Google Launches Carbon, an Experimental Replacement for C++
While Carbon began as a Google internal project, the development team ultimately
wants to reduce contributions from Google, or any other single company, to less
than 50% by the end of the year. They ultimately want to hand the project off to
an independent software foundation, where its development will be led by
volunteers. ... The team wants to release a core working version (“0.1”) by
the end of the year. Carbon will be built on a foundation of modern programming
principles, including a generics system whose definitions are checked once rather
than re-checked at every instantiation, as C++ templates are. Another much-needed
feature lacking in C++ is memory safety: memory access bugs are one of the largest
sources of security exploits. Carbon's designers will look for ways to better track
uninitialized state, design APIs and idioms that support dynamic bounds checks,
and build a comprehensive default debug build mode. Over time, they plan to build
a safe Carbon subset. ... Carbon is for developers who already have large
codebases in C++, which are difficult to convert to Rust. Carbon is specifically
what Carruth called a “successor language,” one built atop an existing ecosystem,
in this case C++.
The Cost of Production Blindness
DevOps and SRE are roles that didn’t exist back then. Yet today they are often
essential for major businesses. They brought tremendous advancements in the
reliability of production, but they also brought a cost: distance. Production is
in the amorphous cloud, accessible from everywhere, yet it has never been further
away from the people who wrote the software powering it. We no longer have the
fundamental insight we took for granted a bit over a decade ago. Yes, and no. We
gave up some insight and control and got a lot in return: stability, simplicity
and security. These are pretty incredible benefits, and we don’t want to give
them up. But we also lost insight, debugging became harder, and complexity rose.
... Log ingestion is probably the most expensive feature in your application.
Removing a single line of log code can save thousands of dollars in ingestion
and storage costs. We tend to overlog because the alternative is production
issues that we can’t trace to their root cause. We need a middle ground: the
ability to follow an issue through without overlogging. Developer observability
lets you add logs dynamically into production as they are needed.
UK government introduces data reforms legislation to Parliament
Suggested changes included removing organisations’ requirements to designate
data protection officers (DPOs), ending the need for mandatory data protection
impact assessments (DPIAs), introducing a “fee regime” for subject access
requests (SARs), and removing the requirement to review data adequacy decisions
every four years. All of these are now included in the updated Bill in some
form. “We now have confirmation of what the UK’s post-GDPR data framework is
intended to look like,” said Edward Machin, a senior lawyer in Ropes &
Gray’s data, privacy and cyber security practice. ... “The GDPR isn’t perfect
and it would be foolish for the UK not to learn from those lessons in its own
approach, but it’s walking a tightrope between improvements to the current
framework and performative changes for the sake of ripping up Brussels red tape.
My initial impressions of the Bill are that the government has struck the
balance in favour of business and overlooked some civil society concerns, so I
would think that reduced rights and safeguards for individuals will be areas
that are targeted for revision before the Bill is finalised.”
Hackers can spoof commit metadata to create false GitHub repositories
Researchers found that a threat actor can tamper with commit metadata to make
a repository appear older than it is, or to make it look trustworthy because
reputable contributors appear to be maintaining it. It is also possible to
spoof the committer’s identity and attribute a commit to a genuine GitHub
account. This matters because developers building on open source often move
faster by skipping their own audit of third-party code when they believe its
source is reliable, choosing repositories that are actively maintained or whose
contributors look trustworthy. Checkmarx researchers explained in their blog
post that threat actors can manipulate the timestamps of commits listed on
GitHub. Fake commits can also be generated automatically and added to a user’s
GitHub activity graph, making the account look as though it has been active on
the platform for a long time. Because the activity graph counts contributions
to private as well as public repositories, an outside observer cannot inspect
the commits behind the count and so cannot discredit them.
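The forgery described above is nothing more exotic than git accepting whatever author, committer and date the client supplies. The script below is an added example, not code from the Checkmarx write-up or from GitHub: it builds a throwaway local repository with one honest commit and one commit whose identity and dates are spoofed (all names and addresses are constructed placeholders), then audits the history for the two signals a reviewer can still check offline: whether each commit carries a good signature (git's `%G?` format placeholder, which is also what GitHub’s “Verified” badge is based on, since that badge requires a signature from a key registered to the account), and whether a commit’s claimed author date predates the repository’s root commit. The date check is a heuristic only; rewritten or imported history can legitimately carry author dates older than the root commit, so treat a BACKDATED flag as a prompt to look, not as proof of forgery.

```shell
#!/bin/sh
# Added example (not from the Checkmarx research or GitHub): spoof commit
# metadata in a throwaway repo, then audit the log for signature status and
# backdated author dates. Identities below are constructed placeholders.
set -eu

# Create a repository with one honest commit and one spoofed commit.
make_spoofed_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c commit.gpgsign=false \
      -c user.name="Honest Dev" -c user.email="dev@example.invalid" \
      commit -q --allow-empty -m "initial"
  # git records whatever the client supplies; nothing here is verified.
  GIT_AUTHOR_NAME="Famous Maintainer" \
  GIT_AUTHOR_EMAIL="maintainer@example.invalid" \
  GIT_AUTHOR_DATE="2015-01-01 00:00:00 +0000" \
  GIT_COMMITTER_NAME="Famous Maintainer" \
  GIT_COMMITTER_EMAIL="maintainer@example.invalid" \
  GIT_COMMITTER_DATE="2015-01-01 00:00:00 +0000" \
    git -C "$dir" -c commit.gpgsign=false \
        commit -q --allow-empty -m "backdated feature"
  printf '%s\n' "$dir"
}

# Print one line per commit: "<sha> <author-email> [flags]".
# UNSIGNED: %G? is anything other than G (good signature).
# BACKDATED: author date is earlier than the root commit's commit date.
audit_commits() {
  repo=$1
  root=$(git -C "$repo" rev-list --max-parents=0 HEAD | tail -n 1)
  root_ct=$(git -C "$repo" show -s --format='%ct' "$root")
  git -C "$repo" log --format='%H %G? %at %ae' |
  while read -r sha sig at email; do
    flags=""
    [ "$sig" = "G" ] || flags="$flags UNSIGNED"
    [ "$at" -ge "$root_ct" ] || flags="$flags BACKDATED"
    printf '%s %s%s\n' "$sha" "$email" "$flags"
  done
}

# Number of commits carrying a given flag; what a CI gate would act on.
count_flag() {
  audit_commits "$1" | grep -c "$2" || true
}

# Usage: build the sample repository and print the audit.
repo=$(make_spoofed_repo)
audit_commits "$repo"
```

Run against the sample repository, both commits come back UNSIGNED and only the spoofed one BACKDATED. In a real review the useful gate is the signature: an unsigned commit attributed to a well-known maintainer proves nothing about who made it, whatever its date or avatar suggests.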
Hackers turn to cloud storage services in attempt to hide their attacks
The group is widely believed to be linked to the Russian Foreign Intelligence
Service (SVR), responsible for several major cyberattacks, including the
supply chain attack against SolarWinds, the US Democratic National Committee
(DNC) hack, and espionage campaigns targeting governments and embassies around
the world. Now they're attempting to use legitimate cloud services, including
Google Drive and Dropbox – and have already used this tactic as part of
attacks that took place between May and June this year. The attacks begin with
phishing emails sent out to targets at European embassies, posing as invites
to meetings with ambassadors, complete with a supposed agenda attached as a
PDF. The PDF is malicious and, if it worked as intended, it would call out to
a Dropbox account run by the attackers to secretly deliver Cobalt Strike – a
penetration-testing tool popular with malicious attackers – to the victim's
device. However, this initial call out was unsuccessful earlier this year,
something researchers suggest is down to restrictive policies on corporate
networks about using third-party services.
How Zero Trust can stop the catastrophic outcomes of cyberattacks on critical infrastructure
The impending necessity of Zero Trust should be recognised by every government
and CNI provider around the world if they are to have any hopes of mitigating
sophisticated attacks like ransomware. Critical Infrastructure is the backbone
of a country’s economy and social order. It is impossible to maintain a
sustainable society when sectors like emergency healthcare, energy
distribution, food and agriculture, education, and financial services are
constantly under disruptive threats. In May 2021, the US government issued an
executive order directing federal agencies to improve their cybersecurity
posture and recommending a move toward a Zero Trust architecture. Following
this order, the Pentagon launched a Zero Trust office in December 2021, and in
January 2022 President Biden further emphasised the urgency of the move by
requiring all federal agencies to achieve specific Zero Trust goals by the end
of fiscal year 2024.
Transparency in the shadowy world of cyberattacks
Focusing on the fundamentals of software security is in some ways more
important to raise all of us above the level of insecurity we see today. We
curate and use threat intelligence to protect billions of users, and have been
doing so for some time. But you need more than intelligence, and you need more
than security products; you need secure products. Security has to be built in,
not just bolted on. Aurora showed us that we (and many in the industry) were
doing cybersecurity wrong. Security back then was often “crunchy on the
outside, chewy in the middle.” Great for candy bars, not so great for
preventing attacks. We were building high walls to keep bad actors out, but if
they got past those walls, they had wide internal access. The attack helped us
recognize that our approach needed to change: that we needed to double down on
security by design. We needed a future-oriented network, one that reflected
the openness, flexibility, and interoperability of the internet, and the way
people and organizations were already increasingly working. In short, we knew
that we had to redesign security for the Cloud.
The importance of secure passwords can’t be emphasized enough
Mobile phones are a major and often overlooked concern. We found that 30% of
respondents do not use antivirus on their phones, meaning they are not
properly securing their devices. This is especially a concern because the
demographic most often on their phones is also the one least worried about
online threats and vulnerabilities. Password managers, passwords stored in an
electronic file, and passwords kept in physical form are used most often for
work devices and least often for personal phones. Autofill and password
managers are used most by 25- to 44-year-olds, while written-down passwords
are more common among those aged 55 to 65. But even if work accounts are
secure, that doesn’t mean sensitive work information doesn’t carry over onto
personal phones. Email and communication apps connected to work accounts are
often installed on personal devices, and if someone reuses the same passwords
across accounts, a compromise of their personal device means their work
accounts are compromised as well.
Unlocking the potential of AI to increase customer retention
A true AI-fuelled CRM goes beyond simple automation. To provide real benefit,
AI must aggregate data from multiple sources, including in-house sales,
marketing, and service tools. It needs to break down organisational silos to
identify patterns in interactions and offer deeper customer insights. Some
organisations feel they don’t have enough primary data
to build effective predictive models. There are vast amounts of organisational
data generated around a single customer or prospect. The trick is to leverage
a CRM that understands and captures all of these interactions in a format that
can fuel AI initiatives. By breaking down the silos between business units and
integrating all of the valuable data that they hold, organisations will be
able to benefit from the most advanced predictive models. This is often more
challenging than it should be to implement. Business systems are typically
good at providing a snapshot of an organisation on any given day, but they
aren’t usually as good at gathering historical information.
Burnout: 3 steps to prevent it on your team
Company culture doesn’t just happen. Leaders must actively maintain and shape
it, and keep looking for opportunities that empower employees to support and
contribute to it. Employee contributions can be as small as internal pulse
surveys or as large as designing new groups or initiatives. Think about
creating a club to encourage the workforce to participate in the hiring
process and weigh in on how candidates would mesh with internal teams. This
engagement would directly shape how the organization operates and builds
positive working environments for employees – no matter the physical or remote
work setting. By opening the door for employees to get involved and provide
input, leaders can identify signs of fatigue earlier, address pain points
before employees reach the pinnacle of exhaustion, and create a community that
motivates and engages the workforce. ... Too often, leaders view benefits as
the silver bullet to burnout. But benefits alone won’t cure feelings of
burnout. If your workforce is giving direct feedback on areas that need
improvement, simply listening is not enough. Take action to meet these needs
and make your actions known.
Quote for the day:
"Take time to deliberate; but when the time for action arrives, stop thinking and go in." - Andrew Jackson