August 19, 2016

AI in Cyber Security: Creating the best defence against modern cyber attacks

“Using artificial intelligence or machine learning can help with the information/data overload problem. Instead of presenting security analysts with terabytes of raw data we can present them with easy-to-understand views such as behavioural profiles or virtual "video recordings" of user sessions or a prioritised view of all unusual events. A machine can really efficiently dig through tons of raw data and produce real insight from it thereby freeing up security teams to focus on what's really important for them.” This fast, accurate processing of data also affords defenders another weapon against attackers – that of finding behavioural patterns. This cuts to the second major issue facing security professionals in that attackers are constantly evolving and keeping one step ahead of defenders.


The Rise of the Platform Economy

We are in the midst of a reorganization of our economy in which the platform owners are seemingly developing power that may be even more formidable than was that of the factory owners in the early industrial revolution. We prefer the term “platform economy,” or “digital platform economy,” a more neutral term that encompasses a growing number of digitally enabled activities in business, politics, and social interaction. If the industrial revolution was organized around the factory, today’s changes are organized around these digital platforms, loosely defined.


GE CIO Jim Fowler talks collaboration and IT transformation

Fowler says some GE employees choose to use collaboration platforms that GE owns and has certified, such as Yammer in Microsoft's Office 365 suite. Others gravitate to apps like Slack. GE's employees have access to federated apps such as Yammer and Skype for Business, but they are also free to use other collaboration tools if they adhere to what Fowler calls "guardrails," including support for single sign-on, and audit and data-sharing controls. "If somebody finds that there's another tool that works better and we can license it in a legal way, and we can run it in a secure fashion, and they don't put certain types of data in it, I'm also not going to get in the way of it."


A big data, IoT project brings unique storage demands

The data footprint and storage I/O requirements of IoT and big data differ from those of the traditional data center application. First, IoT data is typically a continuous feed. Data sizes can vary from minuscule to enormous. The number of files to store can reach into the trillions. This makes it easy to quickly create large amounts of data, and, as a result, there is a constant demand for capacity growth. And that growth must scale quickly and in ways that aren't disruptive. Storage systems for an IoT project also need to scale cost-effectively so that an organization can store petabytes of data for a long time. That requires low administration costs and burdens. Most IT staff simply cannot manage a dozen storage systems from six different vendors.


NSA’s use of software flaws to hack foreign targets posed risks to cybersecurity

The hacker tools’ release “demonstrates the key risk of the U.S. government stockpiling computer vulnerabilities for its own use: Someone else might get a hold of them and use them against us,” said Kevin Bankston, director of New America’s Open Technology Institute. “This is exactly why it should be U.S. government policy to disclose to software vendors the vulnerabilities it buys or discovers as soon as possible, so we can all better protect our own cybersecurity.” The weekend’s release prompted immediate speculation about who might be behind it. A group calling itself Shadow Brokers claimed responsibility. Some experts and former employees suspect, although without hard evidence, that Russia is involved.


Can we defeat DDoS using analytics?

Static defences do not work if a yet-unknown attack is used. Instead our systems need to adapt to new types of attack. Also keep in mind that a proportion of the incoming requests are still bona fide requests to use the service. This makes it harder to inspect the traffic and to work out a classification scheme for traffic filtering. Since not all incoming requests can be assumed to be part of the attack, it is more complex to derive appropriate filtering rules. If the filters chosen are too specific they do not block the attack, and if they are made too general they may block legitimate traffic. However, as defenders of good, we seek to solve these problems through the application of analytical techniques to detect DDoS attacks. A widely diverse range of statistical methods and machine learning techniques could be used to detect abnormal changes in resource usage that are indicative of a DDoS attack.


Why Natural Language Processing Will Change Everything

Computer “assistants” like Siri and Cortana are the most visible use of NLP today, but there are many other applications of NLP in use. As mentioned above, Google has poured a great deal of resources into NLP as it relates to search, allowing us to type or speak a natural question and receive a relevant answer. Google also is using NLP to create predictive text responses to emails in its Inbox email client, allowing users to choose from one of three responses and respond to an email with a single click. You may have used NLP for yourself if you have ever used the “translate” link inside Facebook to translate a foreign language into your own (with varying results) or used Google translate on Google or Bing search results. A reliable machine translation has been a goal of NLP since the 1950s, and results are improving all the time.


6 myths about big data

"The biggest myth is you have to have clean data to do analysis," said Arijit Sengupta, CEO of BeyondCore. "Nobody has clean data. This whole crazy idea that I have to clean it to analyze doesn't work. What you do is, you do a 'good enough' analysis. You take your data, despite all the dirtiness, and you analyze it. This shows where you have data quality problems. I can show you some patterns that are perfectly fine despite the data quality problems. Now, you can do focused data quality work to just improve the data to get a slightly better insight." Megan Beauchemin, director of business intelligence and analytics for InOutsource, agreed. "Often times, organizations will put these efforts on the back burner, because their data is not clean. This is not necessary. Deploying an analytic application will illuminate, visually, areas of weakness in data," she said.


How Startups Get Software Built

To what extent programmers on your team in particular impact success or failure is hard to quantify, but clearly, software and those who make it play a critical role in grabbing the market before the competition. Coding for a startup is different from coding for an established company. The startup culture is unique and extends to every angle of the business, from finance to sales to operations to software development. Your offering must be simple and inexpensive. You must be laser focused on your customer and change your offering quickly and constantly based upon customer experience. No silos, no sacred cows. Not just any code will do, and not just any coder will do. The coder, whether one of the founders or not, must be married first to the customer, not to the code. In particular, the software mindset must:


Why Vietnam is an attractive IT offshoring destination

It is typical in the Vietnamese culture for folks to want to stay in their country, be involved in IT on a local basis, and provide for their families. This is a significant difference and an important advantage for the Vietnamese outsourcing environment. Then there is the level of technical talent. Malaysia has technical competency, but does not seem to possess the same scalability as Vietnam. I often hear of organizations struggling to build out teams fast enough in Malaysia because of the quantity of staff needed to do an assignment. I believe that technical competency in Vietnam is superior to the Philippines. However, in the Philippines the English is better. This is why the Philippines are so proficient in call centers.



Quote for the day:


"Treat people as if they were what they ought to be, and you help them become what they are capable of being." -- Johann Wolfgang von Goethe


August 18, 2016

3 Things the Network Must Provide for IoT

While government dominates the industries purchasing for IoT, telecom, technology, and cloud service providers aren’t far behind. Every industry, in fact, had a pretty good purchase rate for the previous twelve months, indicating there’s a lot more work going on with IoT than is obvious if you’re only watching the consumer space. Much of what’s going on is in the infrastructure; in the network that’s providing connectivity and immediacy of response by the applications in the back-end that manage, meter, monitor, secure, and interact with those cute little chips embedded in your kid’s favorite teddy bear. Like any app or client (because that’s really what these remote things are, clients) there is a basic set of services they need to operate consistently, predictably, and reliably. Namely, they need services that enable security, delivery, and visibility.


Stateful applications spark container management debate

Typically, stateful applications rely on files on the host, according to Thiruvengadam, and are common in enterprise private cloud scenarios where remote storage of state information in repositories such as Simple Storage Service is not in use. That point of view is typical of a startup that built its IT architecture from scratch, countered Chris Riley, a founding partner at HKM Consulting LLC, in Rochester, Mass. Enterprises running in Amazon Web Services have the option of storing configuration files in Amazon's Elastic File System as external storage for stateful applications, he added. "In the real world, there are still a lot of applications that use file systems for config files, and if you're not building apps yourself and you're leveraging those systems, you have to be aware of host volumes," Riley said.


How well does social engineering work? One test returned 150%

In the wild, the most common attacks would be social engineering, typically involving some sort of email phishing campaign where the attacker sends an email that looks like it’s from a legitimate organization, or maybe from the company itself, and gets a user to click on a link. That link either asks them to type in their user name and password or opens up a document or something else that exploits the workstation, and then the attacker goes from there. That’s what is typically used in ransomware attacks. The human element tends to be one of the hardest things to secure. ... The percentage rate for clicking on the original email was probably closer to 50%. On most engagements we see 25%-30% actually log in so we can capture credentials, and maybe 20% go through the entire process. Still, in a large organization that’s a really high percentage of users.


Shade malware attack examines your finances before demanding ransom

Don't believe for a second that Shade has left the party. It's all part of a larger plan to extort as much money from victims as possible. Shade downloads none other than Teamspy, a bot which uses the TeamViewer 6 remote control utility to communicate with a command-and-control (C&C) server and receive a number of commands, including the ability to start/stop audio and video, download a file from a URL provided by the C&C, and enable remote control. ... Once they know how much money their victims can afford, the attackers can command Teamspy to download a tried-and-true locker version of Shade onto the victim's computer. That encryptor in turn demands a customized ransom amount from the victim, all in an effort to increase the likelihood (and amount) that the victim will pay.



The Internet of Things (IoT) will make your city smarter

"The key to making the technology work is to take the human component out of the mix," says Tim Crawford, former CIO and current strategic adviser with AVOA, which helps companies worldwide connect the dots between today's technologies and tomorrow's state-of-the-art innovation. "The sources of data—sensors for water levels, for instance—can create a heat map of the city's water supply issues. These systems automatically know where the hot spots are during a rain storm and can quickly dispatch the nearest trucks with the necessary equipment to eliminate flooding. There's no need for any human to get involved. You eliminate human error and increase response times all at once."


Is Data Classification a Bridge Too Far?

The challenges posed here are immense. Not only is there an extremely large amount of data being created every day, but businesses still need to manage and leverage their huge store of old data. This stored wealth is not static, because every bit of data possesses a lifecycle through which it must be monitored, modified, shared, stored and eventually destroyed. The growing adoption and use of cloud computing technologies adds even more complexity to this mosaic. Another widely unappreciated reality being highlighted in boardrooms everywhere is how these changes are affecting business risk and internal information technology governance. Broadly lumped into cybersecurity, the sparsity of legal precedent in this domain is coupled almost daily with a need for headline-driven, rapid-fire business decisions.


EU to crack down on online services such as WhatsApp over privacy

According to a draft policy paper seen by the Financial Times, the likes of WhatsApp, owned by Facebook, and Skype, owned by Microsoft, would have to abide by “security and confidentiality provisions”. The policy paper, which is due in September, also outlines how these “over-the-top” services – where voice calls and messages are delivered via the internet – would have to comply with requests from security services, as well as regulating how they can make money from customer data. ... “Trying to replicate regulations that were done for a completely different media in a completely different age is well-nigh impossible,” she said, adding that the plans showed the gulf in views on internet regulation between the US and Europe.


Oldies but Goodies: The Relationship Between POSIX® and UNIX® and Why They Matter Today

Despite what one might think, both the UNIX and POSIX standards are still under continual development today. The community for each is very active—meeting more than 40 times a year to continue developing the specifications. Things are always changing, so there are new areas of functionality to standardize. The standard is also large, so there is a lot of maintenance and many ways to improve clarity and portability across systems. Although it might seem that once a technology becomes standardized it becomes static, standardization usually has the opposite effect—once there is a standard, the market tends to grow even more because organizations know that the technology is trusted and stable enough to build upon. Once the platform is there, you can add things to it and run things above it. We have about 2,000 application interfaces in UNIX today.


Security is more than User Education – it’s About Cultural Change

Interestingly enough, there are two types of attacks that do not require a technical vulnerability to be exploited for an attack to be successful. These are DDoS and social engineering. The latter is the focus of this paper. The simplest way to explain how attackers exploit users to gain unauthorised access to an organisation is to look at the kill chain and understand how an attacker gets a foothold into an organisation’s network for nefarious purposes. As an example, ransomware / malware attacks are usually deployed using methods that require a user to click on a link or similar, which then downloads a malicious payload onto their network-connected desktop machine. Once the malware is deployed, the attacker then uses the desktop that they now control to gain further access into the network.


Programmable infrastructure fends off configuration drift

Duplo is heavily influenced by PaaS systems, particularly Microsoft Azure, where Zenefits principal engineer Venkat Thiruvengadam once worked. However, unlike PaaS offerings from service providers that abstract infrastructure completely away from the user organization, Duplo allows Zenefits' infrastructure administrators to set policies for underlying resources, including the orchestration of monitoring tools. Thiruvengadam says he finds programmable infrastructure a happy medium between automated configuration tools, which he feels don't have a broad enough scope, and full-fledged PaaS, which he sees as too prescriptive. Programmable infrastructure "is a middle ground," Thiruvengadam said. "It can set up the infrastructure by implicitly reading the application needs and providing a declarative interface to application teams ..."



Quote for the day:


"Things get done only if the data we gather can inform and inspire those in a position to make a difference." -- Mike Schmoker


August 17, 2016

How to develop a cloud-first architecture and strategy

The first step is to build skills and assess applications. To create your cloud team and assess application readiness, your organization must transform. IT is becoming a broker for cloud services, and the role of cloud architect is a big part of that. Gartner used to ask if an organization could take the risk of moving to the cloud, but the question is no longer about "if," Cancila said. The question now is where you are moving and how you are going to get there. The next step in the process is to select cloud providers and services. Consider the different layers of the cloud (SaaS, PaaS, and IaaS) and how they fit into your organization's goals. Also, assess your app architecture and infrastructure.


Why Private Clouds Will Suffer A Long Slow Death

While private cloud proponents have spent the last five years focusing on getting their IaaS offerings working, the big three cloud providers have moved way beyond core computing services. They’re delivering the services IT groups will need in the future to keep their companies from being eaten by software. Google, although its revenue is still small in comparison to AWS and Azure, offers an incredibly interesting set of machine learning services. I’ve worked with them, and they offer tremendous power at an affordable price, delivered in an easy-to-use framework. It’s clear we’re at the beginning of an AI-powered revolution, and Google is staking its claim to be the pioneer in the field, as demonstrated by its DeepMind offering defeating the world’s champion Go player.


Intel’s New Mission: Find Fresh Uses for Its Famous Paranoia

Silicon Valley treats Moore’s Law as if it is immutable, and with even more reverence than it does paranoia. But it was not a scientific law; it was always an observation about the behavior of a market for computers and software, which paid off at a rate to justify increasing investment in making chips. It is changing, Mr. Krzanich said, because phones, sensors and cloud systems develop at different rates. “It’s lengthened to 24 to 36 months,” he said. “The performance of the ecosystem is much more than Moore’s Law.” That is why Intel is in the wireless and networking fields, and is working on a new kind of three-dimensional memory chip, which Mr. Krzanich said would be out at the end of this year, that can speed performance of big-data-type calculations sevenfold.


Ransomware-as-a-service allows wannabe hackers to cash-in on cyber extortion

The availability of Cerber to anyone who wants to pay for it differentiates it from another of the most successful ransomware families, Locky. "Locky is only being sent by one threat actor -- they use it on their own and don't share or sell it. Cerber acts as ransomware-as-a-service -- those who created it are now leasing it for anyone to use," says Horowitz. That arguably makes Cerber more dangerous than Locky because each affiliate user can infect victims using a variety of different attack methods, although the two most common involve the victim unknowingly executing a malicious program disguised as a legitimate file, delivered in a phishing email, or the victim being infected while browsing a compromised website. Researchers believe there are currently over 150 active Cerber campaigns targeting users in 201 countries, with victims in South Korea, the US, and Taiwan accounting for over half of ransom payments.


Visa Alert and Update on the Oracle Breach

“Oracle’s silence has been deafening,” said Michael Blake, chief executive officer at HTNG, a trade association for hotels and technology. “They are still grappling and trying to answer questions on the extent of the breach. Oracle has been invited to the last three [industry] calls this week and they are still going about trying to reach each customer individually and in the process of doing so they have done nothing but given the lame advice of changing passwords.” The hospitality industry has been particularly hard hit by point-of-sale compromises over the past two years. Last month, KrebsOnSecurity broke the news of a breach at Kimpton Hotels. Kimpton joins a long list of hotel brands that have acknowledged card breaches over the last year, including Trump Hotels, Hilton, Mandarin Oriental, White Lodging, Starwood Hotels and Hyatt.


Forget two-factor authentication, here comes context-aware authentication

Contextual access is, at its essence, an evolution of adaptive authentication that replaces the use of static rules and blacklists with machine learning to assess risk based on user behavior and context. Indeed, many providers already do super simplistic “context,” such as blacklisted locations. These approaches, however, are far too coarse to be effective at balancing security with usability. At the same time, 2FA adoption is hard -- users have to install an app or use insecure SMS. In fact, the U.S. government announced that it is set to phase out text-based 2FA. But contextual authentication can sit in the background and simply do its thing pretty much invisibly (unless higher risk is determined).


Whaling Goes After the Big Phish

Successful whaling attempts are so believable and seemingly trustworthy that executives who should probably know better are clicking on links and attachments that appear to be from fellow executives, employees or business partners. One stellar example of this includes a senior executive with a security firm who received an email that appeared to be from an underling but was actually from a whaler. He was tricked into giving up employee W-2 data. Another incident involved an executive from a major soft drink company that was in talks to choose a bottler in a highly profitable, under-serviced country. Before negotiations were completed, someone working under the executive was spear phished, and the whaler was able to harvest all email related to the negotiations, jeopardizing the talks and putting the company at a distinct disadvantage.


Serverless computing: The smart person's guide

Unlike a cloud application where code is structured in a more monolithic fashion and may handle several tasks, code running on serverless services like Lambda is more typical of that found in a microservices software architecture. Under this model, applications are broken down into their core functions, which are written to be run independently and communicate via API. These small functions run by serverless services are triggered by what are called events. Taking Lambda as an example, an event could be a user uploading a file to S3 or a video being placed into an AWS Kinesis stream. The Lambda function runs every time one of these relevant events is fired. Once the function has run, the cloud service will spin down the underlying infrastructure.


NSA Hacked? Top Cyber Weapons Allegedly Go Up For Auction

Although the exploits were poorly coded, “nonetheless, this appears to be legitimate code,” Matt Suiche, CEO of cyber security startup Comae Technologies, added. Virginia-based Risk Based Security has also looked at the sample files and said that one of the exploits contains an IP address registered by the U.S. Department of Defense. None of this means that the NSA has been hacked. The Shadow Brokers may have simply come across a compromised system that was hosting the exploits, Risk Based Security said in a blog post. It's also possible the Shadow Brokers are promoting a big scam. Deception-based schemes are very common in hacking, Risk Based Security added. The NSA hasn't acknowledged any ties with Equation Group and on Monday, it didn't respond to a request for comment.


Don't Ditch SMS, But Change the Way You Use It

Ditching text messaging and shifting to a new form of authentication would likely confuse customers, security experts say. Instead, financial institutions should take a more nuanced approach, said Rich Rezek, vice president of market development for authentication solutions for the tech vendor Early Warning. SMS-based authentication "will still remain a tool in the tool kit" since it's inexpensive and simple for banks to set up, and something consumers are familiar with, Rezek said. But banks still need to take steps to improve how they handle two-factor authentication and SMS. "As fraudsters start to figure out [an authentication method], then you have to evolve and take the next approach," Rezek said. Common ways for a criminal to compromise an SMS authenticator include remotely hacking a phone and having the texts forwarded to a different phone, or to a computer via voice over internet protocol, Rezek said.



Quote for the day:


“Things work out best for those who make the best of how things work out.” -- John Wooden


August 15, 2016

China is disrupting global fintech

Online users expect different cultural, branding, marketing, functionality, cost, customization, engagement, and service experiences. Freeman said, “It’s very difficult to customize traffic-based selling. It’s fraught with challenges.” Beyond automated transaction services, companies like PINTEC provide more advanced investment management services, dubbed roboadvisory, digital wealth, or digital advisory services. Although in the early stages, they aim to incorporate big data and artificial intelligence to provide appropriate, affordable solutions. These accounts often blend investment recommendations from the roboadvisor with some client decision-making, which is especially well-suited for Chinese investors who value lower fees and being involved in the process. Jeroen Buwalda, Partner at EY, said, “Asian entrepreneurs have faith in themselves, not fund managers.”


The Role of the Hybrid Cloud and Application Services in Digital Transformation

The cloud actually plays a huge role in digital transformation. In fact, it forms the heart of it. It changes the entire business model to facilitate a more technology-led transformation. Enterprises have the option of choosing from public or hosted private clouds, which would enable them to improve processes and embrace innovation without having to spend huge amounts on infrastructure, and to avoid the risk of deploying redundant technology when there are good chances of failure. However, choosing the right model, even for cloud computing, is essential, as each of them has its own advantages and disadvantages. Public clouds, on the other hand, can be better utilized with applications that might have variable resource requirements, like e-commerce apps and gaming apps.


Create a better strategy for innovation, move away from a 70/30 model

Companies want -- and need -- CIOs to drive innovation, yet many IT organizations still follow the 70/30 model where 70% of time and resources are dedicated to "keeping the lights on" IT and 30% to IT innovation. Delivering reliable, secure, efficient and cost-effective IT systems remains responsibility No. 1 for CIOs, but it's time to move the needle. Our question this month to IT leaders: "What have you done in the past 12 months to reduce time spent on 'keeping-the-lights-on' IT functions?" Their strategies for innovation ran the gamut, from implementing on-demand services to identifying real-time business problems to solve.


The Third Wave: Why Big Data is the Future of Legal Tech

Big data analytics allow lawyers to gather this same information, but on a much larger scale. For instance, analytics platforms allow attorneys to view their judge’s complete history, including every decision issued and every case cited, to identify the legal precedent the judge finds most persuasive. While this type of analytics can’t tell an attorney whether this judge is particular about staying behind a podium during cross examination or likes his motions in a particular font size, it does allow an attorney to craft an argument using a judge’s favorite case. In addition, such analytics can inform an attorney’s strategy in litigating a particular case in terms of filing motions that a judge is likely to grant, rather than spending a client’s time and money on motions that a judge hardly ever accepts.


Hackers demonstrated first ransomware for IoT thermostats at DEF CON

Andrew Tierney and Ken Munro of PenTest Partners demonstrated the smart thermostat ransomware at DEF CON. It only took them a few days to hack the thermostat, and this was right before the security conference, so they would not reveal the manufacturer until they could report the vulnerability to the company. This particular IoT thermostat runs a modified version of Linux, has a large LCD screen – the better to show the ransom demand – and has an SD card. As for what the ransomware does, Tierney told Infosecurity Magazine, “It heats to 99 degrees, and asks for a PIN to unlock which changes every 30 seconds. We put an IRC botnet on it, and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock.”


Rein in the IT bear: why businesses must take back control

Exactly one half of IT decision makers fear that they cannot drive digital transformation forward at the speed their management team expects. Combine this with the fact that 32% of employees also believe their employers are not driving digital transformation as fast as competitors are doing, and you have the ingredients for a disaster – commercially speaking. When disturbed, a bear becomes unruly and unpredictable. The same result can be seen when too much pressure is placed upon an IT system ill-equipped to handle the demands of digitalisation. When this happens, the IT department struggles to deliver the best quality IT service to end users. The bear’s unpredictable, volatile and temperamental nature is wreaking havoc, and the carnage left in its wake impedes businesses from innovating to remain competitive in their chosen fields.


INTERVIEW: Blockchain Warp Speed With Ethereum's Raiden

Basically all blockchain-based applications that want to scale to real-world usage will benefit from Raiden. It can be used for applications like asset trading in gaming or finance, retail payments, micropayments for content (think the next YouTube or Spotify where creators are directly paid for every second consumed). But it's also suitable as an infrastructure for cheaper, faster and more secure correspondent banking. The upcoming machine-to-machine economy especially will likely use blockchain as an easy-to-integrate permissionless infrastructure. Some expected applications of Raiden here will be decentralized energy trading, on-demand payments for bandwidth, API access, sensor data or access to property and infrastructure.


Big data’s humble beginnings

Enterprises are already embracing big data and predictive analytics to hire and retain talent, forecast staffing needs and improve employee satisfaction. In the next two years, 6,400 organizations with 100 employees or more plan to implement big data analytics, providing ample opportunities for a new crop of startups that collect, refine and interpret data to populate the HR analytics landscape. Startups are leveraging Watson’s technology to deliver data-driven recommendations to consumers and healthcare providers; this pattern will soon extend to the health sector at large. People are generating more health-related data than ever before, and doctors, patients and researchers need tools to make sense of it. Physicians will be able to compare patients’ data with health trends in the general population and provide data-driven advice for treatment or prevention of illnesses.


Question: What's missing in Microsoft's data science professional degree?

Arguably the biggest concern, however, is that the module doesn’t teach relational database theory or relational data modelling. Both are surely vitally important to a good data scientist but, as we know, historically relational is something that's proved disposable in big data, an area this qualification no doubt seeks to serve. Without this understanding it’s hard to see why NoSQL databases are different, what advantages they bring and what their disadvantages are. More importantly, without a good understanding of relational theory, the data scientist misses a huge and well-tested bag of tricks that avoids a whole host of analytical problems. There is a suggestion that the student can go elsewhere to learn this material, but it’s not clear exactly where the student should go.


A Delayed Blockchain Strategy Can Sink an Institution

The blockchain iceberg may not be directly in front of us at the moment, but unless the culture of complacency is tackled head-on, financial services retailers will quickly find themselves in a precarious situation. By preparing properly and bracing for impact, organizations can learn the best way to steer themselves clear of danger, instead of facing a titanic struggle to stay afloat. A blockchain can securely record ownership and any other information about any asset, and with its ability to enable transactions to be completed within minutes or even seconds, it could completely revolutionize the industry. While some suggest it will be a force for good, others suggest that the changes it would impose on the way these organizations operate will leave a trail of ruin in their wake.



Quote for the day:


"Knowledge management is something many companies are sure they need, if only they knew what it was." -- @mldamico


August 14, 2016

There's Now A Cryptocurrency Created by Participating in DDoS Attacks

“Proof-of-DDoS might not be a good ultimate end goal, but there are aspects of the idea that may prompt thinking along these or similar lines … We hope that Proof-of-DDoS is eye-catching enough to get people thinking more about these ideas.” The DDoSCoin system also allows its participants to choose specific sites to target through consensus. However, since the proof-of-DDoS concept relies on verifying encrypted TLS connections to a victim website, the participants will only be able to target sites that support those secure connections. Currently, about 56% of Alexa's top million websites support TLS. But that number is expected to increase as the encryption standard becomes more widespread, the researchers say.


Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called "golden key"—which allows users to unlock any device that's supposedly protected by Secure Boot, such as phones and tablets. Despite the name, the "key" is not a private signing key: it is a Microsoft-signed Secure Boot debug policy that, once loaded, switches off the signature checks on what the boot manager will load. The policy basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled. And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the policy, this is a decision Microsoft may be unable to reverse: a signature already issued cannot be withdrawn from the copies in circulation, only blacklisted on devices that receive the update.


Deep Instinct’s Artificial Brain Spots Zero-Day Security Threats

Nervana isn’t specializing in security. But like Nervana, Deep Instinct is using GPUs to produce what it describes as an artificial brain. That brain was trained by being exposed to hundreds of millions of files: applications, PDFs, just computer files of any type. About half were benign, and half were malignant. The process took about 24 hours, Schirmann says. Some human intervention was necessary during this first step, just as it is with a human brain that’s early in development. Humans told Deep Instinct’s AI which files were good or bad — but what distinguishes deep learning from machine learning is that the brain wasn’t instructed which features to watch. Based on what it knew about the “good” and “bad” piles, it began drawing its own conclusions about what a malicious file looks like.


Blockchain-Based Peer-To-Peer Solar Energy Trading To Be Trialed In Perth

The technology works, like bitcoin, to identify the ownership of energy as it is generated and then to manage multiple trading agreements between consumers who buy excess solar direct from the original owner/producer, without the addition of market costs and commercial margins. “It’s a software program that tracks the movement of electricity from point to point,” Green explained in an interview with One Step Off The Grid on Friday. “It handles the financial transactions off the back of it as well. “Presently, if you’ve got surplus solar electricity you sell it back for a low feed-in tariff and buy it back (from the grid) for a high rate. Using (Power Ledger), you can sell it to your neighbour at somewhere between the two” – less than the uniform tariff but more than you would get from selling it to their retailer, Green said.


How can Augmented Reality Leverage the FinTech Future?

Augmented Reality, widely referred to as AR, is a combination of different technologies brought together to enhance the comprehension of an experience. ... The fundamental principle of AR is to enhance the user experience by overlaying system-generated features onto the user's real-world surroundings. AR technology is oriented largely toward mobile users. The number of users who depend on location-based services will keep growing owing to advances in GPS and the technologies that depend on it. Hence a FinTech future that puts its faith in mobile-driven technology will be amplified by encouraging its users to adopt AR. Augmented Reality will bring FinTech users closer to each other. There are many ways in which it can remodel the user experience.


The Field Guide To Data Science

Data Science is an auspicious and profound way of applying our curiosity and technical tradecraft to solve humanity’s toughest challenges. The growing power, importance, and responsibility of applying Data Science methodologies to these challenges is unimaginable. Our own biases and assumptions can have profound outcomes on business, national security, and our daily lives. A new class of practitioners and leaders are needed to navigate this new future. Data Scientists are our guides on this journey as they are creating radical new ways of thinking about data and the world around us.


Undocumented SNMP String Exposes Rockwell PLCs To Remote Attacks

“This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations,” Cisco Talos wrote in an advisory. “Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.” According to an advisory published today by the Industrial Control System Cyber Emergency Response Team (ICS-CERT), these PLCs are used in industries such as chemical, manufacturing, food, water, wastewater and others across Europe, the United States and Asia.
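A hard-coded community string is dangerous because SNMPv1/v2c carries it in clear text and it is the only authentication there is. The block below is an added example (Python, not code from the Talos or ICS-CERT advisories) that shows both sides of that: it encodes an SNMPv1 GetRequest so a tester can check which community strings a device accepts, and it parses the community string and PDU type out of raw UDP/161 payloads so a monitoring pipeline can flag strings it never expected to see. The sample datagrams are constructed here, and the string "vendor-default-string" is a hypothetical placeholder, not the undocumented Rockwell value.

```python
"""SNMPv1 community-string helpers: encode a GetRequest, recover the community
string and PDU type from raw datagrams, and flag strings not on an allow-list.
Added example; "vendor-default-string" is a hypothetical placeholder."""
import socket
from typing import Iterable, List, Set, Tuple

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, a harmless read for a probe


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def _ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed together, then base-128 arcs."""
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for sub in parts[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))  # { oid, NULL }
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet: bytes) -> Tuple[int, str, int]:
    """(version, community, pdu_tag) from a raw SNMPv1/v2c datagram.
    The community travels in clear text, so a capture recovers it directly."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode("latin-1"), pdu_tag


def find_unexpected_communities(datagrams: Iterable[bytes], allowed: Set[str]) -> List[Tuple[str, str]]:
    """Detection pass over captured UDP/161 payloads: report every community
    string not on the allow-list together with its PDU type (SetRequest and
    firmware-related writes are the worst case for a PLC)."""
    findings = []
    for data in datagrams:
        try:
            _, community, pdu_tag = parse_snmp_header(data)
        except (ValueError, IndexError):
            continue  # not SNMP, or malformed: skip
        if community not in allowed:
            findings.append((community, PDU_NAMES.get(pdu_tag, hex(pdu_tag))))
    return findings


def probe_community_strings(host: str, candidates: Iterable[str], timeout: float = 1.0) -> List[str]:
    """Live check (not run offline): an agent answers a GetRequest with a
    GetResponse only for an accepted community string.  Use only against
    equipment you are authorised to test."""
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for idx, community in enumerate(candidates, start=1):
            sock.sendto(build_get_request(community, request_id=idx), (host, 161))
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            _, reply_community, pdu_tag = parse_snmp_header(reply)
            if pdu_tag == 0xA2 and reply_community == community:
                accepted.append(community)
    return accepted


# Constructed sample traffic: two legitimate polls plus one datagram carrying a
# hypothetical vendor string that the monitoring allow-list never contained.
SAMPLE_DATAGRAMS = [
    build_get_request("public", request_id=1),
    build_get_request("public", request_id=2),
    build_get_request("vendor-default-string", request_id=3),
]

if __name__ == "__main__":
    for community, pdu in find_unexpected_communities(SAMPLE_DATAGRAMS, {"public"}):
        print(f"unexpected community {community!r} in {pdu}")
```

The detection side is the part worth wiring into a sensor: a community string that no management station was ever configured with, arriving at a PLC subnet, is exactly the signal an undocumented string produces, and it is visible without knowing the string in advance.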


WaTerFall requirements in Agile Product Development

In reality, and rather frequently, the best ideas and solutions come much later in the process, when the development phase is well underway. It is also not uncommon for customers to change their minds about initially stated requirements after development begins. In cases like these, to justify BRD scope creep, a tedious and overly bureaucratic change-control process is implemented, something that requires additional time and effort. By design, BRDs are meant to resist change; anything that requires an update after the BRD is finalized and signed off carries a negative connotation. Lastly, having BRDs produced without the initial participation of technology creates a lot of ‘wishful thinking’ and unrealistic expectations from customers, who sometimes look for complex and expensive solutions.


Agile Scaling Frameworks: An Executive Summary

SAFe is anchored and framed by a so-called "big picture" of what a compliant implementation will look like. This generates two problems. Firstly, it encourages the perception that agile change can be templated and overlaid onto existing practices without deep and pervasive change...in other words, the foundations may be weak. Secondly, and ironically, organizations with no Unified Process legacy will find the prescriptions of the template hard to approximate...too much change in other words. Nevertheless SAFe can be an appealing option for organizations which are already vested in the Unified Process or similar methods.


Why Change Management Needs Review By IT Security

Information security should be embedded into the change management process to ensure that all changes have been assessed for risks. This includes assessing the potential for introducing new vulnerabilities into the environment and the potential business impacts that could occur if a change produces undesired results. Changes will always involve some amount of risk, but risk can be minimized if changes are adequately reviewed, assessed and coordinated through a formal change management process. One of the biggest challenges is gaining buy-in from users so that they follow the change management process and not circumvent it. Change management helps avoid problems by increasing upfront communication and identifying issues before they happen.



Quote for the day:


“There is a difference between listening and waiting for your turn to speak.” -- Simon Sinek


August 13, 2016

10 key considerations when building a private cloud

A private cloud enables enterprises to secure and control applications and data while providing the ability for development teams to deliver business value faster and in a frictionless manner. But while building a private cloud can transform IT, it can also be an expensive science experiment without careful planning and preparation. ... Private cloud can be a transformative path for an enterprise. But like any transformative change, it requires significant thought, dedication and perseverance. By paying attention to the practices outlined above, enterprises can navigate the transformation to empower the business to become faster at delivering value and viewing IT as an accelerator of this transformation.


The New Cloud, and the Even Newer One on the Way

First, in a reversal from earlier impressions, organizations are starting to realize that data is in fact more secure in the cloud than at home, removing the last great barrier to widespread deployment. And with Big Data and IoT workloads coming down the pike, enterprises are eager to tap into machine learning, containers and advanced mobile technologies, which can be done much quicker and at less cost in the cloud than by building out data center infrastructure. Not everything is suitable for the cloud, however. According to SolarWinds’ Gerardo Dada, there are a number of key criteria when it comes to determining what should and should not leave the data center. Applications with multiple dependencies, such as CRM and ERP, might have trouble in the cloud, while a self-contained company blog would not.


Automated Regression Testing Made Easy with CasperJS

This script will rely on Casper’s evaluate() method. The method allows you to evaluate an expression within the context of the current DOM. This is an important concept to grasp when working with PhantomJS or Casper: evaluate() acts as a bridge between the casperjs environment and the page context. Simply put, when you pass a function to evaluate(), it will be executed as if you typed it into the browser’s console. Using evaluate() allows us to enter the DOM, run some JS code, and return values for further processing within the Casper environment. Which is exactly how we are going to get our gallery image sizes so we can compare them and verify the dimensions.


Google makes Gmail safer with new security warnings to fight phishing

The warnings, announced Wednesday, will impact Gmail use on the web or Android. If an email sender cannot be authenticated, Gmail will display a question mark in place of the sender's profile photo, corporate logo, or avatar. Senders are authenticated with either Sender Policy Framework (SPF) records, which list the hosts permitted to send mail for a domain, or DomainKeys Identified Mail (DKIM), a digital signature over selected headers and the body of each outgoing message, made with the domain's private key and verified by the receiver against the public key published in the domain's DNS. (DKIM signs; it does not encrypt anything.) If you receive a message with a link to a site known for phishing, malware, or Unwanted Software, you'll see a warning when you click on the link—an extension of the Safe Browsing protection already available on most browsers.
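The SPF half of that decision is simple enough to evaluate offline. The block below is an added example (Python; not Google's code, and Gmail's exact rules are not published on this page) that reads a v=spf1 record and returns the RFC 7208 result for a connecting IP, following include: and redirect= through a constructed DNS table built from reserved documentation domains and addresses. Mechanisms that need live DNS (a, mx, ptr, exists) are reported as temperror rather than guessed. The final helper is a simplification of the page's description: a sender is treated as authenticated when SPF passes or a DKIM signature verified.

```python
"""Offline SPF (RFC 7208) evaluator.  Added example; the DNS zone below is
constructed from reserved example domains and is not live data."""
import ipaddress
from typing import Dict, List, Optional

# Constructed TXT records (hypothetical).
DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "legacy.example": ["v=spf1 redirect=example.com"],
    "nospf.example": ["just a TXT record, no SPF policy"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps include/redirect chasing at 10 lookups


def lookup_spf(domain: str, dns: Dict[str, List[str]]) -> Optional[str]:
    """A domain may publish at most one v=spf1 record; more than one is a permerror."""
    records = [r for r in dns.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise ValueError("multiple SPF records")
    return records[0] if records else None


def check_spf(ip: str, domain: str, dns: Dict[str, List[str]], depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror / temperror
    for a connecting IP that claims to send mail for `domain`."""
    if depth > MAX_DEPTH:
        return "permerror"
    try:
        record = lookup_spf(domain, dns)
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"  # no policy published: nothing to authenticate against
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            # modifier (redirect=, exp=); only redirect changes the result
            mod, _, arg = term.partition("=")
            if mod.lower() == "redirect":
                redirect = arg
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            # include matches only when the included policy itself yields "pass";
            # an included domain with no record is a permerror per RFC 7208
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror", "temperror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "temperror"  # a, mx, ptr, exists need live DNS; not resolved offline
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"  # nothing matched and no trailing "all"


def sender_authenticated(spf_result: str, dkim_verified: bool) -> bool:
    """Simplified version of the rule described above: SPF pass or a valid DKIM
    signature counts as authenticated; anything else gets the question mark."""
    return spf_result == "pass" or dkim_verified


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        result = check_spf(ip, "example.com", DNS_TXT)
        print(f"{ip:>16}  spf={result:<8}  authenticated={sender_authenticated(result, False)}")
```

Note the asymmetry a practitioner relies on: a `-all` domain gives a hard fail for any host not listed, while the `~all` of the included mailer only softfails, and an include never propagates softfail, so the outer record's `-all` still wins for an unlisted host.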


Aligning the organization for its digital future

Almost every company expects digital disruption in some form or another—but how are they actually preparing for it? Perhaps surprisingly, this preparation may need to be more cultural than technological. Tanya Ott spoke with Gerald Kane about companies’ differing levels of digital maturity as they compete in a rapidly changing world. ... It’s very easy to pretend to do it and not do it. It’s very easy to give it lip service and not execute on those things. If you want to be serious about competing in a digital world, you’ve got to look in a mirror first. You gotta recognize where you fall short on these aspects, and then you have to actually do real and meaningful and substantive change.


Why Data Integration is the Future of Marketing

If organizations are unable to identify the best leads or most promising existing customers, communication breaks down and marketing can become unaligned with sales. This results in irrelevant or unused content, and redundant efforts from both teams. This underscores the benefits of integrating data into one tool or dashboard that can analyze all data and surface the most relevant information. ... Organizations also must integrate their marketing technologies to create a cleaner, more manageable tech stack that drives real revenue impact. To maximize productivity and save valuable time, teams need to streamline processes by adopting fewer solutions that do more, and integrate all of those seamlessly so that insights are unearthed and presented in a digestible way for marketing and sales teams.


Introduction to Hyperledger: Why Open Blockchain is critical for business

The Hyperledger Project is a collaborative effort designed to advance blockchain technology by identifying and addressing the necessary features that can be captured in a cross-industry open standard for distributed ledgers. The thought leaders behind the project consider the peer-to-peer distributed ledger technology of blockchain to be the next generation foundation for transactional applications, one that establishes trust, accountability, and transparency while reducing the cost and complexity of business processes. They think of blockchain as an operating system for interactions. … a whole bunch of banks, a whole bunch of technology firms are going to get together and literally change the nature of money and trust on the Internet.


Humanizing change: Developing more effective change management strategies

When you ask employees to change, you are demanding something ambitious—asking them to change their mental model of how the organization should work. This requires engaging in “System 2” thinking, which is where much more thoughtful deliberation occurs, to reshape and even challenge an existing belief system. But when confronted with new information, System 1 automatically creates a picture of what we know, often ignoring information that conflicts with our assumptions, while filling in missing information based on what our mental models interpret to be true. This is why simply making a rational, incentive-based case for change often fails to win over employees. It is likely falling on only partially listening ears.


Linux TCP flaw lets 'anyone' hijack Internet traffic

The problem exists in any operating system running Linux kernel 3.6 or newer. Linux 3.6 was introduced in 2012. The vulnerability allows an attacker from anywhere on the internet to search for connections between a client and a server. Once such a network connection is found, the attacker can invade it, cause connection termination, and perform data injection attacks. How bad is it? The discoverers say the attack is fast and reliable, takes less than a minute, and works about 90 percent of the time. The weakness is a side channel in the kernel's global rate limit on RFC 5961 challenge ACKs, which lets an off-path attacker infer a connection's sequence and ACK numbers; until a patched kernel is installed, raising net.ipv4.tcp_challenge_ack_limit to a very large value blunts the attack. According to University of California at Riverside (UCR) researchers, the Linux TCP/IP security hole can be used by attackers in a variety of ways: hackers can remotely hijack users' internet communications, launch targeted attacks that track users' online activity, forcibly terminate a communication, hijack a conversation between hosts, or degrade the privacy guarantee of anonymity networks such as Tor.


Calculating True North for IoT Applications

You'll need a few libraries installed on your Raspberry Pi; these will give you access to your GPS and magnetic models through code. The compass does not require additional libraries, but it does use i2c-dev.h. ... The first step is to read the GPS coordinates from your device. GPSd and libgpsmm.h make it pretty simple to access your GPS data. We're going to make a class to manage this interface and supply us with values streamed from the device. The GPS uses a serial connection and the sentences returned are parsed for you by libgps. We can either use the raw coordinate values returned or they can be broken into components like degrees, minutes and seconds.
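The steps the article walks through in C++ with libgpsmm (read a position sentence, split it into degrees, minutes and seconds, take a compass reading, correct it to true north) fit in a short Python block. This is an added example, not the article's code: the NMEA GGA sentence is a constructed sample, the magnetometer axis convention (+X forward, +Y to the right, sensor held level) and the 3 degree east declination are assumptions stated in the comments, and the parser verifies the NMEA checksum before trusting a sentence, which libgps does for you but a hand-rolled serial reader must not skip.

```python
"""NMEA GGA parsing and true-north correction.  Added example; the sentence
below is constructed and the axis/declination conventions are assumptions."""
import math
from typing import Tuple


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two hex digits."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"


def make_sentence(body: str) -> str:
    return f"${body}*{nmea_checksum(body)}"


def _to_decimal(field: str, hemisphere: str) -> float:
    """NMEA packs degrees and minutes together: ddmm.mmm (lat) / dddmm.mmm (lon)."""
    dot = field.index(".")
    degrees = int(field[:dot - 2])
    minutes = float(field[dot - 2:])
    if not 0 <= minutes < 60:
        raise ValueError("minutes out of range")
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal


def parse_gga(sentence: str) -> Tuple[float, float]:
    """Return (lat, lon) in decimal degrees from a $..GGA sentence, refusing
    sentences whose checksum does not verify or that report no fix."""
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("malformed NMEA sentence")
    body, _, given = sentence[1:].partition("*")
    if given.strip().upper() != nmea_checksum(body):
        raise ValueError("NMEA checksum mismatch")
    fields = body.split(",")
    if fields[0][-3:] != "GGA":
        raise ValueError("not a GGA sentence")
    if fields[6] == "0":
        raise ValueError("no GPS fix")
    return _to_decimal(fields[2], fields[3]), _to_decimal(fields[4], fields[5])


def to_dms(decimal: float) -> Tuple[int, int, float]:
    """Break decimal degrees into (degrees, minutes, seconds); sign on degrees."""
    sign = -1 if decimal < 0 else 1
    decimal = abs(decimal)
    degrees = int(decimal)
    minutes_full = (decimal - degrees) * 60
    minutes = int(minutes_full)
    seconds = round((minutes_full - minutes) * 60, 2)
    return sign * degrees, minutes, seconds


def magnetic_heading(mx: float, my: float) -> float:
    """Heading in degrees clockwise from magnetic north.  Assumes the sensor is
    level with +X pointing forward and +Y to the right (no tilt compensation)."""
    return math.degrees(math.atan2(-my, mx)) % 360.0


def true_heading(magnetic: float, declination: float) -> float:
    """Add the local magnetic declination (east positive, taken from a magnetic
    model such as the WMM for the fix location) to get a true-north heading."""
    return (magnetic + declination) % 360.0


# Constructed sample: 48 deg 07.038' N, 011 deg 31.000' E, fix quality 1, 8 satellites.
SAMPLE_GGA = make_sentence("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,")

if __name__ == "__main__":
    lat, lon = parse_gga(SAMPLE_GGA)
    print("decimal:", lat, lon)
    print("dms:", to_dms(lat), to_dms(lon))
    mag = magnetic_heading(0.0, -1.0)           # field points to -Y: facing east
    print("true heading:", true_heading(mag, declination=3.0))  # assumed 3 deg E
```

Rejecting a sentence on checksum mismatch matters on a real rig: a serial line that drops a byte will otherwise hand you a plausible-looking but wrong position, and a heading corrected with the declination for the wrong place is worse than no correction.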



Quote for the day:


“Too many of us are not living our dreams because we are living our fears.” -- Les Brown


August 12, 2016

How smart offices of the future can make companies more intelligent

A smart office will change everything. Think of how, just 10 years ago, a desktop computer was everything. Now, most employees use multiple devices daily, said Jeremy Ashley, group vice president for Oracle Applications User Experience. "The office has just become one part of the entire story. We're looking to see what types of trends are emerging here. One example is a trend that has emerged only because we have these devices. Everywhere I've been around the world, I ask, 'what's the very first thing you do in the morning?' Doesn't matter where it is, they say, 'I pick up my phone and I read my email, my Facebook, and a selection of other things.' This is a brand new behavior. It's never happened before," Ashley said.


New DBMS products open the door for a once dormant market

As new requirements, such as the need to support more unstructured data, emerged from advances like social networking, start-up vendors approached DBMS concepts differently. "The DBMS market had become quite boring, but market changes recently have made it much more interesting," said Donald Feinberg, vice president, analyst at Gartner. Traditional system revenue has flattened out, but sales of new tools -- although small in relation to the total market -- are increasing by double digits. So, buying a DBMS is no longer a simple choice among Oracle, Microsoft and IBM. One reason for the recent attention is the market's size and growth. The database market is expected to increase from $40 billion in 2015 to $50 billion by 2017, according to IDC. A number of factors are fueling the growth and market shake-up.


Busting Bimodal Myths

Bimodal is the practice of managing two separate but coherent styles of work: one focused on situations of greater predictability, the other where exploration is required. Mode 1 is optimized for areas that are more well-understood. It focuses on exploiting what is known. This includes renovating the legacy environment, so it is fit for a digital world. Mode 2 is exploratory, potentially experimenting to solve new problems. Mode 2 is optimized for areas of uncertainty. Mode 2 often works on initiatives that begin with a hypothesis that is tested and adapted during a process involving short iterations. ... “Bimodal capability that marries the renovation of the IT core with the exploratory approach to developing new digital products and services is essential for an enterprise to survive and flourish in the digital era,” said Mr. Mingay.


Want The Government To Do Something About Cybersecurity?

Our IT infrastructures and capabilities are known to produce benefits for our economy, but clearly we are sub-optimized in our current approach. Our schools still teach the old way with almost no benefits from new technology. Most students have no more than a working knowledge of computers. And we turn out too few who can master IT. Economically, we have great unrealized potential in using IT to enable job growth and economic benefits while reducing the cost of healthcare, the cost of living and the cost of education. Smart IT can also reduce the cost of business and reduce the cost of goods to consumers. In the federal government, IT helps serve citizens, but CIOs and CTOs struggle agency by agency to deliver value.


Information security ignorance is not a defense

Government entities, regulators, and the courts are increasingly applying the "reasonableness" test to determine if an organization was responsible for a breach, or other security lapse. First, courts in California applied this standard, followed closely by the FTC. Unfortunately, "reasonableness," as it relates to information security practice, is nowhere defined specifically. Even so, this standard will likely be applied by many courts in the growing number of security-related lawsuits. It is clear that businesses of all sizes must ensure that they have done everything practical to protect their customer assets, and to prevent any harm to those customers due to their negligence. Given the rise in litigation, however, they must also be able to demonstrate in court that their precautions were "reasonable."


Why Outsourced Call Center Roles Are Coming Back Onshore

So-called “enabler technologies” accounted for about half of the reported investments by contact center providers from 2014 to 2015 — with analytics, automation and multichannel tools the biggest areas of spending, according to the Everest Group report. “CRM and communication technologies have become table stakes with most, if not all, providers including them within their portfolio,” Bhargava says. “In order to differentiate themselves in the hyper-competitive call center outsourcing landscape as well as cater to enterprise needs, service providers have invested in enabler technologies.” HGS, for example, launched its DigiCx platform, which incorporates automation and analytics to deliver chat-as-a-service and other self-service capabilities.


Business Intelligence Analytics is the Future of SaaS

Data preparation is quickly becoming a critical capability of experts, who traditionally relied on others to get the data sorted out and ready for them. In order to transform unsorted data into information on demand, people doing customer targeting, risk analysis and marketing operations will need the necessary tools and skills to handle self-service data preparation at scale. As the gap widens between all of the data and the people who know how to analyze it and use it, companies that do not adapt to modern standards will experience big data blunders, such as embarrassing data quality errors and miscalculations.


How developers define 'open' and 'closed' technology

"Open" is one of the most nebulous terms in technology, yet it's also a label that oddly carries huge emotional baggage. To be open is to be on the side of truth and righteousness. To be closed or proprietary is, well, on par with drinking unicorn blood. (Hint: only Voldemort does that.) The problem, however, is that there are no hard and fast rules for "open" or "closed," yet we act as if there were. Perhaps the best way to sniff out true "openness" is to look to developers to see what they feel comfortable building upon. With developers as our guide, the stark differences between open and closed become much more subtle and interesting.


Asymmetric Information Is Economists' Little Secret

Why is asymmetric information so crucial to an understanding of financial markets? It’s probably related to the reason people want financial assets in the first place. People want cars and bananas and microwave ovens because those things are immediately useful. But most people who buy and sell financial assets have no intrinsic desire for the asset itself -- they only care about how its value to other people will change in the future. That means that while information is important for many products, when it comes to financial markets, information is the product. Many major economics papers have explored this fact. One example is the famous 1980 paper “On the Impossibility of Informationally Efficient Markets,” by Sanford Grossman and Joseph Stiglitz.


Inside Look at SWIFT-Related Bank Attacks

"We came across a very interesting piece of malware and one of our researchers, during their analysis, recognized that this malware is likely to have been used in the attack against the Bangladesh Bank," McKinty says. "That's where we got engaged with SWIFT. We were able to provide them some insight, with regard to what had happened at the Bangladesh Bank." And from there, the tale of the malware got more interesting, he adds. While attributing any of these attacks to a single entity or group is challenging, McKinty says the code used in the Bangladesh attack is not widely available in the underground. As a result, BAE believes that the code used in the SWIFT-related attacks is a variant of the same code used in the attacks against Sony Pictures and the bank in Vietnam, he says.



Quote for the day:


"No amount of source-level verification or scrutiny will protect you from using untrusted code." -- Ken Thompson


August 11, 2016

IT leaders: In the wake of Delta Airlines outage, it's time to simplify

Efforts to reduce complexity, like application portfolio rationalizations, are usually placed low on the priority list, since they're expensive and, when executed perfectly, are completely transparent to end users, save for a large bill for the effort. The historical problem with reducing complexity was a high cost, with a low perceived return. ROI calculations usually centered around reduced hardware and support costs from eliminating redundancy and complexity, which rarely covered the high cost of replatforming, rebuilding, or retiring a legacy application. However, incidents like Delta's readily demonstrate the very real costs of IT complexity in lost revenue. A company need not be a complex, time-sensitive operation like an airline to experience this challenge;


The Differences Between Virtual reality, Augmented Reality And Mixed Reality

Virtual reality is hot, and enterprise- and consumer-facing organizations are eager to figure out how they can take advantage of the new medium, whether it be for entertainment, productivity, sales, or a myriad of other potential uses. However, sometimes lost in all this excitement is the difference between virtual reality platforms and whether the required technical underpinnings are in place to deliver a satisfying user experience. It’s important to understand what virtual reality, augmented reality, and mixed reality are in relation to each other, as well as the technical considerations that those hoping to create experiences for these platforms need to keep in mind.


Canadians Moving Fast and Hard into Blockchain Space

Reports this month suggest the Canadian market will work on strengthening its global position of implementing potential use cases for Blockchain technology. Blockchain News reported recently that payments tech firm NetCents revealed a new partnership with The Vanbex Group, owners of Blockchain payments tool Genisys, to help banks in Canada implement the distributed ledger technology. ... NetCents isn’t the only company anticipating disruption to ACH payments by Blockchain technology. The Deloitte Centre for Financial Services released a report in March that pinpointed ACH payments as a target for Blockchain disruption, and that Blockchain-based payments platforms could reach the scale and volume that ACH currently holds (at 23 billion transactions a year) by 2025.


What do CIOs in high-performing companies do differently?

As companies increasingly rely on technology as a competitive differentiator, CIOs need to build and sustain peer relationships with other C-suite leaders. But all relationships are not created equal. A strong CFO-CIO relationship, for example, can mean smarter technology investments that align with strategic growth plans, improve business performance, and administer effective risk governance. This isn’t lost on HPC CIOs. When asked which relationships are important for their success, most (93 percent) consider the CFO relationship one of the top strategic relationships. Only 70 percent of other CIO respondents agreed.


Consortium develops prototype blockchain application for banks

The consortium utilised the Linux Foundation open-source Hyperledger Project blockchain fabric, the development of which was supported by IBM Research and IBM Global Business Services. The consortium said that the proof of concept shows the potential to streamline the manual processing of import/export documentation and improve security by reducing errors; this could also increase convenience for all parties through mobile interaction and make companies' working capital more predictable. The consortium now plans to conduct further testing on the concept's commercial application with selected partners such as corporates and shippers.


Data theft rises sharply, insiders to blame

IT professionals also claimed that "insider negligence" is the most common root cause of a data breach -- and is twice as likely to cause the loss of data as external attackers, malicious employees with an axe to grind, or lax contractor security. In total, 87 percent of respondents said their jobs require them to access and use data including customer information, contact lists, employee records, financial reports, and corporate documents, but only 29 percent of IT respondents said their organizations enforce a least-privilege model to keep access to this kind of information on a 'need to know' basis. To make matters worse, the survey suggests over a third of businesses have no searchable record of file system activity, and only 25 percent of organizations monitor employee, email, and file activity.


Tech 'utopia is creepy,' according to Nicholas Carr

When we saw the resurrection of the internet after the big dot-com bust, there was this sense that the walls of old media and the gatekeepers were coming down and there was a golden age of people in control of their own expression and what they read. This was a strong theme back then. There was a Wired cover story called “We are the web” that presented this as a whole new world opening up. What we've seen since then has been very different. The old gatekeepers, to the extent they were gatekeepers, have been replaced by companies like Facebook and Google and companies that really now have become the new media companies and are very much controlling the flow of information.


IT asset management: How to be efficient

Having a service management discipline and ITAM together helps organizations make more informed decisions and design better processes. Imagine the value of having a change risk calculator that factors in asset details such as the age of the assets being changed or whether an asset was due to be returned from a lease expiring in sixty days. Having solid practices or procedures for collecting asset lifecycle data along with a sophisticated inventory ensures the reliability and integrity of the information. Getting started is not simple. True governance practices require that the company’s learning and growth culture, together with an effective long-range plan, guide the successful implementation of this business initiative.


Here’s Why We Need Fintech Disruption Now More Than Ever

Maybe it’s unfair to expect fintech to mount a meaningful challenge to the likes of JPMorgan and Nasdaq in just a few years. The aspect of the financial world that makes it so apt for disruption – its top-heavy concentration – is also what makes it so hard to disrupt. Neither should the engineering challenge be minimized. The technology of finance is probably second only to agriculture (and maybe one “other” profession) in how long humans have spent honing it. Financial startups inevitably bump into realities that explain why banking is so cumbersome to begin with. They tend to end up focusing on pesky chores like verifying customers’ identities, or trying to establish systems that are actually secure.


Myth busted: Older workers are just as tech-savvy as younger ones, says new survey

"It's dangerous for companies to assume that if you're under 35, you're tech savvy," said Paul Bernard, an executive coach and regular contributor to Next Avenue, a website for 50-plus-year-olds. "In many cases, I've seen that many older people are able to combine tech-savvy with communication skills—almost without exception, it's easier for older workers to pick up more tech skills than younger workers, who are tech savvy, to pick up communication skills." ... "Older job applicants are viewed as too expensive, and thus are often automatically rejected," Matloff said. "Some employers do claim that the older ones are rejected due to not having up-to-date skills, but I have found that that is generally just an excuse, and that most older tech workers do have modern skill sets."



Quote for the day:


"If you make decisions based upon people's reactions or judgments then you make really boring choices." -- Heath Ledger


August 10, 2016

Protecting privacy in genomic databases

The new system, which Berger and Simmons developed together with Cenk Sahinalp, a professor of computer science at Indiana University, implements a technique called “differential privacy,” which has been a major area of cryptographic research in recent years. Differential-privacy techniques add a little bit of noise, or random variation, to the results of database searches, to confound algorithms that would seek to extract private information from the results of several, tailored, sequential searches. The amount of noise required depends on the strength of the privacy guarantee — how low you want to set the likelihood of leaking private information — and the type and volume of data. The more people whose data a SNP database contains, the less noise the system needs to add; essentially, it’s easier to get lost in a crowd.
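The noise-versus-cohort-size trade-off described above, as an added illustration rather than code from the MIT/Indiana system: a Laplace mechanism over a constructed toy SNP cohort, where one individual can move an allele frequency by at most 1/n, so the noise scale shrinks as the database grows.

```python
import math
import random

# Constructed toy cohort (not real genomic data): each record maps a SNP id
# to a flag saying whether the individual carries the minor allele.
SAMPLE = [{"rs1": 1, "rs2": 0}, {"rs1": 0, "rs2": 1},
          {"rs1": 1, "rs2": 1}, {"rs1": 0, "rs2": 0}]

def allele_frequency(genotypes, snp):
    """Exact (private) fraction of individuals carrying the minor allele."""
    return sum(g[snp] for g in genotypes) / len(genotypes)

def laplace_scale(sensitivity, epsilon):
    """Laplace mechanism scale b = sensitivity / epsilon.

    Smaller epsilon (stronger guarantee) or larger sensitivity means more noise."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon

def laplace_noise(b, u):
    """Laplace(0, b) sample from a uniform draw u in (0, 1) via inverse CDF."""
    u -= 0.5
    return -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def private_allele_frequency(genotypes, snp, epsilon, rng=random):
    """Release the frequency with Laplace noise.

    Adding or removing one person changes the frequency by at most 1/n, so the
    sensitivity, and with it the noise, falls as the cohort grows."""
    n = len(genotypes)
    b = laplace_scale(1.0 / n, epsilon)
    noisy = allele_frequency(genotypes, snp) + laplace_noise(b, rng.random())
    return min(1.0, max(0.0, noisy))  # clamp to a valid frequency

def sequential_budget(epsilons):
    """Basic composition: k tailored, sequential queries answered with
    epsilon_i each spend sum(epsilon_i) of the total privacy budget."""
    return sum(epsilons)

if __name__ == "__main__":
    for n in (4, 100, 10_000):
        print(n, "records -> noise scale", laplace_scale(1.0 / n, 0.5))
    print("noisy rs1 frequency:", private_allele_frequency(SAMPLE * 250, "rs1", 0.5))
```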


Researcher hides stealthy malware inside legitimate digitally signed files

If an executable file is signed, information about its signature is stored in its header, inside a field called the attribute certificate table (ACT) that's excluded when calculating the file's hash -- a unique string that serves as a cryptographic representation of its contents. This makes sense because the digital certificate information is not part of the original file at the time when it is signed. It's only added later to certify that the file is configured as intended by its creator and has a certain hash. However, this means that attackers can add data, including another complete file inside the ACT field, without changing the file hash and breaking the signature. Such an addition will modify the overall file size on disk, which includes its header fields, and this file size is checked by Microsoft's Authenticode technology when validating a file signature.
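A defender-side check for the ACT behaviour described above, added here as an illustration and not code from the research: it walks the PE security directory and flags bytes inside a WIN_CERTIFICATE entry that the embedded PKCS#7 DER structure itself does not account for. The minimal PE image it builds is constructed test data, not a real signed binary.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def der_length(blob):
    """Total encoded size (tag + length + content) of the leading DER SEQUENCE."""
    if blob[0] != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def act_entries(pe):
    """Walk the attribute certificate table; 'extra' counts bytes in an entry
    beyond what its PKCS#7 blob declares, i.e. room where data could hide."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                   # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)   # data directories (PE32 / PE32+)
    off, size = struct.unpack_from("<II", pe, dd + 8 * SECURITY_DIR)
    out, pos = [], off
    while size and pos + 8 <= off + size:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            break
        body = pe[pos + 8:pos + length]
        out.append({"type": ctype, "length": length,
                    "extra": len(body) - der_length(body)})
        pos += (length + 7) & ~7          # entries are 8-byte aligned
    return out

def build_sample_pe(cert_body):
    """Constructed minimal PE32+ layout with a single WIN_CERTIFICATE entry."""
    entry = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    entry += b"\0" * (-len(entry) % 8)
    act_off = 0x40 + 4 + 20 + 112 + 16 * 8   # table sits right after the headers
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR, act_off, len(entry))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + bytes(dirs)
    return dos + b"PE\0\0" + b"\0" * 20 + opt + entry
```

A non-zero `extra` on a real binary warrants a closer look at the signature blob; a correctly formed PKCS#7 entry accounts for every byte except the 8-byte alignment padding.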


Huawei cyber president warns technology is a breeder of threats

"Of course it's more complicated now than 35 years ago, but the technology of 35 years ago is still a security challenge, and here we are looking forward five and 10 years towards things that have not really been invented. We don't really know they're going to be fully used around the world and yet people are asking 'how do you secure this world?'" His advice is to focus on securing this world -- not the PC of 35 years ago -- because shortly after each new technology is born a threat occurs. Suffolk does not expect this to change. Due to the public nature of many recent data breaches or security hacks, Suffolk believes that many customers now understand intrinsically what goes on with security, noting it has not stopped them from embracing technology.


16 Stunning Statistics that Forecast the Future of the Internet of Things

Everyone’s talking about the Internet of Things, even the “things,” which can now request and deliver customer support, tell if you’re being as productive as you could be at work, let your doctor know if you’re following orders (or not), reduce inefficiencies in energy consumption, improve business processes, predict issues and proactively improve or resolve them based on data received. The Internet of Things (IoT) is just getting started. The forecasts below show why organizations need to get started too (if they haven’t already) on leveraging and responding to the Internet of Things.


Part 1: Machine Learning’s Promise for Cybersecurity

Williamson told an industry panel in May that machine learning and data science solutions are “very technique driven.” “Pretty well every provider of analytics solutions will say ‘look at the techniques I’ve got – I’ve got some core vector machines, I invented one of the core vector machine algorithms, it’s a great technique’,” he said. “It’s still a technique. How do you know for your problems that it’s useful? You don’t.” For some, however, especially the data scientists in this field like Rehak, machine learning nevertheless holds great promise for making the Internet more secure. Some argue, in fact, that it’s not just possible that machine learning will improve security; it’s inevitable.


Storage Flexibility Benefits Multitenant Environment

Disruption, as we've heard, is around containers. We're launching a new container-as-a-service platform later this year based on ContainerX. That will allow us to do containers for both Windows or Starnix platforms, regardless of what the developers are looking for. We're targeting developers, DevOps guys, who are looking to do microservices to take their application, old or new, and architect it into the containers. That’s going to be a very disruptive new offering. We've been working on a platform for a while now because we have multiple locations and we can do the geographic dispersion for that. I think it’s going to take a little bit of the VMware market share over time. We're primarily a VMware shop, but I don’t think it’s going to be too much of an impact to us. It's another vertical we're going to be going after. Those are probably the two most important things we see as big disruptive factors for us.


The most critical gap in cybersecurity today: Talent

Despite the growing breadth/depth of security threats in the everyday organization, it is typical to find an unstructured security team that is not providing professional growth or continued education opportunities. Furthermore, the few professionals who are qualified are spread too thin and tend to burn out quickly. This has also had a profound impact on the security industry, which is now seeing 1 million unfilled cybersecurity jobs in 2016 alone, and that number is expected to increase to 6 million global job openings by 2019. While the task of closing this gap seems daunting, it is important for enterprises to shift their focus to their internal teams to cultivate the talent that already exists within their organizations, even if it’s minimal to start.


Where Do We Go with Robotics?

The word “robot” was coined by Karel Capek from the Czech word “robota” meaning “hard work” or “slavery”. In these respects, robots play a part in relieving human workers from difficult or risky tasks, while remaining under their supervision. Volkswagen is testing them to relieve its workers from difficult tasks on assembly lines. Companies working with radioactive material use them to control and inspect their facilities. The army is willing to use them to make sure a military field is safe and cleared of any explosive device. As with many technologies before, citizens are willing to call them progress only when they start benefitting from them. They may even have forgotten about one of the very first concerns that crystallized the word “robot” when it was coined: the diminution of employment in industry.


Building engaging and secure mobile apps

Users must feel confident installing the app and using it wherever they might want to. However, most public Wi-Fi networks lack security, so it would be a wise choice to disable automatic connectivity to such networks to prevent loss of important data. Data leaks are the concern where users are expected to sync data to the cloud. The vendor’s protection mechanisms cannot be controlled even if the company’s security policies comply with best practices. To tackle this issue, it is recommended to ensure a different password for every app or service. However, most of the security shortcomings are to be tested beforehand, in the development and testing stages of the security lifecycle. And it is hardly possible that marketers will be involved when making decisions of this kind.


No, 900 million Android devices are not at risk from the 'Quadrooter' monster

Verify Apps scans your device for potentially problematic programs both as you download new apps and continually over time. It'll stop you from installing any app that could compromise your device's security and will also warn you if an existing app starts doing anything suspicious. Verify Apps is present on every Android device running version 2.3 or higher -- which, according to Google's latest platform measurements, accounts for a whopping 99.9% of active Android devices. And Google has confirmed the system is already watching out for any "Quadrooter"-related mischief -- none of which, it's worth noting, has actually been observed in the real world.



Quote for the day:


"Data is a precious thing and will last longer than the systems themselves." -- Tim Berners-Lee