World’s largest aircraft crash lands its second flight

Days after perfect maiden flight, Airlander 10 nosedives into the ground.

Airlander 10's second test flight, which took place this morning, ended with the giant airship nosediving into the ground. The cockpit was damaged, but Hybrid Air Vehicles says the crew members are "safe and well."

HAV told Ars that the flight lasted for 100 minutes and that it "completed all the planned tasks." HAV said the incident was not an unplanned dealtitudinal craft-terrafirma conflict, but rather "a heavy landing" as the craft returned to Cardington Airfield.

HAV said it will now run through a "robust set of procedures for flight test activities and investigation of issues" to work out what went wrong. We'll update this story when the company releases more info.

HTTPS and OpenVPN face new attack that can decrypt secret cookies

More than 600 sites found to be vulnerable to demanding exploit called Sweet32.

From an upcoming paper laying out a new attack against 64-bit block ciphers used by HTTPS and OpenVPN. (credit: Karthikeyan Bhargavan and Gaëtan Leurent)

Researchers have devised a new attack that can decrypt secret session cookies from about 1 percent of the Internet's HTTPS traffic and could affect about 600 of the Internet's most visited sites, including nasdaq.com, walmart.com, match.com, and ebay.in.

The attack isn't particularly easy to carry out because it requires an attacker to have the ability to monitor traffic passing between the end user and one of the vulnerable websites and to also control JavaScript on a webpage loaded by the user's browser. The latter must be done either by actively manipulating an HTTP response on the wire or by hosting a malicious website that the user is tricked into visiting. The JavaScript then spends the next 38 hours collecting about 785GB worth of data to decrypt the cookie, which allows the attacker to log into the visitor's account from another browser. A related attack against OpenVPN requires 18 hours and 705GB of data to recover a 16-byte authentication token.

Impractical no more

Despite the difficulty in carrying out the attack, the researchers said it works in their laboratory and should be taken seriously. They are calling on developers to stop using legacy 64-bit block-ciphers. For transport layer security, the protocol websites use to create encrypted HTTPS connections, that means disabling the Triple DES symmetric key cipher, while for OpenVPN it requires retiring a symmetric key cipher known as Blowfish. Ciphers with larger block sizes, such as AES, are immune to the attack.

Military submarine maker springs leak after “hack”—India, Oz hit dive alarm

Massive leak of French shipbuilder’s documents reveals detailed defense plans.

A massive leak of documents on India’s new military submarines from French shipbuilder DCNS is the result of a hack, the country's defence minister said on Wednesday.

Manohar Parrikar claimed, according to local reports, that the entire designs of its Scorpene submarines hadn't been disclosed. “First step is to identify if its related to us, and anyway its not all 100 percent leak,” he was quoted as saying.

The documents were made public by The Australian on Tuesday, which described the breach as an “Edward Snowden-sized leak.”

Lenovo Yoga Tab 3 Plus 10 Android tablet leaks ahead of launch

With the IFA trade show in Berlin just days away, we can probably expect to see plenty of new laptops, tablets, smartphones and other gadgets. And odds are that one of them will look something like the Lenovo Yoga Tab 3 Plus 10.

WinFuture dug up some information about Lenovo’s unannounced Android tablet with a high-resolution 10 inch display.

The new tablet borrows some design cues from last year’s Yoga Tab 3 and Yoga Tab 3 Pro models.

Continue reading Lenovo Yoga Tab 3 Plus 10 Android tablet leaks ahead of launch at Liliputing.

IDE: Kdevelop 5.0 uses Clang for language support

KDE's in-house IDE, Kdevelop, no longer uses its own analysis software in version 5.0 and instead relies on Clang, which brings several advantages. Thanks to Qt5, a Windows port will also be possible in the future. (KDE, Qt)

NASA’s outsourced computer people are even worse than you might expect

Agency’s CIO holds off signing the “authority to operate” for systems and tools.

NASA is unhappy with its HPE services contract. (credit: NASA)

As part of a plan to help NASA "modernize" its desktop and laptop computers, the space agency signed a $2.5 billion (~£1.9 billion) services contract with HP Enterprise Services in 2011. According to HP (now HPE), as part of the Agency Consolidated End-User Service (ACES) program, the computing company would "modernize NASA’s entire end-user infrastructure by delivering a full range of personal computing services and devices to more than 60,000 users." HPE also said the program would "allow (NASA) employees to more easily collaborate in a secure computing environment."

The services contract, alas, hasn't gone quite as well as one might have hoped. This week Federal News Radio reported that HPE is doing such a poor job that NASA's chief information officer, Renee Wynn, could no longer accept the security risks associated with the contract. Wynn, therefore, did not sign off on the authority to operate (ATO) for systems and tools.

A NASA spokeswoman confirmed the ATO expired on July 24. She said Wynn signed a “conditional” ATO for the systems under ACES, but internal NASA sources said the authorization is just for the management tools and not for the desktops, laptops and other end user devices.

“NASA continues to work with HPE to remediate vulnerabilities,” the spokeswoman said. “As required by NASA policy, system owners must accomplish this remediation within a specified period of time. For those vulnerabilities that cannot be fully remediated within the established time frame, a Plan of Actions and Milestones (POAM) must be developed, approved, and tracked to closure.”

Letting an ATO expire on a major agency network is unheard of in government.

Practically, this probably won't change much on the ground for NASA's computing systems immediately. But operating without an ATO indicates that the agency is accepting (or perhaps "accepting") a large amount of operational IT security risks, instead of trying to understand and mitigate them.

Unofficial Android 7.0 port for the Google Nexus 5

Google may not be releasing Android 7.0 for older Nexus phones and tablets, but that hasn’t stopped independent developers from doing it. Xda-developers forum member Santhosh M has released an early build of Android 7.0 Nougat for the Google Nexus 5, one of the phones Google is leaving behind.

I suspect this is just the first of many unofficial builds of Android N for hardware that doesn’t officially support the operating system. That’s what happens when you combine an open source operating system, devices with unlockable bootloaders, and a tech savvy community of users.

Continue reading Unofficial Android 7.0 port for the Google Nexus 5 at Liliputing.

Google to punish sites that use intrusive pop-over ads

If ads interfere with the mobile experience, it’ll spell bad news for the site.

Pop-up ads are annoying on desktop, but even more frustrating on mobile devices when they sometimes take over the browser. Google wants to fix that: in a blog post, the company announced that, starting next year, websites with intrusive advertisements will be punished and may be pushed down in search results.

Essentially, Google wants search results to favor sites that have the best information and the least annoying advertisements that cover up that information. "While the underlying content is present on the page and available to be indexed by Google," the blog post says, "content may be visually obscured by an interstitial. This can frustrate users because they are unable to easily access the content that they were expecting when they tapped on the search result."

Google claims these intrusive ads and interstitials create "a poorer experience" for users, particularly on mobile where space is limited by smaller screens. It's not wrong—sometimes pop-up or pop-over ads that show up on mobile websites can take up the entire display, forcing you to view them while furiously trying to find the "X" to close them. After January 10, 2017, sites that show these kinds of ads (which include content-obscuring "please subscribe to our newsletter!" pop-overs) "may not rank as highly" in search results.
