Newly discovered flaw undermines HTTPS connections for almost 1,000 sites

“Ticketbleed” bug in F5 firewalls is no Heartbleed, but it still poses a threat.


Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday.

The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars. He didn't identify the sites that tested positive in his scans, but results returned by a publicly available tool included with his vulnerability disclosure included the following:

  • www.adnxs.com
  • www.aktuality.sk
  • www.ancestry.com
  • www.ancestry.co.uk
  • www.blesk.cz
  • www.clarin.com
  • www.findagrave.com
  • www.mercadolibre.com.ar
  • www.mercadolibre.com.co
  • www.mercadolibre.com.mx
  • www.mercadolibre.com.pe
  • www.mercadolibre.com.ve
  • www.mercadolivre.com.br
  • www.netteller.com
  • www.paychex.com

The threat stems from a vulnerability in F5 code that implements a transport layer security feature known as session tickets. Session tickets can speed up encrypted transactions by allowing previously established HTTPS connections to resume without a key having to be renegotiated all over again. Sites that use the vulnerable F5 appliances and have session tickets enabled are vulnerable.


Former judge wants to head patent office, says he’ll “Make Patents Great Again”

Position listed as “vacant” as candidates vie for Trump’s top patent spot.

Judge Randall Rader. (credit: Gene Quinn)

Who's the director of the US Patent and Trademark Office at the moment? It's a tougher question to answer than you'd think.

A patent blog that closely watches USPTO internal politics, IP Watchdog, raised the question earlier this week. Reports last month from Politico and The Hill indicated that Michelle Lee, a former Googler who was appointed in 2014 and is favored by the tech sector, would stay on under the administration of President Donald Trump.

Those reports, published right around Trump's inauguration, seem much less reliable now. IP Watchdog reports that Lee continues to be seen on the 10th floor of the Madison building, where the USPTO director's office is. Yet others continue to advocate for themselves, and on February 3, Lee canceled a scheduled speaking appearance in San Francisco. Since at least February 6, the Commerce Department's website has listed the position of USPTO Director as "vacant" (screenshot by IP Watchdog).


Judge sides with Microsoft, allows “gag order” challenge to advance

Court: “First Amendment rights may outweigh the Government interest in secrecy.”

Brad Smith, Microsoft's top lawyer (left), seen here speaking with CEO Satya Nadella on November 30, 2016. (credit: Jason Redmond / Getty Images News)

On Wednesday, a federal judge in Seattle allowed Microsoft’s lawsuit against the government to go forward. US District Judge James Robart ruled that the company does, in fact, have standing to sue the Department of Justice on behalf of its customers.

Microsoft's case has drawn support from a number of major tech companies, including Apple, Twitter, Google, and Snapchat, among others.

The lawsuit first began nearly a year ago. Microsoft sued, arguing that when the government presents it with legal demands for user data held in online storage, those court orders often come with a gag order that has no end date. Because Microsoft is effectively forbidden from alerting its customers, even well after the fact, that such a data handover took place, the company alleged that its customers' First and Fourth Amendment rights are consistently violated.


This one simple trick gets climate negotiators to update their understanding

Like everyone else, climate negotiators are slow to incorporate new information.

The COP21 negotiations in Paris.

Most of the information we receive isn't really new. Instead, it's related to things we already know, which means that we have to update our beliefs based on the new information. It may not surprise you that not everyone is great about updating their beliefs. And a new study in Nature Climate Change reports that there's a rather important group that seems to be bad at this process: climate negotiators.

There is some good news. While uncertainty about climate change is generally considered a challenge for setting policy, emphasizing the uncertainties helps negotiators bring their beliefs up to date with the current information.

Uncertainty means different things in different contexts. We may not be sure whether the planet will heat up by 2.7 degrees Celsius or 3.5 degrees Celsius by 2100, but it's pretty likely to be around that range. There's uncertainty there, both in terms of our own carbon emissions and in terms of the climate's sensitivity to them, but it's uncertainty within limits.


Now you can experience VR using a web browser (and Daydream-compatible hardware)

Google’s Daydream platform allows you to drop some smartphones into a compatible headset like the Daydream View and play games in virtual reality, watch 360-degree videos, or engage with other VR experiences. Now you don’t even need to install an app. The latest version of the Google Chrome web browser for Android brings support for […]

Now you can experience VR using a web browser (and Daydream-compatible hardware) is a post from: Liliputing

Could we be reaching the end of the road for small-capacity turbocharged engines?

Engines designed to meet current tests don’t perform the same way in the real world.


The other day over at Evo, Antony Ingram wrote an interesting piece regarding the current trend among automakers for downsized engines. Although it's much more common in Europe, even here in the US automakers are at it. Take the EcoBoost Ford Mustang and Chevrolet Cruze, for example. As Ingram notes, it's mainly a result of emissions and fuel economy test procedures. These small-capacity turbocharged engines are tuned for the tests, running at low rpm—below the point where the turbocharger kicks in—using little fuel and producing little pollution in the process.

Real-world driving can be a far cry from the test cycle, making it hard to replicate official MPG figures, particularly in city driving. But change is coming. Later this year, new emissions regulations come into effect in Europe, with the catchily named "Real Driving Emissions test." In part a response to dieselgate, it's an attempt by EU regulators to correct a system in which actual car pollution remains a lot worse than the testing requirements would suggest.

It's not hard to understand why we've ended up here. Why spend the engineering budget trying to tune a naturally aspirated engine to meet performance and emissions targets when you know you can ace the test and still make that headline horsepower number by bolting on a turbocharger instead? It's not just mainstream models we're talking about, either; even Porsche and Ferrari are dropping naturally aspirated engines for smaller-capacity forced-induction motors.


First real look at the new Windows look and feel shows a very different taskbar

The taskbar is getting ever so monochrome—even as apps are looking more exciting.

(credit: Tom Hounsell)

At its developer day event yesterday, Microsoft spent a long time extolling the virtues of the Universal Windows Platform and the Windows 10 Creators Update to developers. But subtly, the company slipped in a screenshot that gives us a first look at Project Neon, the next iteration of the company's design language.

The picture shows a refreshed version of the Groove music app on a Windows desktop. The fundamentals of the app and its layout aren't changed, underscoring that Neon is very much an iteration of the current Metro/Microsoft Design Language (MDL). The window has shed its discrete title bar and one-pixel border, with the application content now extending to the very edge of the window. The search text field no longer has a box around it, and the left-hand pane has a hint of translucency to it.

This adds a little more visual interest. While Metro/MDL has long been assumed to require flat expanses of plain color, this isn't entirely true. High-quality and especially photographic imagery are an encouraged part of Metro designs, and this was especially apparent in the early days. Many parts of Windows Phone 7 used "full bleed" (which is to say, edge-to-edge) pictures behind text and other UI elements, and even in Windows 8, some applications such as the Music app were photo-heavy. But this use of artwork is not universal, and in plenty of programs it can be difficult to do appropriately. The translucency in Neon will give developers better ways of demarcating parts of their user interface without requiring the adoption of photos and other artwork.


Deepmind: Researchers investigate how AI systems tick

Together or against each other? Researchers at Google Deepmind wanted to find out how AI systems interact with one another. Do they fight each other, or do they cooperate? The result was thoroughly human. (AI, Google)

Martin Shkreli is heading a software startup and wants your investment

Job posting for the new company says its founder has a “tremendous track record.”

Martin Shkreli (credit: Drew Angerer/Getty Images)

Martin Shkreli, the former pharmaceutical industry executive and hedge fund manager who is facing trial on accusations that he defrauded investors, is now starting a Manhattan software company that is in the midst of a $1 million debt offering, according to a regulatory filing.

Godel Systems is the company's name, and a job posting for the company notes that its founder is "an elite entrepreneur" with a "tremendous track record." A filing with the Securities and Exchange Commission, unearthed by CNBC, said Godel Systems has already raised $50,000. The issued debt is convertible to "equity securities."

Shkreli came to public attention—and scorn—in 2015 when Turing Pharmaceuticals, the second pharma company he founded, dramatically hiked the price of the life-saving drug Daraprim. The decades-old drug is used to treat a parasitic infection and is often given to AIDS patients and babies. The price increase brought attention to the skyrocketing costs of drugs, and it also opened up a host of criminal legal troubles for Shkreli.


Deals of the Day (2-09-2017)

Microsoft’s Surface Pro 4 tablet normally sells for $899 and up, but right now you can save as much as $200 if you pick one up from the Microsoft Store. For instance, you can snag a model with a Core M3 processor, 4GB of RAM, 128GB of storage, and a Surface Pen for $699. You […]

Deals of the Day (2-09-2017) is a post from: Liliputing
