Thursday, August 16, 2018

Over at Slashdot, we read:

A forum thread on QRZ.com indicates that the shortwave time broadcasts by the National Institute of Standards and Technology (NIST) from stations WWV (Colorado) and WWVH (Hawaii) may be slashed in budget year 2019. [One of the proposed reductions includes "$6.3 million supporting fundamental measurement dissemination, including the shutdown of NIST radio stations in Colorado and Hawaii."]

While the WWV broadcasts may seem like an anachronism to some Slashdotters, they remain a crucial component in many unexpected services, from over-the-air broadcasters and traffic signals, to medical devices, wall clocks, and wrist watches. The signals serve as standard beacons for radio propagation, and as a frequency reference for alignment of a broad range of communications equipment. It's easy to imagine that not even the NIST knows every service and device that could be impacted by this decision.

Friday, August 10, 2018

At ZDNet, we read:

Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port.

Thursday, August 9, 2018

From Gizmodo:

An investigation carried out by the Federal Communications Commission's own inspector general officially refutes controversial claims that a cyberattack was responsible for disrupting the FCC's comment system in May 2017, at the height of the agency's efforts to kill off net neutrality. The investigation also uncovered that FCC officials had provided congressional lawmakers with misleading information regarding conversations between an FCC employee and the Federal Bureau of Investigation's cybercrime task force. A report from the inspector general's office (OIG) released Tuesday afternoon states that the comment system's downtime was likely caused by a combination of "system design issues" and a massive surge in traffic caused when Last Week Tonight host John Oliver directed millions of TV viewers to flood the FCC's website with pro-net neutrality comments.

Investigators were unable to "substantiate the allegations of multiple DDoS attacks" alleged by then-FCC Chief Information Officer David Bray, the report says. "At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability." [Here's an excerpt from the report:] "While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the minuscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic."

Wednesday, August 8, 2018

From Slashdot: Oracle has filed a protest regarding plans to award the Pentagon's huge cloud contract to a single vendor. Rebecca Hill writes:

The Joint Enterprise Defense Infrastructure (JEDI) contract, which has a massive scope, covering different levels of secrecy and classification across all branches of the military, will run for a maximum of 10 years and is worth a potential $10 billion. In spite of this pressure from vendors and the tech lobby -- as well as concerns from Congress -- the US Department of Defense (DoD) refused to budge, and launched a request for proposals (RFP) at the end of last month. Oracle is less than impressed with the Pentagon's failure to back down, and this week filed a bid protest to congressional watchdog the Government Accountability Office asking for the RFP to be amended.

In the protest, the database goliath sets out its arguments against a single vendor award -- broadly that it could damage innovation, competition, and security. Reading between the lines, it doesn't want either of Amazon or Microsoft or Google to get the whole pie to itself, and thus endanger Oracle's cosiness with Uncle Sam. Summing up its position in a statement to The Register, Oracle said that JEDI "virtually assures DoD will be locked into legacy cloud for a decade or more" at a time when cloud technology is changing at an unprecedented pace.

Read more at The Register