http://www.bloomberg.com/news/articles/2016-08-10/i-just-drove-8-hours-on-tesla-autopilot-and-lived-to-tell-the-tale [If you believe in basing probabilities on past experience, the odds of not living to tell the tale are one in a tens of thousands for Tesla X and S computer-assisted cars, and zero in millions of miles for Google self-driving cars. PGN]
In an Irony of Ironies, Sunday's editorial page of *The New York Times* (with mentions of "the internet" [all lower case]) has the following sentence in an editorial on the shortage of vaccines for the current epidemic of yellow fever in Angola and the Democratic Republic of Congo: Angola couldn't account for a million doses [the W.H.O.] sent it early this year, The Associated Press recently reported. ^^^ My apologies to *The Times*: all these years in RISKS I have been mistakenly referring to this newspaper as *the New York Times*, when actually the Masthead clearly says its name is "The New York Times". So now we must refer to "The Associated Press" (although as previously noted, I think they have earned the lower-case "the associated press") and "The Boston Globe" and so on. However, to be utterly consistent, I will also consistently now refer to "The Internet" rather than my previous otherwise use of "the Internet" (certainly a proper term) rather than the emerging media's preference the amorphous use of "the internet". (I actually learned the proper use of unique proper names in my high school, which our then long-time Principal Elizabeth Jean Brown consistently reminded us is "The Rye High School"!) Cheers! Note that *The NY Times* is apparently using W.H.O. (as an incomplete initialism for The World Health Organization), presumably because WHO would be confusing as an mistakenly emphatic version of "who" if lower-cased—an example I could have noted in my rant in RISKS-29.68. I presume it would otherwise be "The WHO" (which conjures up Dr Seuss), or "the Who" (which conjures up the English rock band). Yes, consistency is the hobgoblin of little minds, so I'm certainly not trying to be consistent—just perhaps a little annoying to some RISKS readers in pointing out a pervasive lack of consistency elsewhere. Maybe the doubters might now realize why it should be "The Internet". PGN
I'll add the Dutch perspective, here, just for comparison: according to the Green Booklet, which contains spelling regulations for the Dutch language, the *official* name of a *unique* institution gets a capital letter; the same name when applied to a general category does not. This can get a little weird at first sight. For example, Dutch capitalises the British Parliament, but not the German parliament, because the UK Parliament is officially called that, while the German one is the Bundestag, which is *a* parliament. The issue is now to determine whether the Internet, or the internet, is an official institution with an official name, or merely the largest and most well-regulated example of an inter-network. I offer no opinion in this case (the Green Booklet certainly doesn't!), I merely note how Dutch would capitalise the word in each case. In fact, I can see arguments for both sides. Brand names also get capitals by default. So do names of companies and organisations. In the latter cases (and presumably the former, though I can't find this noted explicitly) the trademark holder can decide to write his own name lower-case after all, and the public is supposed to follow suit. However, whatever the i/Internet is, as far as I know it's not a legal trademark. (Also, genericised trademarks get decapitalised, so "aspirine" is a generic analgesic while "Aspirine" is (still?) the specific Bayer product; but the whole discussion is whether I/internet has become genericised enough, so that doesn't help us here.)
InfoWorld, 17 Aug 2016 Google's Adsense advertising program is used by many sites across the Internet. But Android users should beware of some nasty malware that is being spread by Google's Adsense network. http://www.infoworld.com/article/3108655/android/android-malware-being-spread-via-google-adsense.html selected text: More at Neowin [I like to quote a relevant portion so RISKS readers can determine whether they should go to the full article. Neowin disables cut-and-paste on the article on my computer. Let InfoWorld get the hits.]
"It's Snowden Junior" - Former NSA Employees Say NSA Hack Is The Work Of A "Rogue Insider" Motherboard, 18 Aug 2016, zero hedge The last time an NSA insider claimed that a rogue agent originating at the spy agency itself may be the source of the recent Democratic server (and George Soros) hacks and subsequent leaks, was three weeks ago when former NSA employee, William Binney said that " NSA Has All Of Hillary's Deleted Emails, It May Be The Leak <http://www.zerohedge.com/news/2016-07-31/whistleblowers-stunning-claim-nsa-has-all-hillarys-deleted-emails-it-may-be-leak > ." Now, in the aftermath of the latest major hack, one involving none other than the NSA's special operations team, the "Equation Group" by a mysterious hacker collective calling itself "The Shadow Brokers" which even the likes of Edward Snowden <http://www.zerohedge.com/news/2016-08-16/edward-snowden-explains-historic-nsa-hack-escalation-could-get-messy-fast> hinted may have been done by Russia, speculation has returned that this latest, and most troubling hack yet, was also an inside job. In an interview with Motherboard, titled " Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump <https://motherboard.vice.com/read/former-nsa-staffers-rogue-insider-shadow-brokers-theory> " an anonymous insider has said that the chances of a hacker remotely breaking into the National Security Agency's systems are very unlikely. Despite accusations that the leak is Russia's meddling, the data dropped online under the name "the Shadow Brokers" would have required someone with the ability to access the NSA's server, the former NSA employee told the news outlet. As Motherboard puts it, an insider could have stolen the NSA hacking tools from the NSA, in a similar fashion to how former NSA contractor Edward Snowden stole an untold number of the spy agency's top secret documents. This theory is being pushed by someone who claims to be, himself, a former NSA insider. [...] http://www.zerohedge.com/news/2016-08-18/%E2%80%9Cit%E2%80%99s-snowden-junior-former-nsa-employees-say-nsa-hack-work-rogue-insider
Sam Biddle, 19 Aug 2016 [Re: RISKS-29.69.70] https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/ On Monday, a hacking group calling itself the ShadowBrokers announced an auction for what it claimed were cyberweapons made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide. The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA's virtual fingerprints and clearly originates from the agency. The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, ace02468bdf13579. That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE. SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA's offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don't always have the last word when it comes to computer exploitation. But malicious software of this sophistication doesn't just pose a threat to foreign governments, Johns Hopkins University cryptographer Matthew Green told The Intercept: The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lockpicking tools lying around a high school cafeteria. It's worse, in fact, because many of these exploits are not available through any other means, so they're just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable. So the risk is twofold: first, that the person or persons who stole this information might have used them against us. If this is indeed Russia, then one assumes that they probably have their own exploits, but there's no need to give them any more. And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets. The NSA did not respond to questions concerning ShadowBrokers, the Snowden documents, or its malware.
Ars Technica via NNSquad http://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-for-years/ To exploit the vulnerability, an attacker must control a computer already authorized to access the firewall or the firewall must have been misconfigured to omit this standard safeguard. "It's still a critical vulnerability even though it requires access to the internal or management network, as once exploited it gives the attacker the opportunity to monitor all network traffic," Mustafa Al-Bassam, a security researcher, told Ars. "I wouldn't imagine it would be difficult for the NSA to get access to a device in a large company's internal network, especially if it was a datacenter." Depends on the company, of course. But still another reason why moving away from enterprise firewall models toward individual device/user authentication models is important.
Woody Leonhard, InfoWorld, 16 Aug, 2016 Starting in October, patches will be cumulative and Win7/8.1 customers will effectively cede control of their PCs to Microsoft Microsoft changes Win7/8.1 updates, pushes even harder for Windows 10 http://www.infoworld.com/article/3108405/microsoft-windows/microsoft-changes-win781-updates-pushes-even-harder-for-windows-10.html opening text: Windows 7 and 8.1 have had a good run, but that's about to come to a close. According to new guidelines, Microsoft will start rolling out Windows 7 and 8.1 (as well as Server 2008 R2, 2012, and 2012 R2) patches in undifferentiated monthly blobs. The patches will be cumulative, which eliminates the need to exercise judgment in selecting the patches you want. At the same time, though, the new approach severely hampers your ability to recover from bad patches—and it allows Microsoft to put anything it wants on your Win7/8.1 PC. If you haven't yet read Nathan Mercer's Aug. 15 post on further simplifying servicing models for Windows 7 and Windows 8.1, I suggest you do so now. <https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/>
Phys.org via NNSquad http://phys.org/news/2016-08-people-software-percent.html A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly—while people are typing, watching a video, uploading files, etc.—results in up to 90 percent of users disregarding them. Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking. It's not just a matter of when they're presented. Another aspect of the problem is that people stop paying attention to these warnings because they simply don't trust them. They've been bombarded by so many fake warnings and crooked false alarms—and in millions of cases burned by them—that they simply refuse to react to new warnings on a reliable basis because they don't have the expertise to judge if they're real or not. A completely sensible attitude in key respects from their standpoints, unfortunately.
NNSquad http://arstechnica.com/information-technology/2016/08/comcasts-70-gigabit-offer-is-only-good-in-cities-with-google-fiber/ But when Comcast announced gigabit Internet for parts of Chicago this week, the no-contract price of $139.95 was the only one mentioned. The difference, as DSLRreports wrote today, is that there's no Google Fiber providing competition in Chicago yet. While Google Fiber has tentative plans to expand to Chicago, its $70 gigabit Internet service is already available in parts of Atlanta and Nashville ... Unlike Google Fiber and AT&T's GigaPower fiber service, Comcast's gigabit cable doesn't offer symmetrical speeds. New DOCSIS 3.1 (Data over Cable Service Interface Specification) technology dramatically increases download speeds, but the Comcast offering is just 35Mbps upstream. Comcast does have a symmetrical 2Gbps residential Internet service that uses fiber, but it costs $300 a month with installation and activation fees of up to $1,000. If this doesn't shine a floodlight on the impact of competition in the ISP access marketplace, nothing can. Proof that when a dominant ISP doesn't have effective competition, they feel free to screw consumers. It's right there in black and white!
And another bit of Dutch perspective: this happened in our country, too, and I don't think anyone wants the voting machines back. (Then again, we don't vote for prison directors or dog inspectors, and we don't have half a dozen elections on the same day.)
> It should be noted that Google has *long* offered detailed controls to users > over both local and third-party ad targeting, at: > https://www.google.com/settings/ads Well, except that (1) this setting *demands* that you accept third-party cookies, which is in itself a privacy risk - and Google knows that; and (2) it works properly only if you're permanently logged in to a Google account, which ditto and ditto. "Do No Evil" is less and less applicable. Just use an ad blocker; it's a necessity these days, not so much to stop seeing ads (I don't care much about static, silent, non-executing ads) as to stop the malware, both the intentional kind and the ones that lag your machine out of sheer incompetence. These kinds of ads keep appearing despite the advertisers' and advertisement vendors' "best" efforts; unless and until they *provably* clean up their act, an ad blocker is a requirement for safely browsing the web. And Google isn't even the worst, merely the largest -- but they're hardly to be trusted, either.
Please report problems with the web pages to the maintainer