Daily Tech Digest - December 12, 2023

The SEC action against SolarWinds highlights how tough it can get for CISOs

The SEC has accused Brown of misleading investors by not disclosing "known risks" and not accurately representing the company’s cybersecurity measures during and before the 2020 Sunburst cyberattack that affected thousands of customers in government agencies and companies globally. ... The claimed failures, including not abiding by the statements that the company made on its website regarding their patterns and practices for developing their software as well as password policies internal to the company. The SEC complains in its filings that the company did not disclose cybersecurity risks independently from other risks, given SolarWinds' role and industry, nor pay extra risk attention to targeted attacks and the disclosure needs surrounding them. ... The SEC also indicated that SolarWinds did not limit administrative access to those who needed access. Too often in developer networks administrative rights are used too widely and not limited. Internal staff expressed concerns that user access would lead to losses of organizational assets and personal data.

Deriving Actionable Insights and ROI from AI

To increase the ROI of AI, large language models (LLMs) must ingest clean and high-quality data for accurate, meaningful insights. This is only possible by investing in data discovery and data classification solutions and processes. Organizations will also face growing AI-related security challenges in 2024. This will lead them to set up guardrails that protect corporate and customer data. Businesses must also consider that company-specific or proprietary data ingested by LLMs could put organizations at risk if company financials or other private information are replicated to a public AI engine and exposed. ... There are many opportunities for businesses to benefit from AI; however, there also needs to be a rapid evolution of data classification and data life cycle management before businesses will be able to derive the value they expect from AI. This is especially important if companies are trying to justify ROI from their AI investment. Sustainability took a back seat during the pandemic and long after the worst of it passed, as organizations made major adjustments to operations and tried to find their new (or old) normal.

Startup Oxide Computer puts the ‘cloud’ back in on-prem private clouds

Oxide's main mission is to put the "cloud" back in private cloud computing. The company is built on the premise that you should be able to choose to rent or own cloud capacity, depending on the workload, not losing the benefits of cloud computing like elasticity when you choose the latter. To accomplish this, the Oxide team set out to build an entirely new cloud hardware rack that would deliver all of the advantages public cloud vendors enjoy, without sacrificing on control, efficiency, and flexibility. Another issue that limits private clouds is that many enterprises attempt to build their private clouds on Kubernetes. The problem is that Kubernetes was not designed for multitenancy, and, thus, it does not offer a true cloud experience. That's not a knock on Kubernetes, but the container orchestration software is typically deployed on top of bloated layers of software, adding complexity and making it difficult to manage at scale. ... According to Oxide, this design allows enterprises to be fully deployed within a few hours of unboxing the system, versus what typically takes weeks or months using the "kit car" build of OEM hardware.

We’re in a truly important phase of change due to the impact of artificial intelligence. In fact, I believe people have been quite amazed at how good it is. Even industry professionals have been quite surprised at how powerful it is. But it comes with dangers, and I think that’s the important point I talked about a few years ago and still find very important today; you really need to understand how this works to use it effectively, because you still have to understand that it works statistically, in the sense that it understands what the most probable words are to follow the paragraphs it has already seen. ... I think we will have to ask the question of whether we are developing a new species, whether this is an evolution of what we are doing, or whether we are going to have to consider a new hybrid species, which is probably the perspective of integrating artificial intelligence into our own species. Elon Musk is considering the idea with Neuralink. His response to the existential threat of artificial intelligence is that no, we must become it, we must integrate artificial intelligence and humans, which will generate new philosophical, social, and legal dilemmas in the future.

Quantum-Computing Approach Uses Single Molecules As Qubits For First Time

Some of the first demonstrations of the basic principles of quantum computing, in the late 1990s, used large numbers of molecules manipulated in a solution inside a nuclear magnetic resonance machine. Since then, researchers have developed a variety of other platforms for quantum computing, including superconducting circuits and individual ions held in a vacuum. Each of these objects is used as the fundamental unit of quantum information, or qubit — the quantum equivalent of the bits in classical computers. In the past few years, another strong contender has emerged, in which the qubits are made of neutral atoms — as opposed to ions — trapped with highly focused laser-beam ‘tweezers’. Now, two separate teams have made early progress towards using this approach with molecules instead of atoms. “Molecules have a bit more complexity, which means they offer new ways to both encode quantum information, and also new ways in which they can interact,” says Lawrence Cheuk

DevOps and Automation

Continuous Integration (CI) and Continuous Deployment (CD) are critical components of DevOps software development. CI is the practice of automating the integration of code changes from multiple contributors into a single software project. It is typically implemented in such a way that it triggers an automated build with testing, with the goals of quickly detecting and fixing bugs, improving software quality, and reducing release time. After the build stage, CD extends CI by automatically deploying all code changes to a testing and/or production environment. This means that, in addition to automated testing, the release process is also automated, allowing for a more efficient and streamlined path to delivering new features and updates to users. Docker and Kubernetes are frequently used to improve efficiency and consistency in CI/CD workflows. The code is first built into a Docker container, which is then pushed to a registry in the CI stage. During the CD stage, Kubernetes retrieves the Docker container from the registry and deploys it to the appropriate environment, whether testing, staging, or production. 

Unveiling the 'Willingness Pyramid' across generations and cities

The 'Willingness Pyramid' stands as a compelling representation of the shifting attitudes towards work models in bustling metropolises. At its core, it underscores a marked inclination towards the "only office" work model, with a notable emphasis on the younger, tech-savvy workforce in these urban hubs. For the emerging generations of Late millennials and Gen Z, the physical office environment is not merely a place of work but a dynamic space that fosters productivity, innovation, and collaboration. The younger workforce's enthusiastic embrace of the "only office" model is rooted in a confluence of factors. Raised in the digital age, these individuals have grown up with technology seamlessly integrated into their lives. As a result, they perceive the physical office as a hub for face-to-face interactions, spontaneous idea exchanges, and a breeding ground for innovation that cannot be fully replicated in remote settings. The office, for them, is not just a workplace but a social and creative nexus. This trend, however, exhibits a nuanced dynamic as we traverse through different age groups within the same urban landscapes.

Why FinOps Must Focus on Value, Not Just Cost

It’s not necessarily the fault of those teams. Rather, FinOps in its earliest iterations has suffered from some of the same problems that plagued its predecessors — namely, an approach to cost management that focuses on the “what” — how much the bill says you spent, and only after it arrives — versus the “why,” which should accurately reflect the business reasons for consuming cloud resources in the first place, as well as the results those choices produced. Moreover, FinOps, even while the name suggests tight collaboration, often still relies on fragmented and retroactive processes and information, according to Williams. ... Moving to a value-focused approach to FinOps is akin to the “shift left” mindset that is increasingly popular in security and other IT domains that have historically been dealt with via lagging indicators. Some organizations try mandating discipline with regard to cloud usage — the “do this or else” approach. “That never works,” Williams said. Instead, consumption policies and technical guardrails need to be implemented before resources are ever provisioned and deployed.

Researchers Unmask Sandman APT's Hidden Link to China-Based KEYPLUG Backdoor

"We did not observe concrete technical indicators confirming the involvement of a shared vendor or digital quartermaster in the case of LuaDream and KEYPLUG," Aleksandar Milenkoski, senior threat researcher at SentinelLabs, told The Hacker News. "However, given the observed indicators of shared development practices, and overlaps in functionalities and design, we do not exclude that possibility. Noteworthy is the prevalence of similar cases within the Chinese threat landscape, indicating there could be established internal and/or external channels for supplying malware to operational teams." "The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order," the researchers said. "The high-level execution flows of LuaDream and KEYPLUG are very similar." The adoption of Lua is another sign that threat actors, both nation-state aligned and cybercrime-focused, are increasingly setting their sights on uncommon programming languages like DLang and Nim to evade detection and persist in victim environments for extended periods of time.

The skills and traits of elite CTOs

Strategic thinking is essential for a CTO to align technology initiatives with the overall business strategy, Kowsari says. “A successful CTO should be able to set a clear technology vision, identify opportunities for innovation, and make informed decisions that drive the company’s growth,” he says. Without a strategic mindset, technology investments and initiatives might lack direction and fail to contribute to the organization’s success, Kowsari says. The ability to set and execute a vision is indeed a fundamental aspect of the CTO’s role, Clemenson says. “This encompasses aspects such as design, funding, efficient resource allocation, buy vs. build strategy, while simultaneously emphasizing short- and long-term considerations,” he says. At the same time, CTOs must be strong leaders. “CTOs are responsible for leading and managing technology teams,” Kowsari says. “Strong leadership and team-building skills are vital. Effective team management can lead to increased productivity, innovative solutions, and the successful execution of technology projects. It also helps retain top technical talent, which is essential in a competitive job market.”

Quote for the day:

"Don't be buffaloed by experts and elites. Experts often possess more data than judgement." -- Colin Powell

No comments:

Post a Comment