Daily Tech Digest - December 28, 2019

Taiwanese Police Arrest Miner Accused of Stealing Millions in Power

Proof of Work was the original consensus mechanism used by Bitcoin and later implemented on the likes of Ethereum, Litecoin, and Dogecoin. PoW involves performing thousands of calculations per second to find the solution to a mathematical problem that is hard to solve but easy to verify. The Proof of Work system incentivizes miners by rewarding them with coins for each new block found. Although it remains an extremely fair and secure consensus mechanism, PoW has been criticized over the years. Much has been made, for example, of its high energy and resource requirements: the computational power needed for miners to solve complex mathematical puzzles ahead of their peers is huge. Critics lose sight of the fact that this is a feature and not a bug: the difficulty of cheating Proof of Work is what makes it so robust, and why the Bitcoin network is so valuable. Even the most well-funded adversary would struggle to obtain the hashpower necessary to control the network and double-spend coins.
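To make the "hard to solve, easy to verify" asymmetry concrete, here is an added toy proof-of-work in Python (not code from the article or from any coin's client). It assumes a Bitcoin-style double SHA-256 puzzle with a leading-zero-bits target; the block header is a constructed placeholder.

```python
import hashlib
import itertools


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over header || nonce (header is a constructed stand-in)."""
    return hashlib.sha256(hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """The puzzle is solved when the digest has at least difficulty_bits leading zero bits.
    Each extra bit doubles the expected search; the check itself stays one comparison."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def mine(header: bytes, difficulty_bits: int) -> tuple:
    """Brute-force the nonce. Returns (nonce, hashes_tried): the 'hard to solve' side."""
    for nonce in itertools.count():
        if meets_target(pow_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """One hash, regardless of how many the miner burned: the 'easy to verify' side."""
    return meets_target(pow_hash(header, nonce), difficulty_bits)


def expected_hashes(difficulty_bits: int) -> int:
    """Average number of hashes a miner must try per solution at this difficulty."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    header = b"constructed-block-header"  # constructed sample input
    for bits in (8, 12, 16):
        nonce, tried = mine(header, bits)
        assert verify(header, nonce, bits)
        print(f"{bits} bits: nonce={nonce} tried={tried} expected~{expected_hashes(bits)} verify=1 hash")
```

Raising the difficulty by a few bits multiplies the miner's work while the verifier still pays a single hash, which is exactly why acquiring enough hashpower to rewrite the chain is so expensive.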

DevOps in the enterprise requires focus on security, visibility

In this episode of Test & Release, Pariseau, who writes for SearchSoftwareQuality and SearchITOperations, discusses technology topics that will matter in 2020. She also shares experiences from containers, cloud and DevOps conferences such as KubeCon and DevSecCon, where diverse leaders related the many challenges associated with DevOps and Agile transformation. Success for DevOps in the enterprise starts with small wins and a consistent march toward improvement. "It's clear that enterprises have had to handle this digital transformation in phases," Pariseau said. "You have to eat the elephant one bite at a time." Take security in the SDLC. DevOps purists, she says, intended for business and security concerns to get rolled into the natural cadence of a lifecycle. However, as many teams struggle with pipeline complexities bringing DevOps to mainstream enterprise IT, those concerns took a back seat. Now, enterprises are putting security back into focus, as high-profile breaches carry potentially disastrous repercussions.

A decade of fintech megatrends

Forecasts that this sector will cross the $25 billion mark by 2025 seem grossly inadequate to me. Libra has awoken central banks, policy makers and regulators with the likelihood that a dominant global industry-led stablecoin may emerge. The FSB, BIS, and IOSCO are all focused on analysing the market impact of stablecoins, and central banks are reviewing their plans for digital fiat currencies. Libra may have fumbled in the early days with its own narrative, but its impact has been sensational. Following the ICO crash and pullback of the bitcoin price in 2018, the sector has regrouped with an enterprise focus: new digital assets and derivatives, and a focus on exchange, custody and settlement infrastructure. Market leaders include R3 with its Corda platform and Six, the Swiss stock exchange, which will partner to platform digital assets; a JP Morgan Coin for client payments; and the Fidelity Digital Assets platform for institutional clients. After Xi Jinping's comments, expect the Chinese government to push the development of blockchain technology, ahead of the application of cryptocurrencies, which are banned in China.

Remme technology reduces reliance on passwords and human failure to present a high-end security system that is simple to use without jeopardizing security. REMME solves the issue of central servers that can be hacked and restricts attacks such as phishing, server and password compromise, and password reuse, with the help of blockchain. Users can utilize the free version of the system for some 10,000 logins per month. Up to 100,000 logins per month can be used for $199. It's inexpensive compared to its competitors. Remme is headquartered in Ukraine. Remme has been in existence since 2015, and its name is becoming famous in the industry. It serves a wide range of businesses, most of which have to safeguard their clients' sensitive data, but anyone can use it, including small organizations and individuals. Remme has two essential strengths. Firstly, it uses new technology that is hack-proof, so it guarantees client data security and avoids any possible damages or losses.

Tesla describes its solution in the patent application: “A data pipeline that extracts and provides sensor data as separate components to a deep learning network for autonomous driving is disclosed. In some embodiments, autonomous driving is implemented using a deep learning network and input data received from sensors. For example, sensors affixed to a vehicle provide real-time sensor data, such as vision, radar, and ultrasonic data, of the vehicle’s surrounding environment to a neural network for determining vehicle control responses. In some embodiments, the network is implemented using multiple layers. The sensor data is extracted into two or more different data components based on the signal information of the data. For example, feature and/or edge data may be extracted separate from global data such as global illumination data into different data components. The different data components retain the targeted relevant data, for example, data that will eventually be used to identify edges and other features by a deep learning network. ..."

The Year of Magecart: How the E-Commerce Raiders Reigned in 2019

While the retail giant notified customers on Nov. 15, the company has yet to release details of the attack. For example, how many customers were impacted by the breach remains unknown. Researchers, however, believe the intruders belong to a loose grouping of cybercriminal gangs known as Magecart groups, named for their habit of skimming financial details from shopping carts and, often, the Magento e-commerce platform. This particular group had upped its game: The attackers had tightly integrated their information-gathering code into two parts of the website and had knowledge of how Macy's e-commerce site functioned, security firm RiskIQ said in a Dec. 19 analysis. "The nature of this attack, including the makeup of the skimmer and the skills of the operatives, was truly unique," said Yonathan Klijnsma, head researcher with RiskIQ, in his analysis. "I've never seen a skimmer so meticulously constructed and able to play to the functionality of the target website." The Macy's breach is the latest success for the broad class of Magecart attackers.

In its traditional configuration, using value functions or policy search, the RL algorithm essentially conducts a completely random search of the state space to find an optimum solution. The fact that it is a random search accounts for the extremely large compute requirement for training. The more sequential steps in the learning process, the greater the search and compute requirement. The new upside-down approach introduces gradient descent from supervised learning, which promises to make training orders of magnitude more efficient. Using rewards as inputs, UDRL observes commands as a combination of desired rewards and time horizons, for example "get so much reward within so much time" and then "get even more reward within even less time". As in traditional RL, UDRL learns by simply interacting with its state space, except that these unique commands now drive learning based on gradient descent using the self-generated commands. In short, this means training occurs against trials that were previously considered successful (gradient descent) as opposed to completely random exploration.

The patent, granted earlier this month after being filed back in March 2015, outlines a system that allows users to make bitcoin payments using an email address linked to a cryptocurrency wallet. "Bitcoin can be sent to an email address," the patent filing read, detailing the advantages of the technology. "No miner's fee is paid by a host computer system. Instant exchange allows for merchants and customers to lock in a local currency price. A tip button rewards content creators for their efforts. A bitcoin exchange allows for users to set prices that they are willing to sell or buy bitcoin and execute such trades." However, the system takes 48 hours for the transaction to clear once the receiver has confirmed the payment, and there doesn't appear to be support for other major cryptocurrencies. The technology could mean a big step for mainstream adoption of bitcoin—something that's been a long-term goal of Coinbase's CEO Brian Armstrong.

An essential API test verifies that an API is capable of connection, and that it is sending and receiving data. At some level, the QA team should include security testing. API messages must verify security at both ends of a data exchange. In addition to connectivity and security, verify database validity. If the APIs allow invalid data during an exchange, the database and applications are susceptible to failure from an unexpected source. Data validity is critical for API, database and application communication. To vet these areas, make sure to test error conditions as well. The API developer should share the error codes that will be generated when the system rejects an incoming message for security or data issues, when messages are in the wrong format and when the API endpoint is down or non-functional. The QA engineer should verify that the API returns the data the IT organization expects across systems. Many applications have integrated components, such as a web portal and a mobile app.
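The error-condition checks described above, as an added Python example that is not from the article: a constructed toy endpoint maps each rejection (endpoint down, failed authentication, malformed message, invalid data) to a distinct status code, and a QA-side check drives every condition through it and reports any code that deviates from the table the developer shared. The token, endpoint and expected codes are all constructed for the example.

```python
import json

API_TOKEN = "constructed-api-token"  # hypothetical shared secret for the toy endpoint


def handle_request(token: str, body: bytes, up: bool = True) -> tuple:
    """Toy 'order' endpoint (constructed). Checks, in order: endpoint availability,
    authentication, message format, data validity. Each rejection gets its own code."""
    if not up:
        return 503, {"error": "endpoint unavailable"}
    if token != API_TOKEN:
        return 401, {"error": "unauthenticated"}          # security rejection
    try:
        msg = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed message"}        # wrong format
    qty = msg.get("quantity") if isinstance(msg, dict) else None
    # bool is a subclass of int in Python, so exclude it explicitly:
    # {"quantity": true} must not reach the database as 1.
    if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
        return 422, {"error": "invalid data"}             # data validity
    return 200, {"order_id": 1, "quantity": qty}


# Error-code table the API developer shares with QA (constructed for this example).
EXPECTED_CODES = {"endpoint_down": 503, "bad_token": 401, "wrong_format": 400,
                  "invalid_data": 422, "bool_quantity": 422, "valid_message": 200}

# One probe per condition: (token, body, endpoint_up).
PROBES = {
    "endpoint_down": (API_TOKEN, b'{"quantity": 1}', False),
    "bad_token":     ("wrong-token", b'{"quantity": 1}', True),
    "wrong_format":  (API_TOKEN, b'{"quantity": ', True),
    "invalid_data":  (API_TOKEN, b'{"quantity": "-5"}', True),
    "bool_quantity": (API_TOKEN, b'{"quantity": true}', True),
    "valid_message": (API_TOKEN, b'{"quantity": 3}', True),
}


def verify_error_contract(api=handle_request) -> dict:
    """Drive every probe through `api`; return {case: (expected, actual)} for each
    status that deviates from the shared table. An empty dict means the contract holds."""
    mismatches = {}
    for case, (token, body, up) in PROBES.items():
        status, _ = api(token, body, up)
        if status != EXPECTED_CODES[case]:
            mismatches[case] = (EXPECTED_CODES[case], status)
    return mismatches


def lax_api(token, body, up=True):
    """Deliberately weaker variant that skips data validation, to show what the
    contract check catches: bad quantities would be written to the database."""
    status, payload = handle_request(token, body, up)
    if status == 422:
        return 200, {"order_id": 1, "quantity": json.loads(body).get("quantity")}
    return status, payload
```

Running `verify_error_contract()` against the strict endpoint returns an empty dict, while `verify_error_contract(lax_api)` reports the two data-validity cases that now slip through with a 200.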

A CISO Offers Insights on Managing Vendor Security Risks

"You should absolutely be applying some third-party risk assessment methodology," Decker stresses in an interview with Information Security Media Group. "Look at these third-party organizations and understand what type of security practices they have in place. You need to understand what kind of data you're putting into those systems and how important these third-party suppliers are to your operations." For inherently high-risk vendors, he says, organizations should "have a corresponding level of scrutiny and control around how those vendors are actually applying security around your systems, or as an entry point into your environment." Organizations need to ensure that the terms and conditions that they include in their contracts with vendors "not only have some technical components about the data that's going into their environment, [but also] the components where they're connecting to, a back channel," he says. They not only need to specify what kinds of controls they want vendors to have in place, but also "make sure there are the appropriate liabilities that are truly accounted for in that contract," he adds.

Quote for the day:

"Problem-solving leaders have one thing in common: a faith that there's always a better way." -- Gerald M. Weinberg
