Daily Tech Digest - November 13, 2018

Colmena, an Architecture for Highly-Scalable Web Services

Cells are self-contained services that follow the hexagonal architecture. Each cell: Has a clear purpose and responsibility; Has some internal domain that represents, validates and transforms the cell’s state; Relies on a series of interfaces to receive input from (and send output to) external services and technologies; Exposes a public API (a contract stating what it can do). You can think of cells as very small microservices. In fact, we encourage you to try to make your cells as small as possible. In our experience, granulating your domain around entities and relationships helps you understand, test and maintain the codebase in the long run. In Colmena, changes to the domain are represented as a sequence of events. This sequence of events is append-only, as events are immutable (they are facts that have already taken place). In event sourcing, this sequence is called a “Source of truth”, and it provides: An audit log of all the actions that have modified the domain; The ability for other components (in the same or different cells) to listen to certain events and react to them.
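An added illustration (not code from the Colmena project) of the event-sourced cell described above, in Python: a hypothetical "wallet" domain whose only stored state is an append-only list of immutable events, replayed to produce the current state, with listeners reacting to event kinds. The WalletCell and Event names and the wallet rules are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple
import itertools


@dataclass(frozen=True)
class Event:
    """An immutable fact that has already taken place."""
    seq: int
    kind: str
    payload: Tuple[Tuple[str, object], ...]   # frozen key/value pairs

    def get(self, key: str):
        return dict(self.payload)[key]


class WalletCell:
    """A tiny Colmena-style cell (hypothetical 'wallet' domain, an assumption).

    Public API: open(), deposit(), withdraw(), balances(), audit_log().
    Domain rules are enforced before an event is appended; the append-only
    event list is the only stored state, so it is also the audit log.
    """

    def __init__(self) -> None:
        self._events: List[Event] = []
        self._listeners: Dict[str, List[Callable[[Event], None]]] = {}
        self._seq = itertools.count(1)

    # ---- event-sourcing core ------------------------------------------
    def _append(self, kind: str, **payload) -> Event:
        ev = Event(next(self._seq), kind, tuple(sorted(payload.items())))
        self._events.append(ev)            # append-only; events are never edited
        for cb in self._listeners.get(kind, []):
            cb(ev)                         # other components react to the fact
        return ev

    def subscribe(self, kind: str, callback: Callable[[Event], None]) -> None:
        self._listeners.setdefault(kind, []).append(callback)

    def audit_log(self) -> Tuple[Event, ...]:
        return tuple(self._events)

    def balances(self) -> Dict[str, int]:
        """Current state is always derived by replaying the source of truth
        (a real cell would cache this projection instead of re-folding)."""
        return _fold(self._events)

    # ---- public API (the cell's contract) -----------------------------
    def open(self, owner: str) -> Event:
        if owner in self.balances():
            raise ValueError(f"wallet {owner!r} already exists")
        return self._append("WalletOpened", owner=owner)

    def deposit(self, owner: str, amount: int) -> Event:
        if amount <= 0 or owner not in self.balances():
            raise ValueError("invalid deposit")
        return self._append("Deposited", owner=owner, amount=amount)

    def withdraw(self, owner: str, amount: int) -> Event:
        # Domain validation runs against replayed state; a rejected command
        # leaves no trace in the log because no fact occurred.
        if amount <= 0 or self.balances().get(owner, 0) < amount:
            raise ValueError("insufficient funds")
        return self._append("Withdrawn", owner=owner, amount=amount)

    @classmethod
    def rebuild(cls, events: Iterable[Event]) -> "WalletCell":
        """Another cell (or a restarted one) rebuilds its state from the log."""
        cell = cls()
        cell._events = list(events)
        cell._seq = itertools.count(len(cell._events) + 1)
        return cell


def _fold(events: Iterable[Event]) -> Dict[str, int]:
    """Pure reducer: replay events in order to produce the current balances."""
    balances: Dict[str, int] = {}
    for ev in events:
        owner = ev.get("owner")
        if ev.kind == "WalletOpened":
            balances[owner] = 0
        elif ev.kind == "Deposited":
            balances[owner] += ev.get("amount")
        elif ev.kind == "Withdrawn":
            balances[owner] -= ev.get("amount")
    return balances


def demo() -> Tuple[Dict[str, int], int, List[str]]:
    """Run the cell once; returns (balances, audit length, listener notices)."""
    notices: List[str] = []
    cell = WalletCell()
    cell.subscribe("Withdrawn", lambda ev: notices.append(
        f"#{ev.seq} {ev.get('owner')} withdrew {ev.get('amount')}"))
    cell.open("alice")
    cell.deposit("alice", 100)
    cell.withdraw("alice", 30)
    try:
        cell.withdraw("alice", 500)        # rejected by the domain, no event
    except ValueError:
        pass
    replica = WalletCell.rebuild(cell.audit_log())
    assert replica.balances() == cell.balances()
    return cell.balances(), len(cell.audit_log()), notices


if __name__ == "__main__":
    print(demo())
```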

How Millennials Should View the World of Data Science

So to summarize, here is what I feel MBA students (and business leaders) need to understand about the growing capabilities and power of Data Science: Data Science is a team sport that equally includes data engineers (who gather and prepare and enrich the data for advanced analytics), data scientists (who build analytic models that codify cause and effect and measure “goodness of fit”), and business stakeholders; Embrace the “Thinking Like A Data Scientist” approach in order to determine what problems to target with data science and how to apply the resulting customer, product and operational insights to derive and drive business value; Understand how to collaborate with the data science team around the Hypothesis Development Canvas that cements the relationship between the organization’s business strategy and specific AI and Machine Learning efforts; and Gain a high-level understanding of “what” advanced analytic capabilities, such as deep learning, machine learning and reinforcement learning, can do in uncovering customer, product and operational insights buried in the organization’s data.

Internet Explorer scripting engine becomes North Korean APT's favorite target in 2018

Microsoft became well aware of this component's security flaws many years ago. That's why, in July 2017, Microsoft announced that it was disabling the automatic execution of VBScript code in the latest IE version that was included with the Windows 10 Fall Creators Update, released in the fall of last year. That change meant that hackers couldn't use VBScript code to attack users via Internet Explorer in Windows 10. Microsoft also promised patches to disable VBScript code execution in IE versions on older Windows releases. That change stopped many cybercrime operations, but DarkHotel seems to have adapted to Microsoft's recent VBScript deprecation announcement. According to reports, DarkHotel apparently opted to use VBScript exploits embedded inside Office documents and did not target Internet Explorer users via the browser directly.

AMD continues server push, introduces Zen 2 architecture

As part of the news conference, AMD acknowledged that Zen 4 is “in design,” meaning still on paper. Given Zen 3 is due in 2020, don’t figure on seeing Zen 4 until 2022 or so. Beyond that, the company said only that it would offer higher performance and performance per watt when compared to prior generations. It’s been a good few weeks for AMD and EPYC. Last week, Oracle announced it would offer bare-metal instances on Epyc, and today Amazon Web Services (AWS) announced that Amazon Elastic Compute Cloud (EC2) will use Epyc CPUs, as well, so customers can get access today to instances running on the AMD processors. Intel noted that it, too, has an extensive relationship with AWS. So, now AMD has license deals with all of the major server vendors (HPE, Dell, Lenovo, Cisco) and almost all of the major cloud vendors. It had previously announced deals with Microsoft Azure and China’s Baidu and Tencent.

A foundational strategy pattern for analysis: MECE

MECE, pronounced "mee-see," is a tool created by the leading business strategy firm McKinsey. It stands for "mutually exclusive, collectively exhaustive," and dictates the relation of the content, but not the format, of your lists. Because of the vital importance of lists, this is one of the most useful tools you can have in your toolbox. The single most important thing you can do to improve your chances of making a winning technology is to become quite good at making lists. Lists are the raw material of strategy and technology architecture. They are the building blocks, the lifeblood. They are the foundation of your strategy work. And they are everywhere. Therefore, if they are weak, your strategy will crumble. You can be a strong technologist, have a good idea, and care about it passionately. But if you aren’t practically perfect at list-making, your strategy will flounder and your efforts will fail. That’s because everything you do as you create your technology strategy starts its life as a list, and then blossoms into something else.

Many firms need more evidence of full benefits of artificial intelligence

Much of executives’ enthusiasm is justified. AI is already being deployed in a range of arenas, from digital assistants and self-driving cars to predictive analytics software providing early detection of diseases or recommending consumer goods based on shopping habits. A recent Gartner study finds that AI will generate $1.2 trillion in business value in 2018—a striking 70 percent increase over last year. According to Gartner, the number could swell to close to $4 trillion by 2022. This dramatic growth is likely reinforcing the perception among executives that such technologies can transform their respective industries. When looking at the external environment, encompassing economic, political, social, and other external developments that affect business, one-third of executives flagged positive technological disruption in their industry as a top opportunity.

Cylance researchers discover powerful new nation-state APT

The malware didn't just evade antivirus detection, however, it let itself be discovered by different antivirus vendors on preprogrammed dates, likely as a distraction tactic. "What we've got here in this case is a threat actor who has figured out how to determine what antivirus is running on your system and deliberately trigger it in an attempt to distract you," Josh Lemos, vice president of research and intelligence at Cylance, says. "That should be concerning organizations outside of Pakistan." Kill switches in malware have been seen before, such as in Stuxnet, but Cylance researchers say they've rarely seen a campaign that deliberately surrenders itself to investigators in this manner. "The White Company...wanted the alarm to sound," their report concluded. "This diversion was likely to draw the target's (or investigator's) attention, time and resources to a different part of the network. Meanwhile, the White Company was free to move into another area of the network and create new problems."

Firms lack responsible exec for cyber security

According to the report, although more people see the need for regular boardroom discussions about security, their organisations are failing to raise it sufficiently at the C-suite level. While 80% of all survey respondents agree that preventing a security attack should be a regular boardroom agenda item (up from 73% a year ago) only 61% say that it already is, which represents an increase of just 5% on last year. The report also suggests this lack of cohesion at the top of the organisation means that many are struggling to secure their most important digital assets. Fewer than half (48%) of respondents globally – 53% in the UK – say they have fully secured all of their critical data. But with the General Data Protection Regulation (GDPR) now fully in effect, this is no longer an opportunity, but mandatory, the report notes. However, companies are beginning to take control of their data as cloud computing best practices mature, with 27% reporting that the majority of their organisation’s data is currently stored on premise or in datacentres (25%).

Avoiding Business Stasis by Modernizing Ops, Architecture & More

Fear is inevitable during any modernization growth spurt. For instance, the operations team may fear that an increase in automation will lead to the loss of human expertise. Re-architecting the software may be perceived by developers as a threat to well-defined traditional team scopes and organizations. For the business owner, a poorly executed modernization takes away resources and doesn’t lead to improved agility. The concern many folks voice when they don’t know how to run or create a platform is that they don’t know what their place will be in the new organization. But what has started to become clear to those participating in our modernization effort is that their skills are being expanded — not replaced. And that enables them to take on new roles in the organization. One of the fundamental things that’s happening at StubHub is a complete change in the way we think about new ideas. The change in our stack allows us to work in any language and because we fully expect to move beyond Java and get into Go and Ruby and node.js, we can innovate and rethink our future in more ways than ever before.

C language update puts backward compatibility first

C is the foundation for many popular software projects such as the Linux kernel and it remains a widely used language, currently second in the Tiobe index. Its simplicity makes it a common choice for software applications that run at or close to bare metal, but developers must take extra care in C, versus higher-level languages like Python, to ensure that memory is managed correctly—easily the most common problem found in C programs. Previous revisions to the C standard added features to help with memory management—including the “Annex K” bounds-checking feature. However, one of the proposals on the table for C2x is to deprecate or remove the Annex K APIs, because their in-the-field implementations are largely incomplete, non-conformant, and non-portable. Alternative proposals include replacing these APIs with third-party bounds-checking systems like Valgrind or the Intel Pointer Checker, introducing refinements to the memory model, or adding new ways to perform bounds checking for memory objects.

Quote for the day:

"Leadership has a harder job to do than just choose sides. It must bring sides together." -- Jesse Jackson

Daily Tech Digest - November 12, 2018

Financial institutions that over time fail to utilise technology to engage effectively with increasing regulation neglect the changing environment around them. Attempting to meet the obligations set forth by regulators with manual processes makes an organisation prone to human errors and slippage in flows between key functions and departments. In effect, regtech becomes the magic ingredient that enables scalability for financial institutions in an environment of increasing regulatory requirements. At Saxo Bank, we are deploying new technologies such as machine learning and artificial intelligence to our regulatory framework, e.g. to enhance financial crime detection procedures and automatically scan through thousands of transactions. Through machine learning, the algorithm is constantly improving and finding new patterns that would be difficult (or time-consuming) to find manually. An important factor for any financial institution with regards to regtech is to collaborate with external partners and vendors. Saxo Bank’s regtech framework is built on the foundations of several external data vendors and partners whose systems and knowledge we leverage in our own offering.

Building an artificial general intelligence begins by asking 'what is intelligence?'

People often make seemingly irrational choices. When offered an early registration discount for a conference, only 67 percent of the graduate students took advantage of the offer. When told that there would be a penalty for late registration, 93 percent of the students took the offer even though the costs and the cost differences were identical in the two situations ($50 discount or $50 penalty). We can think about decisions like these as being somehow abnormal, but they are very common and, more importantly, demonstrate just how people use heuristics to achieve their intelligence. When intelligence has been studied by psychologists, the focus has generally been on identifying individual differences. Intelligence testing started with Alfred Binet and Theodore Simon’s efforts to identify French school children who might require special help. Their focus was on those factors that would allow a child to do well in school.

DevOps and Databases

When working with whole-schema source control, you usually don’t write your migration scripts directly. The deployment tools figure out what changes are needed for you by comparing the current state of the database with the idealized version in source control. This allows you to rapidly make changes to the database and see the results. When using this type of tool, I rarely alter the database directly and instead allow the tooling to do most of the work. Occasionally the tooling isn’t enough, even with pre- and post-deployment scripts. In those cases, the generated migration script will have to be hand-modified by a database developer or DBA, which can break your continuous deployment scheme. This usually happens when there are major changes to a table’s structure, as the generated migration script can be inefficient in these cases. Another advantage of whole-schema source control is that it supports code analysis. For example, if you alter the name of a column but forget to change it in a view, SSDT will return a compile error.

Diligent Engine: A Modern Cross-Platform Low-Level Graphics Library

The next-generation APIs, Direct3D12 by Microsoft and Vulkan by Khronos, are relatively new and have only started getting widespread adoption and support from hardware vendors, while Direct3D11 and OpenGL are still considered industry standard. New APIs can provide substantial performance and functional improvements, but may not be supported by older platforms. An application targeting a wide range of platforms has to support Direct3D11 and OpenGL. New APIs will not give any advantage when used with old paradigms. It is totally possible to add Direct3D12 support to an existing renderer by implementing the Direct3D11 interface through Direct3D12, but this will give zero benefits. Instead, new approaches and rendering architectures that leverage the flexibility provided by the next-generation APIs are expected to be developed. There exist at least four APIs (Direct3D11, Direct3D12, OpenGL/GLESplus, Vulkan, plus Apple's Metal for iOS and OS X platforms) that a cross-platform 3D application may need to support.

The Amazing Ways Google And Grammarly Use AI To Improve Our Writing

Just like with other machine learning algorithms, Grammarly's artificial intelligence system was originally provided with a lot of high-quality training data to teach the algorithm by showing it examples of what proper grammar looks like. This text corpus—a huge compilation human researchers organized and labeled so the AI could understand it—showed, as an example, not only proper uses of punctuation, grammar and spelling, but incorrect applications so the machine could learn the difference. In addition, Grammarly’s system uses natural language processing to analyze every nuance of language down to the character level and all the way up to words and full paragraphs of text. The feedback the system gets through humans when they ignore a proposed suggestion helps the system get smarter and provides the human linguists working with the machines input on how to make the system better. The more text it is exposed to, the better it can make appropriate suggestions. That's one of the reasons the company switched in 2010 to a consumer service from targeting enterprise customers so it would have access to a larger data set and a more significant opportunity.

RPA and its expansion into AI: Driving a new era of business and IT alignment

All businesses have some form of data pipeline feeding their supply chains and warehouses. They are designed to try to provide 100% of the data needed on a regular basis. While it’s usually adequate for reporting, it’s not a complete enough data set for analysis and insight generation. There is always a ‘last mile’ of supplementary analysis required to capture a specific piece of insight. This augments the data set with data to support root cause analysis of challenges such as month-end close, for example. RPA can be used to support that last mile of extraction, providing the aggregation and data preparation to support the dynamic needs of reporting, without having to wait for corporate IT to extend the data pipelines. This, in turn, enables us to predict and do things that have historically been difficult for humans. We struggle to predict because we can’t deal with the huge volumes of data. We struggle to narrate large volumes of data that cover a multitude of lines of divisions or departments.

The state of ICS and IIoT security in 2019

Industrial control systems (ICS) are designed to operate and support critical infrastructure. They are used heavily in industrial areas such as energy and utilities, oil and gas, pharmaceutical and chemical production, food and beverage, and manufacturing. Attacks on such systems can cause major damage. The 2015 hack of Ukraine’s power grid caused a blackout that affected over 200,000 people. Whether ransomware, botnets, cryptominers, or something more destructive, malware targeting such systems continues to proliferate. According to Kaspersky Labs, over 40 percent of ICS computers it monitors were attacked by malicious software at least once during the first half of 2018. ... “The data clearly shows that industrial control systems continue to be soft targets for adversaries,” said the report. “Many sites are exposed to the public internet and trivial to traverse using simple vulnerabilities like plain-text passwords. Lack of even basic protections like automatically updated anti-virus enables attackers to quietly perform reconnaissance before sabotaging physical processes such as assembly lines, mixing tanks, and blast furnaces.”

James Bach on a Career in Testing and Advice for New Players

We need to assess the value of testing, and that assessment is the process of observing people, talking to people, and essentially testing the test process. We need to help our clients understand our own testing and why it is valuable. That’s where the word “legibility” comes in. Legibility means the ability for something to be read. Handwriting is an obvious example of something that we speak of as being legible or illegible. But you can apply the concept of legibility to more than just handwriting. You can apply it to any process or system. A system is legible if you can look at it and tell what is going on with it. After 27 years of marriage, my wife’s moods are highly legible to me. I can tell in a few seconds how she is feeling. Unfortunately, testing is often not so easy to read as handwriting or people. That’s why testers must work to make their testing legible. They do this by using whiteboards or spreadsheets to make helpful displays.

Lazarus 'FASTCash' Bank Hackers Wield AIX Trojan

Symantec says that it's recovered multiple versions of the Fastcash Trojan, each of which appears to have been customized for different transaction processing networks. The samples also tie to legitimate primary account numbers, or PANs - the 14 or 16-digit numerical strings found on bank and credit cards that identify a card issuer and account number. US-CERT said in its alert that after reviewing log files recovered from an institution that had been attacked by Hidden Cobra, "analysts believe that the [hackers'] scripts ... inspected inbound financial request messages for specific [PANs]. The scripts generated fraudulent financial response messages only for the request messages that matched the expected PANs. Most accounts used to initiate the transactions had minimal account activity or zero balances." In other words, malicious code inserted by Hidden Cobra attackers watched for references tied to attacker-controlled accounts, then returned fraudulent information about those accounts in response to queries.
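A defender's view of the behaviour just described: a response the switch emitted that the core banking host never authorized is exactly what the injected scripts produce. The reconciliation below is an added example, not code from Symantec or US-CERT; the message layout is a simplified stand-in for real financial request/response messages, the response codes and STAN field are constructed conventions for this example, and the PANs are the well-known test numbers rather than real cards.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

APPROVED = "00"   # constructed response code meaning "approved"


@dataclass(frozen=True)
class SwitchResponse:
    """What the payment switch sent back to the requester (simplified)."""
    stan: str            # system trace audit number: pairs request and response
    pan: str             # primary account number
    amount: int          # minor units
    response_code: str


@dataclass(frozen=True)
class HostAuth:
    """What the core banking host recorded as its own decision for that STAN."""
    stan: str
    pan: str
    response_code: str


def mask_pan(pan: str) -> str:
    """Never put a full PAN into an alert; keep the issuer prefix and last 4."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def reconcile(responses: Iterable[SwitchResponse], host_auths: Iterable[HostAuth],
              low_activity_pans: Set[str]) -> List[dict]:
    """Flag switch responses that cannot be explained by a host decision.

    A response with no host record at all is the strongest signal: something
    on the switch answered the request itself. A response whose code disagrees
    with the host is the second. Approvals on accounts known to be dormant or
    zero-balance (the profile US-CERT describes) are a weaker, supporting signal."""
    by_stan: Dict[str, HostAuth] = {h.stan: h for h in host_auths}
    alerts: List[dict] = []
    for r in responses:
        host = by_stan.get(r.stan)
        if host is None:
            kind, severity = "no_host_record", "high"
        elif host.response_code != r.response_code:
            kind, severity = "decision_mismatch", "high"
        elif r.response_code == APPROVED and r.pan in low_activity_pans:
            kind, severity = "approval_on_low_activity_account", "medium"
        else:
            continue
        alerts.append({"kind": kind, "severity": severity, "stan": r.stan,
                       "pan": mask_pan(r.pan), "amount": r.amount,
                       "switch_code": r.response_code,
                       "host_code": host.response_code if host else None})
    return alerts


# Constructed sample data: PANs are public test numbers, STANs are invented.
SWITCH_RESPONSES = [
    SwitchResponse("000101", "4111111111111111", 5000, "00"),    # normal approval
    SwitchResponse("000102", "4111111111111111", 900000, "51"),  # normal decline
    SwitchResponse("000103", "5555555555554444", 250000, "00"),  # host never saw it
    SwitchResponse("000104", "5555555555554444", 250000, "00"),  # host declined it
    SwitchResponse("000105", "5555555555554444", 100, "00"),     # host approved it
]
HOST_AUTHS = [
    HostAuth("000101", "4111111111111111", "00"),
    HostAuth("000102", "4111111111111111", "51"),
    HostAuth("000104", "5555555555554444", "51"),
    HostAuth("000105", "5555555555554444", "00"),
]
LOW_ACTIVITY_PANS = {"5555555555554444"}   # dormant / zero-balance accounts


if __name__ == "__main__":
    for alert in reconcile(SWITCH_RESPONSES, HOST_AUTHS, LOW_ACTIVITY_PANS):
        print(alert)
```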

5 questions to ask about open data centers

Extreme’s definition of open essentially means no vendor lock-in. WorkFlow Composer can automate workflows across any vendor, including Arista, Cisco and Juniper. Extreme can integrate with more than 100 vendors that have integration packs on exchange.stackstorm.org. Customers may have to tweak the code some, but they do not have to start with a blank sheet of paper. StackStorm extends beyond networking, too. As a result, engineers who use Workflow Composer can extend the automation capabilities to things like Palo Alto and Check Point firewalls, VMware vSphere, ServiceNow’s service desk and others. You could argue the network is the foundation of a modernized data center as it provides the connectivity fabric between everything. But open data centers incorporate more than just networking. By building Workflow Composer on StackStorm, Extreme can orchestrate and automate workflows from the network to the application — and everything in between.

Quote for the day:

"The person who can drive themself further once the effort gets painful, is the one who will win." -- Roger Bannister

Daily Tech Digest - November 11, 2018

Web applications are the most visible front door to any enterprise and are often designed and built without strong security in mind. Stressing out over hardware vulnerabilities like Spectre or Meltdown is fun and trendy, but while you're digging a moat around your castle someone is prancing across the drawbridge using SQL injection (SQLi) or cross-site scripting (XSS). The OWASP Broken Web Applications Project comes bundled in a virtual machine (VM) that contains a large collection of deliberately broken web applications with tutorials to help students master the various attack vectors. From trivial to more difficult, the project is designed to lead the user to a better understanding of web application security. The OWASP Broken Web Applications Project includes the appropriately named Damn Vulnerable Web Application, deliberately broken for your pentesting enjoyment. For maximum lulz, download OWASP Zed Attack Proxy, configure a local browser to proxy traffic through ZAP, and get ready to attack some damn vulnerable web applications.

Emotional skill is key to success

According to Susan David, emotional agility is about adaptability, facing emotions and moving on from them. It is also the ability to master the challenges life throws at us in an increasingly complex world. She added that while emotional intelligence is not values-focused, emotional agility is. "Women do have some advantages in the domain of emotional agility," she said. "When I go into organisations and look at hotspots or business units that are extremely high functioning, what we find is that the most important predictor of enabling these units is what I call 'individualised considerations'. That means leaders who are able to see the individual as an individual and this has diversity at its core. "These leaders do not stereotype or exclude," she added. "Of course, this doesn't work always in practice and there is a lot of work to be done in this regard in organisations and businesses."

Hybrid Blockchain- The Best Of Both Worlds

The hybrid blockchain is best defined as a blockchain that attempts to use the best parts of both private and public blockchain solutions. In an ideal world, a hybrid blockchain will mean controlled access and freedom at the same time. The hybrid blockchain is distinguishable by the fact that it is not open to everyone, but it still offers blockchain features such as integrity, transparency, and security. As usual, a hybrid blockchain is entirely customizable. The members of the hybrid blockchain can decide who can participate in the blockchain or which transactions are made public. This brings the best of both worlds and ensures that a company can work with its stakeholders in the best possible way. We hope that you got a clear view from the hybrid blockchain definition. To get a much better picture, we recommend you check out some hybrid blockchain projects.

How universities should teach blockchain

The core issue is that blockchain is really hard to teach correctly. There’s no established curriculum, few textbooks exist, and the field is rife with misinformation, making it hard to know what is credible. Protocols are evolving at a rapid pace, and it’s tough to tell the difference between a white paper and reality. Having so much attention around blockchain specifically frames it as a miraculous and novel development rather than an outgrowth of decades of computer science research. Matt Blaze, an associate professor at the University of Pennsylvania and a cyber-security researcher, points out that the push for degree programs in blockchain is part of a trend of overspecialization by some engineering schools. The concepts sound good on paper but don’t live up to their promise. Despite the best of intentions, trends change, and students get stuck in narrow career paths. In order to avoid these pitfalls, universities will have to take an approach they’re not used to.

Experience an RDP attack? It’s your fault, not Microsoft’s

If you are compromised because of RDP, the problem is you or your organization. It isn’t a problem with Microsoft or RDP. You don’t need to put a VPN around RDP to protect it. You don’t need to change default network ports or some other black magic. Just use the default security settings or implement the myriad other security defenses you should have already been using. If you’re getting hacked because of RDP, you’re not doing a bunch of things that any good computer security defender should be doing. There are many ransomware programs, like SamSam, and cryptominers, like CrySis, that attempt brute-force guessing attacks against accessible RDP services. So many companies have had their RDP services compromised that the FBI and Department of Homeland Security (DHS) have issued warnings. The warning should be, “Your security sucks!” It isn’t like the malware programs are conducting a zero-day attack against some unpatched vulnerability.
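The brute-force guessing the piece refers to leaves a plain trail in the Windows Security log, which is where a defender should be looking. The detector below is an added example, not code from the article: it reads a constructed pipe-delimited export of 4625 (failed) and 4624 (successful) logon events, flags a burst of failed RDP logons from one source, and, the part that matters, flags a success from a source that was just bursting. The export format, the thresholds and the documentation-range addresses are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed sample export: timestamp|EventID|LogonType|Account|SourceIP
# (4625 = failed logon, 4624 = successful logon; addresses are from the
# RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
2018-11-11T03:14:05Z|4625|10|administrator|203.0.113.45
2018-11-11T03:14:09Z|4625|10|administrator|203.0.113.45
2018-11-11T03:14:12Z|4625|10|admin|203.0.113.45
2018-11-11T03:14:16Z|4625|10|backup|203.0.113.45
2018-11-11T03:14:21Z|4625|10|svc_backup|203.0.113.45
2018-11-11T03:14:25Z|4625|10|svc_backup|203.0.113.45
2018-11-11T03:15:30Z|4624|10|svc_backup|203.0.113.45
2018-11-11T03:20:00Z|4625|10|jsmith|198.51.100.7
2018-11-11T03:20:05Z|4624|10|jsmith|198.51.100.7
2018-11-11T09:00:00Z|4625|2|jdoe|192.0.2.10
"""

# Logon type 10 is RemoteInteractive (RDP). When Network Level Authentication
# is enabled, failed RDP logons are commonly recorded with logon type 3.
RDP_LOGON_TYPES = {"10", "3"}
FAIL_THRESHOLD = 5                 # failures from one source inside the window
WINDOW = timedelta(minutes=5)


def parse(line: str) -> Tuple[datetime, str, str, str, str]:
    ts, event_id, logon_type, account, src = line.strip().split("|")
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            event_id, logon_type, account, src)


def detect_rdp_bruteforce(lines: Iterable[str], threshold: int = FAIL_THRESHOLD,
                          window: timedelta = WINDOW) -> List[dict]:
    """Return alerts for (a) a burst of failed RDP logons from one source and
    (b) a successful RDP logon from a source that was just bursting, which is
    the pattern a guessed password leaves behind."""
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    already_alerted: Set[str] = set()
    alerts: List[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = parse(line)
        if logon_type not in RDP_LOGON_TYPES:
            continue                      # console/service logons are out of scope
        recent = failures[src]
        while recent and ts - recent[0][0] > window:
            recent.popleft()              # slide the window forward
        if event_id == "4625":
            recent.append((ts, account))
            if len(recent) >= threshold and src not in already_alerted:
                already_alerted.add(src)  # one alert per source per burst
                alerts.append({
                    "kind": "bruteforce", "src": src, "at": ts,
                    "failures": len(recent),
                    "accounts": sorted({a for _, a in recent}),
                })
        elif event_id == "4624" and len(recent) >= threshold:
            alerts.append({
                "kind": "success_after_bruteforce", "src": src, "at": ts,
                "account": account, "preceding_failures": len(recent),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the single failure from 198.51.100.7 followed by a success is left alone; only the burst from 203.0.113.45 and the success that follows it are reported.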

Data as a Driver of Economic Efficiency

The General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. The regulation aims to protect data by ‘design and default,’ whereby firms must handle data according to a set of principles. GDPR mandates opt-in consent for data collection and assigns substantial liability risks and penalties for data flow and data processing violations. GDPR’s enactment is particularly likely to influence technology ventures, given an increasing need for the use of data as a core product input. Specifically, data has become a key factor in technology-driven innovation and production, spanning industry sectors from pharmaceuticals and healthcare, to automotive, smart infrastructure, and broader decision making. This report presents economic analyses of the consequences of data regulation and opt-in consent requirements for investment in new technology ventures, for consumer prices, and for economic welfare.

A Two-Minute Guide To Quantum Computing

Most of us aren't clued up on the art of harnessing elementary particles like electrons and photons, so to understand how quantum computing works, meet Scottish startup M Squared. The company’s bread and butter is making some of the most accurate lasers in the world, using pure light and precise wavelengths. Such lasers can be used like a scalpel, one atom wide, to carve out the transistors of a silicon chip. Typically the chip or brain in your smartphone is a centimeter square. It has a small section in the middle made up of around 300 million transistors, with connections spreading out like fingers to talk to the screen, the camera, the battery and more. But imagine a chip with no transistors at all, and instead a small chamber that’s controlling the processes and energy levels inside of atoms. This is quantum computing, the next frontier of machines that think not in bytes but in powerful qubits. It sounds cutting-edge, but scientists have been studying the theory of quantum computing for 30 years, and some say the first mainstream applications are just around the corner.

How Do Self-Driving Cars See? (And How Do They See Me?)

We’ll start with radar, which rides behind the car’s sheet metal. It’s a technology that has been going into production cars for 20 years now, and it underpins familiar tech like adaptive cruise control and automatic emergency braking. ... The cameras—sometimes a dozen to a car and often used in stereo setups—are what let robocars see lane lines and road signs. They only see what the sun or your headlights illuminate, though, and they have the same trouble in bad weather that you do. But they’ve got terrific resolution, seeing in enough detail to recognize your arm sticking out to signal that left turn. ... If you spot something spinning, that’ll be the lidar. This gal builds a map of the world around the car by shooting out millions of light pulses every second and measuring how long they take to come back. It doesn’t match the resolution of a camera, but it should bounce enough of those infrared lasers off you to get a general sense of your shape. It works in just about every lighting condition and delivers data in the computer’s native tongue: numbers.

Facial recognition's failings: Coping with uncertainty in the age of machine learning

The shortcomings of publicly available facial-recognition systems were further highlighted in summer this year, when the American Civil Liberties Union (ACLU) tested the AWS Rekognition service. The test found that 28 members of the US Congress were falsely matched with mug shots from publicly available arrest photos. Professor Chris Bishop, director of Microsoft's Research Lab in Cambridge, said that as machine learning technologies were deployed in different real-world locales for the first time it was inevitable there would be complications. "When you apply something in the real world, the statistical distribution of the data probably isn't quite the same as you had in the laboratory," he said. "When you take data in the real world, point a camera down the street and so on, the lighting may be different, the environment may be different, so the performance can degrade for that reason. "When you're applying [these technologies] in the real world all these other things start to matter."

Robots Have a Diversity Problem

It is well-documented that A.I. programs of all stripes inherit the gender and racial biases of their creators on an algorithmic level, turning well-meaning machines into accidental agents of discrimination. But it turns out we also inflict our biases onto robots. A recent study led by Christoph Bartneck, a professor at the Human Interface Technology Lab at the University of Canterbury in New Zealand, found that not only are the majority of home robots designed with white plastic, but we also actually have a bias against the ones that are coated in black plastic. The findings were based on a shooter bias test, in which participants were asked to perceive threat level based on a split-second image of various black and white people, with robots thrown into the mix. Black robots that posed no threat were shot more than white ones. “The only thing that would motivate their bias [against the robots] would be that they would have transferred their already existing racial bias to, let’s say, African-Americans, onto the robots,” Bartneck told Medium. “That’s the only plausible explanation.”

Quote for the day:

"Remember this: Anticipation is the ultimate power. Losers react; leaders anticipate." -- Tony Robbins