BC rejects Northern Gateway tar sands pipeline

APTN National News

VICTORIA – The British Columbia government has rejected the proposed Northern Gateway pipeline, which would carry Alberta-mined bitumen to the West Coast for shipping to Asian markets, over environmental concerns.

In its final written submission to the joint review panel studying the project, the provincial government said it could not accept Enbridge’s project as presented because it failed to address persistent environmental concerns.

“British Columbia thoroughly reviewed all the evidence and submissions made to the panel and asked substantive questions about the project including its route, spill response capacity and financial structure to handle any incidents,” said Environment Minister Terry Lake, in a statement. “Our questions were not satisfactorily answered during these hearings.”

Lake said the Northern Gateway Pipeline Joint Review Panel needed to “determine if it is appropriate to grant a certificate for the project as currently proposed on the basis of a promise to do more study and planning.” Lake said the outstanding questions should be answered before the project gets a green light from the panel.

The B.C. government says the project needed a “world-leading marine oil spill response,” along with similar land oil spill prevention measures, settlement of Aboriginal and treaty rights issues, and the province getting a “fair share” of the economic benefits that reflects its risks from having the majority of the pipeline crossing its territory.

Lake said Enbridge provided “little evidence” it could initiate adequate spill response in the event of a pipeline rupture.

“Our government cannot support the issuance of a certificate for the pipeline as it was presented,” said Lake.

Enbridge, however, didn’t interpret the B.C. government’s position as a rejection, but rather as an affirmation that it would support the project if its conditions are met.

Janet Holder, executive vice-president for western access, said the project’s proponent would meet the conditions by the end of the panel’s review.

“We are working hard to meet the conditions of the government and the people of B.C.,” said Holder, in a statement.

The province will be providing its oral arguments to the panel on June 17 during a hearing in Terrace.

Smokers notice health warnings more on plain-packaged cigarettes

Health warnings on plain-packaged cigarettes affect smokers more than those marked on branded packs, finds a new study. Warnings used on standardised packs were novel and larger than those on fully-branded packs – and displayed pictorial images on both main display areas, the team said.

“Consistent with the broad objectives of standardised packaging, our research found that it was associated with increased warning salience, and thoughts about risks and quitting,” said lead researcher Crawford Moodie from the University of Stirling in Scotland.

“This study adds to the growing body of evidence that standardised packaging reduces the appeal of tobacco products,” said George Butterworth, Senior Policy Manager at Cancer Research, UK.

The study showed that smokers who bought standardised packs were more likely to have noticed and read the warnings compared to those who had never used standardised packs. Those who bought standardised packs also thought about the health risks of smoking and quitting and were more likely to have noticed a stop smoking sign on packs. For the study, the team included 1,865 current smokers aged 16 and above.

How Twitter is defending against the Silhouette attack that discovers user identity

Twitter Inc. disclosed that it is learning to defend against a new cyber attack technique, Silhouette, that discovers the identity of logged-in Twitter users. The issue was first reported to Twitter in December 2017 through its vulnerability rewards program by a group of researchers from Waseda University and NTT. The researchers submitted a draft of their paper for the IEEE European Symposium on Security and Privacy in April 2018. Following this, Twitter’s security team prioritized the issue, routed it to several relevant teams, and contacted several other at-risk sites and browser companies to urgently address the problem. The researchers too recognized the significance of the problem and formed a cross-functional squad to address it.

The Silhouette attack

This attack exploits variability in the time web pages take to load. The threat is established by exploiting a function called ‘user blocking’ that is widely adopted in social web services (SWSs). With it, a malicious user can control whether pages are visible to legitimate users. As a preliminary step, the malicious third party creates personal accounts within the target SWS (referred to below as “signaling accounts”) and uses these accounts to systematically block some users on the same service, thereby constructing a combination of non-blocked/blocked users. This pattern can be used as information for uniquely identifying user accounts. At the time of identification, that is, when a user visits a website on which a script for identifying account names has been installed, that user will be forced to communicate with pages of each of those signaling accounts. This communication, however, is protected by the Same-Origin Policy, so the third party will not be able to directly obtain the content of a response from such a communication.

The action taken against the Silhouette attack

The Waseda University and NTT researchers provided various ideas for mitigating the issue in their research paper. The ideal solution was to use the SameSite attribute for the Twitter login cookies. This would mean that requests to Twitter from other sites would not be considered logged-in requests. If the requests aren’t logged-in requests, identity can’t be detected. However, this feature was an expired draft specification and it had only been implemented by Chrome. Although Chrome is one of the biggest browser clients by usage, Twitter needed to cover other browsers as well. Hence, they decided to look into other options to mitigate this issue.

Twitter decided to reduce the response size differences by loading a page shell and then loading all content with JavaScript using AJAX. Page-to-page navigation for the website already works this way. However, the server processing differences were still significant for the page shell, because the shell still needed to provide header information and those queries made a noticeable impact on response times.

Twitter’s CSRF protection mechanism for POST requests checks whether the Origin and Referer headers of the request are sourced from Twitter. Applying this check to page loads proved effective in addressing the vulnerability, but it prevented the initial load of the website: users might load Twitter from a Google search result or by typing the URL into the browser. To address this case, Twitter created a blank page on their site which did nothing but reload itself. Upon reload, the referer would be set to twitter.com, and so it would load correctly. There is no way for non-Twitter sites to follow that reload. The blank page is very small, so while a roundtrip load is incurred, it doesn’t impact load times too much. Twitter was able to apply this solution to its various high-level web stacks.

There were a number of other considerations Twitter had to make. Some of them include: They supported a legacy version of Twitter (known internally as M2) that operates without the need for JavaScript, so they made sure that the reloading solution didn’t require JavaScript. Because Twitter uses CSP for security, they had to make sure that the blank reloading page followed Twitter’s own CSP rules, which can vary from service to service. Twitter needed to pass through the original HTTP referrer to make sure metrics were still accurately attributing search engine referrals. They had to make sure the page wasn’t cached by the browser, or the blank page would reload itself indefinitely. To guard against that, they used cookies to detect those loops, showing a short friendly message and a manual link if the page appeared to be reloading more than once.

Implementing the SameSite cookie on major browsers

Although Twitter has implemented the mitigation, they have also discussed the SameSite cookie attribute with the other major browser vendors. All major browsers have now implemented SameSite cookie support. This includes Chrome, Firefox, Edge, Internet Explorer 11, and Safari. Rather than adding the attribute to Twitter’s existing login cookie, they added two new cookies for SameSite, to reduce the risk of logout should a browser or network issue corrupt the cookie when it encounters the SameSite attribute.

Adding the SameSite attribute to a cookie is not at all time-consuming. One just needs to add “SameSite=lax” to the Set-Cookie HTTP header. However, Twitter’s servers depend on Finagle, which is a wrapper around Netty, which does not support extensions to the Cookie object. As per a Twitter post, “When investigating, we were surprised to find a feature request from one of our own developers the year before! But because SameSite was not an approved part of the spec, there was no commitment from the Netty team to implement.
Ultimately we managed to add an override into our implementation of Finagle to support the new cookie attribute.” Read more about this in detail on Twitter’s blog post.
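
The referer check and self-reloading blank page described above, sketched as an added example (it is not Twitter's code and not part of the original article). The host name, cookie names and the use of a meta refresh tag as the JavaScript-free reload are assumptions of this sketch, as is a browser that sends a Referer header on that reload.

```python
import html
from urllib.parse import quote, urlsplit

SITE_HOST = "social.example"   # hypothetical first-party host
LOOP_COOKIE = "reload_count"   # hypothetical loop-detection cookie
REF_COOKIE = "orig_referrer"   # hypothetical cookie keeping the external referrer for metrics

def is_first_party(headers):
    """True when Origin (or, failing that, Referer) names our own https host."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            return parts.scheme == "https" and parts.hostname == SITE_HOST
    return False  # neither header present: typed URL, bookmark or stripped referrer

def handle_get(path, headers, cookies):
    """Return (status, header list, body) for a GET of a logged-in page."""
    # Collapse leading slashes so the reload target can never be read as //other-host.
    target = html.escape("/" + path.lstrip("/"), quote=True)
    out = [("Cache-Control", "no-store")]  # a cached blank page would reload forever
    if is_first_party(headers):
        out.append(("Set-Cookie", f"{LOOP_COOKIE}=0; Max-Age=0; Path=/; Secure"))
        return 200, out, f"<!-- full page shell for {target} -->"
    # The cookie is client-controlled: accept only the two values we issue.
    count = {"1": 1, "2": 2}.get(cookies.get(LOOP_COOKIE), 0)
    if count >= 2:
        # Reloaded more than once without a first-party Referer: stop, offer a link.
        body = f'<p>Having trouble loading this page. <a href="{target}">Continue</a></p>'
        return 200, out, body
    out.append(("Set-Cookie", f"{LOOP_COOKIE}={count + 1}; Max-Age=60; Path=/; Secure"))
    if count == 0 and headers.get("Referer"):
        # Keep the external referrer so search-engine referrals are still attributed.
        ref = quote(headers["Referer"], safe="")
        out.append(("Set-Cookie", f"{REF_COOKIE}={ref}; Max-Age=60; Path=/; Secure; HttpOnly"))
    # Blank page that reloads itself without JavaScript; the reload carries our own Referer.
    return 200, out, f'<meta http-equiv="refresh" content="0;url={target}">'
```

A cross-site request only ever receives the same tiny blank page, so its response size and processing time no longer depend on the logged-in user's relationship to the requested account.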