
Tag: gasoline

A diesel emissions test you can’t game? We try it out

From September, Euro 6 rules mean diesels have to prove they’re clean in the real world.

NY prosecutor says Exxon needs to hand over documents on climate...

Oil giant faces ongoing battle over whether it presented good information to investors.

Fuel economy rules would decouple “miles traveled” trend from “gas used”...

But whether those rules are enacted is in jeopardy with Trump and EPA chief Pruitt.

Volvo says no more diesel engines, the future is electric

Stricter nitrogen oxide emissions regulations mean an end to diesel-engine development.

Amazon will replace some of its electric forklifts with hydrogen fuel...

The deal with Plug Power is good news for a faltering hydrogen fuel cell economy.

Trump’s cyber-guru Giuliani runs ancient ‘easily hackable website’

Stunned security experts tear strips off president-elect pick hours after announcement

US president-elect Donald Trump's freshly minted cyber-tsar Rudy Giuliani runs a website with a content management system years out of date and potentially utterly hackable. Former New York City mayor and Donald loyalist Giuliani was today unveiled by Trump's transition team as the future president's cybersecurity adviser – meaning Giuliani will play a crucial role in the defense of America's computer infrastructure. Giulianisecurity.com, the website for the ex-mayor's eponymous infosec consultancy firm, is powered by a roughly five-year-old build of Joomla! that is packed with vulnerabilities.
Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open – from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. Security gurus are right now tearing strips off Trump's cyber-wizard pick.

Top hacker Dan Tentler was first to point out the severely out-of-date Joomla! install. "It speaks volumes," Tentler told The Register, referring to Giuliani's computer security credentials, or lack of, and fitness for the top post. "Seventy-year-old luddite autocrats who often brag about not using technology are somehow put in charge of technology: it's like setting our country on fire and giving every extranational hacker a roman candle – or, rather, not setting on fire, but dousing in gasoline."

Content management system developer Michael Fienen also pulled no punches:

The most surprising fact in all of this is that the Giuliani Security website hasn't ALREADY been hacked. They might as well put out a sign. — Michael Fienen (@fienen) January 12, 2017

It gets worse. "Giuliani is running a version of PHP that was released in 2013, and a version of Joomla that was released around 2012," said Ty Miller, a director at Sydney-based infosec biz Threat Intelligence. "Using the version information, within minutes we were able to identify a combined list of 41 publicly known vulnerabilities and 19 publicly available exploits. Depending upon the configuration of the website, these exploits may or may not work, but is an indication that Giuliani's security needs to be taken up a level."

Found on /r/sysadmin, presented without comment. pic.twitter.com/UmWe7tHURv — Ryan Castellucci (@ryancdotorg) January 12, 2017

Another computer security expert, speaking to The Register on condition of anonymity, analyzed Giuliani's website for us. Our guru, based in Australia, said that while the pending cyber-tsar is likely to have outsourced management of his online base, the fact that the mayor-turned-cyber-expert didn't check for lax security on his own website is not going to instill any confidence. We have reproduced our contact's assessment in full on the next page. ®

'Someone should be taken to task for this'

Well, talking nuts and bolts: that website is hosted with a hosting provider.
It looks like it has its own IP address based on having a single DNS PTR object (reverse address to the name giulianisecurity.com) which means it’s unlikely to be in use by other organisations (except maybe his own... who knows.) That IP address is allocated out of a block of addresses registered to Japanese giant NTT but these could also be provided to NTT’s customers such as web developers/hosting providers etc. Without actively poking at the site – which I’m terrified to do, frankly – it may be shared hosting, may be a VPS, or may be a physically separate dedicated hosting solution.
I’m betting it’s a cheap VPS-based ‘dedicated’ solution. My experience with this kind of hosting means that a nice attack vector is identifying the hosting provider and trying to get allocated a similar hosting solution in the adjacent IP address space, getting root on it (or having it if it’s a VPS) and then using ‘layer 2’ fun and games to redirect the victim site’s traffic to the attacker.

This still works amazingly well and is why smart people try to do things like statically publish layer-2 addresses for layer 3 IP gateways (although this is only so effective, really). For the giulianisecurity.com domain they seem to use Microsoft Office 365 for his email. Not a bad choice.

Email security sucks and, unless you know what you’re doing/are a glutton for punishment or are generally my kind of tinfoilhat wearer (hey, friends), it’s best to leave email security to someone reasonably credible. I also note they use a large trademark monitor company – MarkMonitor.com – for the DNS service provider for the domain name giulianisecurity.com. Which is hilarious.

Because, yeah, you’d want to intrude trademark-wise on this guy’s name because it’s such a valuable brand. Like Trump’s, you know? The reality is someone else makes these choices for him for his business.
It’s not like he’s there, updating his ancient and known vulnerable Joomla content management system himself (he’d get props from me if that were the case :) Anyone truly trying to protect your brand would avoid putting a giant red flag like an unpatched CMS in a commodity hosting environment out there. Whether it’s Giuliani’s company’s responsibility or an outsourced provider’s (very likely) the ‘having ancient Joomla’ in place is a pretty bad look.
Someone should be taken to task a bit for this.

And if you’re a security and safety company with an understanding of information security threats you’d have threat management programs in place to identify and improve your controls. For example, if you were undertaking actual security testing of your site I’d wager anyone in infosec – or in IT generally really – would’ve noticed the ancient CMS and its default install remnants using the crappiest, free-est tools out there.
So respectfully, Rudy, get someone to patch your shit and seek out some kind of specialist advice. Snarky comments aside – it really comes down to this greater concern: there’s literally millions of people in infosec who would be better cyber security advisors than Giuliani or whomever his technical advisors are that he’d call on for advice. So I’d ask – again respectfully – that the president elect cast a slightly wider net than he has to receive ‘cyber’ security advice.

As much as most people in infosec are a bunch of opinionated jerks (oh, and we are) we’re all here to help. Just ask a professional.

First sign in knowing one? It’s the person who doesn’t use the word ‘cyber’ to prefix everything they say.

'Molecular' Cybersecurity Vs. Information Cybersecurity

When it comes to industrial processes, security begins at the molecular level. Not all cybersecurity risk is created equal.

Case in point: when Sony was hacked, information was stolen, systems were wiped, and society was temporarily deprived of a Seth Rogen movie.

These were mostly bad outcomes, and Sony certainly suffered a significant financial loss. Now, imagine a similar attack on an oil refinery where compromised systems include the proprietary industrial control systems that manage volatile processes. When I say volatile, I'm referring to processes where a boiler is heating oil by hundreds of degrees separating molecules to produce gasoline and other products. With appropriate access, a bad actor can change how hot that boiler is configured to run.
If you combine that with disabled safety systems, production, environments — even lives — can be severely affected.

A German steel mill experienced this in 2014 when a boiler exploded after an industrial control system attack; and 225,000 Ukrainians lost power in December 2015 when a hacker group shut down substation systems. I don't want to diminish the impact that malicious attacks have on our financial industry and others. However, chemical, oil and gas, and power generation attacks can have much graver outcomes — yet, surprisingly, these industries are in some ways the most vulnerable.
If you examine cybersecurity within a typical industrial process company, you find many of the same protections you find in any other company — antivirus software, firewalls, application whitelisting, and more.

These security controls are focused on protecting workstations, servers, routers, and other IT-based technology.
In other words, they protect the flow of information. But systems that move and manipulate molecules (for example, oil separating into constituent parts) are not nearly as secure. Why? Because many of these systems were built and deployed before cybersecurity was even a thing.
Industrial facilities rely primarily on layered defenses in front of industrial control systems, security by obscurity (think complex systems on which it takes years to become an expert), and air gapping (physical isolation from other networks). The reality is that layered defenses and air gapping can be bypassed.
Industrial facilities, for instance, periodically have turnarounds where they perform maintenance or switch production output.

This requires hundreds of engineers — many of them third-party ones — working multiple shifts to get production back online.

They are authorized users who could accidentally (or intentionally) introduce malicious code or configuration changes into a control system. Relying on obscurity as a strategy only has limited effect. With the rise of nation-sponsored cyber warfare, the capability of manipulating complex control systems is also on the rise.

The Ukrainian power attack, for instance, included malicious firmware updates that were believed to have been developed and tested on the hacking group's own industrial control equipment. Heck, you can even buy a programmable logic controller (a type of industrial control system) on eBay.

Potential Impact

The Obama administration's Commission on Enhancing National Cybersecurity report was released in early December.

There were some good recommendations in the report, particularly around having a security rating system for Internet of Things devices. What I found disturbing was that the report stated the distinction between critical infrastructure systems (found in the industries highlighted in this post plus others, such as transportation, that also rely on industrial control systems) and other devices is becoming impractical.

The point is that in a connected world, everything is vulnerable and attacks can come from any quarter.
It's a fair point, but this idea diminishes the importance of impact, which is essential to driving priority, policy, and investment decisions. Protecting the systems that manipulate molecules must have priority and, in some cases, have precedence over the ones that maintain information. So, where do you start? Where should investment flow? Most companies need to start at the beginning and simply begin to track the cyber assets they have in an industrial facility.

Another fun fact: many don't track that data today, or do so in a highly manual way, which means there are data gaps and errors. Without visibility into the cyber assets in a plant, you can't effectively secure them. And when we talk about cyber assets, any credible inventory plan must include the controllers, smart field instruments, and other systems that manage the volatile processes we've discussed (these systems, by the way, make up 80% of the cyber assets you find in an industrial facility).

This can't happen in a spreadsheet, but it must happen through automation software that can pull data from the many disparate, proprietary systems that can exist in a single facility. With an automated, detailed inventory that is updated regularly, companies can begin to do the things they know are important for securing any system — they can monitor for unauthorized changes, set security policies, and more.

Doing so allows companies not only to secure information, but also secure the molecules — the lifeblood of an industrial process company.

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite.

David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ...

Presidential candidates promise to change America’s roads, but how?

Image: Gridlock in Houston, Texas. Credit: aJ Gazmen

Here at Ars, we like thinking about the future.

And some of the biggest problems we’ll have to solve in the future are related to transportation.

The population of the US is increasing, fossil fuel consumption must be cut or climate will change more dramatically than it already is, and autonomy is coming to vehicles.
So it’s worth asking our presidential candidates their views on transportation policy.

After all, the policies of the next four years could impact how automakers implement autonomous systems, whether large train systems will be built (hello, Hyperloop?), and how quickly electric vehicles will be adopted. Unfortunately, although Ars reached out to Hillary Clinton, Donald Trump, Gary Johnson, and Jill Stein’s campaigns, not one of the candidates’ teams got back to us.

That left us with statements on the candidates’ websites and comments they made during debates and interviews earlier this year.

Clinton

Clinton’s policies are by far the most thorough, although there are still gaps in her plan that leave room for questions. The Democratic Party nominee says she would set aside $275 billion for infrastructure, $25 billion of which would be used to create an infrastructure bank that would allow the government to leverage another $225 billion in loans and credit, which would be used for building even more infrastructure. The former secretary of state added that she’d raise the money for this endeavor by overhauling how businesses that keep assets abroad get taxed on those assets. Clinton also says she'll renew and expand the Build America Bonds program that President Barack Obama started in 2009 to fund some of her infrastructure projects. But figuring how much of this huge infrastructure outlay would go toward building trains or upgrading networks for automotive and air fleets is difficult.

The plan Clinton articulates on her website groups all federal infrastructure projects together and doesn’t detail how much, for example, she’d like to devote to building roads better equipped for smart vehicles versus how much she’d like to devote to less-transportation-minded endeavors, like building more broadband infrastructure which Ars’ Jon Brodkin covered in a separate piece.

Image: A crowded compressed natural gas station. Credit: Scott Lowe

But among the goals listed on her website, Secretary Clinton says she wants to use at least part of that $275 billion to create roads that can talk to autonomous vehicles.

Clinton’s website doesn’t get more specific than that, but one idea that’s been floated involves building wireless beacons at intersections where the glare of the sun makes traffic lights difficult to see.

Automakers could then equip their cars so that the vehicles will know automatically if the light is green or red. The Democratic candidate also said she’d use some of the infrastructure money to build “advanced fueling stations,” as well as equip roads with “sensors capable of alerting drivers to a dangerous icy patch a mile ahead.” She promised to also use some of those infrastructure billions to “provide more funding for basic research in transportation technology,” especially tackling problems that are “too far in the future for private industry to address." Clinton’s campaign claims that this funding will result in fewer accidents and less traffic due to the introduction of “vehicles that can sense and communicate with one another.” The funding would also theoretically reduce pollution after “more efficient and effective parking management systems,” are introduced. In her official statement, Clinton didn’t mention California’s bungled High Speed Rail project, and neither did her campaign share any opinion on the likelihood of Elon Musk’s Hyperloop idea making it from the hands of turmoil-ridden private companies to the real world.

But she did offer some salient details on improving aviation technology.

The Clinton campaign writes that World War II-era air traffic control systems need to be chucked in favor of “NextGen,” a satellite- (rather than radar-) based system that has been in the works since 2007.

The system is projected to ultimately cost the Federal Aviation Administration $17 billion in total (including funds that have already been spent), as well as $15 billion in private sector costs—that is, getting airlines to upgrade their equipment to work with the new system. “These efforts have fallen chronically behind schedule and well short of expectations,” Clinton’s campaign writes. “Clinton will get this crucial program back on track and ensure that it is managed effectively and with accountability.

These changes will save air travelers and airlines an estimated $100 billion in avoided delays over the next 15 years.” Despite campaign promises, getting the money to fund all this would be a real challenge. The US has traditionally funded transportation infrastructure with the Highway Trust Fund, financed by the federal gas tax, which hasn’t been raised in decades. Republicans would like to see the gas tax abolished and infrastructure spending tossed back to the states.

The Obama Administration has fought to increase funds for infrastructure spending to no avail.
If Congress’ demographics don’t change dramatically, Clinton could have as difficult a time as Obama did getting tax hikes for infrastructure spending approved.

Trump

Trump’s written and stated plans, compared to Clinton, are much, much more vague, but also more surprising, as they break significantly with the 2016 platform put forth by the Republican party. His campaign, like Clinton’s, did not respond to Ars’ request for comment. Throughout the summer, the businessman told reporters that he would more than double Clinton’s proposed spending on infrastructure, bringing the cost of his plan into the half-a-trillion-dollars range. But Trump’s plan to fund all this spending hasn’t been adequately articulated, except for in a couple of offhand comments he’s made on the campaign trail. According to The Hill, over the summer Trump told Fox Business Network’s Stuart Varney that he’d set up a fund to finance his infrastructure projects, offering only that “people, investors,” would be the primary contributors to that fund. “We’ll get a fund, we’ll make a phenomenal deal with the low interest rates and rebuild our infrastructure,” Trump told Varney. “The citizens would put money into the fund... and it will be a great investment, and it’s going to put a lot of people to work.” The Republican candidate explained that the money for the fund would come from selling infrastructure bonds. No matter where the money comes from, Trump’s ideas reflect a break from his party.

Typical Republicans try to kill most federal infrastructure spending initiatives that come through Congress in favor of letting states fund transportation and infrastructure as they wish.

The Washington Post wrote that when federal GOP lawmakers put together their party’s platform, it called for a significant reduction in how the Highway Trust Fund is funded, including a repeal of gas taxes.

The GOP wrote: We propose to remove from the Highway Trust Fund programs that should not be the business of the federal government. More than a quarter of the Fund’s spending is diverted from its original purpose. One fifth of its funds are spent on mass transit, an inherently local affair that serves only a small portion of the population, concentrated in six big cities.

Additional funds are used for bike-share programs, sidewalks, recreational trails, landscaping, and historical renovations.

Now, Trump doesn’t seem to be against cutting taxes that feed the Highway Trust Fund—he said he wants to subsidize all his planned building by selling infrastructure bonds, after all.

But the Republican candidate has repeatedly called for a national effort to repair roads and bridges beyond what many Republicans would deem kosher.

According to The Hill, Trump made a promise in June to “build the greatest infrastructure on the planet Earth—the roads and railways and airports of tomorrow.” Trump at the time also called for the rebuilding of “dilapidated airports,” a sentiment he echoed in the first presidential debate at Hofstra College on Sept. 26.

Image: A light rail station in Phoenix. Credit: RightBrainPhotography

Outside of building massive airports, road networks, and train stations, Trump’s campaign website doesn’t directly target any policies regarding future transportation. He’s called for a general “temporary pause on new regulations and a review of previous regulations to see which need to be scrapped,” which could, among many other things, impact the way the federal government regulates automakers or the shipping industry or any number of transportation-related government endeavors. The Republican candidate also said he would not support the Trans-Pacific Partnership (TPP)—a multi-national trade agreement that covers everything from intellectual property to tariffs in trade between countries.

Trump’s website specifically called out the auto industry as a potential victim of the TPP, saying the trade deal “will hammer the car industry because it does not resolve, among other things, the substantial non-tariff barriers to US cars being sold in Japan and other countries—including currency manipulation, excess supply, and closed dealerships." Trump’s plan does dovetail with Republicans in that it seeks to make gasoline cheaper. His website calls for a renewal of the Keystone Pipeline deal and claims that his “America First Energy Plan will bring down residential and transportation energy costs, leaving more money in for American families as they pay less each month on power bills and gasoline for cars.” Trump’s “America First Energy Plan” calls for increased oil and gas drilling, as well as increased coal mining in the US—a policy that would be disastrous for the planet according to every scientific endeavor to quantify and explain climate change, despite Trump's well-documented false claims that climate change is a hoax.

Johnson

Unlike the two top candidates, Libertarian Party candidate Gary Johnson has made very little mention of transportation infrastructure in his campaign. His website doesn’t mention it, and his campaign did not respond to our request for comment. Johnson, however, has been a vocal proponent of reducing taxes and reducing federal spending dramatically.
So it’s unlikely he’s interested in a massive federal bid to renew transportation infrastructure spending like Clinton or Trump. Johnson isn’t against technological progress itself, it seems.
In an August article by transhumanist writer Zoltan Istvan (who says he was on a short list to be Johnson’s running mate before Weld was chosen), Johnson said he welcomes the idea of driverless secret service cars (which would cut down on government staff in the form of chauffeurs, at least). Also unlike Clinton and Trump, Johnson seems to believe in a kind of privatization of transportation beyond making gas cheaper.

According to TechCrunch, the Libertarian candidate gushed this summer about so-called “car sharing,” saying that the US needs to “Uber everything.”

Stein

Green Party candidate Dr. Jill Stein unsurprisingly believes in a more collective vision of the future of transportation.
She also did not respond to Ars’ request for comments, but her website calls for a move to 100 percent renewable energy in the US by 2030, although her plan on how to get there is not detailed. Dr. Stein says she wants to “redirect research funds from fossil fuels into renewable energy and conservation,” and to “end all subsidies for fossil fuels and impose a greenhouse gas fee / tax to charge polluters for the damage they have created.” How Stein would pass such a radical gas tax increase when even moderate proposed increases over the last several decades have been killed in Congress is not explained. Stein also says she would enact what she calls a Green Deal (a spiritual successor to the New Deal, apparently), which would create “full employment” by opening up 20 million jobs in sustainable energy, mass-transit, and improved infrastructure building projects, among other service-related jobs.
Stein’s administration would also invest in “active transportation such as bike paths and safe sidewalks that dovetail with public transit.” How would Stein pay for all this? Her campaign suggests that investing in her full employment plan would increase income tax revenue for the government.

By combining this increased revenue with aggressively “cutting the bloated, dangerous military budget, and cutting private health insurance waste,” the government could pay for her mass transit plans.

The way of the future

Hillary Clinton’s plan to fund roads, aviation technology, and research relating to new transportation is probably the most coherent and realistic.

But without support in Congress, much of it could be wishful thinking.

Donald Trump’s platform lacks specifics, not only in how transportation infrastructure would be paid for, but also in what exactly he would prioritize if he had the money to do something.

Gary Johnson’s viewpoints may mesh well with Silicon Valley-types—less regulation of research and a stark reduction in taxes on startups would certainly benefit some players in the tech world. Jill Stein’s vision of 100 percent renewable energy by 2030 is laudable, but the office of President has historically required extensive compromise, and getting industry players already entrenched in non-renewable energy sources to play nice would be a stark challenge to her plan. Still, unless you work in some transportation-related industry, chances are you aren’t going to vote on the candidates’ transportation policies alone.

But knowing their attitudes toward a quickly-changing field that’s so dominated by technology, and being able to assess the coherence of their plans, might help an Ars reader feel more confident in their decision.

Pot, kettle, black: Dealerships say Tesla “misleading” consumers on car costs

Car dealerships complain that Tesla's site obfuscates pricing, confuses consumers.