Feed aggregator

Security advisories for Monday

LWN Headlines -

Arch Linux has updated curl (two vulnerabilities) and libwmf (multiple vulnerabilities).

Debian has updated libgd2 (denial of service) and libphp-phpmailer (code execution).

Debian-LTS has updated hdf5 (multiple vulnerabilities), hplip (man-in-the-middle attack from 2015), kernel (multiple vulnerabilities), libphp-phpmailer (code execution), pgpdump (denial of service), postgresql-common (file overwrites), python-crypto (denial of service), and shutter (code execution from 2015).

Fedora has updated curl (F24: buffer overflow), cxf (F25: two vulnerabilities), game-music-emu (F24: multiple vulnerabilities), libbsd (F25; F24: denial of service), libpng (F25: NULL dereference bug), mingw-openjpeg2 (F25; F24: multiple vulnerabilities), openjpeg2 (F24: two vulnerabilities), php-zendframework-zend-mail (F25; F24: parameter injection), springframework (F25: directory traversal), tor (F25; F24: denial of service), xen (F24: three vulnerabilities), and zookeeper (F25; F24: buffer overflow).

Gentoo has updated bash (code execution), busybox (denial of service), chicken (multiple vulnerabilities going back to 2013), cyassl (multiple vulnerabilities from 2014), e2fsprogs (code execution from 2015), hdf5 (multiple vulnerabilities), icinga (privilege escalation), libarchive (multiple vulnerabilities, some from 2015), libjpeg-turbo (code execution), libotr (code execution), lzo (code execution from 2014), mariadb (multiple unspecified vulnerabilities), memcached (code execution), musl (code execution), mutt (denial of service from 2014), openfire (multiple vulnerabilities from 2015), openvswitch (code execution), pillow (multiple vulnerabilities, two from 2014), w3m (multiple vulnerabilities), xdg-utils (command execution from 2014), and xen (multiple vulnerabilities).

Mageia has updated mcabber (roster push attack) and tracker (denial of service).

openSUSE has updated firefox (13.1: multiple vulnerabilities), gd (42.2, 42.1: stack overflow), GNU Health (42.2: two vulnerabilities), roundcubemail (13.1: cross-site scripting), kernel (42.1: information leak), thunderbird (42.2, 42.1, 13.2; SPH for SLE12: multiple vulnerabilities), and xen (42.2; 42.1; 13.2: multiple vulnerabilities).

Red Hat has updated ipa (RHEL7: two vulnerabilities) and rh-nodejs4-nodejs and rh-nodejs4-http-parser (RHSCL: multiple vulnerabilities).

Slackware has updated libpng (NULL dereference bug), thunderbird (code execution), and seamonkey (multiple vulnerabilities).

SUSE has updated gstreamer-plugins-good (SLE12-SP2: multiple vulnerabilities) and kernel (SLERTE12-SP1: multiple vulnerabilities).

SpaceX Moves Past Explosion With New Launch Plans

Slashdot -

SpaceX plans to resume launching rockets as soon as next week, after completing an investigation into a spectacular launch pad explosion that destroyed a rocket and a satellite in September. From a report on CNN: The news comes following an in-depth investigation into the explosion of a rocket from SpaceX's September mission. The company said in a statement Monday the botched launch was due to a failed pressure vessel in a liquid oxygen tank. The vessel buckled, causing liquid oxygen to accumulate. It believes this led to friction, sparks and the explosion. SpaceX conducted the investigation along with officials from NASA, the Federal Aviation Authority, the U.S. Air Force and the National Transportation Safety Board. The Federal Aviation Administration will have to sign off on the report and issue SpaceX a license to launch. SpaceX appears optimistic it will be launching rockets again soon.

Read more of this story at Slashdot.

Palantir: Saving Money With Open Source

Drupal Planet -

Saving Money With Open Source. Posted by brandt, Mon, 01/02/2017 - 12:44. By Ken Rickard, Jan 2, 2017.

Open source software like Drupal helps remove common business constraints.

In this post we will cover...
  • what the fundamental tenets of open source software are
  • how open source software can have a direct impact on total cost of your project
  • some items to consider when planning your budget


Software decisions are a critical part of business strategy. Software powers everything from marketing websites (content management systems — CMS) to student and customer records. It stores employee records, provides communications infrastructure, and creates and distributes marketing campaigns (marketing automation, customer relationship management — CRM).

When we discuss software purchasing and usage with our partners, we need to take into account the different contexts and uses of that software. The question of context is central to how we think about software decisions. What are your constraints? Are you constrained by budgets? Security policies? License agreements?

One of the main reasons that we work with open source software like Drupal is that it helps remove business constraints. The fundamental tenets of open source software are:

  • Included source code and the ability to modify that code
  • The right to freely redistribute the software and any modifications
  • Bans on discriminating who may use the software, and for what purpose
  • Non-restrictive licensing, so the software is neither tied to a specific product nor restricts the development or functioning of other software

These freedoms have a direct effect on the cost of acquisition and maintenance for your software project. Need to connect disparate systems together? An open source license makes that easier, since it removes any restrictions on how you might integrate those systems. For marketing applications, the use of open source software platforms such as Drupal and WordPress ensures your content management system can be extended and adapted to meet your needs.

Open source software frequently runs on community contributions such as money, time, or expertise. You need to factor this aspect of open source into your software decisions. Do you have the resources to devote to supporting the software? If not, is your goal to encourage adding the needed resources within your organization? For example, a 1,000-person organization may need to dedicate three full-time employees to supporting an open source application.

The pros and cons of a commitment to maintaining open source systems must be measured as a question of total return. In the example just given, having three developers devoted to the project may be less expensive than purchasing an application that could be licensed to all users. It may also be cheaper than building and maintaining the software in-house. The skills and training that the three people develop, and putting them in an active, committed role of improving the software, may produce a better return on investment than having them install and maintain proprietary software.

When planning your budgets, look for these items, and consider where you get the best value for investing your time and money:

Licensing. Proprietary software solutions charge license fees. I’ve worked on projects where we replaced proprietary software that had a 7-figure license fee. These used to be one-time fees but now tend to be annual subscription costs (such as you might pay on a smaller scale for Adobe Creative Suite). In extreme cases, the license fee is charged per user (also called per-seat licensing). In such cases, growing from a team of 3 to a team of 5 raises the license cost in step with headcount, and every new hire becomes a recurring line item.

Support. Before I joined Palantir, I worked at a company that made and sold software. We included a fee of 20% of the purchase price per year as a support fee, which is still fairly standard for enterprise software. The fee was collected regardless of the level of support actually provided. Without it, security and other critical updates wouldn’t be provided.

Hosting. Many software applications have moved into the cloud. While this lessens the cost of hosting applications internally, it can increase the chance of vendor lock-in, as the entire application is outside of your direct control. With both Drupal and WordPress, there are good, effective hosting options that lower your total cost of ownership without locking you in to a specific software or service provider. (Full disclosure, we partner with both Acquia and Pantheon, who provide such services.)

Hidden costs. When we talk about lock-in, we refer to a business model that forces the customer to become dependent on the original service provider. (Lock-in, put simply, is why cable and telecom companies have such horrible customer service ratings.) A software system that doesn’t give you access to the source code, or, even worse, access to your data, is trying to lock you in long-term. That software is restricting the freedom to run your business the way you want to.

It’s that final cost that makes the open source software movement so attractive to many IT professionals. We work with software all day, and we don’t want to be restricted in how we can use it. So we resolve to work together to provide tools that are freely given to all.

In the end, consider the logic behind your decisions. Return on investment and staff commitment are metrics that matter internally. For instance, does your support of LibreOffice, an open source alternative to Microsoft Office, make it possible for your organization to save money? Quite possibly.

But are there larger issues at play? Advantages can also accrue outside your organization. We began by making the case for the free exchange of information that should apply to both medicine and software design. So when you ask the question “What could we do?”, consider expanding the scope to include “What could we do that would help us and others?” That small change in thinking could have profound effects on the way you evaluate your ultimate return on investment.


All the Features Facebook Copied From Snapchat in 2016

Slashdot -

Last year, Facebook looked several times at Snapchat, a company that reportedly refused to be acquired by the social giant, for new features in Facebook Messenger, and its Instagram services. From a report on Recode: Here's the list of features Facebook launched this year that appear to be direct threats to Snapchat: 1. Facebook bought MSQRD, an app that creates silly face filters, in March. 2. It has since added the face filter technology to the main Facebook app and Messenger. 3. Facebook started testing a new Snapchat-style camera inside its main app. Messages sent using the new camera are ephemeral. 4. Facebook built a Snapchat clone app called Flash specifically for emerging markets like Brazil. 5. Instagram ripped off Snapchat's Stories feature. (It actually works pretty well.) Instagram also added ephemeral messaging.

Read more of this story at Slashdot.

Japanese White-Collar Workers Are Already Being Replaced by Artificial Intelligence

Slashdot -

Most of the attention around automation focuses on how factory robots and self-driving cars may fundamentally change our workforce, potentially eliminating millions of jobs. But AI that can handle knowledge-based, white-collar work is also becoming increasingly competent. From a report on Quartz: One Japanese insurance company, Fukoku Mutual Life Insurance, is reportedly replacing 34 human insurance claim workers with "IBM Watson Explorer," starting by this month. The AI will scan hospital records and other documents to determine insurance payouts, according to a company press release, factoring injuries, patient medical histories, and procedures administered. Automation of these research and data gathering tasks will help the remaining human workers process the final payout faster, the release says.

Read more of this story at Slashdot.

Tesla Rolling Out Autopilot Software Updates to 1,000 Cars

Slashdot -

Tesla Motors began rolling out software updates to customers with newer cars, bringing them to parity with owners who have what's known as "Autopilot 1" and setting the stage to ultimately unleash full self-driving capability. From a report on Bloomberg: "HW2 Autopilot software uploading to 1,000 cars this eve. Will then hold to verify no field issues and upload to rest of fleet next week," Tesla Chief Executive Officer Elon Musk said. When Musk announced in October that all vehicles now being produced at the Fremont, California, factory are shipping with a new hardware suite to enable full self-driving, he warned that the cars would temporarily lack some of the features currently available on Tesla vehicles with "first generation" Autopilot as the company validated the software. That includes some standard safety features like automatic emergency braking, collision warning and active cruise control. Now customers with the "Hardware 2" suite will have those features.

Read more of this story at Slashdot.

Palantir: Palantir.net's Guide to Digital Governance: Broadcast Email

Drupal Planet -

Palantir.net's Guide to Digital Governance: Broadcast Email. Part of Palantir.net's Guide to Digital Governance. Posted by brandt, Mon, 01/02/2017 - 09:10. By Scott DiPerna, Jan 2, 2017.

This is the fourteenth installment of Palantir.net’s Guide to Digital Governance, a comprehensive guide intended to help get you started when developing a governance plan for your institution’s digital communications.

In this post we will cover...
  • What qualifies as spam
  • Questions to consider when defining your email communication policies
  • Constituent preferences you should also take into account


Broadcast email (i.e. email marketing campaigns, email newsletters, etc.) is loosely defined as email sent and addressed to a group of people rather than a specific person or persons, typically using an email list, contact list, or database of email addresses. It is frequently used for the purposes of email marketing, though it essentially refers to broadcasting a communication to a group of recipients via email to convey information.

When communicating with an external audience, broadcast email typically is sent through an email marketing service (such as MailChimp, Constant Contact, Campaign Monitor, etc.) or through the email platform of a larger enterprise system that may include a CRM and other marketing functions (such as Blackbaud, Salsa, Convio, etc.). Your organization may also have internal mass-email distribution systems in place for broadcast email to internal audiences. For the purposes of this article, we will be speaking mostly about email to external audiences.


An important issue to address in any broadcast email guidelines is the sending of spam email. Spam email is generally understood to be any email message that is unsolicited and sent in bulk, though whether it is sent in bulk or to an individual is significantly less important than whether the recipients have approved of receiving such emails. This applies to email sent to an address that was not given to the sender explicitly for the purpose of receiving mass email messages from the sender.

Common activities which may qualify as spam:

  • sending a mass email to a list purchased from a company
  • sending a mass email to a list borrowed from another organization
  • sending a mass email to a list compiled by scouring websites for email addresses
  • sending a mass email to a list of recipients to which you have not been given permission to email
  • sending a mass email to a list compiled from a database without permission from the database administrator(s)

It is critically important to have policies governing broadcast email communication, as it will certainly impact your efficacy in communicating with many of your most important constituencies. Here are many other questions and issues to consider while crafting your governance plan:

  • What broadcast email platforms are available?
  • Who has access?
  • May individuals use their own email accounts (i.e. their personal email account provided by your organization) for broadcast email?
  • Are there multiple lists of broadcast email recipients such as various subscriber lists, audiences, or groups?
  • Who is responsible for maintaining each of these lists?
  • Are permissions and approvals required for sending email to broadcast email lists?
  • Are there any regularly scheduled broadcast emails (such as newsletters)?
  • May an individual add information to regularly scheduled broadcast emails?
  • May broadcast email recipients unsubscribe from the list(s)?
  • Do you have an official unsubscribe policy?
  • May members of your organization create and maintain their own custom broadcast email lists?
  • What are the guidelines for custom lists?
  • Do you have a policy regarding the sending of spam email?
  • How does your organization define spam email?

Balancing Internal Needs vs Constituents' Needs

The end goal of a good broadcast email governance plan is to balance the organization’s need to distribute information with the needs and preferences of your various constituencies. It is certainly a fine balance to strike.

Some good practices include learning more about your constituents' preferences and providing them with options for configuring their communication preferences. For example:

  • How often do they like to receive emails from you?
  • Do they prefer occasional summary-type communications over daily alerts, or vice-versa, or both?
  • What topics do they like to hear from you about?
  • Do they want to read all of the content in the email itself, or be provided with links to full articles on the website?
  • Would they like to be able to change their preferences as their relationship with your organization evolves?

The more you know your audience, the better you can accommodate their needs and minimize the risk that your communications will be perceived as irrelevant, or worse, as spam.


This post is part of a larger series of posts, which make up a Guide to Digital Governance Planning. The sections follow a specific order intended to help you start at a high-level of thinking and then focus on greater and greater levels of detail. The sections of the guide are as follows:

  1. Starting at the 10,000ft View – Define the digital ecosystem your governance planning will encompass.
  2. Properties and Platforms – Define all the sites, applications and tools that live in your digital ecosystem.
  3. Ownership – Consider who ultimately owns and is responsible for each site, application and tool.
  4. Intended Use – Establish the fundamental purpose for the use of each site, application and tool.
  5. Roles and Permissions – Define who should be able to do what in each system.
  6. Content – Understand how ownership and permissions should apply to content.
  7. Organization – Establish how the content in your digital properties should be organized and structured.
  8. URL Naming Conventions – Define how URL patterns should be structured in your websites.
  9. Design – Determine who owns and is responsible for the many aspects design plays in digital communications and properties.
  10. Personal Websites – Consider the relationship your organization should have with personal websites of members of your organization.
  11. Private Websites, Intranets and Portals – Determine the policies that should govern site which are not available to the public.
  12. Web-Based Applications – Consider use and ownership of web-based tools and applications.
  13. E-Commerce – Determine the role of e-commerce in your website.
  14. Broadcast Email – Establish guidelines for the use of broadcast email to constituents and customers.
  15. Social Media – Set standards for the establishment and use of social media tools within the organization.
  16. Digital Communications Governance – Keep the guidelines you create updated and relevant.


Samsung To Reveal This Month What Caused the Galaxy Note 7 Smartphone To Catch Fire - Report

Slashdot -

One of the biggest mysteries of 2016 will come to an end sometime this month. Samsung will make public the results of its months-long investigation into what caused several Galaxy Note 7 smartphones to burst into flames later this month, according to a report on Reuters. From the report: The South Korean firm said in October it was examining all aspects of the phone, suggesting there may be a combination of factors that contributed to one of the costliest product safety failures in tech history. Samsung has also previously noted that it was working with several third-party sources and experts to figure out what could have caused the error. A popular theory among many is that Samsung attempted to further slim the form factor of the Galaxy Note 7, which resulted in the battery being held too tightly within the device -- which in turn caused the layers of lithium cobalt oxide and graphite to touch.

Read more of this story at Slashdot.

Bitcoin Breaks $1,000 Level, Highest in More Than 3 Years

Slashdot -

The price of digital currency bitcoin has hit the $1,000 mark for the first time in three years. From a report on CNBC: The cryptocurrency was trading at $1,021 at the time of publication, according to CoinDesk data, at a level not seen since November 2013, with its market capitalization exceeding $16 billion. Bitcoin has been on a steady march higher for the past few months, driven by a number of factors such as the devaluation of the yuan, geopolitical uncertainty and an increase in professional investors taking an interest in the asset class. "We are seeing the aftermath of zero interest rates run amok. So bitcoin is a healthy reminder that we don't have to hold on to dollars or renminbi, which is subject to capital controls and loss of purchasing power. Rather it's a new asset class," Bobby Lee, chief executive of BTC China, one of the world's largest bitcoin exchanges, told CNBC by phone.

Read more of this story at Slashdot.

7 notable legal developments in open source in 2016 (opensource.com)

LWN Headlines -

Richard Fontana reviews legal development in 2016 on opensource.com. "The Federal Source Code Policy is notable for placing emphasis on adhering to proper standards for open development as well as open source licensing. Agencies releasing open source code are directed to do so in a manner that encourages engagement with existing communities, fosters growth of new communities, and facilitates contribution both by the community to the federal code and by federal employees and contractors to upstream projects."

Kernel prepatch 4.10-rc2

LWN Headlines -

The second 4.10 kernel prepatch is out for testing. "Hey, it's been a really slow week between Christmas Day and New Years Day, and I am not complaining at all. It does mean that rc2 is ridiculously and unrealistically small. I almost decided to skip rc2 entirely, but a small little meaningless release every once in a while never hurt anybody. So here it is."

Intel Finds Moore's Law's Next Step At 10 Nanometers

Slashdot -

An anonymous reader writes: Sometime in 2017, Intel will ship the first processors built using the company's new, 10-nanometer chip-manufacturing technology. Intel says transistors produced in this way will be cheaper than those that came before, continuing the decades-long trend at the heart of Moore's Law -- and contradicting widespread talk that transistor-production costs have already sunk as low as they will go. In the coming years, Intel plans to make further improvements to the design of these transistors. And, for the first time, the company will optimize its manufacturing technology to accommodate other companies that wish to use Intel's facilities to produce chips based on ARM architecture, which is nearly ubiquitous in modern mobile processors.

Read more of this story at Slashdot.

CodeSOD: Do You Think This is a Game?

The Daily WTF -

We’ve passed Christmas and made our way through a Steam sale with our wallets mostly intact, and now most of us have a pile of games that we’ll probably never actually play.

Game programming is hard. Setting aside the “cultural” problems in the industry- endless crunches, compensation tied to review scores, conflicts between publishers and studios, and a veneer of glamour over unglamorous work- the actual work of developing a game is a hard job.

Building a game engine is even harder. Not only do you have to build highly performant code, you have to build a system flexible enough so that game developers can build a game on top of it. You need to provide a set of high-level abstractions that make it easy for them to build a game, and this is where the problems come in.

For example, I went through a brief period of playing Frozen Cortex, an interesting approach to a turn-based sports game. I was stunned at how badly it performs, though. Weirdly, it’s not during gameplay that performance stinks, but when staring at the menus. I was puzzling over this for some time, when Anonymous sent us a message.

You see, Frozen Cortex is built on the Torque engine, and our anonymous submitter is working on a different game that also uses the Torque engine. And they’ve encountered a few… special warts.

First, take a look at this code:

    a = getWords("The quick brown fox jumped over the lazy programmer.", 3);
    b = getWords("The quick brown fox jumped over the lazy programmer.", 3, 5);
    c = getWords("The quick brown fox jumped over the lazy programmer.", 3, 2);

getWords is a word-range substring function: it takes a string, the index of the first word, and optionally the index of the last word. Now, what would you expect to happen if the ending index comes before the starting index, as in the third call? Would you expect it to throw an exception? Well, bad news: TorqueScript has no concept of exceptions. It just crashes the entire game. This is a great tool to teach you how to be a better defensive programmer.

Now, you could argue that prohibiting exceptions is a pretty clever optimization- exceptions and stack unwinding are expensive operations. We have to wonder though, because here’s a performance comparison between calling a function and in-lining the operation:

    ==>%r=getRealTime();for(%i=0;%i<999999;%i++)%d=getMin(getRandom(),getRandom());echo(getRealTime()-%r);
    7040
    ==>%r=getRealTime();for(%i=0;%i<999999;%i++)%d=(%a=getRandom()<%b=getRandom()?%a:%b);echo(getRealTime()-%r);
    448

If you do a little arithmetic, it’s 15.7 times more expensive to call a function than to in-line it.

The final stinger Anonymous wanted to share with us was this:

TorqueScript’s “variables”, behind the scenes, involve a lookup table to match a variable name to its stored value. But this isn’t done quite right: even when a function has exited, its local variable names are never cleaned up. So the lookup table simply grows and grows over time… until, eventually, TorqueScript’s already poor performance reaches untenable levels of slowness. Essentially, it’s a memory leak in the scripting language itself. You can restart the game to clear the lookup table and bring it back to its original level of “speed”, or you could just let Torque eventually crash.
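As an added illustration (my own Python, not Torque engine code or anything from the submitter), here is a toy model of the two ways a scripting runtime can keep the table described above. FlatEnv registers every local of every call in one dictionary under a per-call key and never removes it; ScopedEnv pushes a frame per call and pops it on return. The per-call key layout and the stand-in script function are assumptions made for the model, not a description of TorqueScript internals.

```python
def min_of(bind, a, b):
    """Stand-in for a script function with two locals, %a and %b (assumed shape)."""
    bind("a", a)
    bind("b", b)
    return a if a < b else b


class FlatEnv:
    """One lookup table for the whole program; locals are added on entry and never removed."""

    def __init__(self):
        self.table = {}
        self.calls = 0

    def call(self, fn, *args):
        self.calls += 1
        call_id = self.calls

        def bind(name, value):
            # Keyed per call (assumption), so the same %a and %b land in fresh slots
            # every time and nothing ever deletes them: the leak the article describes.
            self.table[f"{call_id}:{name}"] = value

        return fn(bind, *args)

    def live_names(self):
        return len(self.table)


class ScopedEnv:
    """A frame per active call; the frame (and its names) is dropped on return."""

    def __init__(self):
        self.frames = []

    def call(self, fn, *args):
        frame = {}
        self.frames.append(frame)
        try:
            return fn(frame.__setitem__, *args)
        finally:
            self.frames.pop()  # locals die with the call, even if fn raised

    def live_names(self):
        return sum(len(frame) for frame in self.frames)


def names_after(env, n_calls):
    """Run n_calls calls of min_of and report how many variable slots remain live."""
    for i in range(n_calls):
        env.call(min_of, i, n_calls - i)
    return env.live_names()


if __name__ == "__main__":
    for cls in (FlatEnv, ScopedEnv):
        print(f"{cls.__name__:10s} after 10000 calls: {names_after(cls(), 10000)} live names")
```

The flat table grows by two entries per call no matter how many of those calls have returned, while the scoped one is back at zero after every call. Restarting the game, as the paragraph notes, is the only thing that ever empties the flat design's table.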

Now, this is a bit unfair. Torque was released by a small company, and after a few years of trying to find some market traction, became an open source product. I’m sure for the specific cases the developers were shooting for, some of these trade-offs make sense. We certainly wouldn’t expect to see anything so strange in a big-budget game engine, right?

Well, Rich D is trying his hand at making a few X-COM 2 mods, and thus is exploring the quirks of UnrealScript for Unreal Engine 3 (or, more precisely, the highly modified version of the Unreal Engine used by X-COM 2).

He’s found a few quirks of his own:

1) Basic data structures that we take for granted, like maps and sets, don’t exist.
2) If you’re in a static function, you can’t call another static function that takes a delegate as a parameter. Even if the delegate is also a static function.
3) If you’re looping over an array of structs, for and foreach have different behavior.
4) If a variable is None (UnrealScript’s equivalent of null) and you try to access something in it, that only results in a warning and your function continues executing anyway. No need to declare “On Error Resume Next”; that convenience is built in.

Again, many of these tradeoffs probably are there to optimize for performance, and can be avoided by defensive programming. But take a look at these two code blocks:

    static function bool IsUnitValidForCrossTrainSlot(XComGameState_StaffSlot SlotState, StaffUnitInfo UnitInfo)
    {
        local XComGameState_Unit Unit;

        Unit = XComGameState_Unit(`XCOMHISTORY.GetGameStateForObjectID(UnitInfo.UnitRef.ObjectID));

        if (Unit.IsASoldier() && !Unit.IsInjured() && !Unit.IsTraining() && !Unit.IsPsiTraining()
            && class'CrossTrainUtilities'.static.GetCrossClassAbilities(Unit).Length > 0)
        {
            return true;
        }
        return false;
    }


    static function bool IsUnitValidForCrossTrainSlot(XComGameState_StaffSlot SlotState, StaffUnitInfo UnitInfo)
    {
        local XComGameState_Unit Unit;
        local array<SoldierClassAbilityType> Abilities;

        Unit = XComGameState_Unit(`XCOMHISTORY.GetGameStateForObjectID(UnitInfo.UnitRef.ObjectID));

        if (Unit.IsASoldier() && !Unit.IsInjured() && !Unit.IsTraining() && !Unit.IsPsiTraining())
        {
            Abilities = class'CrossTrainUtilities'.static.GetCrossClassAbilities(Unit);
            if (Abilities.Length > 0)
            {
                return true;
            }
        }
        return false;
    }

Tracing through the logic, you’ll see that both of these are logically equivalent. The only difference is that the first example accesses the array in the if condition, while the second stuffs the array into a local variable. Which… as it turns out, is required. If the array doesn’t get put into a local variable, the entire contents of that array are wiped.

Game programming is hard, but sometimes, it seems like game engines make it actively harder.


Despite Piracy Claims, North American Box Office Hits Record $11.4 Billion In 2016

Slashdot -

Slashdot reader rudy_wayne writes: Despite constant claims of losing billions of dollars to "piracy", the North American box office closed out 2016 with $11.4 billion in ticket sales. That marks a new record for the industry, bypassing the previous record of $11.1 billion that was established in 2015. Disney had four of the top five highest-grossing films, including "Finding Dory," the year's top film with $486.3 million. "When holdovers are taken into account, Disney had six of the year's ten highest-grossing releases, a group that includes Star Wars: The Force Awakens, which debuted in 2015," reports Variety. Other top films include Rogue One: A Star Wars Story ($408.2 million), Captain America: Civil War ($408.1 million), The Secret Life of Pets ($368.4 million), and The Jungle Book ($364 million). Disney "controlled more than a quarter of the domestic market share despite releasing fewer films than any of the major studios," according to the article, which notes that the record was achieved despite the absence of big releases in several major movie franchises partly through higher ticket prices (and possibly also inflation).

Read more of this story at Slashdot.

Changing Other People's Flight Bookings Is Too Easy

Slashdot -

"The security of online travel booking systems is stuck in the 1990s, according to security researchers," reports Computerworld. An anonymous reader quotes their article, which argues that the ancient systems are also "woefully insecure": This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according to a team of researchers who analyzed this online ecosystem... They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg. The three major Global Distribution Systems operators...store Passenger Name Records for hundreds of millions of travelers at any given time. Any data added or modification made to a booking is stored in their systems and all that's required to access that information is typically a last name and a six-character booking code. There are multiple access points into these systems and this includes the websites operated by airlines and travel agencies, but also third-party websites like CheckMyTrip... The booking code itself is far from secret. It's printed on luggage tags that most people throw away after each flight -- even if their entire trip has not concluded yet -- and is also embedded in the QR codes printed on tickets that an alarmingly large number of travellers photograph and post on social media websites, the researchers said.

Read more of this story at Slashdot.
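As an added example (my own Python, not code from the Computerworld article or the researchers), the following parses the mandatory fields of the IATA Bar Coded Boarding Pass (BCBP) string that a boarding pass's 2D barcode carries (QR, Aztec or PDF417, depending on the airline) and pulls out the two values the summary identifies as the whole credential: the passenger's last name and the six-character booking code. The field list and widths are the single-leg mandatory items of the BCBP format as I know them; the sample boarding pass is constructed, not a real booking.

```python
# Mandatory single-leg BCBP items, in order, as (field name, width in characters).
BCBP_FIELDS = [
    ("format_code", 1),        # "M" for the multi-leg capable format
    ("legs", 1),               # number of flight legs encoded
    ("passenger_name", 20),    # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),  # "E" for electronic ticket
    ("pnr", 7),                # booking code (6 chars) plus padding
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),        # day of year of the flight
    ("compartment", 1),
    ("seat", 4),
    ("sequence", 5),           # check-in sequence number
    ("passenger_status", 1),
    ("conditional_size", 2),   # hex length of the optional data that follows
]
MANDATORY_LEN = sum(width for _, width in BCBP_FIELDS)  # 60


def build_bcbp(**values) -> str:
    """Assemble a BCBP string from field values, padding each field to its width."""
    out = []
    for name, width in BCBP_FIELDS:
        value = values.get(name, "")
        if len(value) > width:
            raise ValueError(f"{name}: {value!r} exceeds {width} characters")
        out.append(value.ljust(width))
    return "".join(out)


def parse_bcbp(data: str) -> dict:
    """Split a BCBP string into its mandatory fields (padding stripped).

    Rejects input that is too short or not in the 'M' format instead of
    silently returning partial fields.
    """
    if len(data) < MANDATORY_LEN:
        raise ValueError(f"BCBP too short: {len(data)} < {MANDATORY_LEN} characters")
    if data[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    return fields


def booking_credential(data: str) -> tuple:
    """Return (last_name, booking_code): the pair a GDS lookup typically asks for."""
    fields = parse_bcbp(data)
    last_name = fields["passenger_name"].split("/", 1)[0]
    return last_name, fields["pnr"]


# Constructed sample: Jane Doe, LHR to JFK on BA 117, seat 12A, booking code ABC123.
SAMPLE_BCBP = build_bcbp(
    format_code="M", legs="1", passenger_name="DOE/JANE", eticket_indicator="E",
    pnr="ABC123", from_airport="LHR", to_airport="JFK", carrier="BA",
    flight_number="0117", julian_date="001", compartment="Y", seat="012A",
    sequence="0001", passenger_status="1", conditional_size="00",
)

if __name__ == "__main__":
    print(repr(SAMPLE_BCBP))
    print(parse_bcbp(SAMPLE_BCBP))
    print("credential recovered from the barcode:", booking_credential(SAMPLE_BCBP))
```

Feed it the decoded payload of a photographed barcode and the first two lines of output are everything a "last name plus booking code" login form asks for, which is the point the researchers make about posting boarding passes online.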


Subscribe to Heydon Consulting aggregator