Can The USPS Win At E-commerce?

Dealing with a decline in the mail it has been delivering since the days of America’s Revolutionary War, in 2012 the U.S. Postal Service began aggressively targeting e-commerce and lapsed customers as the way to salvage its slumping business.

“Really it started almost at the level of cold-calling, talking to people who really hadn’t spoken to us in a long time,” said Nagisa Manabe, who joined the USPS in May 2012 as chief marketing and sales officer from Coca-Cola Co after a career in the private sector. “And really trying to persuade them to consider us as a very viable alternative in the shipping market.”

With further drops in its traditional bread-and-butter products ahead, the USPS wants to capitalize on e-commerce, which consulting firm Detroit LLP has predicted should grow 14 percent this holiday season alone. But industry experts question whether the USPS has enough space in its delivery vans and whether its unionized work force can handle a greater proportion of the e-commerce market.

Over the past two years the USPS has rolled out real-time scanning for packages, a vital tool for online retailers and consumers alike to track their packages. It is also upgrading all of its delivery workers’ handheld scanners.

The rise of the Internet has taken a heavy toll on first-class mail, the USPS’s most profitable product. That falling business played a significant role in the USPS’s fiscal 2014 loss of $5.5 billion, its eighth consecutive year in the red.

From 2009 to 2013, the volume of first-class mail deliveries dropped more than 20 percent. In the fiscal year ending Sept. 30, USPS deliveries declined to 155.4 billion pieces from 158.2 billion. First-class deliveries accounted for 2.2 billion pieces of that decline.

But package deliveries rose to more than 4 billion pieces from 3.7 billion, accounting for $1.1 billion of the USPS’s revenue growth of $1.9 billion. In the run-up to Christmas, the USPS has been doing Sunday deliveries for Amazon.com Inc in a number of cities. Manabe adds that the agency will handle the online retailer’s push into same-day and next-day deliveries “in many markets.”

EBay Inc is another major customer and Manabe says “pretty much anyone who’s in the e-commerce space at least does some volume with us.”

Source

Should Encryption Be The Norm?

Encryption should be a matter of priority and used by default. That’s the message from the Internet Architecture Board (IAB), the worldwide body in charge of the internet’s technology infrastructure.

The IAB warned in a statement that “the capabilities and activities of attackers are greater and more pervasive than previously known”.

It goes on to say: “The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default.

“We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.”

The purpose, the IAB claims, is to instill public trust in the internet after the myriad high-profile cases in which computer traffic has been intercepted, ranging from bank details to email addresses and all points in between.

The news will be unwelcome to the security services, which have repeatedly objected to initiatives such as the default encryption in iOS8 and Android L, claiming that it is in the interest of the population to retain the right to intercept data for the prevention of terrorism.

However, leaked information, mostly from files appropriated by rogue NSA contractor Edward Snowden, suggests that the right of information interception is abused by security services including the UK’s GCHQ.

These allegations include the collection of irrelevant data, the investigation of cold cases not in the public interest, and the passing of pictures of nude ladies to colleagues.

Source

Google Continues A.I. Expansion

Google Inc is growing its artificial intelligence area, hiring more than half a dozen leading academics and experts in the field and announcing a partnership with Oxford University to “accelerate” its efforts.

Google will make a “substantial contribution” to establish a research partnership with Oxford’s computer science and engineering departments, the company said on Thursday regarding its work to develop the intelligence of machines and software, often to emulate human-like intelligence.

Google did not provide any financial details about the partnership, saying only in a post on its blog that it will include a program of student internships and a series of joint lectures and workshops “to share knowledge and expertise.”

Google, which is based in Mountain View, California, is building up its artificial intelligence capabilities as it strives to maintain its dominance in the Internet search market and to develop new products such as robotics and self-driving cars. In January Google acquired artificial intelligence company Deep Mind for $400 million according to media reports.

The new hires will be joining Google’s Deep Mind team, including three artificial intelligence experts whose work has focused on improving computer visual recognition systems. Among that team is Oxford Professor Andrew Zisserman, a three-time winner of the Marr Prize for computer vision.

The four founders of Dark Blue Labs will also be joining Google where they will be will be leading efforts to help machines “better understand what users are saying to them.”

Google said that three of the professors will hold joint appointments at Oxford, continuing to work part time at the university.

Source

OpenSSL Gets Updated

OPENSSL, the web security layer at the center of the Heartbleed vulnerability, has been issued with a further nine critical patches.

While none are as serious as Heartbleed, patching is recommended for all users according to an advisory released today. The vulnerabilities stem from various security research teams around the web including Google, Logmein and Codenomicom, based on their reports during June and July of this year.

Among the more interesting fixes involves a flaw in the ClientHello message process. If a ClientHello message is badly fragmented, it is vulnerable to a man-in-the-middle attack which could be used to force the server to downgrade itself to the TLS 1.0 protocol, a fifteen year old and therefore pre-Heartbleed patch variant.

Other reports include memory leaks caused by denial of service attacks (DoS) and conversely, crashes caused by an attempt to free up the same portions of memory twice.

OpenSSL now has two full time coders as a result of investment by a consortium of Internet industry companies to form the Core Infrastructure Initiative, a not-for-profit group administered by the Linux Foundation. The Initiative was set up in the wake of Heartbleed, as the industry vowed to ensure such a large hole would never be left unplugged again.

While OpenSSL is used by a large number of encrypted sites, there are a number of forks of the project including LibreSSL and the recently launched Google BoringSSL.

Google recently announced that it would be lowering the page rankings of unencrypted pages in its search results as an added security measure.

Source

Many Websites Still Exposed

The world’s top 1,000 websites have been updated to protect their servers against the “Heartbleed” vulnerability, but up to 2% of the top million remained unprotected as of last week, according to a California security firm.

On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.

Of the top 1,000 Alexa sites, all were either immune or had been patched with the newest OpenSSL libraries, confirmed Daniel Cid, Sucuri’s chief technology officer, in a Sunday email.

Heartbleed, the nickname for the flaw in OpenSSL, an open-source cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption, was discovered independently by Neel Mehta, a Google security engineer, and researchers from security firm Codenomicon earlier this month.

The bug had been introduced in OpenSSL in late 2011.

Because of OpenSSL’s widespread use by websites — many relied on it to encrypt traffic between their servers and customers — and the very stealthy nature of its exploit, security experts worried that cyber criminals either had, or could, capture usernames, passwords,\ and even encryption keys used by site servers.

The OpenSSL project issued a patch for the bug on April 7, setting off a rush to patch the software on servers and in some client operating systems.

The vast majority of vulnerable servers had been patched as of April 17, Sucuri said in a blog postthat day.

While all of the top 1,000 sites ranked by Alexa were immune to the exploit by then, as Sucuri went down the list and scanned smaller sites, it found an increasing number still vulnerable. Of the top 10,000, 0.53% were vulnerable, as were 1.5% of the top 100,000 and 2% of the top 1 million.

Other scans found similar percentages of websites open to attack: On Friday, San Diego-based Websense said about 1.6% of the top 50,000 sites as ranked by Alexa remained vulnerable.

Since it’s conceivable that some sites’ encryption keys have been compromised, security experts urged website owners to obtain new SSL certificates and keys, and advised users to be wary of browsing to sites that had not done so.

Sucuri’s scan did not examine sites to see whether they had been reissued new certificates, but Cid said that another swing through the Web, perhaps this week, would. “I bet the results will be much much worse on that one,” Cid said.

Source

Is The Tesla Hackable?

It’s the curse of the connected car once it’s linked to the Internet, it’s, well, on the Internet. In the case of the Tesla Model S, this means that mischievous hackers could, in theory, control some functions of the vehicle and even snoop without the owner’s knowledge.

Tesla offers Android and iPhone apps for Model S owners, which can be used to check the vehicle’s battery, track its location and status, and tweak several other settings, like climate control and the sunroof. It can also be used to unlock the doors on the Model S.

Dell senior engineer George Reese says the REST API used by Tesla to provide access for Android and iPhone apps has several fairly serious security flaws, which could offer a way in for unscrupulous hackers.

According to an article written by Reese for O’Reilly, Tesla appears to have broken from accepted best practice when designing the API for the Model S.

“It’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs–Twitter uses it), this scenario is one that screams for its use,” he wrote.

However, Reese notes, this is merely a potential attack vector, not one that could be immediately exploited. That said, a compromised website particularly one designed to provide “value-added services” via the API to Tesla drivers could prove highly damaging.

“I can … honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese wrote.

Automotive hacking has been posited by experts for some time, and several presentations at this year’s Defcon detailed fairly comprehensive methods of compromising some models.

Source

GM Adds IT Jobs

General Motors Co said on Monday it will add 1,500 jobs at a new software development center in Michigan as part of the U.S. automaker’s previously announced plan to move information technology work back into the company.

GM said it will hire the software developers, database experts, analysts and other IT positions over the next four years for the office in Warren, Michigan. It is the second of four software development centers GM plans to open, following one it announced last month in Austin, Texas.

In July, the Detroit automaker said it would reverse years of outsourcing IT work. GM now outsources about 90 percent of its IT services and provides the rest in-house, but it wants to flip those figures in the next three to five years.

The IT overhaul is spearheaded by GM Chief Information Officer Randy Mott, who outlined the plan to GM’s 1,500 IT employees in June. The former Hewlett-Packard Co executive believes the moves will make GM more efficient and productive.

GM, which has not disclosed the cost or savings of its strategy, plans to cut the automaker’s sprawling list of IT applications by at least 40 percent and move to a more standardized platform. GM will also simplify the way it transmits data.

Source…

Experts Think iPad 3 Coming in March

Apple will debut a new iPad some time in early March, and will start selling it the following week, according to reports and industry analyst expectations.

The March debut of the iPad 3, as some have called it, was first reported today by AllThingsD, the blog owned by Dow Jones, the publisher of the Wall Street Journal. Citing unnamed sources, the blog said Apple will host a launch event the first week of March, likely at the Yerba Buena Center for the Arts in San Francisco, a regular venue for the company’s press announcements.

Last year, then-CEO Steve Jobs returned from medical leave to lead the launch event of the iPad 2 on March 2. Apple started selling the new tablet on March 11, 2011 via its online store.

If Apple follows the same timeline, it will probably conduct the event the week of March 5-9, and begin selling the new model the following week.

It’s possible that Apple will trot out a new iPad on one of the first two days of March — Thursday, March 1 or Friday, March 2 — but Apple usually hosts events earlier in the week.

Next month’s iPad introduction, if it does take place, will be the first without Jobs, who died last October at the age of 56 of complications from his long-running battle with pancreatic cancer.

Source…

« Previous Page