Open source isn’t working for AI
It’s hard to trust AI if we don’t understand the science inside the machine. We
need to find ways to open up that infrastructure. Loukides has an idea, though
it may not satisfy the most zealous of free software/AI folks: “The answer is to
provide free access to outside researchers and early adopters so they can ask
their own questions and see the wide range of results.” No, not by giving them
keycard access to Facebook’s, Google’s, or OpenAI’s data centers, but through
public APIs. It’s an interesting idea that just might work. But it’s not “open
source” in the way that many desire. That’s probably OK. ... Because open source
is inherently selfish, companies and individuals will always open code that
benefits them or their own customers. Always been this way, and always will. To
Loukides’ point about ways to meaningfully open up AI despite the delta between
the three AI giants and everyone else, he’s not arguing for open source in the
way we traditionally did under the Open Source Definition. Why? Because as
fantastic as it is (and it truly is), it has never managed to answer the cloud
open source quandary—for both creators and consumers of software—that DiBona and
Zawodny laid out at OSCON in 2006.
Botnet malware disguises itself as password cracker for industrial controllers
What's weird is that the malware also deploys code to check the clipboard
contents for cryptocurrency wallet addresses, and silently rewrites those
details to point to another wallet so as to steal people's funds. Remember, this
is running on PCs normally connected to industrial equipment, so perhaps the
crooks behind this caper just grabbed some generic nasty to use. "Dragos
assesses with moderate confidence the adversary, while having the capability to
disrupt industrial processes, has financial motivation and may not directly
impact Operational Technology (OT) processes," the team wrote. The Sality
malware family has been around for almost two decades, first being detected in
2003, and can be commanded by its masterminds to perform other malicious
actions, such as attacking routers, F-Secure analysts wrote in a
report. Sality maintains persistence on the host PC through process
injection and file infection, and abusing Windows' autorun functionality to
spread copies of itself over USB, network shares, and external storage drives,
according to Dragos.
Rescale and Nvidia partner to automate industrial metaverse
The new partnership between Rescale and Nvidia will allow enterprises to connect
workflows between Rescale’s existing catalog of engineering and scientific
containers, Nvidia’s extensive NGC offerings, and enterprises’ standard
containers of their own models and supporting software. This new containerized
approach to engineering software means teams can specify the software libraries
and configurations that reflect industry best practices. The recent Nvidia and
Siemens partnership is an ambitious effort to bring together physics-based
digital models and real-time AI. Rescale’s announcement with Nvidia enhances
this partnership, as accelerated computing combined with high-performance
computing is the foundation that powers these use cases. For example,
enterprises can take advantage of Nvidia’s work on Modulus, which uses AI to
speed up physics simulations hundreds or thousands of times. Siemens estimates
that integrating physics and AI models could help save the power industry $1.7
billion in reduced turbine maintenance. The partnership could also make it
easier for companies to integrate other apps that work on these tools.
Uber Files leak shows why India’s approach to security and privacy matters
In the Uber Files investigation led by The Guardian under the International
Consortium of Investigative Journalists or ICIJ, the leaked documents provide
evidence of law breaking, lobbying world leaders, using stealth technologies to
evade raids and opaque algorithms deployed by the Uber Corporation in 2012-16.
In the documents, there have been instances where Uber executives have
sanctioned the use of stealth technologies like the ‘Kill Switch’ to evade
regulations and efforts of investigative agencies for a fair probe in India,
Belgium and other countries. On similar lines, reports indicate that e-commerce
giant Amazon spent more than Rs 8,000 crore in India on legal fees in 2018-20.
There are numerous incidents like these where regulators are in a Catch-22
situation of regulation and innovation. The Uber Files tell how technology
platforms deploy a multi-pronged strategy to subvert public opinion with
sponsored academic work, allying with public officials, and wilfully stifling
investigations of law enforcement agencies to dodge regulatory efforts for
better transparency, accountability and public scrutiny of their
architecture.
Is Microsoft’s VS Code really open source?
“Microsoft modifies VS Code in a way that a non-Microsoft VS Code fork can’t use
extensions from the official Microsoft VS Code store. Not only that, some of the
VS Code extensions developed and released by Microsoft will only work in the VS
Code released by Microsoft and won’t work on non-Microsoft VS Code forks,”
mentioned Ranatunge in his blog post. Microsoft has made similar moves in the
past. It modified the open-source cross-platform IDE MonoDevelop as Visual
Studio for Mac. The Visual Studio for Mac has three versions: for students,
professionals and enterprises. While the students’ version is free and supports
classroom learning, individual developers and small companies must log in via
IDE to access the other versions. In 2021, Microsoft abruptly removed the Hot
Reload functionality from the open-source .NET SDK, only to revoke it later as
it had enraged the .NET community. As stated, Microsoft follows an open-core
model for VS Code. Therefore, developers who want access to the full open source
code that is MIT licensed will have to download the code from the repository and
then build VS Code on their own.
Open source security needs automation as usage climbs amongst organisations
"OSS is not insecure per se…the challenge is with all the versions and
components that may make up a software project," he explained. "It is impossible
to keep up without automation and prioritisation." He noted that the OSS
community was responsive in addressing security issues and deploying fixes, but
organisations tapping OSS would have to navigate the complexity of ensuring
their software had the correct, up-to-date codebase. This was further compounded
by the fact that most organisations would have to manage many projects
concurrently, he said, stressing the importance of establishing a holistic
software security strategy. He further pointed to the US National Institute of
Standards and Technology (NIST), which offered a software supply chain framework
that could aid organisations in planning their OSS security response. Asked if
regulations were needed to drive better security practices, Liu said most
companies saw cybersecurity as a cost and would not want to address it actively
in the absence of any incentive.
How To Minimize the Impacts of Shadow IT on Your Business
Organizations looking to manage and mitigate the negative impacts of shadow IT
must first perform an internal audit. Cloud security applications such as
Microsoft’s Cloud App Security detect unsanctioned usage of applications and
data. But detecting shadow IT is only one part of the equation. Companies should
work to address the root causes. This may include optimizing communications
between departments – particularly the IT team and other departments. If one
department discovers a software solution that may be beneficial, they should
feel comfortable approaching the IT team. CIOs and IT staff should develop
processes that allow them to streamline software assessment and procurement.
They should be able to give in-depth reasons why a particular tool suggested by
a non-IT employee may be impracticable. Additionally, it is recommended that IT
staff suggest a better alternative if they reject a proposed tool. Organizations
should consider training non-IT staff in cybersecurity literacy and
awareness.
Gatling vs JMeter - What to Use for Performance Testing
There's a saying that every performance tester should know: "lies, damn lies,
and statistics." If they don't know it yet, they will surely learn it in a
painful way. A separate article could be written about why this sentence should
be the mantra in the performance test area. In a nutshell: median, arithmetic
mean, standard deviation are completely useless metrics in this field (you can
use them only as an additional insight). You can get more detail on that in this
great presentation by Gil Tene, CTO and co-founder at Azul. Thus, if the
performance testing tool only provides this static data, it can be thrown right
away. The only meaningful metrics to measure and to compare performance are the
percentiles. However, you should also use them with some suspicion about how
they were implemented. Very often the implementation is based on the arithmetic
mean and standard deviation, which, of course, makes them equally useless. ...
Another approach would be to check the source code of implementation yourself. I
regret that most of the performance test tools documentation does not cover how
percentiles are calculated.
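The gap described above, as an added example (not code from the article or from either tool): it compares percentiles read directly from recorded response times with the figures obtained from the arithmetic mean and standard deviation alone. The latency sample and function names are constructed for illustration.

```python
import math
import statistics

# Constructed sample: 1,000 response times in ms; 2% of requests stall.
LATENCIES_MS = [20] * 900 + [40] * 80 + [2000] * 20

def nearest_rank_percentile(samples, p):
    """Smallest recorded value with at least p% of samples at or below it."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]

def gaussian_percentile(samples, p):
    """Percentile 'derived' from mean and standard deviation alone,
    which silently assumes the data is normally distributed."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples)
    return mean + statistics.NormalDist().inv_cdf(p / 100) * stdev

def compare(samples, percentiles=(50, 90, 95, 99)):
    """Return (p, measured, mean/stdev estimate) rows for side-by-side reading."""
    return [(p, nearest_rank_percentile(samples, p),
             round(gaussian_percentile(samples, p), 1)) for p in percentiles]

if __name__ == "__main__":
    for p, measured, estimated in compare(LATENCIES_MS):
        print(f"p{p}: measured {measured} ms, mean/stdev estimate {estimated} ms")
```

On this long-tailed sample the estimate overstates p90 roughly twentyfold and understates p99 by almost two thirds, which is why a tool's percentile implementation is worth checking.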
BlackCat Adds Brute Ratel Pentest Tool to Attack Arsenal
Sophos investigators found that the attacker used commercially available tools
such as AnyDesk and TeamViewer and also installed nGrok, an open-source remote
access tool. "The attackers also used PowerShell commands to download and
execute Cobalt Strike beacons on some machines, and a tool called Brute Ratel,
which is a more recent pen-testing suite with Cobalt Strike-like remote access
features," Brandt says. Sophos researchers found that the Brute Ratel binary was
installed as a Windows service named wewe on an affected machine. One of the
bigger challenges for the Sophos investigators was that some of the targeted
organizations were running the same servers that were compromised using the
Log4j vulnerability. Apart from ransoming systems on the network, the threat
actors collected and exfiltrated sensitive data from the targets and uploaded
large volumes of data to Mega, a cloud storage provider. The attackers used a
third-party tool called DirLister to create a list of accessible directories and
files, or in some cases used a PowerShell script from a pen tester toolkit,
called PowerView.ps1, to enumerate the machines on the network.
Removing the blind spots that allow lateral movement
One of the biggest challenges of lateral movement detection is its low anomaly
factor. Lateral movement attacks exploit the gaps in an organization’s user
authentication process. Such attacks tend to remain undetected because the
authentication performed by the attacker is essentially identical to the
authentication made by a legitimate user. Following the initial “patient zero”
compromise, the attacker uses valid credentials to log in to organizational
systems or applications. Therefore, the standard legacy IAM infrastructure in place
cannot detect any anomaly during this process, which allows attackers to
slip through and remain in the network undetected. Another key challenge is the
potential mismatch or disparity between endpoint and identity protection
aspects. Endpoint protection solutions are mainly focused on detecting anomalies
in file and process execution. However, the attacker gains access by exploiting
the legitimate authentication infrastructure, utilizing legitimate files and
processes. Therefore, it doesn’t appear on the radar of endpoint solutions.
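An added example (not from the article or any vendor product) of why per-login checks see nothing here while context across logins does: every record below is a successful authentication with valid credentials, and the only signal is one account reaching several destinations it has never used before within a short window. The log records, field names, 30-minute window and threshold of three are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, account, src, dst):
    return {"ts": datetime.fromisoformat(ts), "account": account, "src": src, "dst": dst}

# Constructed records; every one is a successful login with valid credentials.
BASELINE = [
    ev("2022-07-11T09:02:00", "j.doe", "WS-114", "FILESRV01"),
    ev("2022-07-12T09:05:00", "j.doe", "WS-114", "FILESRV01"),
    ev("2022-07-12T10:40:00", "svc-backup", "BKP01", "DB02"),
]
TODAY = [
    ev("2022-07-18T09:01:00", "j.doe", "WS-114", "FILESRV01"),   # seen before
    ev("2022-07-18T13:10:00", "j.doe", "WS-114", "DB02"),
    ev("2022-07-18T13:14:00", "j.doe", "WS-114", "HR-APP01"),
    ev("2022-07-18T13:21:00", "j.doe", "WS-114", "DC01"),
    ev("2022-07-18T14:00:00", "svc-backup", "BKP01", "DB02"),    # seen before
]

def find_fanout(baseline, events, window=timedelta(minutes=30), threshold=3):
    """Flag an account that reaches `threshold` never-before-seen destinations
    from one source inside `window`. Returns (account, src, [destinations])."""
    known = {(e["account"], e["src"], e["dst"]) for e in baseline}
    recent = defaultdict(list)      # (account, src) -> [(ts, dst)] of new pairs
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if (e["account"], e["src"], e["dst"]) in known:
            continue                # routine access, nothing new to weigh
        key = (e["account"], e["src"])
        recent[key] = [(t, d) for t, d in recent[key] if e["ts"] - t <= window]
        recent[key].append((e["ts"], e["dst"]))
        dests = sorted({d for _, d in recent[key]})
        if len(dests) >= threshold:
            alerts[key] = dests
    return [(acct, src, dests) for (acct, src), dests in alerts.items()]

if __name__ == "__main__":
    for account, src, dests in find_fanout(BASELINE, TODAY):
        print(f"{account} from {src}: first-time logins to {', '.join(dests)}")
```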
Quote for the day:
"Sport fosters many things that are good; teamwork and leadership" -- Daley Thompson