RISKS-LIST: Risks-Forum Digest Monday 8 April 2024 Volume 34 : Issue 15

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.15>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Weather Service radar, warning systems fail during severe storm
outbreak (WashPost)
No weather report? It helps if NOAA pays its electric (Bloomberg)
In 2018 crash, Tesla's Autopilot just followed the lane lines (WashPost)
APRA Privacy Legislation (WiReD)
Data brokers are gearing up to fight privacy bills (The Verge)
NIST Unveils New Consortium to Operate National Vulnerability (PGN)
Jon Stewart On The False Promises of AI (The Daily Show)
UK plots massive expansion of live facial recognition (Joseph Bambridge)
Knocking cloud security off its game (ETH Zurich)
‘Reverse’ searches: The sneaky ways that police tap tech companies
for your private data (TechCrunch)
U.S. Police Warn Those Driving to Canada to Watch for Hidden AirTags
(Emily Price)
Demystifying privacy in Google Chrome and Mozilla Firefox (Apurvak)
Top Israeli spy chief exposes his true identity in online security lapse
(The Guardian)
Roku patent invents a way to show ads over anything you plug into your TV
(ArsTechnica)
Disney+ Password Sharing Crackdown to Start in June (MacRumors)
Teen Girls Confront an Epidemic of Deepfake Nudes in Schools (NYTimes)
How Tech Giants Cut Corners to Harvest Data for AI (NYTimes)
Elon Musk's X pushed a fake headline about Iran attacking Israel. X's AI
chatbot Grok made it up. (Mashable)
An AI app claims it can detect sexually transmitted infections. (LATimes)
Google's passkey mess (Lauren Weinstein)
Re: Starlink Terminals (Charles Cazabon)
Re: Your boss could forward a mail message to you that show you text he
won't see, but you will (Jurek Kirakowski)
Re: The FTC is trying to help (Dmitri Mazziuk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 8 Apr 2024 12:46:30 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Weather Service radar, warning systems fail during severe storm
outbreak (WashPost)

Weather Service radar, warning systems fail during severe storm outbreak

Tuesday's was not the first instance of such a network failure, but it was
perhaps the most consequential in recent memory.

https://www.washingtonpost.com/weather/2024/04/02/weather-radar-warning-outa=
ges-storm-outbreak/

------------------------------

Date: Mon, 8 Apr 2024 13:01:07 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: No weather report? It helps if NOAA pays its electric
bill... (Bloomberg)

Latest Disaster for National Weather Service: Paying Its Bills
Jack Fitzpatrick, Bloomberg

A Georgia airport lost access to weather data for pilots. A radio
transmitter vital to producing weather alerts for a tornado-prone part of
Alabama went down. And two dozen National Weather Service employees were
left waiting months to be reimbursed for on the job expenses, including
travel to disaster areas.

It all stemmed from the rollout late last year of a new Commerce Department
financial system, starting at the National Oceanic and Atmospheric
Administration, that immediately stopped tens of millions of dollars worth
of invoices and reimbursements from being processed for payment. The fiasco,
which hasn't been previously reported, has resulted in electric companies
shutting off power to the agency's equipment for nonpayment in at least two
cases that could have proven dangerous, if not for a lucky streak of good
weather. [...] Those affected by the failures say they were lucky there
wasn't severe weather when NOAA facilities were shut down and meteorologists
were unable to travel.

They also credit good working relationships with local National Weather
Service officials in helping to quickly resolve the critical outages,
despite frustration with Commerce Department officials in Washington.

https://news.bgov.com/bloomberg-government-news/latest-disaster-for-national-weather-service-paying-its-bills

------------------------------

Date: Mon, 8 Apr 2024 12:53:18 -0400
From: Monty Solomon <monty@roscom.com>
Subject: In 2018 crash, Tesla's Autopilot just followed the lane lines
(WashPost)

Depositions in a civil case over a fatal 2018 crash -- set for trial this
week -- provide insights into how Tesla programmed its Autopilot software to
follow lines on the road.

https://www.washingtonpost.com/technology/2024/04/07/tesla-autopilot-crash-t=
rial/

[Follow your lines precisely, and everyone else will get out of your way?
But that may not work for two Teslas approaching each other, and certainly
not for other drivers who are under the influence. PGN]

------------------------------

Date: Mon, 8 Apr 2024 9:38:50 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: APRA Privacy Legislation

https://www.wired.com/story/apra-congress-online-privacy-proposal/

Congress may be closer than ever to passing a comprehensive data privacy
framework after key House and Senate committee leaders released a new
proposal on Sunday.

The bipartisan proposal, titled the American Privacy Rights Act, or
APRA, would limit the types of consumer data that companies can
collect, retain, and use, allowing solely what they’d need to operate
their services. Users would also be allowed to opt out of targeted
advertising, and have the ability to view, correct, delete, and
download their data from online services. The proposal would also
create a national registry of data brokers, and force those companies
to allow users to opt out of having their data sold.

“This landmark legislation gives Americans the right to control where their
information goes and who can sell it,” Cathy McMorris Rodgers, House Energy
and Commerce Committee chair, said in a statement on Sunday. “It reins in
Big Tech by prohibiting them from tracking, predicting, and manipulating
people’s behaviors for profit without their knowledge and consent. Americans
overwhelmingly want these rights, and they are looking to us, their elected
representatives, to act.”

[See also Lawmakers unveil sprawling plan to expand online privacy
protections: Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers
(R-Wash.) announced a major breakthrough in the decades-long fight to
address online privacy.
https://www.washingtonpost.com/technology/2024/04/07/congress-privacy-deal-cantwell-rodgers/
PGN]

------------------------------

From: Monty Solomon <monty@roscom.com>
Date: Sun, 7 Apr 2024 22:11:25 -0400
Subject: Data brokers are gearing up to fight privacy bills

https://www.theverge.com/2024/4/5/24122079/data-brokers-fisa-extension-nsa-section-702-surveillance-lexis-nexis

------------------------------

Date: Mon, 8 Apr 2024 10:33:48 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: NIST Unveils New Consortium to Operate National Vulnerability
Database (Kevin Poireault)

[The existing NIST/MITRE CVE repository should now have grown to
more than 200,000 CVE common vulerabilities (Wow!), but has
apparently not been updated with the huge backlog of new CVEs. It
is really depressing that the industry is not able to develop new
systems without continually adding so many new CVEs. PGN]

Kevin Poireault, Infosecurity Magazine
[Remember his namesake, Air-cool Poirot?]

It’s now official: the US National Institute of Standards and
Technology (NIST) will unveil an industry consortium to help it run
the world’s most widely used software vulnerability repository.

NIST, an agency within the US Department of Commerce, launched the US National Vulnerability Database (NVD) in 2005 and has operated it ever since.

This situation was expected to change, with vetted organizations
helping the agency from as soon as the beginning of April 2024.

The NVD program manager, Tanya Brewer, made the official announcement
during VulnCon, a cybersecurity conference hosted by the Forum of
Incident Response and Security Teams (FIRST) and held in Raleigh,
North Carolina, from March 25 to 27, 2024.

The news came after weeks of speculation over a possible shutdown of the NVD.

NIST Halted CVE Enrichment in February 2024 In early March, many
security researchers noticed a significant drop in vulnerability
enrichment data uploads on the NVD website that had started in
mid-February.

According to its own data, NIST has analyzed only 199 Common
Vulnerabilities and Exposures (CVEs) out of the 2957 it has received
so far in March.

In total, over 4000 CVEs have not been analyzed since mid-February.

Since the NVD is the most comprehensive vulnerability database in the
world, many companies rely on it to deploy updates and patches.

If such issues are not resolved quickly, they could significantly impact the security researcher community and organizations worldwide.

Speaking to Infosecurity, Tom Pace, CEO of firmware security provider
NetRise, explained: “It means that you’re asking the entire
cybersecurity community, overnight, to somehow go figure out what
vulnerability is in what operating system, software package,
application, firmware, or device. It’s a totally impossible, untenable
task!”