Daily Tech Digest - October 06, 2021

Deep Learning's Diminishing Returns

While deep learning's rise may have been meteoric, its future may be bumpy. Like Rosenblatt before them, today's deep-learning researchers are nearing the frontier of what their tools can achieve. To understand why this will reshape machine learning, you must first understand why deep learning has been so successful and what it costs to keep it that way. ... Deep-learning models are overparameterized, which is to say they have more parameters than there are data points available for training. Classically, this would lead to overfitting, where the model not only learns general trends but also the random vagaries of the data it was trained on. Deep learning avoids this trap by initializing the parameters randomly and then iteratively adjusting sets of them to better fit the data using a method called stochastic gradient descent. Surprisingly, this procedure has been proven to ensure that the learned model generalizes well. The success of flexible deep-learning models can be seen in machine translation. For decades, software has been used to translate text from one language to another. Early approaches to this problem used rules designed by grammar experts.

IT security and cybersecurity: What's the difference?

Information technology focuses on the systems that store and transmit digital information. Cybersecurity, in contrast, focuses on protecting electronic information stored within those systems. Cybersecurity usually focuses on digital information and infrastructure. Infrastructure may include internet connections and local area networks that store and share information. In short, cybersecurity focuses on preventing hackers from gaining digital access to important data on networks, on computers, or within programs. Workers in IT and cybersecurity have varying job titles depending on their education, training, experience, and responsibilities. One subset of IT, IT security, focuses on protecting access to computers, networks, and information. IT security professionals may create plans to protect digital assets and monitor computer systems and networks for threats. They may also work to protect the physical equipment storing the data, along with the data itself. Another subset of IT, information security, focuses on securing data and systems against unauthorized access. 

How to quit your job and start your business in 90 days

Giving up is a straightforward decision that requires courage, boldness, and a strong belief in what you are about to do. But on the other hand, having a job you don't like can be the worst death sentence for your happiness and personal fulfillment. Quitting your job should be done wisely and in a balanced way, and building a business that replaces the security of income from your previous job is an art. ... Stopping working for someone else doesn't automatically make you able to work for yourself, but it does qualify you to try. Starting a business is like planning an expedition to Mount Everest. Climbing the highest peak in the world requires money, training, and a year of planning, and only 49% of those who attempt it make it to the top. A dream without a deadline is a wish. Sitting for months contemplating your idea is one of the worst passive tactics to avoid compromise. Set a date to quit your job and dedicate yourself full time to your business. Just as it is important to set a start date, it is just as important to designate an end date: a date on which, with maturity and wisdom, you can say "this is not working."

How one coding error turned AirTags into perfect malware distributors

“Security consultant and penetration tester Bobby Rauch discovered that Apple's AirTags — tiny devices which can be affixed to frequently lost items like laptops, phones, or car keys — don't sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target's parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag,” the publication reported. “This kind of attack doesn't need much technological know-how — the attacker simply types valid XSS into the AirTag's phone number field, then puts the AirTag in Lost mode and drops it somewhere the target is likely to find it. In theory, scanning a lost AirTag is a safe action — it's only supposed to pop up a webpage at https://found.apple.com/. The problem is that found.apple.com then embeds the contents of the phone number field in the website as displayed on the victim's browser, unsanitized.” The worst part about this hole is that the damage it can inflict is only limited by the attacker’s creativity. 
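Added here to illustrate the rendering defect the quoted report describes (this is example code, not code from the report, from Rauch, or from Apple): a toy "lost item" page that embeds an owner-supplied contact field, first by raw concatenation and then with HTML escaping. The page wording, the function names and the sample inputs are assumptions.

```javascript
// Added example, not the article's or Apple's code. Models a lost-item page that
// embeds an owner-supplied contact field. renderLostPageUnsafe reproduces the
// defect described above (field concatenated into HTML unchanged); renderLostPageSafe
// HTML-escapes the field first. Function and page names are hypothetical.

// Escape the five characters that can alter HTML structure or break out of an
// attribute value. '&' goes first so the entities emitted later are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: whatever the item owner typed lands in the page as live markup.
function renderLostPageUnsafe(contact) {
  return `<p>This item is lost. Contact the owner at: ${contact}</p>`;
}

// Hardened: the same field is rendered as inert text, so markup is displayed, not parsed.
function renderLostPageSafe(contact) {
  return `<p>This item is lost. Contact the owner at: ${escapeHtml(contact)}</p>`;
}

// Review check: true when an untrusted field containing a tag survives verbatim
// in the rendered page, i.e. the renderer did not neutralise it.
function fieldLeaksMarkup(html, untrusted) {
  return /<[a-zA-Z!\/]/.test(untrusted) && html.includes(untrusted);
}

// Constructed sample inputs: a normal phone number and a field carrying markup.
const SAMPLE_PHONE = "+1 555 0100";
const SAMPLE_MARKUP = "<b>call me</b>";
```

For a plain phone number both renderers produce identical output, so escaping costs nothing for legitimate data; only the field that carries markup is treated differently.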

Why today’s cybersecurity threats are more dangerous

Unlike 20 years ago, when even extensive IT systems were comparatively standalone and straightforward, the interdependencies of systems now make dealing with and defending against threats a much more difficult proposition. "The core problem here is complexity and our interdependence," Snyder said. "That is something that we're not going to move away from because that is providing us flexibility and functionality and all these other critical functions that we need. We've got a growing problem here." One new variable thrown into the digital mix is the meteoric growth of ransomware, which makes it appear that cyberattacks are getting worse. "I think that the ransomware attackers have found a perfectly successful illegitimate business model," Rand Corporation researcher Jonathan Welburn said. "Every time there's a large-scale attack, we see that [victims] issue a payment, and it solves the problem. It's a really good advertisement for that business model." Jay Healey, a senior research scholar at Columbia University, said that at one level, cybersecurity risks are unchanged from what they were two decades ago. "We've been here before," he said.

The insecure application conundrum: how to stop the influx of vulnerable applications

The fundamental root cause of application insecurity can be attributed to the fact that security awareness training for developers is virtually non-existent. Developers do not willingly deploy applications in the hope that exploits are never found. Instead, there is still a lack of exposure and experience that plays a part in their not understanding the actual severity of some of the vulnerabilities. At the same time, there is a global shortage of experienced developers, as evidenced by the fact that vacancies for application development security developers are set to grow 164% in the next five years. Finding an experienced developer with a rounded skillset is like finding a needle in a haystack. As a result, for businesses, there is more economic value in investing in the training of developers in cyber security to build their competence at secure development methods, linked to their business. In essence, there are two major ways to distinguish how vulnerabilities are caused – through technical vulnerabilities and business logic flaws.

Facebook outage was a series of unfortunate events

Facebook says the root cause of its outage Monday involved a routine maintenance job gone awry that rendered its DNS servers unavailable, but first the entire Facebook backbone network had crashed. To make matters worse, the loss of DNS made it impossible for Facebook engineers to remotely access the devices they needed to reach in order to bring the network back up, so they had to go into the data centers to manually restart systems. That slowed things down, but they were slowed down even more because the data centers have safeguards in place to make tampering hard—for anybody. “They’re hard to get into, and once you’re inside, the hardware and routers are designed to be difficult to modify even when you have physical access to them,” according to a Facebook blog written by Santosh Janardhan, the company's vice president of engineering and infrastructure. It took time, but once the systems were restored, the network came back up. Restoring the customer-facing services that run over the network was another lengthy process, because turning them up all at once could cause another round of crashes.

The Three Symptoms of Toxic Leadership and How to Get Out of It

Toxicity has eaten deep into the very fabric of what is standard in the workplace. Why is it okay for people to use swear words and hate on one another, but not okay to use words such as love and appreciation? Why is what is supposed to be the norm now considered or seen as being “out there”? That's not right, and a change in this thought pattern is long overdue. Now is the time to educate everyone on the importance of speaking right, doing right, treating each other right in the workplace, and above all, being a nontoxic leader. It’s time we stop being toxic leaders and take action. Once I started studying and analyzing my own toxic traits, I was able to come out of it. And now, I help other successful leaders in tech do the same. For example, I was once working with an engineering manager at a start-up company. She worked around the clock to provide everything for her team. She did sufficient training, was nice to everyone, and provided all the support she possibly could.

Hybrid work: 9 ways to encourage healthy team conflict

Diversity of thought leads to better solutions in the end. “Leaders of high-performing teams consistently convey the importance of conflict and push the team to engage in constructive debate, even to the point that the tension makes team members uncomfortable, to generate the best decisions,” says Andy Atkins, practice leader at BTS Boston. This can be trickier in the hybrid world. “It is more difficult to gauge team members’ reactions, or test the temperature in the room, and it is easier for team members themselves to withdraw from the conversation,” says Atkins. Therefore, leaders must be more deliberate in creating a culture that encourages speaking up. The most successful leaders not only model the willingness to face conflict themselves, but also help team members express their own points of view. “It helps if the team leader takes care to reserve his or her own observations in discussions to allow others to speak first, and to deliberately draw out different opinions around the table before moving on,” says Atkins.

Critical infrastructure IoT security: Going back to basics

Ultimately, IoT devices weren’t built with security in mind. The vast majority of IoT devices tend to be poorly secured, often running out-of-date software or using default security configurations, which makes them vulnerable targets for threat actors. The fact is that until the last 5 or 10 years, security wasn’t even considered as a part of developing OT. It’s not as if a hospital buys a new MRI machine every year, so the 10-year-old MRI machine in the hospital is still highly vulnerable, since it was built at a time when security wasn’t important or thought of. It is unsurprising that the vulnerability of IoT, and of the critical infrastructure landscape as a whole, to cyberattacks is becoming a growing concern within the security community, and recent attacks on the sector have proven the need to ramp up security efforts. Even though IoT is becoming an increasing target, the focus of many recent attacks is on OT infrastructure. For that reason, the critical infrastructure industry must take a security-first stance to secure their operations.

Quote for the day:

"Leaders keep their eyes on the horizon, not just on the bottom line." -- Warren G. Bennis
