down. And two dozen National Weather Service employees were left waiting months to be reimbursed for on the job expenses, including travel to disaster areas.
It all stemmed from the rollout late last year of a new Commerce Department financial system, starting at the National Oceanic and Atmospheric Administration, that immediately stopped tens of millions of dollars worth of invoices and reimbursements from being processed for payment. The fiasco, which hasn't been previously reported, has resulted in electric companies shutting off power to the agency's equipment for nonpayment in at least two cases that could have proven dangerous, if not for a lucky streak of good weather. […] Those affected by the failures say they were lucky there wasn't severe weather when NOAA facilities were shut down and meteorologists were unable to travel.
They also credit good working relationships with local National Weather Service officials in helping to quickly resolve the critical outages, despite frustration with Commerce Department officials in Washington.
Depositions in a civil case over a fatal 2018 crash—set for trial this week—provide insights into how Tesla programmed its Autopilot software to follow lines on the road.
https://www.washingtonpost.com/technology/2024/04/07/tesla-autopilot-crash-trial/
https://www.wired.com/story/apra-congress-online-privacy-proposal/
Congress may be closer than ever to passing a comprehensive data privacy framework after key House and Senate committee leaders released a new proposal on Sunday.
The bipartisan proposal, titled the American Privacy Rights Act, or APRA, would limit the types of consumer data that companies can collect, retain, and use, allowing solely what they’d need to operate their services. Users would also be allowed to opt out of targeted advertising, and have the ability to view, correct, delete, and download their data from online services. The proposal would also create a national registry of data brokers, and force those companies to allow users to opt out of having their data sold.
“This landmark legislation gives Americans the right to control where their information goes and who can sell it,” Cathy McMorris Rodgers, House Energy and Commerce Committee chair, said in a statement on Sunday. “It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act.”
Kevin Poireault, Infosecurity Magazine [Remember his namesake, Air-cool Poirot?]
It’s now official: the US National Institute of Standards and Technology (NIST) will unveil an industry consortium to help it run the world’s most widely used software vulnerability repository.
NIST, an agency within the US Department of Commerce, launched the US National Vulnerability Database (NVD) in 2005 and has operated it ever since.
This situation was expected to change, with vetted organizations helping the agency from as soon as the beginning of April 2024.
The NVD program manager, Tanya Brewer, made the official announcement during VulnCon, a cybersecurity conference hosted by the Forum of Incident Response and Security Teams (FIRST) and held in Raleigh, North Carolina, from March 25 to 27, 2024.
The news came after weeks of speculation over a possible shutdown of the NVD.
NIST Halted CVE Enrichment in February 2024
In early March, many security researchers noticed a significant drop in vulnerability enrichment data uploads on the NVD website that had started in mid-February.
According to its own data, NIST has analyzed only 199 Common Vulnerabilities and Exposures (CVEs) out of the 2957 it has received so far in March.
In total, over 4000 CVEs have not been analyzed since mid-February.
Since the NVD is the most comprehensive vulnerability database in the world, many companies rely on it to deploy updates and patches.
If such issues are not resolved quickly, they could significantly impact the security researcher community and organizations worldwide.
Speaking to Infosecurity, Tom Pace, CEO of firmware security provider NetRise, explained: “It means that you’re asking the entire cybersecurity community, overnight, to somehow go figure out what vulnerability is in what operating system, software package, application, firmware, or device. It’s a totally impossible, untenable task!”
Dan Lorenc, co-founder and CEO of software security provider Chainguard, called the incident a massive issue.
“We are now relying on industry alerts and social media to ensure we triage CVEs as quickly as possible,” he told Infosecurity.
“Scanners, analyzers, and most vulnerability tools rely on the NVD to determine what software is affected by which vulnerabilities,” Lorenc added. “If organizations cannot triage vulnerabilities effectively, it opens them up to increased risk and leaves a significant gap in their vulnerability management posture.”
To stay operational amidst the NVD backlog, several security companies, such as VulnCheck, Anchore and RiskHorizon AI, started working on projects that could provide an alternative to some parts of vulnerability disclosure traditionally provided in the NVD.
This episode coincided with the release of the latest revision of the Federal Risk and Authorization Management Program (FedRAMP Rev. 5), a US federal law requiring any company that wants to do business with the federal government to use the NVD as a source of truth and remediate all known vulnerabilities inside it.
https://www.youtube.com/watch?v=20TAkcy3aBY
Jon Stewart tackles the AI revolution and how its creators are promising a better future while building technology to make human workers obsolete.
Joseph Bambridge, 8 Apr 2024
LONDON—Low-level criminals in England and Wales could be tracked down using facial recognition technology, the government has said, as it confirmed plans for a massive expansion in police use of the technology.
Live facial recognition (LFR), which uses artificial intelligence-powered cameras to identify faces in large crowds from a “watchlist,” has been deployed by police forces in England and Wales at events including football matches, concerts and the King’s Coronation, as well as in busy urban areas.
In a response to a parliamentary inquiry, the Home Office said on Monday that LFR had already helped identify people wanted for “serious crimes” including rape, grievous bodily harm and robbery.
The government is “committed to empowering the police to use the tools and technology they need, and the public expects them to use … to solve and prevent crimes, bring offenders to justice, and maintain public safety,” the Home Office added.
It simultaneously rejected concerns from the inquiry, managed by the House of Lords’ justice and home affairs committee, that the technology is being encouraged despite an “absence of a foundation in law” and “without proper scrutiny and accountability.”
Instead, it said there are already “numerous safeguards” in place over how the technology is used. It also dismissed the committee’s concern that the U.K. is falling behind “other democratic states” in regulating the potentially invasive tech.
“The UK is leading the way in the use of LFR in a clear and transparent way,” the government said. “The government has a duty to keep the country safe by equipping the police with the powers and tools they need.”
Heading off criticism […]
Full steam ahead […]
https://ethz.ch/en/news-and-events/eth-news/news/2024/04/knocking-cloud-security-off-its-game.html
Public cloud services employ special security technologies. Computer scientists at ETH Zurich have now discovered a gap in the latest security mechanisms used by AMD and Intel chips. This affects major cloud pr
How police cast digital dragnets over tech companies' vast banks of user data
https://techcrunch.com/2024/04/02/reverse-searches-police-tap-tech-companies-private-data/
Emily Price, PC Magazine, 30 Mar 2024, via ACM TechNews,
Law enforcement officials in Vermont are warning residents to look for hidden Apple AirTags in their vehicles after returning from road trips to Canada. There has been an increase in the use of AirTags by criminals in Montreal to track cars to steal and sell or to move drugs over the border. Apple notifies iPhone users if it detects an unknown AirTag and has released an app for Android users that allows them to manually search for the trackers.
We evaluated private browsing modes in Chrome and Mozilla, and analyzed and measured the effectiveness of the claims made by Google and Firefox. Our main motive is to secure the local user from a local attacker such that the user’s private browsing experience does not leave any trace on the browser, so that when the browser is opened in public mode by anyone, our local user feels safe. We also propose the notion of ideal private browsing from a browsing experience perspective. We tested the browser from a local user point of view and found the leaks present during and after the browser was exited. Our results suggest that the bookmarks, extensions or plugins and DNS cache leaks present a major threat to the security of the local user from a local attacker. We also studied and analyzed the disk usage and DNS cache leak by both browsers and found the conflict between privacy and performance. We also found that Firefox bookmarking policy has a serious leak which reveals the bookmarks of unvisited URLs that were added in private mode and distinguishes them from those that were added in public mode. We also propose two solutions to make bookmarking and plugins/extensions more secure so that they do not leave any explicit trail when private browsing is exited. […]
https://medium.com/@apurvak/demystifying-privacy-in-google-chrome-and-mozilla-firefox-9a651e977171
The identity of the commander of a top-secret Israeli intelligence unit 8200, responsible for cybersecurity and cyberwarfare, has been a guarded secret for decades. But in 2021 the brigadier general wrote a book under an assumed pen-name.
Guardian's journalists were able to follow a special Gmail account, set up specifically for publishing the book on Amazon, to the brigadier's personal account, where his real name was accessible.
Full story at: https://www.theguardian.com/world/2024/apr/05/top-israeli-spy-chief-exposes-his-true-identity-in-online-security-lapse
Naturally, I tried to google his Hebrew name, and found a link to his personal profile page on another site. There was not much activity there, except a message from the site's administrator, sent shortly after the profile was established in 2006:
“Hello Yossi, I would like to draw your attention to the fact that your user page is very public. It's possible that your personal details will be misused, and that's a shame. For example, you will receive a lot of junk mail”…
This profile's history (also exposed) showed some activity was in 2021 (about the time the book was published), and apparently the profile stayed exposed until two days after the Guardian's exposure.
Is it possible that Israel's top cyber security officer is a bit security illiterate about his own pages?
https://arstechnica.com/?p=2015217
https://www.macrumors.com/2024/04/05/disney-plus-password-sharing-crackdown/
Using artificial intelligence, middle and high school students have fabricated explicit images of female classmates and shared the doctored pictures.
https://www.nytimes.com/2024/04/08/technology/deepfake-ai-nudes-westfield-high-school.html
https://www.nytimes.com/2024/04/06/technology/tech-giants-harvest-data-artificial-intelligence.html
In late 2021, OpenAI faced a supply problem. The artificial intelligence lab had exhausted every reservoir of reputable English-language text on the Internet as it developed its latest AI system. It needed more data to train the next version of its technology—lots more.
So OpenAI researchers created a speech recognition tool called Whisper. It could transcribe the audio from YouTube videos, yielding new conversational text that would make an A.I. system smarter.
Some OpenAI employees discussed how such a move might go against YouTube's rules, three people with knowledge of the conversations said. YouTube, which is owned by Google, prohibits use of its videos for applications that are independent of the video platform.
Ultimately, an OpenAI team transcribed more than one million hours of YouTube videos, the people said. The team included Greg Brockman, OpenAI's president, who personally helped collect the videos, two of the people said. The texts were then fed into a system called GPT-4, which was widely considered one of the world's most powerful AI models and was the basis of the latest version of the ChatGPT chatbot.
Elon Musk's AI chatbot Grok spread fake news on X which was then promoted by the platform.
https://mashable.com/article/elon-musk-x-twitter-ai-chatbot-grok-fake-news-trending-explore
Can Calmara AI app really detect infections in sex partners? - Los Angeles Times
Late last month, the San Francisco-based startup HeHealth announced the launch of Calmara.ai <https://www.calmara.ai/>, a cheerful, emoji-laden website the company describes as “your tech savvy BFF for STI checks.”
The concept is simple. A user concerned about their partner’s sexual health status just snaps a photo (with consent, the service notes) of the partner’s penis (the only part of the human body the software is trained to recognize) and uploads it to Calmara.
In seconds, the site scans the image and returns one of two messages: “Clear! No visible signs of STIs spotted for now” or “Hold!!! We spotted something sus.”
Calmara describes the free service as “the next best thing to a lab test for a quick check,” powered by artificial intelligence with “up to 94.4% accuracy rate” (though finer print on the site clarifies its actual performance is “65% to 96% across various conditions.”)
Since its debut, privacy and public health experts have pointed with alarm to a number of significant oversights <https://insights.priva.cat/p/privacy-clusterfucks-a-depressingly> in Calmara’s design, such as its flimsy consent verification <https://epic.org/forbes-an-ai-app-claiming-to-detect-stis-from-photos-of-genitals-is-a-privacy-disaster/>, its potential to receive child pornography and an over-reliance on images to screen for conditions that are often invisible.
But even as a rudimentary screening tool for visual signs of sexually transmitted infections in one specific human organ, tests of Calmara showed the service to be inaccurate, unreliable and prone to the same kind of stigmatizing information its parent company says it wants to combat. […]
Google's poorly designed passkey implementation continues to cause problems. I have chosen not to use passkeys, and have not enabled them on any sites or devices. Notwithstanding this, some sites still trigger passkey-related device chooser functions in the Chrome browser. Today this caused me to have to retry logging in to an important site over 10 times, because Google's passkey push was interfering with my ability to use my FIDO security key as my chosen second factor. This was intensely annoying and a terrible user experience. Thanks a bunch, Google. -L
> SpaceX's statement that they can “geolocate and turn off individual
> terminals when it detects illegal use”—and yet they haven't turned off
> many suspicious links, may indicate that Musk may be collaborating with
> such moves.
Not to defend Musk, but if this is happening it could also be a matter of compulsion rather than collaboration. Your U.S. security services are big fans of compelling such “cooperation” from companies while also handing out court orders forbidding them from saying anything about it.
Well said, Geoff Kuenning.
I have lectured till … about the dangers of reading emails in any other format than plain text (headers included). CTRL-U in Thunderbird, a bit more complicated in some other email clients.
I have two fairly simple programs that assist:
1. a decoder from base-64 to plaintext
2. a stripper of html tags.
Prototypes of both may be found on the Internet but they require a little coding to create safe versions for your computer which work the way you want them to. (1) works pretty effortlessly and (2) is a bit off and on but it allows me to get the gist of what the email is trying to say in a quick eye scan. I suppose (2) could be improved by just deleting any html tags that refer the browser to external URIs. Or there may be a decent formatter of html code one could adapt?
I never render further any base64-encoded segment that reveals itself as an image. That's just plain silly.
I wonder if there are any old email hands with better, more up-to-date solutions to combat these risks.
And of course, plain text for sending always “rules.” God bless RISKS.
[Jurek, Thanks]
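As an added illustration of the two helpers described above (this is example code, not the contributor's own programs): a Python script that lets the standard `email` package undo the base64 transfer encoding, strips the HTML down to its visible text, drops script/style bodies, and lists every external `href`/`src` target instead of following it. The message it parses is constructed for the example.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample (not a real message): a base64-encoded text/html body with
# a tracking pixel, a link and a script block.
HTML_BODY = (
    "<html><body><p>Your invoice is <b>ready</b>.</p>"
    '<img src="https://tracker.example/pixel.gif?id=42" width="1" height="1">'
    '<p><a href="https://login.example/reset">Reset password</a></p>'
    "<script>alert(1)</script></body></html>"
)
RAW_MESSAGE = (
    "From: billing@example.com\nSubject: Invoice\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(HTML_BODY.encode()).decode() + "\n"
)

class TagStripper(HTMLParser):
    def __init__(self):
        super().__init__()
        self.chunks = []     # text fragments in document order
        self.external = []   # "tag:url" for every http(s) href/src attribute
        self._hidden = 0     # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        for name, value in attrs:
            if name in ("href", "src") and value and urlsplit(value).scheme in ("http", "https"):
                self.external.append(f"{tag}:{value}")   # record, never fetch

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
        if tag in ("p", "div", "li", "tr", "h1", "h2", "h3"):   # block end: new line
            self.chunks.append("\n")

    def handle_data(self, data):
        if not self._hidden:          # script/style bodies are never shown
            self.chunks.append(data)

def plain_text_view(raw):
    """Return (visible text, external references) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    content = body.get_content()      # the email package undoes the base64 encoding
    if body.get_content_type() != "text/html":
        return content.strip(), []
    stripper = TagStripper()
    stripper.feed(content)
    lines = [ln.strip() for ln in "".join(stripper.chunks).splitlines()]
    return "\n".join(ln for ln in lines if ln), stripper.external
```

Calling `plain_text_view(RAW_MESSAGE)` yields the two visible lines of text plus the tracking-pixel and link URLs as strings, with nothing retrieved from the network.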
> … they're trying to outlaw fraudulent email sender addresses
… and if they succeed, only the outlaws will have fraudulent email sender addresses.
I'm sure that sentence wasn't intended to mean what it actually says, but it does win The Internet for today nonetheless.