Daily Tech Digest - July 09, 2022

Ray Kurzweil Wants to Upload Your Brain to the Cloud

Well, this can go one of two ways. Either this brain/cloud situation will be an incredibly beneficial superpower, or it could be just another farming device for data mining and ad sales. My take: If it’s a beneficial superpower then it won’t be given to the general public. Superpower for the rich. Farming device for the regular people. And thank you very much but I am farmed enough. My Hinge updates don’t need to be sent to my cerebellum. I can’t talk about taking a trip to Costa Rica without flights popping up on my phone. I’m grateful for the ways technology has touched my life but let me remind people about the Flo app. This is a period and fertility tracking app that settled with the FTC in May for selling its users’ personal health data without their knowledge. While there are definitely huge potential advances that could be made from brain/cloud merges, I can only think of social media companies that are designed to addict us, with at least one of these apps in the recent past tracking our eye movements to see what we liked so we could be coaxed to spend more time using it. It’s not all bad but I am not looking to plug in forever. And I don’t trust these companies to do good.


NIST’s pleasant post-quantum surprise

To understand the risk, we need to distinguish between the three cryptographic primitives that are used to protect your connection when browsing on the Internet:

Symmetric encryption - With a symmetric cipher there is one key to encrypt and decrypt a message. They’re the workhorse of cryptography: they’re fast, well understood and luckily, as far as is known, secure against quantum attacks. ... Symmetric encryption alone is not enough: which key do we use when visiting a website for the first time? We can’t just pick a random key and send it along in the clear, as then anyone surveilling that session would know that key as well. You’d think it’s impossible to communicate securely without ever having met, but there is some clever math to solve this.

Key agreement - also called a key exchange, allows two parties that never met to agree on a shared key. Even if someone is snooping, they are not able to figure out the agreed key. Examples include Diffie–Hellman over elliptic curves, such as X25519. The key agreement prevents a passive observer from reading the contents of a session, but it doesn’t help defend against an attacker who sits in the middle and does two separate key agreements: one with you and one with the website you want to visit.


Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover

The first bug involved the common feature found in mobile apps that allow users to log in using an external service, like Apple ID, Google, Facebook, or Twitter. In this case, the researchers examined the "log in with Google" option — and found that the authentication token mechanism could be manipulated to accept a rogue Google ID as being that of the legitimate user. The second bug allowed researchers to get around two-factor authentication. A PIN-reset mechanism was found to lack rate-limiting, allowing them to mount an automated attack to uncover the code sent to a user's mobile number or email. "This endpoint does not contain any sort of rate limiting, user blocking, or temporary account disabling functionality. Basically, we can now run the entire 999,999 PIN options and get the correct PIN within less than 1 minute," according to the researchers. Each security issue on its own provided limited abilities to the attacker, according to the report. "However, an attacker could chain these issues together to propagate a highly impactful attack, such as transferring the entire account balance to his wallet or private bank account."
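The PIN-reset weakness quoted above, as an added example that is not code from the report or from the affected product: a verifier with the controls the researchers say the endpoint lacked (a per-PIN attempt limit, a temporary lockout and single-use codes), plus a sweep that shows the lockout caps a 999,999-guess run at a handful of attempts. Class and function names, the 5-attempt limit and the 15-minute lockout are this example's own choices.

```python
# Added example, not code from the report or the affected product: a PIN-reset
# verifier with the controls the quoted endpoint lacked (attempt limit, temporary
# lockout, single-use code), plus a sweep showing the lockout bounds guessing.
import hmac, time

MAX_ATTEMPTS = 5           # wrong guesses allowed per issued PIN (example value)
LOCKOUT_SECONDS = 15 * 60  # account lock after that many failures (example value)

class PinResetVerifier:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so tests can fast-forward
        self._pins = {}            # account -> outstanding 6-digit PIN
        self._state = {}           # account -> (failed_attempts, locked_until)

    def issue(self, account: str, pin: str) -> None:
        self._pins[account] = pin
        self._state[account] = (0, 0.0)

    def verify(self, account: str, guess: str) -> str:
        failed, locked_until = self._state.get(account, (0, 0.0))
        if self._now() < locked_until:
            return "locked"                      # refuse without even comparing
        expected = self._pins.get(account)
        if expected is not None and hmac.compare_digest(expected, guess):
            self._pins.pop(account); self._state.pop(account, None)  # single use
            return "ok"
        failed += 1
        if failed >= MAX_ATTEMPTS:
            self._pins.pop(account, None)        # burn the PIN; user must re-request
            self._state[account] = (0, self._now() + LOCKOUT_SECONDS)
            return "locked"
        self._state[account] = (failed, locked_until)
        return "wrong"

def sweep_all_pins(verifier: PinResetVerifier, account: str):
    """Try every 6-digit PIN in order; return (attempts made, PIN found?)."""
    for n in range(1_000_000):
        result = verifier.verify(account, f"{n:06d}")
        if result != "wrong":
            return n + 1, result == "ok"
    return 1_000_000, False
```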


How To Become A Self-Taught Blockchain Developer

The Blockchain developer must provide original solutions to complex issues, such as those involving high integrity and command and control. The developer also performs complex analysis, design, development, testing and debugging of computer software, especially for specific product hardware or for companies' technical service lines. Developers carry out computer system selection, operating architecture integration, and program design. Finally, they use their understanding of one or more platforms and programming languages while operating on a variety of systems. There will undoubtedly be challenges for the Blockchain developer. For instance, the developer must fulfill the criteria of a Blockchain development project despite using old technology and its restrictions. A Blockchain developer needs specialized skills due to the difficulties in understanding the technological realities of developing decentralized cryptosystems, processes that are beyond the normal IT development skill-set.


Machine learning begins to understand human gut

While human gut microbiome research has a long way to go before it can offer this kind of intervention, the approach developed by the team could help get there faster. Machine learning algorithms are often produced with a two-step process: accumulate the training data, and then train the algorithm. But the feedback step added by Hero and Venturelli's team provides a template for rapidly improving future models. Hero's team initially trained the machine learning algorithm on an existing data set from the Venturelli lab. The team then used the algorithm to predict the evolution and metabolite profiles of new communities that Venturelli's team constructed and tested in the lab. While the model performed very well overall, some of the predictions identified weaknesses in the model performance, which Venturelli's team shored up with a second round of experiments, closing the feedback loop. "This new modeling approach, coupled with the speed at which we could test new communities in the Venturelli lab, could enable the design of useful microbial communities," said Ryan Clark, co-first author of the study, who was a postdoctoral researcher in Venturelli's lab when he ran the microbial experiments.


Jorge Stolfi: ‘Technologically, bitcoin and blockchain technology is garbage’

It is the only thing that blockchain could contribute: the absence of a central authority. But that only creates problems. Because to have a decentralized database you have to pay a very high price. You must ensure that all miners do “proof of work.” It takes longer, and it is not even secure because in the past there have been occasions where they have had to rewind several hours' worth of blocks to remove a bad transaction, in 2010 and 2013. The conditions that made that possible are still there and that’s why blockchain technology is a fraud: it promises to do something that people already know how to do. ... It is the only digital system that does not follow customary money laundering laws. That’s why criminals use it. Once you have paid a ransom, there is no way for the victim to cancel the payment and get the money back; not even the government can do it easily. It is anonymous and when a hacker encrypts your data, they do not have to enter your system directly, where they would leave a trace. He has botnets, computers that he has already hacked, so tracking him down is difficult.


How to Write Secure Source Code for Proprietary Software

Source code is at the mercy of developers and anyone else who has access to it. That means limiting access to your source code and establishing security guidelines for those with access is vital for increasing security. It's also important to realize that insider threat actors aren't always malicious. Often, insider threats come from mistakes or negligent actions taken by employees. ... Outside threats come from outside of your development team. They may come from competitors that want to use the code to improve their own. Or they can come from hackers who will attempt to sell your source code or pick it apart looking for vulnerabilities. The point is, whether a leak comes from inside or outside threats, it can have terrible consequences. Source code leaks can lead to additional attacks, exposing large amounts of sensitive data. Source code leaks can also lead to financial losses by giving competitors an advantage. And your customers will think twice before dealing with a developer that has exposed valuable customer data in the past.


How IoT and digital twins could help CIOs meet ESG pledges

This inevitably leads to accusations of greenwashing, where marketing departments hijack the ambitions of organisations before any serious, robust plan is in place. For CIOs tasked with bringing down emissions and adhering to targets, this can be a huge problem. A recent IBM CEO study finds that CEOs are coming under increasing pressure from stakeholders to act on sustainability. It cites “frustrations” with organisations’ “all talk and no action”. Culture is seen as a significant issue in hampering any attempts to co-ordinate carbon emission strategies. “If you want to avoid the trap of greenwashing, it needs to start with the CEO,” says Alicia Asín, CEO of Libelium, an IoT business based in Zaragoza, Spain. Asín, speaking on a panel at IoT World Congress, added that this creates a culture where the whole organisation needs to look at the design and sustainability credentials of every technology offering for every sustainable project. She used an example of a farm customer that is using IoT to reduce the amount of water in irrigation and to reduce the level of pesticides being used on their crops.


GitHub Copilot is the first real product based on large language models

The success of GitHub Copilot and Codex underlines one important fact. When it comes to putting LLMs to real use, specialization beats generalization. When Copilot was first introduced in 2021, CNBC reported: “…back when OpenAI was first training [GPT-3], the start-up had no intention of teaching it how to help code, [OpenAI CTO Greg] Brockman said. It was meant more as a general purpose language model [emphasis mine] that could, for instance, generate articles, fix incorrect grammar and translate from one language into another.” But while GPT-3 has found mild success in various applications, Copilot and Codex have proven to be great hits in one specific area. Codex can’t write poetry or articles like GPT-3, but it has proven to be very useful for developers of different levels of expertise. Codex is also much smaller than GPT-3, which means it is more memory and compute efficient. And given that it has been trained for a specific task as opposed to the open-ended and ambiguous world of human language, it is less prone to the pitfalls that models like GPT-3 often fall into.


LockBit explained: How it has become the most popular ransomware

After obtaining initial access to networks, LockBit affiliates deploy various tools to expand their access to other systems. These include credential dumpers like Mimikatz; privilege escalation tools like ProxyShell; tools used to disable security products and various processes, such as GMER, PC Hunter and Process Hacker; network and port scanners to identify Active Directory domain controllers; and remote execution tools like PsExec or Cobalt Strike for lateral movement. The activity also involves the use of obfuscated PowerShell and batch scripts and rogue scheduled tasks for persistence. Once deployed, the LockBit ransomware can also spread to other systems via SMB connections using collected credentials as well as by using Active Directory group policies. When executed, the ransomware disables Windows volume shadow copies and deletes various system and security logs. The malware then collects system information such as hostname, domain information, local drive configuration, remote shares and mounted storage devices, and then starts encrypting all data on the local and remote devices it can access.
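The pre-encryption behaviours described above (shadow-copy deletion, log clearing, encoded PowerShell, scheduled-task persistence) as detection logic, an added example that is not from the article or any vendor product: a small matcher run over constructed process-creation records, with a triage step that raises hosts where shadow-copy deletion and log clearing occur together. The sample events, rule names and the `HIGH_PRIORITY_PAIR` grouping are this example's own constructions, and the patterns are illustrative rather than a complete rule set.

```python
# Added example, not from the article or any vendor product: a small matcher over
# constructed process-creation records (host, image, command line) that flags the
# post-access behaviours described above. Patterns are illustrative, not a full rule set.
import re

# Constructed sample events in the shape of Sysmon EID 1 / Windows 4688 fields.
SAMPLE_EVENTS = [
    ("host1", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("host1", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ("host1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -enc QQBCAEMA"),            # placeholder payload
    ("host2", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe"),
    ("host2", r"C:\Windows\System32\notepad.exe", r"notepad C:\Users\bob\notes.txt"),
]

RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\w", re.I),
    "encoded_powershell": re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s", re.I),
    "scheduled_task_created": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
}
# Behaviours that, seen together on one host, indicate pre-encryption staging.
HIGH_PRIORITY_PAIR = {"shadow_copy_deletion", "event_log_cleared"}

def match_rules(events):
    """Return {host: set(rule names)} for every event that matched a rule."""
    hits = {}
    for host, _image, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.setdefault(host, set()).add(name)
    return hits

def high_priority_hosts(events):
    """Hosts where both shadow-copy deletion and log clearing were observed."""
    return sorted(h for h, names in match_rules(events).items()
                  if HIGH_PRIORITY_PAIR <= names)
```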



Quote for the day:

"If you want people to to think, give them intent, not instruction." -- David Marquet
