Daily Tech Digest - November 21, 2019

California's IoT Security Law: Why It Matters And The Meaning Of 'Reasonable Cybersecurity'

According to the law, a reasonable security feature must be “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” The law is specific about security as it relates to authentication for devices outside a local area network, stating that “the preprogrammed password is unique to each device manufactured” and “the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.” As you can see, guidance included as part of the law is specific to authentication, and it remains vague regarding other reasonable cybersecurity measures that are necessary beyond password management. However, companies can look to prior guidance for clarity, which defines compliance with the 20 security controls in the CIS Critical Security Controls for Effective Cyber Defense as the "floor" for reasonable cybersecurity and data protection.



Serverless HTTP With Durable Functions

Durable functions rely on a main orchestrator function that coordinates the overall workflow. Orchestrator functions must be deterministic and execute code with no side effects so that the orchestration can be replayed to “fast forward” to its current state. Actions with side effects are wrapped in special activity tasks that act as functions with inputs and outputs and manage things like I/O operations. The first time the workflow executes, the activity is called, and the result evaluated. Subsequent replays use the returned value to ensure the deterministic code path. Until the release of version 2.0, this meant interacting with HTTP endpoints required creating special activity tasks. As of 2.0, this is no longer the case! Now, with the introduction of the HTTP Task, it is possible to interact with HTTP endpoints directly from the main orchestration function! The HTTP Task handles most of the interaction for you and returns a simple result. There are some trade-offs.


Google's new AI tool could help decode the mysterious algorithms that decide everything


Users can pull out that score to understand why a given algorithm reached a particular decision. For example, in the case of a model that decides whether or not to approve someone for a loan, Explainable AI will show account balance and credit score as the most decisive data. Introducing the new feature at Google's Next event in London, the CEO of Google Cloud, Thomas Kurian, said: "If you're using AI for credit scoring, you want to be able to understand why the model rejected a particular model and accepted another one." "Explainable AI allows you, as a customer, who is using AI in an enterprise business process, to understand why the AI infrastructure generated a particular outcome," he said. The explaining tool can now be used for machine-learning models hosted on Google's AutoML Tables and Cloud AI Platform Prediction. Google had previously taken steps to make algorithms more transparent. Last year, it launched the What-If Tool for developers to visualize and probe datasets when working on the company's AI platform.


The cybercrime ecosystem: attacking blogs

Thirty-seven percent of the top 40 blogs in Sweden were running an outdated version of WordPress, with the oldest version being from 2012, vulnerable to a lot of exploits—even full remote code execution allowing the attacker to compromise not just the WordPress installation, but the server it is running on, too. When checking the server hosting this extremely old WordPress installation, I found that 13 other websites were running on the same server. Most of the outdated WordPress installations were from 2018. As mentioned before, this is a very common way for cybercriminals to spread malware, but how does it work in real life? After the WordPress site is compromised, the most common technique is to redirect the user to a so-called exploit kit. This is a system which will enumerate the browser, and if a list of requirements is met, deliver the malicious payload to the victim. For example, some of the requirements may be to exploit a certain browser only, if the exploit kit only has exploits for Firefox. In that case, nothing will happen if you visit the website in Chrome or Internet Explorer.


"These services may be half the price of Amazon S3, but they’re 100 times greater risk given the decentralized nature of the storage and the nascent companies behind them," Bala said via email. "Comparatively, AWS is a trusted provider with 10s of exabytes under management. I am also very skeptical of the performance claims being made relative to S3, particularly when objects need to be rebuilt in case a peer in the storage network disappears." Cloud storage provider Backblaze offers capacity through its B2 service at a quarter the price of Amazon AWS, but without the risk a P2P architecture poses, Bala said. "B2 is built and operated by sophisticated people from a technical perspective with a successful track record. So one need not use a P2P storage service just to save money," Bala said. Bala also criticized P2P-based storage services for claiming to use blockchain's innate cryptography and resiliency when, in fact, the distributed ledger technology is only used for the purposes of payment.


How to Build a Regex Engine in C#

This is an ambitious article. The goal is to walk you through the building of a fully featured regular expression engine and code generator. The code contains a complete and ready to use regular expression engine, with plenty of comments and factoring to help you through the source code. First of all, you might be wondering why we would develop one in the first place. Aside from the joy of learning how regular expressions work under the hood, there's also a gap in the .NET framework's regular expression classes which this project fills nicely. This will be explained in the next section. I've previously written a regular expression engine for C# which was published here, but I did not explain the mechanics of the code. I just went over a few of the basic principles. Here, I aim to drill down into a newer, heavily partitioned library that should demystify the beast enough that you can develop your own or extend it. I didn't skimp on optimizations, despite the added complication in the source. I wanted you to have something you could potentially use "out of the box."


Under the microscope: inbound versus outbound email protection

Times change, technologies continue to evolve, and yet email remains the easiest avenue of attack for cybercriminals looking to hack into your business. Need convincing? Well, in 2018 94% of malware attacks were deployed by email, 78% of cyber espionage incidents used phishing, and 32% of all reported breaches involved phishing (let’s not dwell too much on the possible scale of unreported breaches). The truth is that email has been the easiest avenue of attack for at least two decades and, unless there are some fundamental changes in how the problem is addressed at a global level, it will probably remain so for another decade. In the meantime, businesses continue to look for ways of increasing their level of inbound protection – deploying security products that attempt to block access to infected sites or identify unsavoury email content before it reaches the recipient. These products come in many different shapes and sizes and are then augmented by a ‘human shield’, i.e. the vigilance of the employees to spot phishing scams and fraudulent messages that have outwitted the technology.


Q&A on the Book Rebooting AI

There are many legitimate concerns about AI. People with bad intentions - criminals, terrorists, militaries carrying out war, authoritarian governments carrying out surveillance - will undoubtedly misuse it, as they do every powerful technology. People, both in the general public and in positions of authority, are apt to trust it too much. Unless it is audited very carefully, AI can perpetuate existing social biases, as we've seen in many scandals over the last decade, such as the Amazon job recruitment program that was unshakably biased against women applicants. But our largest concern is that the great potential of AI that could benefit mankind will end up unrealized: first, because people will be frightened by the dangers and, after a certain point, discouraged by the limitations and failures of existing AI; and, second, because AI research, fixated on the short-term successes of machine learning, will fail to explore other approaches that have longer-term payoffs but a greater benefit in the long term.


IoT sensors must have two radios for efficiency

For the Internet of Things to become ubiquitous, many believe that inefficiencies in the powering of sensors and radios have to be eliminated. Battery chemistry just isn’t good enough, and it’s simply too expensive to continually perform truck-rolls, for example, whenever batteries need changing out. In many cases, solar battery top-ups aren’t the solution because that usually fixed technology isn’t particularly suited to mobile, impromptu, ad hoc networks. Consequently, there’s a dash going on to try to find either better chemistries that allow longer battery life or more efficient chips and electronics that just sip electricity. One angle being pursued is to wake up network radios only when they need to transmit a burst of data. Universities say they are making significant progress in this area. “The problem now is that these [existing] devices do not know exactly when to synchronize with the network, so they periodically wake up to do this even when there’s nothing to communicate,” explains Patrick Mercier, a professor of electrical and computer engineering at the University of California, San Diego, in a media release.


Facebook: Microsoft's Visual Studio Code is now our default development platform


While Facebook is making VS Code the default developer environment, Marcey notes that Facebook does not have a "mandated development environment" and that some developers use other IDEs such as Vim and Emacs. Nonetheless, the default status for VS Code means that Facebook is backing it for its development future. "Visual Studio Code is a very popular development tool, with great investment and support from Microsoft and the open-source community," said Marcey. "It runs on macOS, Windows, and Linux, and has a robust and well-defined extension API that enables us to continue building the important capabilities required for the large-scale development that is done at the company. Visual Studio Code is a platform we can safely bet our development platform future." Facebook is also teaming up with Microsoft to improve the remote-desktop experience with VS Code via remote development VS Code extensions. Microsoft in May announced previews of three extensions that enable development in containers, remotely on physical or virtual machines, and with the Windows Subsystem for Linux (WSL).



Quote for the day:


"Leadership cannot just go along to get along. Leadership must meet the moral challenge of the day." -- Jesse Jackson

