Your Holiday Shopping Could Get More Expensive, Thanks To UPS


If you were planning to do your holiday shopping from the comfort of home, scooping up bargains with a click, you should know that you may have to pay a little more this year since UPS is tacking on a holiday delivery surcharge during the busiest weeks of the year.

In a first for the delivery company, UPS will charge “Peak” rates during certain periods: Between Nov. 19 and Dec. 2, it’ll cost $0.27 per package for all ground shipments sent to residential addresses.

The surcharges then go away during the early December lull, but return with a vengeance for last-minute shoppers: Between Dec. 17-23, there’s a $.27 surcharge for ground shipments, $.81 for Next-Day Air, and a $.97 fee for two- or three-day delivery.

An extra $.27-$.97 per package might not seem like a lot at first, but retailers — who ship out thousands, sometimes millions — of packages via UPS during the holidays will be facing a choice: Add the fee to the customer’s bill, raise prices a bit (or not lower them as much), or eat the surcharge as a cost of doing business. This may be a particularly tough deal for online retailers who promise free ground shipping.

Extra large or super heavy packages will also incur peak surcharges between Nov. 19 and Dec. 23, in addition to normal surcharges applicable to those shipments.

The money UPS makes from these charges it can use to offset expenses for things like seasonal workers, additional delivery trucks, and other operational costs involved with surviving the holidays: During the 2016 holiday season, UPS’s average daily volume was more than 30 million packages on more than half of the available shipping days, the company says. To handle that volume, UPS hired about 95,000 seasonal employees to handle the peak shipping period.

Too much of the oncogene Bcl-3 leads to chronic intestinal diseases


Immune biology homes in on gene blockade

The protein Bcl-3 (red) leads to chronic intestinal diseases

Researchers at the University Medical Center of Johannes Gutenberg University Mainz and the German Research Center for Environmental Health, Helmholtz Zentrum München have discovered that too much of the oncogene Bcl-3 leads to chronic intestinal diseases. They describe in Nature Communications exactly how it throws the immune system off-balance.

Chronic intestinal disorders such as ulcerative colitis and Crohn’s disease are caused by the body’s own immune defense system. Sufferers frequently experience episodic symptoms such as abdominal pain, cramps, and diarrhea. Researchers are still trying to identify the precise underlying origins of these problems. A team led by Dr. Nadine Hövelmeyer and Professor Ari Waisman of the Mainz University Medical Center in collaboration with Dr. Elke Glasmacher of Helmholtz Zentrum München has discovered a new mechanism that causes intestinal inflammation.

"With the help of our cooperation partners, we were able to demonstrate that the level of the Bcl-3 protein, which also plays a role in the development of various cancerous diseases, is elevated in the intestinal tract of colitis patients and is indeed a trigger of the disease," said Dr. Nadine Hövelmeyer, head of the work group at the Mainz-based Institute for Molecular Medicine. According to the study, Bcl-3 develops its effect on intestinal health through interaction with the so-called regulatory T-cells (Tregs). Their main task is to prevent overreaction of the immune system and to develop a level of tolerance towards the body they serve.

Gene blockade in the spotlight

"We were able to demonstrate that Bcl-3 suppresses the activation of Tregs by preventing the necessary genes from being read," explained Dr. Elke Glasmacher, head of the team at the Institute for Diabetes and Obesity in Munich. "Bcl-3 interacts with the transcription factor p50, which is otherwise responsible for activation, and blocks it."

"Consequentially, the regulatory T-cells remain passive, the immune system is no longer regulated, and inflammatory processes begin to take place. Experiments using various models have revealed that elevated quantities of Bcl-3 cause certain cells to migrate to the intestines, where they trigger a severe inflammatory response," Dr. Sonja Reissig, lead author of the publication and research associate at Mainz University Medical Center, pointed out.

"The results represent a major contribution towards our understanding of chronic intestinal inflammation and hopefully over the long-term will help us discover aspects that we can target with new therapies," concluded Hövelmeyer. Her colleague Professor Ari Waisman, Director of the Institute for Molecular Medicine at the Mainz University Medical Center, added: "We are currently focusing on the search for new active agents that will prevent the interaction between Bcl-3 and p50, thus maintaining normal Treg functionality."

Original publication:
Reissig, S. et al. (2017): Bcl-3 Inhibits NF-κB Gene Activity in Regulatory T cells and Modulates their Suppressive Capacity. Nature Communications, DOI: 10.1038/NCOMMS15069

Caption: The protein Bcl-3 (red) leads to chronic intestinal diseases. Source: Mainz University Medical Center

Contact Mainz University Medical Center:
Professor Dr. Ari Waisman, Director of the Institute for Molecular Medicine at the Mainz University Medical Center, phone +49 6131 17-9129, fax +49 6131 17-9039, e-mail:  waisman@uni-mainz.de

Dr. Nadine Hövelmeyer, Group leader at the Institute for Molecular Medicine at the Mainz University Medical Center, phone +49 6131 17-9205, fax +49 6131 17-9039,
e-mail:  hoevelme@uni-mainz.de

Contact Helmholtz Zentrum München:
Dr. Elke Glasmacher, German Research Center for Environmental Health, Helmholtz Zentrum München, Institute for Diabetes and Obesity, Ingolstädter Landstr. 1, 85764 Neuherberg, phone +49 89 3187 2038, e-mail:  elke.glasmacher@helmholtz-muenchen.de

Press contact Mainz University Medical Center:
Barbara Reinke, Press and Public Relations, Mainz University Medical Center,
phone +49 6131 17-7428, fax +49 6131 17-3496, e-mail:  pr@unimedizin-mainz.de

Press contact Helmholtz Zentrum München:
Communication Department, German Research Center for Environmental Health,
Helmholtz Zentrum München, Ingolstädter Landstr. 1, 85764 Neuherberg, phone +49 89 3187-2238,
e-mail:  presse@helmholtz-muenchen.de

About the University Medical Center of Johannes Gutenberg University Mainz
The University Medical Center of Johannes Gutenberg University Mainz is the only medical facility providing supramaximal care in Rhineland-Palatinate while also functioning as an internationally recognized hub of medical science. It has more than 60 clinics, institutes, and departments that collaborate across the various disciplines. Highly specialized patient care, research, and teaching form an integral whole at the Mainz University Medical Center. Approximately 3,300 students are trained in medicine and dentistry in Mainz. With its approximately 7,500 personnel, the Mainz University Medical Center is also one of the largest employers in the region and an important driver of growth and innovation. Further information is available online at www.unimedizin-mainz.de

As the German Research Center for Environmental Health, Helmholtz Zentrum München pursues the goal of developing personalized medicine for the diagnosis, treatment and prevention of wide-spread common disorders such as diabetes mellitus and pulmonary diseases. For this purpose, it conducts research at the points where genetics, environmental factors and lifestyle interact. The center is headquartered in Neuherberg in the north of Munich. Helmholtz Zentrum München employs around 2,300 staff and is a member of the Helmholtz Association, a union of 18 scientific-technical and biological-medical research centers with around 37,000 personnel. www.helmholtz-muenchen.de

The Institute for Diabetes and Obesity (IDO) adopts systems biology and translational approaches to investigate the mechanisms involved in metabolic syndrome. Cellular systems, genetically modified mouse models and clinical intervention studies are employed in order to identify new signal routes and target structures. The goal is the interdisciplinary development of innovative therapeutic approaches to the personalized prevention and treatment of obesity, diabetes and concomitant diseases. The IDO is a part of the Helmholtz Diabetes Center (HDC). www.helmholtz-muenchen.de/ido


Elk Grove Village plans to opt out of Cook County minimum wage law

Elk Grove Village plans to opt out of a Cook County ordinance raising the minimum wage and requiring sick-leave time.

Pet expo begins at Arlington Park

The 25th annual Chicagoland Family Pet Expo opened Friday and runs through Sunday at Arlington Park in Arlington Heights.

Password Rules Are Bullshit


Of the many, many, many bad things about passwords, you know what the worst is? Password rules.

Let this pledge be duly noted on the permanent record of the Internet. I don't know if there's an afterlife, but I'll be finding out soon enough, and I plan to go out mad as hell.

The world is absolutely awash in terrible password rules:

But I don't need to tell you this. The more likely you are to use a truly random password generation tool, like us über-geeks are supposed to, the more likely you have suffered mightily – and daily – under this regime.

Have you seen the classic XKCD about passwords?

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

We can certainly debate whether "correct horse battery staple" is a viable password strategy or not, but the argument here is mostly that length matters.

That's What She Said

No, seriously, it does. I'll go so far as to say your password is too damn short. These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.

So then perhaps we have one rule, that passwords must not be short. A long password is much more likely to be secure than a short one … right?

What about this four character password?

✅🐎🔋🖇️

What about this eight character password?

正确马电池订书钉

Or this (hypothetical, but all too real) seven character password?

You may also be surprised, if you paste the above four Unicode emojis into your favorite login dialog (go ahead – try it), to discover that it … isn't in fact four characters.

Oh dear.

"💩".length === 2

Our old pal Unicode strikes again.

As it turns out, even the simple rule that "your password must be of reasonable length" … ain't necessarily so. Particularly if we stop thinking like Ugly ASCII Americans.

And what of those nice, long passwords? Are they always secure?

aaaaaaaaaaaaaaaaaaa
0123456789012345689
passwordpassword
usernamepassword

Of course not, because have you met any users lately?

I changed all my passwords to

They consistently ruin every piece of software I've ever written. Yes, yes, I know you, Mr. or Ms. über-geek, know all about the concept of entropy. But expressing your love of entropy as terrible, idiosyncratic password rules …

  • must contain uppercase
  • must contain lowercase
  • must contain a number
  • must contain a special character

… is a spectacular failure of imagination in a world of Unicode and Emoji.

As we built Discourse, I discovered that the login dialog was a remarkably complex piece of software, despite its surface simplicity. The primary password rule we used was also the simplest one: length. Since I wrote that, we've already increased our minimum password default length from 8 to 10 characters. And if you happen to be an admin or moderator, we decided the minimum has to be even more, 15 characters.

I also advocated checking passwords against the 100,000 most common passwords. If you look at 10 million passwords from data breaches in 2016, you'll find the top 25 most used passwords are:

123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321
qwertyuiop
mynoob
123321
666666
18atcskd2w
7777777
1q2w3e4r
654321
555555
3rjs1la7qe
google
1q2w3e4r5t
123qwe
zxcvbnm
1q2w3e

Even this data betrays some ASCII-centrism. The numbers are the same in any culture I suppose, but I find it hard to believe the average Chinese person will ever choose the passwords "password", "qwertyuiop", or "mynoob". So this list has to be customizable, localizable.

(One interesting idea is to search for common shorter password matches inside longer passwords, but I think this would cause too many false positives.)

If you examine the data, this also turns into an argument in favor of password length. Note that only 5 of the top 25 passwords are 10 characters, so if we require 10 character passwords, we've already reduced our exposure to the most common passwords by 80%. I saw this originally when I gathered millions and millions of leaked passwords for Discourse research, then filtered the list down to just those passwords reflecting our new minimum requirement of 10 characters or more.

It suddenly became a tiny list. (If you've done similar common password research, please do share your results in the comments.)

I'd like to offer the following common sense advice to my fellow developers:

1. Password rules are bullshit

  • They don't work.
  • They heavily penalize your ideal audience, people that use real random password generators. Hey guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
  • They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
  • They are often wrong, in the sense that the rules chosen are grossly incomplete and/or insane, per the many shaming links I've shared above.
  • Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".

2. Enforce a minimum Unicode password length

One rule is at least easy to remember, understand, and enforce. This is the proverbial one rule to bring them all, and in the darkness bind them.

  • It's simple. Users can count. Most of them, anyway.
  • It works. The data shows us it works; just download any common password list of your choice and group by password length.
  • The math doesn't lie. All other things being equal, a longer password will be more random – and thus more secure – than a short password.
  • Accept that even this one rule isn't inviolate. A minimum password length of 6 on a Chinese site might be perfectly reasonable. A 20 character password can be ridiculously insecure.
  • If you don't allow (almost) every single unicode character in the password input field, you are probably doing it wrong.
  • It's a bit of an implementation detail, but make sure maximum password length is reasonable as well.

3. Check for common passwords

As I've already noted, the definition of "common" depends on your audience, and language, but it is a terrible disservice to users when you let them choose passwords that exist in the list of 10k, 100k, or million most common known passwords from data breaches. There's no question that a hacker will submit these common passwords in a hack attempt – and it's shocking how far you can get, even with aggressive password attempt rate limiting, using just the 1,000 most common passwords.

  • 1.6% have a password from the top 10 passwords
  • 4.4% have a password from the top 100 passwords
  • 9.7% have a password from the top 500 passwords
  • 13.2% have a password from the top 1,000 passwords
  • 30% have a password from the top 10,000 passwords

Lucky you, there are millions and millions of real breached password lists out there to sift through. It is sort of fun to do data forensics, because these aren't hypothetical synthetic Jack the Ripper password rules some bored programmer dreamed up, these are real passwords used by real users.

Do the research. Collect the data. Protect your users from themselves.

4. Check for basic entropy

No need to get fancy here; pick the measure of entropy that satisfies you deep in the truthiness of your gut. But remember you have to be able to explain it to users when they fail the check, too.

entropy visualized

I had a bit of a sad when I realized that we were perfectly fine with users selecting a 10 character password that was literally "aaaaaaaaaa". In my opinion, the simplest way to do this is to ensure that there are at least (x) unique characters out of (y) total characters. And that's what we do as of the current beta version of Discourse. But I'd love your ideas in the comments, too. The simpler and clearer the better!

5. Check for special case passwords

I'm embarrassed to admit that when building the Discourse login, as I discussed in The God Login, we missed two common cases that you really have to block:

  • password equal to username
  • password equal to email address

🤦 If you are using Discourse versions earlier than 1.4, I'm so sorry and please upgrade immediately.

Similarly, you might also want to block other special cases like

  • password equal to URL or domain of website
  • password equal to app name

In short, try to think outside the password input box, like a user would.

🔔 Clarification

A few people have interpreted this post as "all the other password rules are bullshit, except these four I will now list." That's not what I'm trying to say here.

The idea is to focus on the one understandable, simple, practical, works-in-real-life-in-every-situation rule: length. Users can enter (almost) anything, in proper Unicode, provided it's long enough. That's the one rule to bind them all that we need to teach users: length!

Items #3 through #5 are more like genie-special-exception checks, a you can't wish for infinite wishes kind of thing. It doesn't need to be discussed up front because it should be really rare. You must stop users from having passwords that equal their username, or aaaaaaaaaaa or 0123456789, but only as post-entry checks, not as rules that need to be explained in advance.

So TL;DR: one rule. Length. Enter whatever you want, just make sure it's long enough to be a reasonable password.
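The Unicode length quirk and the five points above, as an added example in JavaScript (not code from the post or from Discourse): one up-front rule, length counted in code points rather than UTF-16 units, followed by post-entry checks against a common-password list, a distinct-character floor, and the username/email/site special cases. The thresholds, the `ctx` fields and the repeated-chunk check (which generalizes the "passwordpassword" case to any period) are my assumptions.

```javascript
// Added example, not code from the post or from Discourse: a password check
// built on the post's rules. The one rule users are told up front is length,
// counted in Unicode code points rather than UTF-16 units; the rest are
// post-entry rejections (common list, low character diversity, special cases).
// Thresholds are assumptions: 10 chars (15 for staff), 6 distinct chars, 128 max.

// Constructed stand-in for a breached-password list (the post's top 25). A real
// deployment loads the 10k/100k list for the site's audience and language.
const COMMON_PASSWORDS = new Set([
  "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
  "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
  "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
  "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm", "1q2w3e",
]);

const DEFAULTS = { minLength: 10, staffMinLength: 15, minUnique: 6, maxLength: 128 };

// "💩".length is 2 because JavaScript strings are UTF-16 and the emoji is a
// surrogate pair. Array.from iterates by code point, so the user's idea of
// "one character" is what gets enforced. (Intl.Segmenter, where available,
// would go further and count grapheme clusters such as emoji + variation
// selector as one.)
function charLength(s) {
  return Array.from(s).length;
}

// True when the whole password is one short chunk repeated, e.g. "abcabcabc".
// Assumed extension of the post's "passwordpassword" example to any period.
function isRepeatedPattern(chars) {
  for (let p = 1; p <= chars.length / 2; p++) {
    if (chars.length % p !== 0) continue;
    let repeats = true;
    for (let i = p; i < chars.length; i++) {
      if (chars[i] !== chars[i - p]) { repeats = false; break; }
    }
    if (repeats) return true;
  }
  return false;
}

// ctx: { username, email, siteDomain, appName, staff } (all optional, assumed).
// Returns { ok: true } or { ok: false, reason }, where reason is the message
// shown to the user on rejection.
function checkPassword(password, ctx = {}, opts = DEFAULTS) {
  // Rule 2: minimum (and sane maximum) length in code points.
  const chars = Array.from(password.normalize("NFC"));
  const min = ctx.staff ? opts.staffMinLength : opts.minLength;
  if (chars.length < min) {
    return { ok: false, reason: `too short: ${chars.length} of ${min} characters` };
  }
  if (chars.length > opts.maxLength) {
    return { ok: false, reason: `too long: limit is ${opts.maxLength} characters` };
  }
  const lower = chars.join("").toLowerCase();

  // Rule 3: known common passwords (compared case-insensitively).
  if (COMMON_PASSWORDS.has(lower)) return { ok: false, reason: "too common" };

  // Rule 4: basic entropy, x distinct characters out of y, plus repeated chunks.
  const distinct = new Set(chars).size;
  if (distinct < opts.minUnique) {
    return { ok: false, reason: `only ${distinct} distinct characters, need ${opts.minUnique}` };
  }
  if (isRepeatedPattern(chars)) return { ok: false, reason: "repeated pattern" };

  // Rule 5: special cases that equal something tied to the account or site.
  const special = [ctx.username, ctx.email, ctx.siteDomain, ctx.appName]
    .filter(Boolean)
    .map((v) => v.normalize("NFC").toLowerCase());
  if (special.includes(lower)) {
    return { ok: false, reason: "must not equal your username, email, or the site name" };
  }
  return { ok: true };
}
```

Only the length failure is a rule users need to see in advance; the other reasons are only ever shown after a rejected entry, which is the split the clarification above describes.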

GreenChange
103 days ago
At my previous employer, they used to give you a prize (just a lolly) when you first started, if you could pick a password that passed the stupid rules restrictions on the first try. Hardly anyone ever did it, even though the rules were listed clearly!
3 public comments
chrisminett
107 days ago
We need to check the last points (username, app name)
Milton Keynes, UK
wmorrell
109 days ago
True story: work wants to roll out Microsoft Office 365, and I was one of the first trial users. I got a post-it with an 8 character password from the IT grunt tapped to be the AD admin. As is my habit, I immediately changed the password with a random one created by a password manager. The password was 20 characters. The change password form accepts the new password and prints a happy "password changed!" message. I log out, then try to log back in; the login page then informs me that the maximum … *maximum* password length is 16 characters and rejects my login. Okay … truncate it to 16, maybe the change form cut it off. Login fails. Go back to IT grunt to get a password reset, get a new 8-character password. Login fails. Reset again. Be very careful copying down password, very careful entering it back in. Login fails.
So, it turns out that there is no length validation on Office 365 password change forms, and going over the 16-character minimum mentioned nowhere on the page will *permanently* lock your account. 👍
expatpaul
108 days ago
Why is there even an upper limit? If the password is properly salted and hashed then only the hash should matter.
wmorrell
108 days ago
From what I found, it is some backward-compatible dependency thing with Active Directory syncing, which Microsoft has not cared enough about to fix. Possibly something with early Windows versions storing passwords as reversible hashes, and definitions of the protocols for remote logins defining a now-too-short field for passwords. The limitation could have made sense in the early 1990s, but then got carried forward far too long, and we are still stuck with it 25 years later.
expatpaul
108 days ago
Ah, I can see how that would happen. In my experience, many of the problems with Windows can be traced to poor early implementation that was never (or becomes increasingly difficult to) fix.
expatpaul
109 days ago
Possibly the worst password rule is the one that demands you change your password on a regular basis. Either people will start writing down their passwords, or come up with a pattern that ensures their passwords are always easy to guess.
Belgium
wffurr
109 days ago
What's wrong with writing down passwords? A written copy is extremely useful, if you secure it the same way you do your money and credit cards, i.e. carry it in your pocket.
expatpaul
109 days ago
Point taken, wffurr. I was thinking more about the corporate environment which is where I usually see mad password rules like these. The number of times I have seen passwords on post-it notes, which are stuck somewhere convenient, is quite frightening.
expatpaul
109 days ago
That said, the best approach is to use a password manager to store randomly generated passwords. Of course, my current employer bans the use of password managers.
HarlandCorbin
109 days ago
Must change password every 21 days. Cannot reuse last 50 passwords. **These** rules make my passwords less secure than they could be. I have given up generating passwords that I can reasonably type that follow the rules. I mean, 21 days?!?
expatpaul
108 days ago
21 days? Ouch! The worst I saw was every 30 days, and I know a number of people using a combination of month and year for their password.
HarlandCorbin
108 days ago
And the new password can only have (IIRC) one point of similarity with the previous one.
expatpaul
108 days ago
That's just painful. It's rules like that which are just asking everyone to write their password on the nearest available post-it note.
Aatch
108 days ago
That's weirdly strict. We have a change every 90 days and you can't use your last 2 passwords. That's it. Simple enough to rotate a handful of passwords 4 times a year.
chrisrosa
108 days ago
this one drives me crazy. the damn auditors eat password expiry up and are always pushing for less time. total bs.
mareino
108 days ago
There is a government personnel website I've used where (1) the average user logs in about 2x/year, (2) the password resets monthly.
WorldMaker
104 days ago
The NIST guidelines link in the post also strongly recommend against arbitrary password expiration. I sent the NIST document to my corporate IT when they changed password expiration rules just recently. It hasn't impacted any change, but at least I tried to talk sense to power.
expatpaul
103 days ago
@WorldMaker: I'm impressed that you tried to talk sense, but the main problem with large corporations is that they tend to adopt a checkbox approach to these things. People have to prove that they are doing _something_ about security; no-one ever asks whether what they are doing is actually useful.
WorldMaker
102 days ago
@expatpaul: Arguably as a software developer a part of my role is to evaluate and better the company's software. Even if that just means writing a ticket every few weeks to try to argue true industry best practices against fads and security theater. Of course, without a CTO title they don't have to listen to me, but I can hope they might at least read it. Even if they are hearing stupid crap from outside security consultants and terrible software vendors that should be destroyed for the betterment of the corporate world like Oracle. The only way we might see change is to keep talking sense to power and hope someone listens or promotes us until they have to listen.
chrisrosa
102 days ago
As long as companies want to do business with companies that require SOC2, HIPAA, SOX, etc. (not to mention their own compliance BS), it doesn't really matter. At least NIST is on board.

Study Links Depression With Gut Bacteria Imbalance


The future of depression treatment might be chilling in the dairy case. A study published this week in Nature Scientific Reports finds that beneficial bacteria commonly found in yogurt can help relieve depression-like symptoms in mice.

Over the last few decades, scientists have begun exploring the connections between our brains and all the microbes that live on and inside our bodies, and they've learned that those little microbes have an awful lot of power. Some studies have shown that bacterial imbalances can affect nervous system function, while others have suggested that people with bacterial imbalances may be more prone to anxiety and depression.

To test these hypotheses, researchers at the University of Virginia decided to begin at the overlap between the nervous system and mood: stress. Stress increases depression risk; it also affects, and is affected by, the function of the nervous system.

The scientists began by collecting a group of unlucky mice and subjecting them to a variety of intense stressors. Some were kept in crowded cages; others had to sit under strobe lights or listen to loud noises. Predictably, the stressful situations took a toll, and the mice began exhibiting what the researchers called “despair behavior.”

The researchers collected poop samples from the mice before and after the stress sessions, then ran genetic analyses to determine the species and quantities of bacteria living in each mouse’s gut. The results showed that the stress resulted in a pretty significant drop in a microbe called Lactobacillus—the same type of so-called "good" bacteria found in yogurt.

But the rodents’ despair would not prove permanent. The researchers began giving the mice small doses of Lactobacillus with their meals, and, over time, their symptoms resolved.

Image caption: Lead author Alban Gaultier. Image Credit: Josh Barney | University of Virginia Health System

"This is the most consistent change we've seen across different experiments and different settings we call microbiome profiles," co-author Ioana Marin said in a statement. "This is a consistent change. We see Lactobacillus levels correlate directly with the behavior of these mice."

The team hopes to take their experiments into the human body next. Lead author Alban Gaultier said he has “big hope” that probiotics could someday augment or even replace side-effect–heavy antidepressant drugs. “It would be magical just to change your diet,” he said, “to change the bacteria you take, and fix your health—and your mood.”

March 10, 2017 - 10:30am