Quote for the day:
"If you do what you’ve always done, you’ll get what you’ve always gotten." -- Tony Robbins
Why the Value of CVE Mitigation Outweighs the Costs
When it comes to CVEs and continuous monitoring, meeting compliance requirements
can be daunting and confusing. Compliance isn’t just achieved; rather, it is a
continuous maintenance process. Compliance frameworks might require additional
standards, such as Federal Information Processing Standards (FIPS), Federal Risk
and Authorization Management Program (FedRAMP), Security Technical
Implementation Guides (STIGs) and more that add an extra layer of complexity and
time spent. The findings are clear. Telecommunications and infrastructure
companies reported an average of $3 million in new revenue annually by improving
their container security enough to qualify for security-sensitive contracts.
Healthcare organizations averaged $7.3 million in new revenue, often driven by
unlocking expansion into compliance-heavy markets. ... The industry has long
championed “shifting security left,” or embedding checks earlier in the pipeline
to ensure security measures are incorporated throughout the entire software
development life cycle. However, as CVE fatigue worsens, many teams are
realizing they need to “start left.” That means: Using hardened, minimal
container images by default; Automating CVE triage and patching through
reproducible builds; Investing in secure-by-default infrastructure that
makes vulnerability management invisible to most developers
Generative AI: A Self-Study Roadmap
Building generative AI applications requires comfort with Python programming and
basic machine learning concepts, but you don't need deep expertise in neural
network architecture or advanced mathematics. Most generative AI work happens at
the application layer, using APIs and frameworks rather than implementing
algorithms from scratch. ... Modern generative AI development centers around
foundation models accessed through APIs. This API-first approach offers several
advantages: you get access to cutting-edge capabilities without managing
infrastructure, you can experiment with different models quickly, and you can
focus on application logic rather than model implementation. ... Generative AI
applications require different API design patterns than traditional web
services. Streaming responses improve user experience for long-form generation,
allowing users to see content as it's generated. Async processing handles
variable generation times without blocking other operations. ... While
foundation models provide impressive capabilities out of the box, some
applications benefit from customization to specific domains or tasks. Consider
fine-tuning when you have high-quality, domain-specific data that foundation
models don't handle well—specialized technical writing, industry-specific
terminology, or unique output formats requiring consistent structure.
Announcing GenAI Processors: Build powerful and flexible Gemini applications
At its core, GenAI Processors treat all input and output as asynchronous streams
of ProcessorParts (i.e. two-way aka bidirectional streaming). Think of it as
standardized data parts (e.g., a chunk of audio, a text transcription, an image
frame) flowing through your pipeline along with associated metadata. This
stream-based API allows for seamless chaining and composition of different
operations, from low-level data manipulation to high-level model calls. ... We
anticipate a growing need for proactive LLM applications where responsiveness is
critical. Even for non-streaming use cases, processing data as soon as it is
available can significantly reduce latency and time to first token (TTFT), which
is essential for building a good user experience. While many LLM APIs prioritize
synchronous, simplified interfaces, GenAI Processors – by leveraging native
Python features – offer a way for writing responsive applications without making
code more complex. ... GenAI Processors is currently in its early stages,
and we believe it provides a solid foundation for tackling complex workflow and
orchestration challenges in AI applications. While the Google GenAI SDK is
available in multiple languages, GenAI Processors currently only support Python.
Scaling the 21st-century leadership factory
Identifying priority traits is critical; just as important, CEOs and their
leadership teams must engage early and often with high-potential employees and
unconventional thinkers in the organization, recognizing that innovation often
comes from the edges of the business. Skip-level meetings are a powerful tool
for this purpose. Most famously, Apple’s Steve Jobs would gather what he
deemed the 100 most influential people at the company, including young
engineers, to engage directly in strategy discussions—regardless of hierarchy
or seniority. ... A culture of experimentation and learning is essential for
leadership development—but it must be actively pursued. “Instillation of
personal initiative, aggressiveness, and risk-taking doesn’t spring forward
spontaneously,” General Jim Mattis explained in his 2019 book on leadership,
Call Sign Chaos. “It must be cultivated for years and inculcated, even
rewarded, in an organization’s culture. If the risk-takers are punished, then
you will retain in your ranks only the risk averse,” he wrote. ... There are
multiple ways to streamline decision-making, including redefining decision
rights to focus on a handful of owners and distinguishing between different
types of decisions, as not all choices are high stakes.
Lessons learned from Siemens’ VMware licensing dispute
Siemens threatened to sue VMware if it didn’t provide ongoing support for the
software and handed over a list of the software it was using that it wanted
support for. Except that the list included software that it didn’t have any
licenses for, perpetual or otherwise. Broadcom-owned VMware sued, Siemens
countersued, and now the companies are battling over jurisdiction. Siemens
wants the case to be heard in Germany, and VMware prefers the United States.
Normally, if unlicensed copies of software are discovered during an audit, the
customer pays the difference and maybe an additional penalty. After all, there
are always minor mistakes. The vendors try to keep these costs at least
somewhat reasonable, since at some point, customers will migrate from
mission-critical software if the pain is high enough. ... For large companies,
it can be hard to pivot quickly. Using open-source software can help reduce
the risk of unexpected license changes, and, for many major tools there are
third-party service providers that can offer ongoing support. Another option
is SaaS software, Ringdahl says, because it does make license management a bit
easier, since there’s usually transparency both for the customer and the
vendor about how much usage the product is getting.Microsoft says regulations and environmental issues are cramping its Euro expansion
One of the things that everyone needs to consider is how datacenter development in Europe is being enabled or impeded, Walsh said. "Because we have moratoriums coming at us. We have communities that don't want us there," she claimed, referring particularly to Ireland where local opposition to bit barns has been hardening because of the amount of electricity they consume and their environmental impact. Another area of discussion at the Datacloud keynote was the commercial models for acquiring datacenter capacity, which it was felt had become unfit for the new environment where large amounts are needed quickly. "From our perspective, time to market is essential. We've done a lot of leasing in the last two years, and that is all time for market pressure," Walsh said. "I also manage land acquisition and land development, which includes permitting. So the joy of doing that is that when my permits are late, I can lease so I can actually solve my own problems, which is amazing, but the way things are going, it's going to be very difficult to continue to lease the infrastructure using co-location style funding. It's just getting too big, and it's going to get harder and harder to get up the chain, for sure," she explained. ... "European regulations and planning are very slow, and things take 18 months longer than anywhere else," she told attendees at <>Bisnow's Datacenter Investment Conference and Expo (DICE) in Ireland.350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE
The scope of affected systems is massive. The developer, OpenSynergy, proudly
boasts on its homepage that Blue SDK — and RapidLaunch SDK, which is built on
top of it and therefore also possibly vulnerable — has been shipped in 350
million cars. Those cars come from companies like Mercedes-Benz, Volkswagen,
and Skoda, as well as a fourth known but unnamed company. Since Ford
integrated Blue SDK into its Android-based in-vehicle infotainment (IVI)
systems in November, Dark Reading has reached out to determine whether it too
was exposed. ... Like any Bluetooth hack, the one major hurdle in actually
exploiting these vulnerabilities is physical proximity. An attacker would
likely have to position themselves within around 10 meters of a target device
in order to pair with it, and the device would have to comply. Because Blue
SDK is merely a framework, different devices might block pairing, limit the
number of pairing requests an attacker could attempt, or at least require a
click to accept a pairing. This is a point of contention between the
researchers and Volkswagen. ... "Usually, in modern cars, an infotainment
system can be turned on without activating the ignition. For example, in the
Volkswagen ID.4 and Skoda Superb, it's not necessary," he says, though the
case may vary vehicle to vehicle.
Leaders will soon be managing AI agents – these are the skills they'll need, according to experts
An AI agent is essentially just "a piece of code", says Jarah Euston, CEO and
Co-Founder of AI-powered labour platform WorkWhile, which connects frontline
workers to shifts. "It may not have the same understanding, empathy, awareness
of the politics of your organization, of the fears or concerns or ambitions of
the people around that it is serving. "So managers have to be aware that the
agent is only as good as how you've trained it. I don't think we're close yet
to having agents that can operate without any human oversight. "As a manager,
you want to leverage the AI to make you and your team more productive, but you
constantly have to be checking, iterating and training your tools to get the
most out of them." ... Technological skills are expected to become
increasingly vital over the next five years, outpacing the growth of all other
skill categories. Leading the way are AI and big data, followed closely by
networking, cybersecurity and overall technological literacy. The so-called
'soft skills' of creative thinking and resilience, flexibility and agility are
also rising in importance, along with curiosity and lifelong learning. Empathy
is one skill AI agents can't learn, says Women in Tech's Moore Aoki, and she
believes this will advantage women.Common Master Data Management (MDM) Pitfalls
In addition to failing to connect MDM’s value with business outcomes, “People
start with MDM by jumping in with the technology,” Cooper said. “Then, they
try to fit the people, processes, and master data into their selected
technology.” Moreover, in the process of prioritizing technology first,
organizations take for granted that they have good data quality, data that is
clean and fit for purpose. Then, during a major initiative, such as migrating
to a cloud environment, they discover their data is not so clean. ...
Organizations fall into the pitfalls above and others because they try to do
it alone, and most have never done MDM before. Instead, “Organizations have
different capabilities with MDM,” said Cooper, “and you don’t know what you
don’t know.” ... Connecting the MDM program to business objectives requires
talking with the stakeholders across the organization, especially divisions
with direct financial risks such as sales, marketing, procurement, and supply.
Cooper said readers should learn the goals of each unit and how they measure
success in growing revenue, reducing cost, mitigating risk, or operating more
efficiently. ... Cooper advised focusing on data quality – e.g., through
reference data – rather than technology. In the figure below, a company has
data about a client, Emerson Electric, as shown on the left.
