Daily Tech Digest - February 25, 2017

EFF: Half of web traffic is now encrypted

Google played a significant role, having put pressure on websites to adopt HTTPS by beginning to use HTTPS as a signal in its search ranking algorithms. This year, it also ramped up the push towards HTTPS by marking websites that use HTTP connections for transmitting passwords and credit data as insecure. HTTPS, which encrypts data in transit and helps prevent a site from being modified by a malicious user on the network, has gained increased attention in recent years as users have woken up to how much of their web usage is tracked, and even spied on by their own government. Large-scale hacks have also generally made people more security-minded as well. A number of larger players on the web also switched on HTTPS in 2016, like WordPress.com which added support for HTTPS for all its custom domains, meaning the security and performance of the encryption technology became available every blog and website it hosted.

AI and Robotics Trends: Experts Predict

Many people fear losing their jobs to robots, but more than likely you will have a robot for a co-worker. Then again, if you've been in the workforce long enough, you've probably already had a robot for a co-worker, just in human form. "In 2017, we are seeing a growing emergence of robots designed to operate alongside people in everyday human environments. Autonomous service robots that assist workers in warehouses, deliver supplies in hospitals, and maintain inventory of items in grocery stores are emerging onto the market," said Sonia Chernova, assistant professor at Georgia Tech College of Computing. These systems need humans because one thing robotics researchers are still struggling with is robotic arms. There's no substitute for the human arm to pick things up and manipulate objects.

IT unbounded: The business potential of IT transformation

Creating an unbounded IT organization will require that CIOs think beyond their own experiences and domain expertise and begin viewing IT through a different operational and strategic lens. For example, they can take a look at the efficiency and effectiveness of current budgeting, portfolio planning, and vendor selection processes and try to identify procedural, administrative, and other constraints that can be eliminated. ... Likewise, they can help streamline their development processes by coming up with fresh approaches to testing, releasing, and monitoring newly deployed solutions. Important to development, IT organizations can work to replace bloated, inefficient skillset silos with nimble, multiskill teams that work in tandem with the business to drive rapid development of products from ideation all the way through to deployment.

Machine Learning-driven Firewall

A few days ago, I happened to come across a website called ZENEDGE which is offering AI driven web application firewall. I liked the concept and thought of making something similar and sharing it with the community. So, lets make one. The first thing to do was to find labelled data but the data I could find was quite old (2010). There is a website called SecRepo that has a lot of security related datasets. One of them was of http logs containing millions of queries. That was the dataset I wanted but it was not labelled. I used some heuristics and my previous knowledge of security to label the data set by writing a few scripts. After pruning the data, I wanted to collect some more malicious queries. Therefore, I went on for payloads and found some famous GitHub repositories containing Xss, SQL and other attack payloads and used all of them in my malicious queries dataset.

Bleeding clouds: Cloudflare server errors blamed for leaked customer data

According to Cloudflare, the problem could have started five months ago, on September 22, 2016. "The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests)," a blog post by Cloudflare's CTO, John Graham-Cumming, explains. In an email exchange, Cloudflare pointed Ormandy to the company bug bounty, which offers a reward of a t-shirt instead of financial compensation, leading Ormandy to speculate the company doesn't take the program seriously. As the disclosure deadline quickly approached, Cloudflare engineers worked around the clock to resolve the problem. Google has started removing cached copies of the leaked data, but other search engines are still holding some copies.

Is Your Industry at High Risk of Insider Threat?

In the movies, data theft is usually the work of outsiders. You’ve witnessed the scene a million times: A cyber thief breaks into a business, avoiding security measures, dodging guards and employees, and making off with a USB stick of valuable data seconds before he or she would have been spotted. But in the real world, data theft is much more mundane. Most cyberattacks are carried out by someone within the company or someone posing as such. Sometimes they take data that’s essentially harmless, like personal files they feel entitled to keep. Other times, what they take is potentially much more harmful. According to a 2016 report from Deloitte, 59 percent of employees who leave an organization say they take sensitive data with them! With IP making up 80 percent of a company’s value, insider threat is something that every company should take seriously.

Smart cities must be people-centered, equitable cities

The development of smart cities builds upon this strong historical foundation with a digital foundation that allows cities to function more efficiently, be more responsive to community members and ultimately create better, more equitable urban environments where people thrive. Cities are beginning to, and will continue to, integrate technological dynamism into municipal operations, from transportation to infrastructure repair and more. The back ends of these systems are not always apparent to the end user — but, as the integration of smart-city technology becomes more visible in our everyday lives, we will continue to see positive changes in our cities.

Report: Why the big challenges in AI aren't close to being solved

For most companies, the initial investment in AI comes in the form of a digital assistant or chat bot. These tools are often being offered free of charge, or folded into other core products, in order to generate and collect the data needed to strengthen the AI behind them. Digital assistant are "a good first yardstick of each ecosystem's competence in AI," the report said. AI is built on data, as is another product many people use everyday: Search engines. As such, it makes sense that companies like Google, Baidu, and Russia's Yandex are growing leaders in the AI space due to their focus on data-powered search. Under these leader, companies like Microsoft, Apple, and Amazon are also investing heavily in their own AI efforts as well.

What Will Tomorrow's Engineers Look Like?

To be sure, a good engineer is someone who has received solid scientific and technical training that allows him or her to devise a pertinent response to a problem, sometimes in a very short amount of time. An engineer must study a situation seriously, go out into the field to understand the facts and listen carefully to analyze phenomena and make improvements. An engineer is also someone who is not afraid of hard work, for more than ever, nothing is granted to anyone without effort. Work provides the opportunity to play a role and make a meaningful contribution to the community. However, as the digital revolution shows, in today's very open and rapidly changing world, an engineer also needs to demonstrate persistence, boldness, team spirit and leadership.

Doing Scrum with Multiple Teams: Comparing Scaling Frameworks

According to Craig Larman and Bass Vodde (the creators of LeSS) the primary rule of scaling agile is: don’t do it! If you have problems with: Cross team dependencies; Risks that affect several teams; and Scheduling of (coordinated) deliveries, you might need a scaling framework. If you can deal with these problems by re-arranging your teams and product structure, you are better off without one. If you can’t, please continue reading. All three frameworks start with cross-functional, self-organizing Scrum teams. The teams vertically slice requirements into the smallest possible increments that can be deployed independently. Teams are also expected to focus on technical excellence such as doing continuous integration and automated regression testing.

Quote for the day:

“Capital isn’t scarce; vision is.” -- Sam Walton

Daily Tech Digest - February 24, 2017

The Future of Serverless Compute

Serverless compute, or Functions-as-a-Service (FaaS), is a more recent part of this massive change in how we consider ‘IT’. It is the natural evolution of our continuing desire to remove all baggage and infrastructural inventory from how we deliver applications to our customers. A huge number of applications we develop consist of many small pieces of behavior. Each of those are given a small input set and informational context, will do some work for a few 10s or 100s of milliseconds, and finally may respond with a result and/or update the world around them. This is the sweet spot of Serverless compute. We predict that many teams will embrace FaaS due to how easy, fast and cheap it makes deploying, managing and scaling the infrastructure necessary for this type of logic.

Go-to People Considered Harmful

Dependency issues in social systems can take a variety of forms. One that comes easily to mind is what is referred to as the “bus factor” – how badly the team is affected if a person is lost (e.g. hit by a bus). Roy Osherove’s post from today, “A Critical Chain of Bus Factors”, expands on this. ... A particularly nasty effect of relying on go-to people is that it’s self-reinforcing if not recognized and actively worked against. People get used to relying on the specialist (which is, admittedly, very effective right up until the bus arrives) and neglect learning to do for themselves. Osherove suggests several methods to mitigate these problems: pairing, teaching, rotating positions, etc. The key idea being, spreading the knowledge around.

How to harden MySQL security with a single command

Chances are, your data center depends upon a MySQL database server or two. If that is the case, you'll want to make sure your databases are set up with an eye to security.Thankfully, MySQL offers a handy command that goes a very long way to improve the security of your MySQL installation. This single command will: update the password plugin; set a password for the root account (if one already exists, you can opt to keep it or change it); remove root accounts that are accessible from outside the local host; remove anonymous-user accounts; and remove the test database and privileges that permit anyone to access databases with names that start with test_. Although the above tasks aren't overly complicated, they are easily overlooked and, if you have a lot of databases, can be time-consuming.

The Rise in SSL-based Threats

The majority of Internet traffic is now encrypted. With the advent of free SSL providers like Let’s Encrypt, the move to encryption has become easy and free. On any given day in the Zscaler cloud, more than half of the traffic that is inspected uses SSL. It is no surprise, then, that malicious actors have also been using the SSL protocol in their activities over the last several years. The increasing use of SSL creates problems for organizations that are unable to monitor SSL traffic, as they must rely on less-effective techniques like IP and domain blocking in an attempt to identify and block threats. In this report, we will outline trends we have seen in the use of SSL in the malware lifecycle and in adware distribution, based on a review of traffic on the Zscaler cloud from August 2016 through January 2017.

How Far Are We From ‘True’ Artificial Intelligence – And Do We Really Want To Go There?

The question has ethical implications, particularly if we bring the controversial topic of consciousness into the equation. From a scientific viewpoint, consciousness is a state that arises when a biological brain interprets the flood of sensory input streaming in from the world around it, leading, somehow, to the conclusion that it exists as an entity. It’s not well understood at all – but most of us can conceive how this massive flood of images and sounds is interpreted through a biological neuro-network which leads to “thoughts” – and among those thoughts are concepts of individual existence such as “I am a human”, “I exist” and “I am experiencing thoughts”. So, it’s only a small step of logic to assume that machines will one day – perhaps soon, given how broad the stream of data they are capable of ingesting and processing is becoming – in some way experience this phenomena, too.

Let’s Sell and Buy Fair: How Not Asking for a Discount Can Save You Money

If we stop asking to get something cheaper, you’ll eventually at some point be presented with the proper fair pricing. If we stop asking for discounts, we’ll settle the deal a lot faster, without days and weeks of delay and that ultimately saves money as well. The time for email ping pong and conference calls is nowhere listed. It’s not on a single bill. If you talked about a deal for weeks or months, you probably lost a lot of your money on the way and didn’t save anything at all. Your time is a currency as well. What comes now is a theory, and I don’t recommend it to any kind of operations. Yet, you might find it disruptive or at least intriguing. The counter conception to fight discount business culture is to put a price increase to every bit of interaction that unnaturally extended the required work to get to closure.

Transforming companies must put cyber security front and center

When you hear the term ‘cyber security’, there’s a very good chance that, like many executives, you immediately think of one thing: an IT infrastructure challenge. Of course, a strong IT security infrastructure is a critical part of any cyber security program. However, it is not the only part. In a 2017 world, this traditional ‘defense-first’ mindset is too limited and can actually hinder your company’s long-term growth prospects. Indeed, there is another important element at play and that is the potential impact of cyber under-preparedness to your company’s future business growth. This is particularly true in a business environment in which so many companies are undertaking ambitious customer-focused transformation programs amid widespread technological disruption and competitive threats.

Embracing a Strategic Paradox

Creating solutions that meet conflicting needs can do more than resolve a political dilemma. Because they are built with Aeon’s unique blend of local and national capabilities in mind, the complexity of the solutions often deters imitation. The consensus solution, whether it involves designing stylish clothes for women living in a Japanese ski village or finding a way to turn a tiny available quantity of pears into a national product, tends to be one that can be executed well by Aeon but not easily copied by anyone else. Of course, resolving these conflicts requires ongoing work. Managing this built-in strategic paradox of pursuing both localization and nationwide standardization demands the continual attention of management.

Why government-driven digital transformation is a train wreck

This is basically the case with all of the major government-driven digital transformation initiatives around the world. Each is positioned as game changing and disruptive in terms of impact and immensely beneficial to the economy and citizens’ lives, but this has not been the case. What has happened to these once-noble initiatives is that all have been whipsawed by politics and politicians, and driven to failure by feckless bureaucrats and civil servants – with a number of contractors thrown in for good measure. This toxic mix of politics, fecklessness and incompetence has produced some major train wrecks in terms of cost-benefit analysis and positive societal impacts. The three most visible of these are in the UK, the US and Australia, and their fate is seen by many as a pre-cursor to others on the horizon.

Untangling an API-first Transformation at Scale.

Business capabilities represent the core, reusable building blocks that your business needs to support the business processes required to function. By defining your business capability taxonomy, you establish a shared language that can be used by all domains to describe the logical relationships in any given process. This serves as a stable, business-driven (not technology-driven) context in which to discuss solutions that, hopefully, remains relatively consistent over time. Is also provides a critical link between how the Business thinks about its investments and how Technology leverages them. In a small company, the set of capabilities is quite limited. Being highly resource constrained, you may build some core services that differentiate your business and leverage other service providers for generic things like messaging, identity, payments, etc.

Quote for the day:

"Be a yardstick of quality. Some people aren't used to an environment where excellence is expected." -- Steve Jobs

Daily Tech Digest - February 23, 2017

Here's why self-driving cars may never really be self-driving

The issue with self-driving vehicles extends well beyond safety; it's also a legal one. As autonomous vehicles gain in popularity, liability questions about who is to blame when an autonomous car crashes are also growing. If an autonomous car crashes, who is at fault? The driver -- even though the car was driving itself? The manufacturer? The developer who created the autonomous software? "Supposed I write a piece of software and it has an inherent flaw. It starts causing injuries and property damage. Am I protected? The answer is: Unlikely," said Michael Overly, a partner and intellectual property lawyer with Foley & Lardner LLP. "People whose property was damaged or they were injured would sue for negligence."

2017 Predictions For AI, Big Data, IoT, Cybersecurity, And Jobs From Senior Tech Executives

The recent success of deep learning in tasks such as image recognition and machine translation has served as a catalyst for investments in and experimentation with AI and Bill Franks, Chief Analytics Officer, Teradata, predicts that “Deep learning will move out of the hype zone and into reality.” Says Franks, sounding a note of caution: “Deep learning is getting massive buzz recently. Unfortunately, many people are once again making the mistake of thinking that deep learning is a magic, cure-all bullet for all things analytics. ... While deep learning will be in place at a large number of companies in the coming year, the market will start to recognize where it really makes sense and where it does not. By better defining where deep learning plays, it will increase focus on the right areas and speed the delivery of value.”

Insecure Android apps put connected cars at risk

While compromising connected car apps might not directly enable theft, it could make it easier for would-be thieves. Most such apps, or the credentials they store, can be used to remotely unlock the vehicle and disable its alarm system. "Also, the risks should not be limited to mere car theft," the Kaspersky researchers said in a blog post. "Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death." While manufacturers are rushing to add smart features to cars that are meant to improve the experience for car owners, they tend to focus more on securing the back-end infrastructure and the communications channels. However, the Kaspersky researchers warn that client-side code, such as the accompanying mobile apps, should not be ignored as it's the easiest target for attackers and most likely the most vulnerable spot.

Fighting the hidden enemy: how can your organisation combat cybercrime?

Administrative frameworks, however, can achieve only so much. When it comes to improving cybersecurity, employees also have a vital role to play. Again, there are two sides to this coin. One concerns the human vulnerabilities associated with cybercrime. As efficient as a firm’s cyber strategy might be, one simple mistake from an employee can render these defences futile. ... At the same time, any internal threats must be treated with this same level of vigilance. As a significant number of cyberattacks reported by organisations are actually carried out from within the company, it is not unreasonable to claim that many of these breaches could have been avoided, had employees been able to recognise that their colleague was stealing valuable information. Again using education as a resource, firms can promote a culture of self-regulation which allows rogue workers to be identified and reported before their efforts are successful.

Reinforcement learning

Reinforcement learning copies a very simple principle from nature. The psychologist Edward Thorndike documented it more than 100 years ago. Thorndike placed cats inside boxes from which they could escape only by pressing a lever. ... Reinforcement learning works because researchers figured out how to get a computer to calculate the value that should be assigned to, say, each right or wrong turn that a rat might make on its way out of its maze. Each value is stored in a large table, and the computer updates all these values as it learns. For large and complicated tasks, this becomes computationally impractical. In recent years, however, deep learning has proved an extremely efficient way to recognize patterns in data, whether the data refers to the turns in a maze, the positions on a Go board, or the pixels shown on screen during a computer game.

Data-related jobs see huge growth in January hirings

Data processing/hosting/related services also had a healthy January, posting 1,200 new jobs. That segment had been adding an average of 233 per jobs per month on average in 2016. Commenting on this segment, Foote noted that employers need to scale to stay competitive. “When they dig their heels into a solution that works, be it in cloud, security, big data, mobile, or digital technology, they tend to add headcount because they know these people will be making contributions for a long time to come,” Foote said. ... “Ideally each new hire must have a measurable impact on the business: they can’t just be a cost item for them. What will drive new job creation in 2017 will be hiring in niche areas such as big data and analytics, information/cyber security, cloud computing, and certain areas of applications development and software engineering like DevOps and digital product development.”

A hard drive's LED light can be used to covertly leak data

The latest hack leverages the LED activity light for the hard disk drive, which can be found on many servers and desktop PCs and is used to indicate when memory is read or written. The researchers found that with malware, they could control the LED light to emit binary signals by flashing on and off. That flickering could send out a maximum of 4,000 bits per second, or enough to leak out passwords, encryption keys and files, according to their paper. It's likely no one would notice anything wrong. "The hard drive LED flickers frequently, and therefore the user won't be suspicious about changes in its activity,” said Mordechai Guri, who led the research, in a statement. To read the signals from the LED light, all that’s needed is a camera or an optical sensor to record the patterns.

A Sweeter Spot for the CDO?

First of all kudos for a correct use of the term Venn Diagram Second I agree that the role of CDO is one which touches on many different areas. In each of these, while as Bruno says, the CDO may not need to be an expert, a working knowledge would be advantageous. Third I wholeheartedly support the assertion that a CDO who focusses primarily on compliance will fail to get traction. It is only by blending compliance work with the leveraging of data for commercial advantage in which organizations will see value in what a CDO does. Finally, Bruno’s diagram put me in mind of the one I introduced in The Chief Data Officer “Sweet Spot”. In this article, the image I presented touched each of the principle points of a compass. My assertion was that the CDO needed to sit at the sweet spot between respectively Data Synthesis / Data Compliance and Business Expertise / Technical Expertise. At the end of this piece,

The March Of Financial Services Giants Into Bitcoin And Blockchain Startups In One Chart

It should be noted, though, that consortia are not included on the chart below. One such example is R3 CEV, which counts a bevy of banks and insurers including Credit Suisse, JPMorgan and Deutsche Bank collaborating to advance ledger solutions and standards that meet banking requirements. R3 has hit a few bumps of late, with Goldman Sachs and Santander – among others – leaving the consortium in favor of private blockchain investments. Among the financial services investors are insurance providers such as TransAmerica, New York Life, and Mitsui Sumitomo Insurance Group (MSIG); payments giants including Visa, MasterCard, and American Express; as well as banks like Mitsubishi UFJ Financial Group (MUFG), Citi, Santander, and Canadian Imperial Bank of Commerce (CIBC).

Amid cyberattacks, ISPs try to clean up the internet

Even when ISPs send warning messages to users, what then? Not every PC user knows how to resolve a malware infection, Clayton said. For ISPs, it can also be a matter of cost. “Of course we want to see ISPs helping, but they are in a competitive market,” he said. “They are trying to cut their costs wherever they can, and talking to customers and passing on a message is not a cheap thing to do.” In addition, ISPs can’t identify every malicious cyberattack. Most hacking attacks masquerade as normal traffic and even ISP detection methods can occasionally generate errors, Clayton said. “If you have a 99 percent detection rate, in an academic paper, that sounds fantastic,” he said. “But that basically means one out of 100 times, you’ll be plain wrong.”

Quote for the day:

"If you don't make it easy for people to do the right thing, you're wasting money on security awareness." -- Angela Sasse