Daily Tech Digest - October 12, 2019

Agile Project Management for Distributed Teams

Distribution is a challenging idea. One of the major parts of team development is that every team member should feel unburdened and all of the work should be divided equally. Also, every team member should understand their role perfectly, so as to remove any ambiguity. Every task that is allocated to the team members should be done transparently and not behind closed doors. One thing that companies are beginning to realize is that increasing the amount of pressure on team members can exhaust them, and that is not good for anyone, because overloaded resources become so fed up that they lose focus and, as a result, there is a real decline in productivity. Lastly, when there is this much clarity and transparency in project development and team communication, agile project management and an agile team deliver the desired results very effectively, and they are motivated to pursue the next goal more eagerly. ... Scrum scaling is an effective procedure in the agile project management model where every project is first evaluated and, before the project is scaled, a proper infrastructure is put into place to better understand all the elements related to the project.


How Cybercriminals Continue to Innovate

Distributed denial-of-service attacks also continue to dominate, Europol says. These are one of the top types of attacks reported to European law enforcement agencies because they're aided by the easy availability of stresser/booter services. "Many banks report that DDoS attacks remain a significant problem, resulting in the interruption of online bank services, creating more of a public impact rather than direct financial damage," the report says. But police have successfully disrupted many major DDoS services ... Security experts say that in the recent past, criminals might advertise their goods and services exclusively on one darknet forum or use the same handle across forums to create better "brand awareness." Today, however, compartmentalization appears to be the name of the game, with criminals creating single-vendor shops or a presence on smaller, Tor-based markets. "Some organized crime groups are also fragmenting their business over a range of online monikers and marketplaces, therefore presenting further challenges for law enforcement," Europol says.


FBI warns about attacks that bypass multi-factor authentication (MFA)


The FBI made it very clear that its alert should be taken only as a precaution, and not as an attack on the effectiveness of MFA, which the agency still recommends companies use. Instead, the FBI wants users of MFA solutions to be aware that cyber-criminals now have ways around such account protections. "Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks," the FBI said. Despite the rise in the number of incidents and attack tools capable of bypassing MFA, these attacks are still incredibly rare and have not been automated at scale. Last week, Microsoft said that attacks that can bypass MFA are so out of the ordinary that it doesn't even have statistics on them. In contrast, the OS maker said that when enabled, MFA helped users block 99.9% of all account hacks. Back in May, Google said something similar, claiming that users who added a recovery phone number to their accounts (and thereby indirectly enabled SMS-based MFA) improved their account security.


What developers need to know about an Alexa vulnerability

All Alexa virtual assistants automatically transmit all recording data back to Amazon servers. The company saves storage space by retaining certain voice recordings and deleting others at any time. Amazon employees routinely listen to recordings to determine how well Alexa understands requests and to improve the service. Recordings are linked with an account number and the user’s first name. Amazon gives users the option to delete their interactions with Alexa, but doesn’t give them the option to prevent Amazon from retaining certain voice recordings. Indefinite record retention implies a lack of a private-data retention policy for Amazon’s servers. The company, not the consumer, decides on the dates the records must be removed from its primary storage systems. A similar security concern also exists in Alexa for Business. Developers use the service to build, test and deploy Jenkins code to the cloud. Just like the aforementioned Alexa vulnerability, developers can delete recordings on their end, but don’t have the option to control which records Amazon may retain.


Web and mobile testing faceoff: Sauce Labs vs. BrowserStack


Both products require users to define how the test data maps to the GUIs involved, and users are generally comfortable with this process in each toolset. Users with a specific interest in either browser or mobile apps appreciate BrowserStack's approach of different modules for different missions, but those who require both view the segmentation somewhat negatively, so it's smart to know just what UI type the app uses. BrowserStack has strong organizational features. Users can define teams, allocate resources by team, and -- depending on the purchased plan -- do parallel testing. With the provided analytics, development managers can review how many tests are run, the pattern of testing, and whether the tests cover the full functionality of the UIs. Sauce Labs also has good team support and team metrics, such as data on the rate of changes made, the number of changes, and the tests run.


Cloud architecture that avoids risk and complexity

Cost is easy. You can spend ten times what you need to, to solve the same problem. Typically, the architecture team layers on more technology than necessary or doesn’t take advantage of cloud-native features. This means that the applications burn ten times more public cloud resources. Often I come upon disturbing realities, such as a technology being used because of an existing enterprise license agreement with that technology provider, which really means “funny money” that needs to be spent. Risk is another core factor and is not as easy to spot as cost. Overengineering the cloud solution can add unnecessary complexity, which can lead to more attack surface for hackers and an additional likelihood that data on premises or in the cloud will be breached. I often use the phrase “you’re not that good” to describe the fact that the more technology you have, the more complexity, cost, and risk you also have. If you think about it, most major breaches have been caused by some neglect that led to a vulnerability.


How to Stop Superhuman A.I. Before It Stops Us


The problem is not the science-fiction plot that preoccupies Hollywood and the media — the humanoid robot that spontaneously becomes conscious and decides to hate humans. Rather, it is the creation of machines that can draw on more information and look further into the future than humans can, exceeding our capacity for decision making in the real world. To understand how and why this could lead to serious problems, we must first go back to the basic building blocks of most A.I. systems. The “standard model” in A.I., borrowed from philosophical and economic notions of rational behavior, looks like this: “Machines are intelligent to the extent that their actions can be expected to achieve their objectives.” Because machines, unlike humans, have no objectives of their own, we give them objectives to achieve. In other words, we build machines, feed objectives into them, and off they go. The more intelligent the machine, the more likely it is to complete that objective.


Volusion Payment Platform Sites Hit by Attackers

"The most obvious threat actor that is currently famous for card skimming and compromising ... e-commerce websites is Magecart, which has the history of using Vultr Holdings data centers (just like Volusion-Cdn[.]com) and using public cloud storage to host their malicious scripts," Afahim says. Afahim discovered the attack against the check-out site for Sesame Street Live this week, although these incidents could have started as far back as Sept. 12. The payment function for the Sesame Street Live online store remained offline Wednesday. On Thursday, a spokesperson for Volusion told Information Security Media Group that the attacks had been stopped within a few hours of the company being notified, but that an investigation was still underway. "A limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details ..." the spokesperson says.


Mind-reading systems: Seven ways brain computer interfaces are already changing the world


A collaboration between researchers -- including neuroscientists, biomedical engineers, and musicians -- has been looking at the potential for BCIs to be used with music. They are working on a system that could analyse a person's emotional state from their neural signals and then automatically compose an appropriate piece of music. For example, if you're feeling down, the system's algorithms could write you a piece of music to help lift your mood. The system has been tested on healthy volunteers, as well as on one individual with the neurodegenerative condition Huntington's disease, which causes depression and low mood. "Part of the reason someone might have a music therapy session is because they have trouble understanding their own emotions or expressing their own emotions, so the idea is to use music and the skills of the therapist, and potentially this device is better in helping them understand their emotions," says Ian Daly, lecturer at the University of Essex's School of Computer Science and Electronic Engineering.


Author Q&A on the Book Software Estimation Without Guessing


Much of the trouble with estimating is not estimation itself, but the communications, or lack thereof, between people. If you don’t know how an estimate is going to be used, it’s likely to be the wrong estimate for the situation. If you fear an estimate for one use is going to be misused for another, then you’ll likely develop an estimate that doesn’t satisfy either need. ... In one sense, there is only one way to estimate. That’s by comparing the unknown to the known. There are, of course, many ways to do that comparison. You might conceptually break the unknown down into smaller pieces that are easier to compare. You might build a model that encapsulates the comparison based on measurable attributes of the planned work. ... The one thing you know about an estimate is that it is going to be wrong to some degree. How wrong and wrong in what way are the more important questions. Making an early prediction and then trusting it for a long time seems like a foolish strategy. Estimates have a limited shelf-life. If you’re going to make a long-term estimate, you should also make some shorter-term interim estimates that you can use to check your assumptions.

Quote for the day:

"The task of leadership is not to put greatness into humanity, but to elicit it, for the greatness is already there." -- John Buchan