What’s the privacy tax on innovation?
A few decades ago, California had one of the strongest definitions for
certifying organic foods in the US. Eventually, the US government stepped in
with a watered-down definition. Despite the pain of new privacy controls, the US
data broker industry will lobby for a similar approach to at least harmonize
privacy regulations at the Federal level that limit the impact on their business
models when operating across state lines. For businesses and consumers, a more
equitable approach would be to add a few more teeth to the cost of data misuse
arising from legal sales, employee theft, or breaches. A few high-profile
payouts arising from theft or when this data is used as part of multi-million
dollar ransomware attacks on critical business systems would have a focusing
effect on better privacy management practices. Another option is to turn to
banks as holders of trust. Banks may be a good first point for managing the
financial data we directly share with them. But what about all the data that
others gather that may not be tied to traditional identifiers like social
security numbers (SSN) used to unify data, such as IP addresses, phone numbers,
Wi-Fi hubs, or the trail of GPS dots that gravitate to your home or office?
Living with the ghost of a smart home’s past
There were the window shades that always opened at 8AM and always closed at
sundown. My brother disconnected everything that looked like a hub, and still,
operating on some inaccessible internal clock, the shades carried on as they
were once programmed to do. ... This is the state of home ownership in 2024!
People have been making their homes smart with off-the-shelf parts for well over
a decade now. Sometimes they sell those homes, and the new homeowners find
themselves mired in troubleshooting when they should be trying to pick out wall
colors. Some former homeowners will provide onboarding to the home’s smart home
system, but most do as the guy who used to own my brother’s house did. They walk
away and leave it as an adventure for the next person. ... I really hope the new
renters of my old Brooklyn walk-up appreciate all the 2014 Philips Hue lights I
left installed in the basement. There’s a calculus you make as you’re moving.
It’s a hectic time, and there’s a lot to be done. Do you want to spend half the
day freeing all those Hue bulbs from their obnoxious and broken recessed light
housings, or do you want to leave a potential gift for the next homeowner and
get started on nesting in your new place?
Overcoming the AI Privacy Predicament
According to one study by Brookings, while 57% of consumers felt that AI will
have a net negative impact on privacy, 34% were unsure about how AI would affect
their privacy. Indeed, AI evokes a mixed set of thoughts and emotions in
consumers. For most people, the promise of AI is clear: from increasing
efficiency, to automating mundane tasks and freeing up more time for creative
work, to improving outcomes in areas such as healthcare and education. ... In
the realm of AI, the lack of trust is significant. Indeed, 81% of consumers
think the information collected by AI companies will be used in ways people are
uncomfortable with, as well as in ways that were not originally intended. That
consumers are put in a seemingly impossible predicament regarding their privacy
leaves them little choice but to a.) consent, or b.) forgo use of the product or
service. Both choices leave consumers wanting more from the digital economy.
When a new technology has negative implications for privacy, consumers have
shown they are willing to engage in privacy-protective behaviors, such as
deleting an app, withholding personal information, or abandoning an online
purchase altogether.
How Static Analysis Can Save Your Software
While static analysis is a means of pattern detection, fixing an actual bug (for
example, dereferencing a null pointer) is much harder, albeit possible. It
becomes mathematically difficult to track exponentially increasing possible
states. We call this “path explosion.” Say you’re writing code that, given two
integers, divides one by the other, and there are various failure modes
depending on the integers’ values. But what if the denominator is zero? That
results in undefined behavior, and it means you need to look at where those
integers came from, their possible values and what branches they took along the
way. If you can see that the denominator is checked against zero before the
division — and branches away if it is — you should be safe from division-by-zero
issues. This theoretical stepping through stages of code is called “symbolic
execution.” It’s not too complicated if the checkpoint is fairly close to the
division process, but the further away it gets, the more branches you must
account for. Crossing the function boundary gets even trickier. But once you
have calls from other translation units, the problem becomes intractable in the
general case.
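The path-explosion and symbolic-execution ideas above are easier to see on a toy. The following is an added example, not code from the article or from any static-analysis product: a tiny path-sensitive checker over a constructed intermediate representation (the statement forms, the program builders and the abstract values "zero", "nonzero" and "unknown" are all assumptions made for the illustration). It enumerates every branch path, refines what it knows about a denominator along each one, reports divisions whose denominator is not proven nonzero, and shows how an opaque call from another translation unit destroys the guarantee and how unrelated branches double the path count.

```python
"""Toy path-sensitive division-by-zero checker (illustrative, constructed IR)."""
from dataclasses import dataclass
from typing import List, Tuple

# Abstract facts about an integer variable on one path.
UNKNOWN, ZERO, NONZERO = "unknown", "zero", "nonzero"

# Constructed IR statements:
#   ("div", dst, num, den)                   dst = num / den
#   ("assign_const", dst, value)             dst = literal value
#   ("if_zero", var, then_stmts, else_stmts) then_stmts run when var == 0
#   ("call_unknown", [vars])                 opaque call (other translation unit); may rewrite vars
#   ("return",)                              ends the current path


@dataclass
class Finding:
    decisions: Tuple[str, ...]  # branch decisions taken to reach the unsafe division
    den: str                    # denominator variable
    value: str                  # what the analysis knew about it


def explore(stmts, env, decisions, findings, paths):
    """Walk every feasible path through stmts, refining env per branch."""
    env = dict(env)
    for i, s in enumerate(stmts):
        op = s[0]
        if op == "if_zero":
            _, var, then_b, else_b = s
            rest = stmts[i + 1:]
            v = env.get(var, UNKNOWN)
            # Only branches consistent with current knowledge are feasible.
            if v in (UNKNOWN, ZERO):
                explore(list(then_b) + rest, {**env, var: ZERO},
                        decisions + [f"{var}==0"], findings, paths)
            if v in (UNKNOWN, NONZERO):
                explore(list(else_b) + rest, {**env, var: NONZERO},
                        decisions + [f"{var}!=0"], findings, paths)
            return  # both continuations handled recursively
        if op == "assign_const":
            _, dst, value = s
            env[dst] = ZERO if value == 0 else NONZERO
        elif op == "div":
            _, dst, _num, den = s
            v = env.get(den, UNKNOWN)
            if v != NONZERO:
                findings.append(Finding(tuple(decisions), den, v))
            env[dst] = UNKNOWN
        elif op == "call_unknown":
            for var in s[1]:
                env[var] = UNKNOWN  # the callee might have set it to zero
        elif op == "return":
            paths.append(tuple(decisions))
            return
        else:
            raise ValueError(f"unknown statement {op}")
    paths.append(tuple(decisions))  # fell off the end of the block


def analyze(program) -> Tuple[List[Finding], int]:
    """Return (unsafe divisions, number of paths explored)."""
    findings, paths = [], []
    explore(list(program), {}, [], findings, paths)
    return findings, len(paths)


# Constructed sample programs.
def guarded_division():
    # Checks d against zero and branches away before dividing: safe.
    return [("if_zero", "d", [("return",)], []), ("div", "q", "a", "d"), ("return",)]


def unguarded_division():
    return [("div", "q", "a", "d"), ("return",)]


def guard_then_opaque_call():
    # The guard is present, but an opaque call sits between it and the division.
    return [("if_zero", "d", [("return",)], []), ("call_unknown", ["d"]),
            ("div", "q", "a", "d"), ("return",)]


def many_unrelated_checks(n):
    # n independent branches before the guarded division: 2**n * 2 paths.
    prog = [("if_zero", f"x{i}", [("assign_const", f"x{i}", 1)], []) for i in range(n)]
    prog += [("if_zero", "d", [("return",)], []), ("div", "q", "a", "d"), ("return",)]
    return prog


if __name__ == "__main__":
    for name, prog in [("guarded", guarded_division()), ("unguarded", unguarded_division()),
                       ("guard+call", guard_then_opaque_call()), ("5 checks", many_unrelated_checks(5))]:
        findings, n_paths = analyze(prog)
        print(f"{name:>10}: {n_paths} paths, {len(findings)} unsafe division(s) {findings}")
```

The "guard+call" program is the interesting one: the check is there, but because the analysis cannot see inside the opaque call it must assume the denominator may have changed, which is exactly why crossing translation-unit boundaries makes the general problem intractable. The last program shows the doubling: each unrelated branch multiplies the number of paths the checker must walk.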
Avoiding Shift Left Exhaustion – Part 1
Shift left requires developers to be involved in testing, quality assurance,
and collaboration throughout the development cycle. While this is undoubtedly
beneficial for the final product, it can lead to an increased workload for
developers who must balance their coding responsibilities with testing and
problem-solving tasks. ... Adapting to Shift left practices often requires
developers to acquire new skills and stay current with the latest testing
methodologies and tools. This continuous learning can be intellectually
stimulating and exhausting, especially in an industry that evolves rapidly.
Developers must understand new tools, processes, and technologies as more
things get moved earlier in the development lifecycle. ... The added pressure
of early and continuous testing and the demand for faster development cycles
can lead to developer burnout. When developers are overburdened, their
creativity and productivity may suffer, ultimately impacting the software
quality they produce. ... Shifting testing and quality assurance left in the
development process may impose strict time constraints. Developers may feel
pressured to meet tight deadlines, which can be stressful and lead to rushed
decision-making, potentially compromising the software’s quality.
Ransomware Attacks on Critical Infrastructure Are Surging
Especially under fire are critical services. Healthcare and public health
agencies dominated, filing 249 reports to IC3 last year over ransomware
attacks, followed by 218 reports from critical manufacturing and 156 from
government facilities. Ransomware-wielding attackers are potentially targeting
these sectors most because they perceive the victims as having a proclivity to
pay, given the risk to life or essential business processes posed by their
systems being disrupted. Last year, IC3 received a ransomware report from at
least one victim in all of the 16 critical infrastructure sectors - which
include financial services, food and agriculture, energy and communications -
except for two: dams and nuclear reactors, materials and waste. The ransomware
group tied to the largest number of successful attacks against critical
infrastructure reported to IC3 last year was LockBit, followed by
Alphv/BlackCat, Akira, Royal and Black Basta. Law enforcement recently
disrupted Alphv/BlackCat, as well as LockBit, after which each group
separately claimed to have rebooted before appearing to go dark.
What’s the missing piece for mainstream Web3 adoption?
Today’s Web3 lacks a unifying ecosystem, causing the market to fracture into
multiple, independently evolving use cases. Crypto enthusiasts have to use
various decentralized applications (DApps) and platforms to perform multiple
transactions and interact with the different sectors of Web3. However, this
isn’t a sustainable growth model for the Web3 industry and is more of a
deterrent rather than a benefit when it comes to crypto adoption. ...
Recognizing the need for a more integrated approach, some Web3 players are
moving beyond the hype. Legion Network is emerging as a notable example among
these. As a one-stop shop for Web3, Legion Network addresses the complexity of
the industry and reaches new audiences. It brings together essential Web3 use
cases, including a proprietary crypto wallet with comprehensive portfolio
tracking, DeFi swaps and bridges, engaging play-to-earn/win games, captivating
quests with prize rewards, a launchpad for emerging projects and a unique
SocialFi experience that fosters community engagement.
What’s Driving Changes in Open Source Licensing?
In response to the challenges posed by cloud computing, some vendor-driven
open source projects have changed their licenses or their GTM models. For
example, MongoDB, Elastic, Confluent, Redis Labs and HashiCorp have adopted
new licenses that restrict the use of their software-as-a-service by third
parties or require them to pay fees or share their modifications. These
changes are intended to protect the revenue and sustainability of the original
vendors and to ensure that they can continue to invest in the open source
project. However, these changes have also caused some controversy and backlash
from the user community, who may feel that the project is becoming less open
and more proprietary or that they are losing some of the benefits and freedoms
of open source. However, community-driven open source projects have largely
maintained their permissive licenses and their collaborative approach. These
projects still benefit from the diversity and scale of their user community,
who contribute to the development, maintenance, support and security of the
software. These projects also leverage the support of organizations and
foundations, such as the Linux Foundation, the Apache Software Foundation and
the CNCF, who provide governance, funding and infrastructure.
Botnets: The uninvited guests that just won’t leave
Reducing response time is vital. The longer the dwell time, the more likely it
is that botnets can impact a business, particularly given that botnets can
spread across many devices in a short period. How can security teams improve
detection processes and shrink the time it takes to respond to malicious
activity? Security practitioners should have multiple tools and strategies at
their disposal to protect their organization’s networks against botnets. An
obvious first step is to prevent access to all recognized C2 databases. Next,
leverage application control to restrict unauthorized access to your systems.
Additionally, use Domain Name System (DNS) filtering to target botnets
explicitly, concentrating on each category or website that might expose your
system to them. DNS filtering also helps to mitigate the Domain Generation
Algorithms that botnets often use. Monitoring data while it enters and leaves
devices is vital as well, as you can spot botnets as they attempt to
infiltrate your computers or those connected to them. This is what makes
security information and event management technology paired with malicious
indicators of compromise detections so critical to protecting against
bots.
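To make the DNS-filtering and indicator-matching points concrete, here is an added example that is not part of the article: a small Python triage routine run over constructed DNS query log lines. The log format, the host names, the blocklist entries (placeholders, not real indicators) and the DGA heuristic thresholds are all assumptions made for the illustration; a real deployment would feed a curated C2 indicator list and tune the thresholds against its own baseline.

```python
"""Triage of DNS query logs against C2 indicators and a DGA heuristic (constructed data)."""
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed indicator list; placeholder domains, not real IoCs.
C2_BLOCKLIST = {"c2-placeholder.example.net", "beacon-placeholder.example.org"}

# Assumed log format: "<timestamp> host=<name> qname=<domain> qtype=<type>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")

# Constructed sample log; ws-17 shows the burst of random-looking lookups a DGA produces.
SAMPLE_LOG = """\
2024-03-12T10:01:02Z host=ws-09 qname=updates.example.com qtype=A
2024-03-12T10:01:05Z host=ws-02 qname=c2-placeholder.example.net qtype=A
2024-03-12T10:01:07Z host=ws-17 qname=xk3q9zvbt7pl.com qtype=A
2024-03-12T10:01:08Z host=ws-17 qname=qwrtzpsdfghjklmnb.net qtype=A
2024-03-12T10:01:09Z host=ws-17 qname=zxcvbnmlkjhgfdsq.org qtype=A
2024-03-12T10:01:11Z host=ws-09 qname=documentation-server.example.com qtype=AAAA
malformed line that the parser skips
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'xk3q9zvbt7pl' for 'xk3q9zvbt7pl.com' (ignores public-suffix nuance)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(qname: str, min_len: int = 12, entropy_threshold: float = 3.3,
                   max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels. Thresholds are assumed values."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio <= max_vowel_ratio


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Flag known-C2 lookups first (exact indicator match), then DGA-like names."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently trusted
        qname = rec["qname"].rstrip(".").lower()
        if qname in C2_BLOCKLIST:
            alerts.append({"host": rec["host"], "qname": qname, "reason": "known-c2"})
        elif looks_like_dga(qname):
            alerts.append({"host": rec["host"], "qname": qname, "reason": "dga-like"})
    return alerts


def escalate(alerts: List[Dict[str, str]], min_dga_hits: int = 3) -> List[str]:
    """Hosts with repeated DGA-like lookups are escalated; a single odd name is not enough."""
    counts = Counter(a["host"] for a in alerts if a["reason"] == "dga-like")
    return sorted(h for h, c in counts.items() if c >= min_dga_hits)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['host']:>6} {a['reason']:<9} {a['qname']}")
    print("escalate:", escalate(found))
```

Two design points matter for response time: the blocklist match is an exact lookup so it is cheap enough to run inline on every query, and the DGA heuristic alone only produces a per-host count, with escalation gated on repetition so that one unusual legitimate name does not page anyone. In a SIEM the same two signals would be the indicator-match rule and the "N high-entropy NXDOMAIN-style lookups from one host in a short window" rule.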
Are You Ready to Protect Your Company From Insider Threats? Probably Not
The real problem is that employees and employers don’t trust each other. This
is an enormous risk for employees, as this environment makes it more likely
that insider threats, security risks that originate from within the company,
will emerge or intensify when tensions are high and motivations, including
financial strain, dissatisfaction or desperation, drive individuals to act
against their own organization. That’s the bad news. The worst news is that
most companies are unprepared to meet the moment. ... Insider threats often
betray their motivation. Sometimes, they tell colleagues about their
intentions. Other times, their actions speak louder than words, as attempts to
work around security protocols, active resentment for coworkers or leadership
or general job dissatisfaction can be a red flag that an insider threat is
about to act. Explaining the impact of human intelligence, the U.S.
Cybersecurity and Infrastructure Security Agency (CISA) writes, “An
organization’s own personnel are an invaluable resource to observe behaviors
of concern, as are those who are close to an individual, such as family,
friends, and coworkers.”
Quote for the day:
"Leaders must be close enough to relate to others, but far enough ahead to motivate them." -- John C. Maxwell