Daily Tech Digest - January 27, 2022

The metaverse: Where we are and where we’re headed

The underpinnings of the metaverse have already taken the gaming industry by storm, because gaming is where virtual experiences have been the most immersive. In fact, there’s almost a separate conversation happening in gaming, where virtual interaction and things like NFTs and cryptocurrencies are spawning a creator and gamer economy that hasn’t yet impacted the enterprise. Bitter rivalries exist in gaming, as evidenced by the legal battle between Apple, which wants to charge 30% for access to its app store, and game maker Epic, which needs to access the iPhone because it’s such a compelling format for gaming but refuses to pay that tax. Many gamers dream of a connected network of always-on 3D virtual worlds where you can port your gaming profile anywhere. But that’s not going to happen anytime soon, given that virtual spaces are owned by different companies. And besides, a cross-gaming metaverse doesn’t fully encapsulate the metaverse’s full potential – the one that will transform just about every industry. While forecasting the exact form of the coming metaverse is impossible, the seeds are being sown today.

Best Practices: 5 Risks To Assess for Secure CI Pipeline

If you’re an experienced software engineer or security professional, you’ve probably heard of API keys leaking from public code repositories. Maybe you’ve even experienced your own secrets getting leaked after accidentally committing them to an open-source project. Depending on the type of secret that was leaked, it could end up being a costly mistake. The best way to protect your secrets is to practice good secret management. A good start is to use secret management tools like Azure Key Vault or Amazon KWS that provide secure storage and identity-based access (learn more here). Using GitHub’s built-in repository secrets manager also works well depending on your use case, but it isn’t as feature-rich as a true key management service. Another must-have for secret management is a tool that can tell you right away if you accidentally commit a secret to your codebase. There are some different options out there, but secret detection is GitGuardian ‘s specialty. It has hundreds of built-in secret detectors and is free for open-source projects. Knowing right when you accidentally expose your secrets is crucial in protecting yourself and your code.

How hybrid working is impacting operational efficiency

The advent of the Omicron variant has been a watershed moment in the story of the pandemic, cementing the idea that restrictions, changed habits, and new workplace practices such as hybrid working aren’t going away any time soon. This realisation has clearly been felt by Google, which is – according to recent reports – in the process of investing £730 million into a reinvigorated work environment that places a heavy emphasis on hybrid working culture. Google’s multi-million-pound purchase and refurbishment of Central Saint Giles will include inclusive meeting rooms for the purposes of hybrid working, in addition to more spacious and partially outdoor areas that have clearly been inspired by pandemic life. By proactively investing in this kind of undertaking, Google is leading the way in looking beyond discussions of whether hybrid working is [or is not] a practice worth pursuing, choosing instead to focus on the workplace practicalities of hybridity. These practicalities demand urgent and comprehensive thought in order for organisations to improve, discover, or regain satisfactory levels of operational efficiency which, as we have found in our clients, may have been eroded due to hybrid working.

Decentralized Web3 Computing Is Key To Scaling The Metaverse

Because metaverses are digital worlds where users interact with each other and software programs in a three-dimensional space, they are also complex systems that require copious computing resources to run their 3D worlds and advanced AI algorithms. Their collection of interconnected applications and services will allow users to freely move between cross-chain visual worlds, requiring highly-distributed and powerful compute power for reliability. The metaverse will also be a critical piece of Web3, providing users with access to blockchain-based applications and services as well as new decentralized applications (dApps) to be built that were never possible before. Fortunately, this infrastructure for a powerful, secure, and scalable computing cloud based on blockchain is already in place and embedded into modern microprocessors. The foundation of this infrastructure is called a trusted execution environment or TEE-based privacy technology. TEE is a secure area of a microprocessor that can provide confidential and isolated application execution while creating a blockchain compute 

Data Quality, Data Stewardship, Data Governance: Three Keys

Quality cannot be measured or improved if definitions and rules aren’t clear, if valid values aren’t clear, if the context is missing, or if there’s no shared understanding of what quality data is.Hopper showed a record with multiple unlabeled fields, illustrating the value of context in understanding data, as well as the importance of consistent terminology shared by business users. “Field 1” just isn’t enough, she said. ... A steward works to protect a valuable resource and ensures the health and sustainability of that resource, she said. ... A steward provides ongoing monitoring and maintenance of data assets, and in most organizations, they focus on quality, because in the end that quality translates into usability, she said. ... Many organizations are unclear about whether data stewards live in the business or in IT, but it’s important to understand that there are different types of data stewards. Some are more business-focused, working with business terms, definitions, and rules, and so they become the go-to person to help business users with a quality issue.

Digital IDs under attack: How to tackle the threat?

A key objective of the eIDAS regulation is to secure electronic identification and authentication in cross-borders online services offered within Member States. Today’s publications support the achievement of this objective of the regulation. In addition, the regulation also addresses identity proofing in the different contexts where trust in digital identities is necessary and elaborates on qualified certificates to allow for other identification methods. The area of identification has seen a new trend emerge over the past few years in the self-sovereign identity technologies also referred to as SSI. The report explains what these technologies are and explores their potential to achieve greater control of users over their identities and data, cross-border interoperability, mutual recognition and technology neutrality as required by the eIDAS regulation. The report on remote identity proofing builds on the previous report Remote ID Proofing of ENISA, which makes an analysis of the different methods used to carry out identity proofing remotely. The new report analyses the different types of face recognition attacks and suggests countermeasures.

Report: Access Broker Exploiting VMware Log4j Vulnerability

The BlackBerry researchers say attackers most commonly use encoded PowerShell commands to download a second-stage payload to victimized systems, after using the Log4j flaw to first gain access. They warn that in some cases, the threat actors also attempted to use the curl.exe binary file to download additional files to the system - and attempted to execute the downloaded content using the Windows Subsystem for Linux bash utility. They say multiple cryptominers were identified after successful exploitation - and in one case, PowerShell was used to download and execute the "xms.ps1" file containing a cryptominer. The researchers say the script then created a Scheduled Task to establish persistence and to store command-and-control and wallet configurations. The cybersecurity firm also "discovered instances where a webshell file was injected into absg-worker.js, and the VMBlastSG service restarted to allow for connections to the webshell." BlackBerry also calls the threat actors in these cases "tidy" - citing cleanup actions taken following miner installation.

IT leadership: 3 practices to let go of in 2022

Historically, IT problems have been addressed in a reactive manner. A help desk ticket arrives, and an MSP then initiates an investigation into the issue. That methodology is akin to finding a needle in a haystack, especially if it is a global or regional issue. It requires going into your in-house server to backtrack the issue, resulting in lost productivity and excess effort on the part of MSPs to find and resolve the problem. A cloud-based solution eliminates manual exploration and remediation of help desk issues. Many offer alert prioritization features, enabling IT to clearly see the most urgent issues and address them in a more proactive and efficient way. If there are multiple outages in multiple locations, these solutions allow MSPs to triage issues. That’s more, cloud-based services can be designated for hybrid, public, or private hosting. This eliminates the need for antiquated in-house servers, which are vulnerable to system crashes and lost data as well as costly repairs and maintenance. 

Getting proactive about reactance

As the return-to-work conundrum suggests, reactance isn’t triggered by change per se. It is triggered when change bumps up against established norms, beliefs, or expectations, as is often the case with corporate change initiatives—which may help explain why failure rates for such programs are usually pegged at around 70%. “If people have a structured belief and you try to change that belief, that is a moment when people are very inclined to feel reactance. The stronger that belief, the stronger the pushback,” Nordgren said. The natural inclination in such cases is to respond to reactance by making a more strident case for change and bolstering it with plenty of evidence. The problem with this approach, as seen time and again in the last couple of years, is that it raises the pressure to change, which in turn, creates a reactance flywheel. “To me, this is one of the most important ideas around reactance,” Nordgren explained. “If you believe in climate change and you’re dealing with someone who does not, or if you believe in vaccines and you’re dealing with someone who does not, the more evidence you throw at them, the more they fight against it. ...”

How the Financial Times Approaches Engineering Enablement

Teams at the FT have a lot of autonomy, within certain boundaries. The boundaries generally are where you want to make a change that has an impact outside your team, for example, when you want to introduce a new tool but something is already available, or where we get a lot of benefit as a department from having a single approach. ... Similarly, if you want to start shipping logs somewhere different, that has an impact on people’s ability to look at all the logs for one event in a single location, which can be important during an incident. Sometimes, teams need something for which there isn’t a current solution, and then they can generally try something out. For a completely new vendor, teams need to go through a multi-step procurement process - but teams can go through a shorter process while they are doing evaluation, provided they aren’t planning to do something risky like send PII data to the vendor. Teams do use their autonomy. They make decisions about their own architecture, their own libraries and frameworks.

Quote for the day:

"A true dreamer is one who knows how to navigate in the dark." -- John Paul Warren

No comments:

Post a Comment