February 14, 2017 – Page 3 – Peter's Quasi-Daily Blah-g

February 14, 2017

Newly discovered flaw undermines HTTPS connections for almost 1,000 sites

Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday.

The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars. He didn’t identify the sites that tested positive in his scans, but results returned by a publicly available tool included with his vulnerability disclosure included the following:

www.adnxs.com
www.aktuality.sk
www.ancestry.com
www.ancestry.co.uk
www.blesk.cz
www.clarin.com
www.findagrave.com
http://ift.tt/ua88fu
http://ift.tt/NYCAW0
http://ift.tt/nEUVCj
http://ift.tt/PUci8d
http://ift.tt/LxUxKh
http://ift.tt/HuxBab
www.netteller.com
www.paychex.com

The threat stems from a vulnerability in F5 code that implements a transport layer security feature known as session tickets. Session tickets can speed up encrypted transactions by allowing previously established HTTPS connections without a key having to be renegotiated all over again. Sites that use the vulnerable F5 appliances and have session tickets enabled are vulnerable.

It’s not yet clear precisely what kind of data can be extracted by exploiting the bug. Valsorda, who is a cryptography engineer for content delivery network Cloudflare, said he discovered the flaw by chance as he and a colleague helped troubleshoot error messages received by customer using an F5 load balancer (Valsorda has more details here). So far, Valsorda has observed the bug returning other users’ session IDs, which by themselves isn’t particularly sensitive.

Remember Heartbleed?

Although he has deliberately not attempted to do so, he said he wouldn’t be surprised if the flaw exposed the same types of sensitive information that were exposed by Heartbleed, an extremely high-severity bug in the OpenSSL cryptographic library that came to light in 2014. As a Cloudflare community challenge quickly demonstrated, Heartbleed could be exploited to reveal the secret cryptographic key attackers needed to impersonate a vulnerable website.

“I didn’t want to risk obtaining key material of a third party, and anyway low-level memory analysis is not my expertise,” he told Ars. “The Cloudflare Heartbleed challenge taught us that optimistic assumptions can prove wrong under better scrutiny, so both F5 and I just assumed all memory could be potentially compromised since allocation patterns are undefined.”

The bug is technically known as a buffer overread. It’s the result of F5 developers hardcoding a value of 32 for the length of a Session ID and not accounting for the possibility of receiving shorter lengths. The failure “suggests that F5 software is written in a language that lacks memory safety (possibly C, like OpenSSL and a lot of Internet software today),” Valsorda wrote in an e-mail. “This vulnerability couldn’t have happened in a Go or a Rust codebase. Switching is much easier said than done, but this underscores how important it is.”

F5 has issued a fix for the vulnerability, which is indexed as CVE-2016-9244 and has been dubbed Ticketbleed. Vulnerable sites can also workaround the bug by turning off session-ticket capabilities.

Discussions of the bug on social media are rife with comparisons to Heartbleed, and there are some clear similarities. For instance, they both stem from a vulnerability in widely used TLS implementation that undermine the security of encrypted connections. Both also leak random uninitialized memory, are the result of mistakes made in programming languages that provide no memory safety, and are exploitable using simple code.

But there are also some key differences. For one, the F5 implementation is proprietary and not as widely used as the open-source OpenSSL package. Another is that Ticketbleed exposes much smaller chunks of memory, a trait that requires more effort to exploit. In short, Ticketbleed is no Heartbleed, but it’s still worth patching immediately.

from Ars Technica http://ift.tt/2k80tmV
via IFTTT

February 14, 2017

Hereâ€™s why a commercial space group endorsed NASAâ€™s SLS rocket

Why did a commercial organization endorse the SLS rocket?

NASA

This week, the Commercial Spaceflight Federation, which counts rocket builders SpaceX and Blue Origin among its executive members, made news by declaring its support for NASAâ€™s Space Launch System rocket. The organizationâ€™s new chairman, Alan Stern, announced during a conference that â€œwe see many benefits in the development of NASAâ€™s SLS.â€ This caused a stir in the commercial space community.

Later, during an interview with Ars, Stern explained that the commercial space organization has, in the past, engaged in a â€œbruising battleâ€ over the governmentâ€™s massive rocket and its influential prime contractor Boeing. The commercial space industry group (of which Boeing is not a member) contended the private sector could deliver the same capability as the SLS for far less than the $2 billion NASA has spent annually this decade to develop the rocket. The SLS will initially be able to heft 70 metric tons to low Earth orbit, but that could grow to 130 metric tons by the late 2020s.

But now, Stern said the organization believes the SLS will enable the aims of commercial companies to develop businesses on the Moon, as well as support asteroid mining and other ventures his members are interested in. â€œWe are taking a long view,â€ Stern said. â€œThis is clearly to the advantage of the expansion of commercial spaceflight. Now, with a new administration and a new Congress, we wanted to put our stake down on the side of SLS.â€

Donâ€™t forget Sessions

At the same time this week, a Politico article noted the efforts of former NASA consultant and SLS critic Charles Miller to push the Trump space program toward an aggressive campaign to begin lunar landings by the end of 2020. Miller is a former member of Trumpâ€™s NASA transition team, and he envisions lunar landings becoming possible by leveraging commercial capabilities.

The Politico article says Miller is pushing the concept of an â€œinternal competitionâ€ within NASA for launch and spacecraft contracts. The competition would be between NASAâ€™s traditional contractors, such as Boeing and Lockheed Martin, and new space firms such as SpaceX and Blue Origin. For launches, a fair competition would almost certainly favor SpaceX and Blue Origin, both of whom are developing heavy lift rockets that are roughly in the same class as the 70-metric ton variant of the SLS. This is because both companies are essentially developing their rockets out of their existing fundsâ€”at no direct cost to taxpayersâ€”and their per-launch costs would be a fraction of those forecast for the SLS.

The Politico piece likely overplays the influence of Miller, who is but one voice in the battle over NASAâ€™s future. Itâ€™s worth remembering that a number of staffers from Jeff Sessionsâ€™ Senate office have moved over to positions in the White House, and they will have considerable say in NASA policy. Sessions is from Alabama, where the SLS rocket is being designed and developed at Marshall Space Flight Center.

Settled on the pad

So what does all this mean for the rocket wars? Instead of an â€œus vs. themâ€ attitude, many aerospace insiders are taking an â€œall of the aboveâ€ approach during the next few years when it comes to rocket capabilities. Given the politics, NASA will probably continue to devote about $2 billion of its $18 billion annual budget to the SLS rocket. At the same time, Congress can continue to pass legislation that does not hinder private efforts to develop heavy-lift rockets.

Ultimately, this issue will probably be decided on the launchpadâ€”where it should be. After all, SpaceXâ€™s Falcon Heavy has not yet flown, although it may finally do so this year. NASAâ€™s SLS rocket is nominally slated for a November 2018 launch, although Ars understands this launch date will probably slip into early 2019. And while not much is known about Blue Originâ€™s New Glenn orbital rocket, company founder Jeff Bezos has said it will fly by the end of this decade.

Theoretically, then, the United States could have three heavy lift rockets at its disposal in 2020. If the reusable Falcon Heavy costs $200 million per flight, and the reusable New Glenn costs $200 million, while an expendable SLS rocket costs $1.5 billion, the agencyâ€”and by extension Congress and the White Houseâ€”will have an easy choice to make.

One could argue at that time that NASA should never have spent in excess of $10 billion developing the SLS. But the bottom line is that, six years ago, Congress did not believe in the capacity of SpaceX to build a heavy lift rocket, and Blue Originâ€™s intentions were not known at that time. So Congress bet on NASA and its traditional contractor Boeing, and the agency kept its large base of employees intact.

The Commercial Spaceflight Federation likely recognizes that raising its voice now, publicly at least, against the SLS has limited political upside with a Congress predisposed to favor NASAâ€™s big rocket. Instead ofÂ poking NASA or Congress in the eye with a stick, better to stay relevant. Ultimately, when SpaceX, Blue Origin, or both have aÂ launch capability that costs far less than the public alternative, the commercial space organization will have a much more potent argument to make.

from Ars Technica http://ift.tt/2ly8OfH
via IFTTT

February 14, 2017

Humans must become cyborgs to survive, says Elon Musk

Humans must become cyborgs and develop a direct high-bandwidth connection with machines, or risk irrelevance and obsolescence, says Tesla and SpaceX founder Elon Musk.

Musk’s latest cheery thoughts were imparted at the World Government Summit in the UAE. “Over time I think we will probably see a closer merger of biological intelligence and digital intelligence,” Musk said, according to CNBC.

The main thrust of Musk’s argument seems to hinge on the limited bandwidth and processing power of a single human being. Computers can ingest, transfer, and process gigabytes of data per second, every second, forever. Meatbags, however, are severely limited by an input/output rateâ€”talking, typing, listeningâ€”that’s best measured in bits per second. Thus, to risk being replaced by a robot or artificial intelligence, we need to becomeÂ machines.

By way of example, Musk spoke about self-driving cars, which will very soon start displacing jobsâ€”lots and lots of jobs.Â “The most near term impact from a technology standpoint is autonomous cars … There are many people whose jobs are to drive. In fact I think it might be the single largest employer of people … We need to figure out new roles for what do those people do, but it will be very disruptive and very quick.”

Enlarge /

Elon Musk hanging out with one of the first sentient robots.

Justin Sullivan/Getty Images

Autonomous vehicles areÂ perhaps theÂ most visible prominence when it comes to recent developments in AI, but rest assured (or not) that we aren’t even close to AI’s capability ceiling. Current deployments of AI are quite limited in thatÂ they can only perform one or two tasks adequatelyâ€”drive a car, lift a piece of steel, flip a burgerâ€”but AI research is slowly bubbling towards artificial general intelligence (AGI), which can ostensibly perform everyÂ task that a human is capable of.

Once that happens, it’s fairly safe to assume that AGI will continue to improve until, in the words of Elon Musk, it is “smarter than the smartest human on earth.”

As for how humans might achieve silicon symbiosis, the jury’s still out. Musk, according to CNBC, proposed a brain-attached high-bandwidth computer link, perhaps viaÂ neural lace. Low-speed and low-resolution EEG-based brain-computer interfaces already exist, of course, but I doubt that’s what Musk has in mind. In all likelihood, we will need to massively improve our understanding of the human brain before any such interface can be created.

from Ars Technica http://ift.tt/2lLyir2
via IFTTT

February 14, 2017

70-Fold Price Increase Puts Drug at $89,000

Marathon Pharmaceuticals to Charge $89,000 for Muscular Dystrophy Drug - WSJ

Marathon Pharmaceuticals LLC says it will charge $89,000 annually in the U.S. for a decades-old steroidal drug that was approved for U.S. sale for the first time on Thursday, a price that is as much as 70 times higher than drugâ€™s price overseas.

The U.S. Food and Drug Administration approved the drug, called deflazacort, on Thursday to treat a rare type of muscular dystrophy that affects some 12,000 boys in the U.S., most of whom die in their 20s and 30s. The drug isnâ€™t a cure, but it has been shown to improve muscle…

from WSJ.com: What’s News US http://ift.tt/2kAjCfF
via IFTTT

February 14, 2017

Kellyanne Conway Tells Americans To Buy Ivanka Trump’s Products

Kellyanne Conway Tells Americans To Buy Ivanka Trump's Products : The Two-Way : NPR

A worker cleaned the windows of the Ivanka Trump Collection in the lobby of Trump Tower in New York last month.

Andrew Harnik/AP

hide caption

toggle caption

Andrew Harnik/AP

A worker cleaned the windows of the Ivanka Trump Collection in the lobby of Trump Tower in New York last month.

Andrew Harnik/AP

Kellyanne Conway, a top adviser to President Trump, may have violated federal ethics rules today when she urged shoppers to buy Ivanka Trump’s retail brand, in the wake of the decision by several retail companies to drop the line because of poor sales.

“Go buy Ivanka’s stuff, is what I was [saying] â€” I hate shopping and I’m going to go get some myself today,” Conway said in an interview on Fox & Friends.

“This is just [a] wonderful line,” she added. “I’m going to give a free commercial here. Go buy it today, everybody. You can find it online.”

White House press secretary Sean Spicer said Thursday that Conway had been “counseled” over her remarks.

Federal ethics rules bar executive branch employees from profiting off their positions, but the statute exempts the president.

Conway, however, is a White House employee, and her comments urging people to buy the products appear to violate the rules, says Kathleen Clark, professor of law at Washington University in St. Louis.

“The ethics regulation says government employees must not endorse any product, service or enterprise,” Clark told NPR in an interview. She added:

“The broader rule is that government employees shouldn’t use public office for private gain. They shouldn’t use it for their own personal private gain or for somebody else’s private gain. Public office should be used for the good of the public, for the good of the country, for the good of the government, rather than singling out her boss’ daughter’s enterprise and encouraging people to shop Ivanka.”

Clark also noted that Trump’s tweet Wednesday about his daughter was retweeted by someone from the official White House account @POTUS.

“That was a violation of the ethics regulation if it was done by anybody other than the president or the vice president. But even if the president himself did that, it was improper, because there he is using a government resource for his own personal vendetta,” she said.

Meanwhile, the progressive group Public Citizen urged the U.S. Office of Government Ethics to investigate whether Conway’s comments violated the rules.

“Anyone harboring illusions that there was some separation between the Trump administration and the Trump family businesses has had their fantasy shattered,” said Robert Weissman, the organization’s president.

“Kellyanne Conway’s self-proclaimed advertisement for the Ivanka Trump fashion line demonstrates again what anyone with common sense already knew: President Trump and the Trump administration will use the government apparatus to advance the interests of the family businesses.”

In the Fox interview, Conway suggested retailers are dropping the line because of politics.

“They’re using her, who’s been a champion for women in power and women in the workplace to get to him. I think people can see through that,” she said.

T.J. Maxx and Marshalls told employees last week to stop using signs promoting Ivanka Trump’s brand and mix in her products with others the store sells in order to make them less prominent.

Nordstrom has also that it would no longer sell Ivanka Trump jewelry and clothing because sales have been disappointing. Neither the company nor Ivanka Trump’s brand released any sales figures.

The line is still carried by other retailers.

After Nordstrom’s decision, President Trump himself tweeted that his daughter “has been treated so unfairly” by the chain, and his son Donald retweeted an article today about angry store customers cutting up their credit cards.

It’s not clear how shoppers will react to the clothing controversy.

Outside a Marshalls store in Washington, D.C., a housewife from Argentina wasn’t impressed by all the controversy.

“If I like it, I buy it. If I don’t, I don’t,” said Andrea Ponzio, 47. “It doesn’t mean I wouldn’t buy it because of any politics.”

NPR intern Lucia Maffei contributed to this report.

from NPR Topics: News http://ift.tt/2loUsSR
via IFTTT

February 14, 2017

The self-balancing motorcycle is such a Soichiro Honda solution to a problem

You might remember the

Riding Assist Motorcycle concept

, a self-balancing bike that debuted at CES. At first blush a self-balancing motorcycle that doesn’t use gyroscopes to level itself â€“ instead using automated steering inputs and a variable-geometry front fork, the particulars of which are explained in the great video by

Engineering Explained

host Jason Fenske above â€“ you might not be so shocked. “Gyros are heavy,” you might think, “and expensive. Of course it makes sense to ditch ’em. Why didn’t anyone think of this sooner?”

You’ve seen bicyclists doing “track stands”, balancing at a stop light either for practical reasons (they’re clipped into the pedals) or less so (it looks cool). That’s the same idea at play here, except to get a motorcycle to do this on its own you’ve got to add some serious complexity. Honda’s solution is emulate what a skilled bicyclist does during a track stand: move the wheels around. To do this, you need to utilize indirect steering; it’s steer-by-wire, with a motor actually providing the front wheel movement, just like cars with electric steering racks. There’s a motor that changes the rake of the front fork, changing the trail. To provide more stability at low speeds, the Riding Assist Motorcycle removes trail to make the wheelbase longer at low speeds.

honda s360

It’s the sort of elegant, slightly unexpected solution to a problem that at one point was the hallmark of Soichiro Honda’s company. He was famously an unconventional thinker. Honda was originally a motorcycle manufacturer, and the company’s very first car, the S360 roadster seen above, used wildly exotic features like a crankshaft that spun on needle-roller bearings, dual overhead cams, and quad carburetors â€“ one for each cylinder. It was tiny â€“ 354 cubic centimeters â€“ but it represented cutting edge, race-derived technology. It was a very Soichiro debut.

From there, things got weirder and more wonderful. There was the oval-piston NR500 racing motorcycle of 1979, which was about as different as it could possibly be from everything it raced against. It was a four-stroke when everyone else was using light, powerful two-strokes. The creative engineering got around a rigid issue: the rules only allowed four cylinders. To make the engine competitive, the engineers wanted to double the number of valves. There simply wasn’t enough room above round pistons to do this, so why not oval pistons? It worked, although Honda ended up shelving it after coming close to resolving its teething problems. While not a success on the track, it was a powerful demonstration of Honda’s philosophy.

Honda’s history page

has the whole story, if you want to know more.

Not to say Soichiro or his company were faultless. The Honda 1300, a predecessor to the Accord, clung to air-cooling and lost the plot. It focused on fancy engineering, not consumer desires. But there were more successes than failures, somehow. The CVCC engine, which met 1970s emissions standards without an expensive catalytic converter. Or VTEC, which probably doesn’t need any introduction.

So it is with the Riding Assist Motorcycle. Soichiro Honda died in 1991, but his influence remains (in a diminished form, certainly) in the spirit to which Honda’s engineering staff will still explore unconventional solutions when less-than-ideal, conventional ones would suffice. Incidentally, the last car he approved personally was the Beat, a quirky roadster that embodies a lot of what he believed about cars and echoing his first vehicle, the Honda S360 discussed above. One of them is owned by our Editor-in-Chief, Michael Austin,

whose drawn-out ordeal

to bring the car into this country and fondness for it’s esoteric charms serves as a reminder of the fascination Soichiro Honda’s creations hold for some car enthusiasts.

The Riding Assist Motorcycle is only a concept, but if it goes into production will it engender the same sort of geeky charm that Mike’s Beat does for him? Who knows, but hopefully whoever buys one will appreciate the philosophy behind its wonderfully different approach.

Related Video:

from Autoblog http://ift.tt/2lJ5qQ5
via IFTTT