Computer Weekly is the leading technology magazine and website for IT professionals in the UK, Europe and Asia-Pacific
Latest Updates
-
WWW.COMPUTERWEEKLY.COM
Driving innovation in emerging tech through international collaboration

The UK, with the third largest tech sector in the world, is well-positioned to successfully partner with leading and emerging digital economies. But innovation does not exist within the constraints of country borders. In fact, international partnerships and collaboration are key to making sure that technology works for people, economies, societies, and the planet.

Recent years have seen the UK government sign a number of innovative bilateral initiatives including Fintech Bridges, Space Bridges, and Digital Economy Agreements. While many of these have been successful, it is critical the new government continues to work with partners around the world to best position the UK tech sector for international success.

One of the most promising initiatives in fostering international collaboration has been the establishment of Fintech Bridges, as exemplified by the UK-Australia Fintech Bridge. These arrangements serve as international regulatory sandboxes that allow companies to test innovative products and services in a controlled environment while ensuring compliance with relevant regulations.

By doing so, they help companies - especially those that are inherently innovative and operate in difficult regulatory environments - scale into new markets more effectively.

The UK-Australia Fintech Bridge has demonstrated the potential of such partnerships. Under this agreement, regulatory authorities from both countries collaborate to support fintech startups, allowing them to operate in each other's markets through regulatory sandboxes.
The success of this initiative, which has seen over 42 UK fintech companies expand into Australia, shows that to support innovative, high-growth sectors, you need innovative trade policies.

To build on this success, TechUK has called on the new UK government to establish additional Tech Bridges - which include regulator-to-regulator dialogue - with other key markets, across more technology sub-sectors.

These partnerships would support the international expansion of some of the UK's most innovative tech companies and help diminish the technical trade barriers which so often arise from varying regulations.

In an increasingly digital world, the UK must also focus on negotiating Digital Economy Agreements (DEAs) with priority markets. The UK-Singapore DEA, for instance, has been a model for how such agreements can facilitate innovation. DEAs are adaptable to new technologies and provide mechanisms for regular stakeholder input, ensuring that the trading relationship remains modern and responsive to technological advancements.

The next UK government should build on this model by negotiating additional DEAs with key markets. These agreements would not only support the digital economy but also provide a framework for cooperation on emerging technologies, such as artificial intelligence, quantum computing, cyber security, blockchain and much more.

The US-EU Trade and Technology Council, despite yielding few concrete results, has been a critical forum for discussing transatlantic cooperation on issues such as export controls, foreign direct investment screening, and technology standards. These are issues that are inherently global and ever-changing and thus require a consistent, ongoing dialogue.
The UK should seek to learn the lessons from the US-EU Trade and Technology Council and explore options for dialogues with key partners.

Moreover, where bilateral science and technology partnerships already exist, such as the newly signed UK-India Technology and Security Initiative, the UK should prioritise operationalising them in consultation with industry stakeholders. For example, the UK's bilateral tech forums with Japan and India offer significant opportunities for closer cooperation on emerging technologies. By strengthening these partnerships alongside industry support, the UK can remain at the forefront of critical conversations on technology and trade.

The new government has a unique opportunity to drive innovation through international partnerships by building on successful initiatives like Tech Bridges, prioritising digital economy agreements, and enhancing dialogue with core partners. These efforts will not only support the growth of high-tech sectors but also ensure that the UK remains a leader in global dialogues around technology and regulation.

Daniel Clarke is policy manager for international policy and trade at TechUK.

Read more about UK tech policy

How standards and assurance are making responsible AI achievable - Everyone would agree that taking an ethically principled approach to using AI is essential - but in practice, delivering governance and assurance mechanisms around implementing AI responsibly is what really matters.

Driving the development of transformative technologies through digital skills - The lack of digital skills training for employees is holding back organisations from achieving the business potential of key technologies such as AI, data analytics and cyber security.
What needs to be done?

From pixels to planets - the UK gaming and space sectors show how to lead on future technologies - The UK has a track record of innovation and achievement in gaming and space technologies - what can the rest of the tech sector learn from these success stories?

Why the government should still bet on DSIT's five key technologies - When the Conservative government launched the Department for Science, Innovation and Technology, it identified five key technologies for UK investment. The new Labour government must continue this plan.

TechUK calls for government support to help UK datacentre market reach growth potential - UK tech trade body TechUK claims the UK's datacentre sector could become one of the country's fastest-growing sectors with more government support.
-
WWW.COMPUTERWEEKLY.COM
IT and business leaders face big gap in understanding of data priorities

There appears to be a gap between what business leaders want to do with artificial intelligence and the IT capabilities of their organisation

By Cliff Saran, Managing Editor
Published: 22 Nov 2024 10:33

Over three-quarters (77%) of business leaders claim it is easy to use the data they need for their jobs, yet IT people struggle with data management, research has found.

The Morning Consult survey of 4,000 business leaders and tech practitioners for Capital One found that 70% of IT staff report spending up to four hours a day fixing data issues, conducting quality checks or correcting errors.

According to Capital One, these ongoing struggles not only slow down workflows, but also point to deeper issues with data management and governance to ensure high-quality data.

The survey reported that although data culture is a top indicator of artificial intelligence (AI) success among those polled, only 35% of respondents said they have a strong data culture, citing inconsistent support and education. In fact, over a fifth said their organisation lacks a strong data culture or there is inconsistent leadership support, talent development and education around data.

The majority (87%) of business leaders who participated in the survey believe their organisation has a sufficiently modern data ecosystem to build and deploy AI. The fact that only 13% of the technical people polled were confident they could fix data issues in less than an hour shows a disconnect between business goals and the technical implementation challenges that must be overcome to meet these objectives.

Companies are looking to deploy advanced artificial intelligence such as multi-modal AI, which requires the ability to process unstructured data in various formats and on a massive scale.
However, according to Capital One, the contrast between perceived ease and the time spent resolving data problems highlights how many organisations overlook the result of poor data management in an increasingly complex environment.

The survey also revealed inconsistency in how business leaders rank data security. While 76% ranked data security as their top concern in AI initiatives, followed by data quality (73%) and data management (65%), over half (53%) said their organisation prioritises data management to mitigate risk. In fact, 38% admit data management is given only moderate importance. Efforts to address security risks vary, with 58% of business leaders using data encryption, but only 20% using tokenisation.

When asked about their organisation's progress with cloud integration, 41% of leaders and 33% of practitioners with advanced implementations said they are scaling automation technology across the enterprise. However, in those organisations at an early stage of implementation, 15% of leaders and 18% of practitioners are running pilots in some parts of the business.

Cloud integration is considered an important step in improving the data management required for AI. Terren Peterson, vice-president of engineering at Capital One, said: "Doing AI and ML [machine learning] is hard enough on its own."

Organisations need to start with a good foundation of data, he said, and to achieve this, they should aim to build a data platform based on standardised data using a single data pipeline.

According to Peterson, those organisations that have fully embraced cloud technologies are in a better place in terms of the data management required to support AI, compared with those that rely on on-premise IT infrastructure.
"Cloud-native organisations are just two or three clicks away from building their data platform," he added.

Read more about data management

How to manage proprietary enterprise data in AI deployments: Explore strategies for managing sensitive data in enterprise AI deployments, from establishing clear data governance to securing tools and building a responsible AI culture.

Why Salesforce needs a data management platform: There are reports that Salesforce is looking to acquire Informatica, but such a move needs to fit with its AI and GenAI strategy.
-
WWW.COMPUTERWEEKLY.COM
Swiss encrypted messaging service, ePost, targets one million postal users

Switzerland's national postal service is targeting one million Swiss residents to join its ePost encrypted communications service by the end of 2025.

Swiss Post, faced with the prospect of annual falls in demand for traditional postal services, is betting that its ePost mobile app will fill the gap left by the declining use of traditional mail.

ePost aims to become the go-to app in Switzerland for people to communicate with banks, insurance companies, government, hospitals and other organisations such as clubs and societies.

It offers Swiss citizens a single inbox for email, instant messaging and electronic post, the ability to receive and pay bills, and the facility to store and access documents, ranging from insurance quotes to medical records.

The app, which claims to be the first of its kind, has attracted interest from governments and postal services in Germany, France and the Nordics, which are investigating the potential to build equivalent apps.

Renato Stalder, CEO of ePost, told Computer Weekly that demand for the app has grown throughout 2024, with 15,000 to 25,000 people signing up each month, often through word-of-mouth recommendations.

The need for a digital alternative became clear to Swiss Post in 2000 when the volume of letters posted in Switzerland began a rapid downward trajectory as people replaced letters with emails and text messages.

With Swiss Post's revenues in decline, the government decided the country should build a nationwide communications platform that would be available to everyone living in Switzerland or overseas with a Swiss passport.

Swiss Post created a subsidiary, ePost Service AG, to develop the technology.
It was intended to act more like a startup company than a traditional postal service, with the ability to move quickly and attract talented technology experts.

Stalder told Computer Weekly that, to secure financial backing, the new company had to find a niche that had yet to be exploited by other communications services.

The market for business-to-business communications had already been cornered by Microsoft technology, particularly Microsoft Teams, while WhatsApp was the app of choice for people to send personal instant messages.

But ePost identified a gap in the market for technology that would help businesses and government agencies communicate with consumers and citizens.

ePost's breakthrough idea was to build an app through which Swiss citizens could communicate with multiple business and government departments, pay bills, sign contracts, and collate important documents and communications.

"We said let's bring together people, organisations, Cantons [administrative districts], banks and insurance companies on one distributed platform to allow secure communications, and let's create that as a piece of national infrastructure," said Stalder.

The company turned to the open source protocol, Matrix, which offers decentralised secure communications.

The technology has the advantage of not tying its users to proprietary messaging services, such as WhatsApp, or requiring companies that deploy Matrix messaging services to be locked into the technology of a single provider.

Its interoperable design means it is possible to send messages on the Matrix protocol and have them delivered through bridges to other messaging services.

Swiss Post began developing its country-wide communications platform in October 2020 and the app was ready to roll out in July 2021. The main selling point was to offer a digital alternative to paper post.

The business model was influenced by the postal service - the sender pays, but the app is free to use for the public.

"It was not successful," said Stalder.
"We made a big mistake. We were so focused on the history of post that we were thinking about letters and decided to digitise the letter," he said.

Stalder acknowledged that ePost had failed to recognise the public's changing preferences. The growth of email and instant messaging meant that letters, even in digital form, were in decline.

It took six months to convince the first 50,000 people to download the app. The app simply did not offer enough benefits to persuade people to use it, said Stalder, and businesses were not keen to add digital post as yet another communications channel.

ePost went back to the drawing board to develop an updated version of the app featuring secure messaging and email, document storage, digital document signing and a simple way to pay bills.

The service offered small and medium-sized companies cloud-based software that they could use to manage their relationship with customers. For larger companies, there is an on-site server.

When the updated app became available in 2024, persuading companies and Swiss citizens to sign up to the app nevertheless proved to be a chicken and egg problem.

Companies did not want to sign up unless they could use the app to reach a significant number of people, and citizens were not interested unless they could use the app to reach a significant number of companies and government organisations.

The upside was that the first company to solve the problem would have a monopoly.
As Stalder said: "It's a winner-takes-all approach."

Stalder's initial goal was to sign up two banks, two insurance companies and two regional government Cantons.

The app aimed to attract businesses by offering them branding that mimics the branding they would have had on physical letters, including a company colour scheme and logos.

It also offered a safe alternative for staff who might use non-work apps such as WhatsApp for official communications.

Stalder, who has also worked on the governance committee of a bank, found there were concerns in financial organisations about employees using WhatsApp and similar messaging services.

Although WhatsApp is end-to-end encrypted, and therefore secure, the difficulty is that WhatsApp messages are not recorded in company records. That means, for example, if a customer accused a bank of providing bad financial advice over WhatsApp, the bank would have no record of the communication.

These features have proved attractive to businesses. "We say we want to give the same comfort and convenience [as WhatsApp] but without the problems. And that's where the corporates react very positively," said Stalder.

Users benefit by being able to use a single app to communicate with a wide range of businesses, clubs and government services. They can receive invoices, contracts and other digital documents, emails, SMS messages and secure emails, which appear in one inbox.

People can also pay their bills from the app, which can connect to their bank through an open banking standard used by 70% of Swiss banks. The app will also recognise contracts and allows people to sign them digitally.

"You get sent a bill and you have one click to send it to your e-banking. This is the most used function. The second most used function is signing papers directly in the app instead of printing them out," said Stalder.

As all messages appear in one inbox, people do not have to spend time searching their emails, text messages and paper files to find information.

The app also allows users to tag documents - for example, to identify documents and receipts, which saves time when filing an annual tax return. At the end of the tax year, people can ask the app for all the receipts needed to complete their tax declaration.

"Every document that comes in gets a digital signature at the moment it comes into the system. And we can guarantee, since it's in the system, it was never changed," said Stalder.

For now, ePost - which employs 140 people, most of whom work on development - is focused on growth. It has set the ambitious target of reaching one million users by 2025 and is set to break even by 2026.

The next step is to add secure encrypted email, which will appear in the same inbox as regular email, chat messages and digital letters.

"We want to have a unified communications approach. As a user, I don't care if it was an email going ping-pong or a text message. That is the thing we are working on now," said Stalder.

Over the next two years, ePost also plans to develop ways to make it easier to integrate other software applications into the platform by developing application programming interfaces (APIs). One plan is to link ePost to Microsoft Teams so that people working for corporations or the government can speak to customers through their ePost app on their mobile phone.

There are still technical challenges ahead. One issue is that people can miss messages if they log out of the app, such as when they change their mobile phone.
At a Matrix conference in Berlin this year, other organisations revealed they had experienced the same problem.

"I have learned that everyone has this problem, so it's a real issue, but the good thing is that the pressure is so high, I am sure it will be solved," said Stalder.

If there is one thing Stalder would do differently, it is to start with email and messaging services rather than trying to replicate letters electronically.

"Sometimes I go with our commercial people and to see the reaction of the client when we present them with new functionalities," he said. "When we start our story with the digital letter, you can see they are sitting there and saying, 'Okay, that's nice.' But when we talk about new channels, they open their eyes and say, 'Well, that would allow us to have a totally different conversation with the customer, why didn't you tell us before?'."

Read more about the evolution of postal services

How SingPost is delivering on digital transformation: SingPost group CIO outlines the company's efforts to leverage AI and automation to improve operations, emphasising the importance of building the right culture as it expands its regional footprint.

Finland's postal service targets new revenue streams through digitisation: Posti plans to use the new SisuID digital authentication method to accelerate business growth and opportunities.

Postal delivery robots piloted in Norway: The Norwegian postal service is testing out the value and viability of robots delivering mail to homes and businesses.
-
WWW.COMPUTERWEEKLY.COM
CMA gets ready to take on Apple and Google over mobile browsing

Preliminary investigation finds a lack of fairness and choice of mobile browsing on iOS devices like the iPhone is holding back innovation

By Cliff Saran, Managing Editor
Published: 22 Nov 2024 16:15

An independent inquiry into the mobile browser market has recommended that the Competition and Markets Authority (CMA) consider investigating Apple and Google's mobile ecosystem activities. However, the inquiry also recommended that no further action needs to be taken on cloud gaming.

The provisional findings of the inquiry concluded that the mobile browser market is not working well for UK businesses and millions of individual phone users.

The CMA began an investigation following its Mobile ecosystems market study in 2021, which found that Apple and Google have an effective duopoly on mobile ecosystems, including operating systems, app stores and web browsers on mobile devices. This puts Apple and Google in a position to set the rules on how mobile browsers work on iOS and Android devices respectively.

The independent inquiry reported that Apple restricts competitors from delivering new, innovative features that could benefit consumers.
For instance, rival browser providers have highlighted concerns that they have been unable to offer a full range of browser features, such as faster webpage loading on iPhone.

"Many smaller UK app developers also told us that they would like to use progressive web apps - an alternative way for businesses to provide apps to mobile users without downloading apps through an app store - but this technology is not able to take off on iOS devices," said the group assessing the mobile browser market for the CMA.

There is also a revenue-sharing agreement between Google and Apple, which significantly reduces the financial incentives of other browser developers offering mobile browsers on iOS.

Other issues considered in the report include the way users are presented with choices about which browser they use. The inquiry provisionally found that Apple and Google have the ability to manipulate these choices to make their own browsers the clearest or easiest option.

Margot Daly, chair of the CMA's independent inquiry group, said: "Markets work best when rival businesses are able to develop and bring innovative options to consumers. Through our investigation, we have provisionally found that competition between different mobile browsers is not working well and this is holding back innovation in the UK."

The analysis set out in this report and a range of potential interventions considered to address the market issues identified by the group merits consideration by the CMA board under its new powers, which have been specifically designed for digital markets.
Under those new powers, the CMA can consider the case for designating firms with strategic market status, taking account of the interplay between the specific markets that are the subject of this market investigation and Apple's and Google's wider mobile ecosystems.

In the US, the Department of Justice is looking to force Google parent Alphabet to sell the Chrome browser, following a ruling in August in which the search engine giant was found to have acted in an anti-competitive manner.

Read about other CMA investigations

CMA clears Google over Anthropic partnership: The UK competition watchdog has finished its initial investigation into Google's partnership with Anthropic, with no follow-up on the cards.

CMA offers potential solution to Vodafone and Three's merger issues: Remedies Working Paper published by UK competition watchdog into merger of leading telcos says deal may proceed if appropriate remedies are implemented.

The CMA anti-trust investigation into AWS and Microsoft explained: Everything you need to know.

CMA extends investigation into anti-competitive behaviour in UK cloud market: The UK competition watchdog has secured a four-month deadline extension for its investigation into the cloud infrastructure services market.
-
WWW.COMPUTERWEEKLY.COM
Microsoft slaps down Egyptian-run rent-a-phish operation

Microsoft's Digital Crimes Unit (DCU) has scored a major win against the cyber criminal underworld after leading an operation to seize 240 fraudulent websites used by an Egyptian national - named today as Abanoub Nady - who sold do-it-yourself phishing kits under the brand name ONNX to less adept crooks.

Nady, who used the handle MRxD0DER, both developed and sold the phishing-as-a-service kits, which were used in multiple campaigns against Microsoft customers in various sectors, although it is understood that the financial services industry was the most heavily targeted.

The DCU believes that emails originating from the ONNX family of products made up a significant portion of the tens to hundreds of millions of phishes caught in Microsoft's nets every month - it was likely among the top five such ops globally.

Redmond said that in targeting ONNX, it was disrupting the illicit cyber criminal supply chain and protecting customers from downstream threats such as fraud, data theft, and ransomware.

"This action builds on the DCU's strategy of disrupting the broader cyber criminal ecosystem and targeting the tools cyber criminals use to launch their attacks," Microsoft DCU assistant general counsel Stephen Masada explained.

"Our goal in all cases is to protect customers by severing bad actors from the infrastructure required to operate and to deter future cyber criminal behaviour by significantly raising the barriers of entry and the cost of doing business.

"We are joined by co-plaintiff LF (Linux Foundation) Projects, LLC, the trademark owner of the actual registered ONNX name and logo.

"ONNX or Open Neural Network Exchange is an open standard format and open source runtime for representing machine learning models, enabling interoperability between different hardware, frameworks, and tools for easier deployment and scalability," he said.

"Together, we are taking affirmative action to protect online users globally rather than standing idly by while malicious actors illegally use our names and logos to enhance the perceived legitimacy of their attacks."

Masada said that the DCU had unilaterally opted to name Nady to serve as a further deterrent to others.

A spokesperson for the Linux Foundation said: "At the Linux Foundation, we advocate collaboration as a powerful tool for tackling complex challenges. Today, we celebrate our recent collaboration with Microsoft to defend millions of individuals and organisations from a global phishing-as-a-service criminal operation. We encourage organisations who find themselves in a position to fight one element of a cyber crime problem to identify ways to collaborate and build a stronger collective response."

Recent months have seen a significant upswing in sophisticated adversary-in-the-middle (AitM) phishing attacks such as those orchestrated through ONNX, notably a spike in so-called quishing - phishing using malicious QR codes.

However, Microsoft's action against ONNX is in fact the result of a lengthy investigation dating back to 2017. Over the years, said Microsoft, it has tracked various of Nady's enterprises including other phishing operations known as Caffeine and FUHRER.

All of his kits were designed to send emails at scale in coordinated campaigns, and ONNX was sold on a subscription-based model with various tiers of access and support, even a VIP tier for the most discerning criminals, who benefited from round-the-clock tech support offering step-by-step guidance.

ONNX was mostly promoted, sold and configured via the Telegram messaging platform, alongside demonstration videos.
Once bought, customers were able to orchestrate attacks using the provided templates and the fraudulent ONNX technical infrastructure, where they were allowed to connect malicious domains obtained from elsewhere.

Under a civil court order, unsealed today in the Eastern District of Virginia, Microsoft has now taken over this technical infrastructure, putting it beyond use for future attacks.

Unfortunately, observed Masada, while the DCU's action will substantially disrupt ONNX, it is a certainty that other threat actors will fill the void, with adapted techniques.

"However, taking action sends a strong message to those who choose to replicate our services to harm users online: we will proactively pursue remedies to protect our services and our customers and are continuously improving our technical and legal strategies to have greater impact," he said.

"Furthermore, as cyber criminals continue to evolve their methods, it is crucial for organisations and individuals to stay informed and vigilant. By understanding the tactics employed by cybercriminals and implementing robust security measures, we can collectively work towards a safer digital environment. Continued collaboration, like the partnership with LF Projects, remains essential if we want to meaningfully dent the cyber threat landscape."

Read more about phishing

The Metropolitan Police working with international police forces have shut down LabHost, a phishing-as-a-service website that has claimed 70,000 victims in the UK.

Phishing techniques are evolving away from malicious email attachments, according to a Mimecast report.

A healthy dose of judicious skepticism is crucial to preventing phishing attacks, said David Fine, supervisory special agent at the FBI, during a presentation at a HIMSS event.
-
WWW.COMPUTERWEEKLY.COM
BianLian cyber gang drops encryption-based ransomware

The Australian Cyber Security Centre (ACSC) and the United States Cyber Security and Infrastructure Security Agency (CISA) have published updated intelligence on the activities of the dangerous BianLian ransomware operation, after observing a rapid evolution in the gang's tactics, techniques and procedures (TTPs).

One of a number of gangs that first came to prominence alongside LockBit in 2022 during a shift in the cyber criminal landscape following the demise of the Conti crew, BianLian is almost certainly based in Russia despite the Chinese name - probably an attempt at obfuscation.

Over the past couple of years it has established a name for itself by targeting critical national infrastructure (CNI) operators in both Australia and the US, with victims also claimed in the UK.

Having gained access to its victims' environments, usually by stealing valid Remote Desktop Protocol (RDP) credentials, and exfiltrating their data, BianLian historically employed the standard double extortion model, encrypting the victim's systems and then threatening to leak their data if they weren't paid off.

However, said the Australians, in 2023 BianLian started to shift to exfiltration-based extortion, in which systems are left intact and victims are warned of financial, business and legal consequences if payment is not made. Among cyber criminals, this technique may be considered a somewhat easier method of extorting a victim as it requires less technical work.
BianLian certainly seems to think so, because since January 2024, they have exclusively used this method.FBI, CISA, and ACSC encourage critical infrastructure organisations and small- and medium-sized organisations to implement the recommendations in the mitigations section of the advisory to reduce the likelihood and impact of BianLian and other ransomware and data extortion incidents, said the ACSC.The most significant change observed is the abandonment of a traditional ransomware locker for encryption and the updating of its standard ransomware note to reflect this samples of which are provided in the advisory.It has also adopted more high-pressure techniques in an attempt to pressure its victims into paying. It now sends copies of the ransom note to office printers and employees of affected companies have been on the receiving end of threatening telephone calls.However, in the run-up to its attacks the gang is also using a number of other updated techniques that defenders should be alert to. A full run-down is available from the ACSC, but among some of the changes some of those observed by the authorities are the targeting of public-facing applications of both Microsoft Windows and VMware ESXi infrastructure, exploiting the vintage ProxyShell exploit chain for initial access, in addition to RDP.Once inside its target, BianLian also now implants a custom, Go-coded backdoor specific to the victim and from there installs remote management and access software, it favours popular products including AnyDesk and TeamViewer, to establish persistence and command-and-control (C2) purposes. It now also appears to be using the Ngrok reverse proxy tool and possibly a modified version of the open source Rsocks utility to establish tunnels from victim networks and cover up where the C2 traffic is heading.To escalate its privileges within the victim environment, it has recently taken to exploiting CVE-2022-37969. 
This zero-day, among 64 bugs that Microsoft attempted to quash in its September 2022 Patch Tuesday update, is a privilege elevation vulnerability in the Windows Common Log File System Driver and successfully exploited, grants admin-level rights.Historically, BianLian has leveraged Power Shell and Windows Command Shell to disable antivirus tools such as Windows Defender and Anti-Malware Scan Interface (AMSI). It has now been observed renaming binaries and scheduled tasks after genuine Windows services and security products and appears to be trying to pack executables using UPX to conceal their code in an attempt to bypass detection tools.When it comes to establishing persistence and facilitating further lateral movement, the gang has been observed using PsExec and RDP with valid accounts, but has also been spotted using the Server Message Block (SMB) protocol, installing webshells on Exchange servers, and creating Azure Active Directory (AD) accounts.Andrew Costis, engineering manager of the Adversary Research Team and AttackIQ, which specialises in MITRE ATT&CK-based cyber attack simulations, said it was vital for defenders to understand and test against the often highly-specific TTPs used by gangs like BianLian.The shift to exfiltration-based extortion is interesting, particularly as its believed that theBianLianoperators are likely based in Russia or have ties to Russia based on some of the tools they have been observed using, he observed.With the current geopolitical situation unfolding between Russia, Ukraine, and the West, this could be a strategic move to strike their victims faster and ultimately target more victims. This de-prioritisation of double extortion could potentially be a time-saving strategy, as double extortion negotiations take time and resources on both sides, Costis told Computer Weekly in emailed comments.From a value perspective, the intention of this change in tactic suggests that they dont currently value encryption or double extortion. 
It will certainly be interesting to see if other ransomware groups follow suit.Read more about ransomwareWe look at ransomware attacks, and the importance of good backup practice as well as immutable snapshots, air-gapping, network segmentation, AI anomaly detection and supplier warranties.Anomaly detection and immutable copies can be frontline tools against ransomware we look at the role storage can play against the latest techniques employed by ransomware gangs.Threat intel specialists at Recorded Future have shared details of newly developed techniques they are using to disrupt Rhysida ransomware attacks before the gang even has a chance to execute them.0 Yorumlar 0 hisse senetleri 50 Views
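Two of the evasion behaviours reported for BianLian above, packing executables with UPX and naming binaries after genuine Windows services, can be checked on a collected file with a triage routine like the following. It is an added example, not code from the advisory or from Computer Weekly; the list of Windows binary names, the expected directories and the sample PE images are constructed assumptions.

```python
import ntpath
import struct

# Assumption for this example: a short, illustrative list of genuine Windows
# binaries and the only directories they are expected to run from.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def pe_section_names(data):
    """Return the section names of a PE image held in bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew (offset 0x3C in the DOS header) points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    if e_lfanew + 24 > len(data):
        raise ValueError("truncated COFF header")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20, optional header starts at +24.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8]  # name is 8 bytes, NUL padded
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def triage(path, data):
    """Return a list of findings for one collected file.

    path is the Windows path the file was collected from, data its bytes.
    Section names are a heuristic only: a packer's default names can be
    changed, so an empty result does not prove a file is unpacked.
    """
    findings = []
    try:
        sections = pe_section_names(data)
    except ValueError:
        sections = []  # not a parseable PE; only the path check applies
    if any(name.upper().startswith("UPX") for name in sections):
        findings.append("upx-section-names")
    file_name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if file_name in SYSTEM_BINARIES and folder not in EXPECTED_DIRS:
        findings.append("masquerade")
    return findings


def build_sample_pe(section_names):
    """Build a minimal, constructed PE header block for the demo and test."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
        for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + table


if __name__ == "__main__":
    samples = [  # constructed samples, not real indicators
        (r"C:\Users\Public\svchost.exe", build_sample_pe(["UPX0", "UPX1", ".rsrc"])),
        (r"C:\Windows\System32\svchost.exe", build_sample_pe([".text", ".data"])),
    ]
    for path, data in samples:
        print(path, triage(path, data))
```
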
-
WWW.COMPUTERWEEKLY.COM
Apple addresses two iPhone, Mac zero-days

Apple has dropped a series of software updates across its various product lines as it aims to ward off the impact of two newly discovered zero-days, both of which may have already been exploited in the wild.

The fixes for CVE-2024-44308 and CVE-2024-44309 - both attributed to Clément Lecigne and Benoît Sevens of the Google Threat Analysis Group - affect devices running iOS and iPadOS 17.7.2 and 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1. They are also present in Safari 18.1.1.

CVE-2024-44308 affects the JavaScriptCore framework and enables a threat actor to achieve arbitrary code execution if the target device can be made to process maliciously crafted web content. According to Apple, there are reports that it has already been actively exploited on Intel-based Mac systems.

CVE-2024-44309 affects the open source WebKit browser engine used extensively within the Apple ecosystem, and is described as a cookie management issue that enabled a threat actor to conduct a cross-site scripting (XSS) attack.

In an XSS attack, a threat actor is able to insert malicious data into content from trusted websites, which is then included with content delivered to the victim's browser. Such attacks can be used to achieve a number of goals, including session cookie theft enabling the threat actor to masquerade as the victim, but are also used to spread malware and steal credentials.

Again, there are reports of in-the-wild exploitation of CVE-2024-44309 against Intel-based Macs.

Michael Covington, vice-president of strategy at Jamf, a device management company specialising in Apple products, said that it is very important for defenders to promptly address vulnerabilities in WebKit, given the framework's criticality to the Safari web browser.

"The fixes provided by Apple introduce stronger checks to detect and prevent malicious activity, as well as improve how devices manage and track data during web browsing. With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organisations apply the latest patches as soon as they are able," said Covington.

CVE-2024-44309 is not the first issue to affect WebKit identified this year. In late January, Apple patched CVE-2024-23222, which also made it into the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalogue.

Also exploited as a zero-day, CVE-2024-23222 was a type confusion flaw leading to arbitrary code execution on the vulnerable device.

As ever, Apple has provided scant detail on either of these vulnerabilities or how they have been taken advantage of. However, their identification by Google teams that have previously worked on vulnerabilities exploited by predatory commercial spyware vendors such as disgraced Israeli firm NSO may indicate the sort of people to whom these new flaws may be of interest.

Apple remains alert to such issues, and notably issued a security alert to iOS users in over 90 countries back in April, after detecting that they were being targeted by a mercenary spyware attack that was remotely compromising their devices.

As usual, Apple users who have not enabled automated updates can download the patches by navigating to their device's Settings menu, then to General, then to Software Update.
-
WWW.COMPUTERWEEKLY.COM
ORG urges ICO to revise public sector enforcement approach

The Information Commissioner's Office (ICO) approach of only fining public sector organisations in the most serious cases is under fire from privacy campaigners at Open Rights Group (ORG), who say there is an urgent need to test the regulator's claims that fines do not act as an effective deterrent for public sector bodies.

The campaigners say the ICO's approach of limiting fines to public sector bodies for only the most serious data protection issues is not working, as problems often persist well after other, less-severe enforcement actions have been taken.

"In an increasingly digital world, data protection is vital for our personal security. The ICO's reluctance to take enforcement action, alongside its policy of not challenging public sector organisations where needed, is not working," said ORG chief executive Jim Killock.

"As we see the development of AI technology and its increased use by public sector organisations, we need strong data protection laws and a strong regulator who will act as the first line of defence for the British public."

In July 2022, the ICO adopted a revised two-year trial approach to working with public authorities, with commissioner John Edwards arguing in an open letter that fines are ineffective in ensuring data protection compliance because of how they indirectly punish victims of data breaches in the form of reduced budgets for vital services.

In July 2024, the ICO then published its Annual report and financial statements for the 2023-24 financial year, in which the data regulator reviews its performance over that period. It shows where the ICO has investigated public and private bodies, and the proportion of these investigations that have resulted in reprimands, enforcement notices (that obligate recipients to change their data practices), or fines.

In terms of its actions against public sector bodies for data protection breaches, the ICO issued one fine (to the Ministry of Defence over a data leak that exposed the identities of 245 Afghanis), two enforcement notices (one regarding the loss of control of child abuse case files at the Crown Prosecution Service, and another against the Home Office for its GPS tagging of refugees), and 28 reprimands.

Examples of these reprimands include one for Thames Valley Police for disclosing a witness's address to suspected criminals, which forced the person to move house; one for the University Hospital of Derby and Burton NHS Trust for failing to process outpatient data in a timely fashion, which delayed medical treatments for some patients for up to two years; and one for West Midlands Police over multiple incidents where data mix-ups meant officers attended the wrong addresses.

Other instances include two reprimands for the Ministry of Justice, one over the disclosure of adoption details against court instructions, and another for leaving four bags of confidential waste in an unsecured holding area in the prison, which both prisoners and staff had access to.

Given the number of reprimands handed out for clearly harmful data practices in comparison to the low number of fines and enforcement notices, ORG is therefore calling on the ICO to use its full powers against public sector organisations, including enforcement notices and fines where necessary.

Computer Weekly contacted the ICO about ORG's analysis and arguments, and was directed to an ICO statement on its public sector approach from June 2024.

"While we have continued to issue fines to public bodies where appropriate, we have also been using our other regulatory tools to ensure people's information is handled appropriately and money isn't diverted away from where it's needed the most," it said.

"We will now review the two-year trial before making a decision on the public sector approach in the autumn. In the meantime, we will continue to apply this approach to our regulatory activities in relation to public sector organisations."

On 20 November 2022, in reference to the ICO's private sector enforcement, information commissioner John Edwards told The Times that the large financial penalties often issued by European regulators tend to result in lengthy legal battles, which could drain regulators' resources and ultimately weaken their ability to enforce meaningful changes.

"I don't believe that the quantum or volume of fines is a proxy for impact," he said. "You know, they get a lot of headlines. It's easy to compile league tables, but I actually don't believe that approach is necessarily the one that has the greatest impact."

He added that the ICO prefers to engage with companies to encourage compliance rather than issue fines worth hundreds of millions of pounds.

According to an ORG analysis of the ICO's latest annual report, the instances of enforcement action that have taken place show the gravity of the public sector's data mispractice, and that there is little evidence reprimands lead to genuine change despite the increased reliance on them.

"The ICO should use the full range of its enforcement powers in the public sector until and unless it can prove alternative approaches result in a substantial improvement in data protection compliance," said ORG in one of its recommendations for the ICO.

It added that the regulator should publish all evidence resulting from the two-year public sector approach trial where public sector organisations were only fined as a last resort, and that this should be followed up by an externally conducted independent audit to validate the findings.

ORG further added that there should be amendments to the new Labour government's proposed Data Use and Access Bill (DUAB), so that the ICO is banned from issuing more than one reprimand to an organisation: "Any subsequent breaches should result in an escalation of action - not additional final reprimands that both undermine the premise of the initial reprimand and have little impact on behaviour."

The DUAB should further be amended to require the ICO to publish a league table of public sector bodies' subject-access request (SAR) performance, so that organisations which consistently fail to respond within the statutory time frame can be prioritised for enforcement action.

"SARs are an important vehicle for ensuring individuals' privacy and safety," it said. "Since 2018, however, the ICO has also been attempting to get three authorities to deal with their SAR backlogs without success. This year, six years after the problem first became apparent, Plymouth City Council, Devon and Cornwall Police and Dorset Police were each sent a final reprimand."

This year marks the first time the number of reprimands has been published by the ICO in an annual report, which it committed to doing in December 2022 after a freedom of information request from Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, revealed the regulator had failed to disclose the majority of the 42 reprimands it had issued to public sector bodies between May 2018 and November 2021.

A follow-up freedom of information request from Baines from June 2022 found a further 15 reprimands since November 2021 that had not been publicly disclosed up to that point.
-
WWW.COMPUTERWEEKLY.COM
CMA clears Google over Anthropic partnership

The UK competition watchdog has finished its initial investigation into Google's partnership with Anthropic, with no follow-up on the cards

By Cliff Saran, Managing Editor
Published: 19 Nov 2024 16:01

The Competition and Markets Authority (CMA) has said Alphabet's partnership with Anthropic does not qualify for investigation under the merger provisions of the Enterprise Act 2002.

In October 2023, Alphabet invested $2bn in OpenAI rival Anthropic. The artificial intelligence (AI) startup has also received $4bn funding from Amazon.

The CMA is concerned that the foundational model sector is developing in ways that risk negative market outcomes. In particular, the likes of Google, Amazon, Meta, Microsoft and Apple have the market dominance to buy up or shut down competition. It is also worried that partnerships between these major technology providers and developers of AI foundation models may limit choice and be anti-competitive.

In September, the CMA concluded its investigation of Microsoft's hiring of key staff from Inflection, finding that Inflection AI was not a strong competitor to the consumer chatbots Microsoft has developed directly in partnership with OpenAI.

Discussing the outcome of the latest investigation, Joel Bamford, executive director of the CMA, wrote on LinkedIn: "Our investigation has shown that Google has not acquired the ability to materially influence Anthropic's commercial policy and therefore the partnership does not meet the jurisdictional threshold for UK merger control to apply."

He described the conclusion of this latest investigation as another decision by the CMA which provides greater clarity for businesses and their investors.

In a summary of its findings from the phase one investigation into the deal, the CMA said it did not believe Google had acquired material influence over Anthropic as a result of the partnership. The CMA said it looked at the risk of Google exercising influence over Anthropic at shareholder and/or board level, along with an assessment of Google's own Vertex AI product.

"The available evidence did not indicate that Google has the ability to exercise material influence over Anthropic through the partnership," the CMA concluded.

The CMA said it had considered the fact that Anthropic and Google offer two of the leading foundational AI models globally. However, given Anthropic's turnover is below the £70m threshold, which is one of the criteria it takes into account when assessing whether to look further into a deal, pursuing this thread of investigation was not necessary.

The CMA is also looking at whether it should investigate Amazon's partnership with Anthropic, due to the $4bn funding the AI startup received from Amazon.

Some industry experts believe the CMA should continue looking at the foundation model market. Josh Mesout, chief innovation officer at Civo, said: "While the CMA has decided not to pursue an investigation into the Anthropic/Alphabet partnership, the broader concerns raised in the investigation about potential market concentration in AI remain valid.

"Over-dependence on a handful of major firms could still stifle innovation, limit consumer choice and potentially lead to a monopoly that favours Big Tech. Even without a formal investigation, it is the responsibility of everyone in the industry to ensure the AI market remains fair, competitive and conducive to ongoing technological advancement."
-
WWW.COMPUTERWEEKLY.COM
Computer Weekly's Women in UK Tech Rising Stars 2024

This year's most influential woman in UK technology - Sheridan Ash, founder and co-CEO of Tech She Can - created the charity to bridge the accessibility gap that exists when it comes to female role models in the technology space.

While there are many high-profile women in tech, these role models are people to aspire to be, and many young girls feel they need women only one or two steps ahead of them in their careers to show them the path to the top.

Computer Weekly's Rising Stars category was introduced in 2014 as a way to increase the number of women showcased as industry role models.

Each year, alongside the top 50 list, Computer Weekly asks its judges to suggest Rising Stars who are starting their journey towards a possible place in the top 50 in the future, and who represent the future of the tech sector.

This year's Rising Stars are:

Hendy founded digital suicide prevention tool R;pple in 2020, designed to help people who are making online searches relating to self-harm or suicide. She is CEO of the charity, which she does alongside her work as the cyber culture manager at Deloitte. With an extensive background in cyber, Hendy is also a TEDx speaker, an ambassador for One Young World and a JAAQ creator, covering the topic of suicide prevention.

Underhill has spent her entire career at Lloyds Banking Group, since joining the firm as a graduate in 1999. She has held several roles at Lloyds, and is currently HR director for technology and data, part of the firm's Group Chief Operating Office, where she is responsible for developing its people strategies for technology. She has previously sat on the board of now disbanded tech diversity collective the Tech Talent Charter.

Clark has worked in the public sector for many years, most recently being appointed the parliamentary under-secretary of state for artificial intelligence (AI) and digital government at the Department for Science, Innovation and Technology (DSIT). Her responsibilities range across AI and digital, including AI regulation, transparency and ethics, as well as cyber security and digital identity, and public services. Before her Parliamentary career, Clark's focus was on medicine, having studied bioinformatics at the University of Exeter and worked in roles in diagnostic biochemistry and diagnostic virology.

Heavily focused on the use of AI, Duarte co-founded non-profit We and AI in 2020 to ensure AI is developed with everyone in mind, creating communities to ensure diverse teams of people are involved in the technology's future development. She is also the lead of Better Images of AI, a not-for-profit that offers a free library of images that better represent AI to reduce the use of stereotypical representations of AI such as humanoid robots, glowing brains, outstretched robot hands, blue backgrounds and the Terminator. In 2020, she also became the founding editorial board member of the AI and Ethics Journal, published by Springer Nature.

Davis heads up talent, engagement and diversity, as well as learning and development, for IT infrastructure firm Softcat. Her role involves looking after the development of all employees across the organisation, as well as developing the firm's graduate and apprenticeship programmes. She is also an advisory board member of community group Women of the Channel.

Thakrar founded and is CEO of Included VC, a venture capital fund dedicated to making sure diverse entrepreneurs gain the funding they need. It's not her first time working with entrepreneurs - previously she headed up innovation and entrepreneurship in Deep Science Ventures at Imperial College London.
-
WWW.COMPUTERWEEKLY.COM
Microsoft Ignite: AI capabilities double every six months

If Moore's law promised a doubling of tech every 18 months, the pace is three times quicker with AI developments, says Satya Nadella

By Cliff Saran, Managing Editor
Published: 20 Nov 2024 9:38

During his keynote presentation at the start of Microsoft's annual Ignite conference in Chicago, CEO Satya Nadella discussed artificial intelligence (AI) scaling, through which the capabilities of the tech are doubling every six months.

"Just like Moore's Law, we saw the doubling in performance every 18 months with AI. We have now started to see that doubling every six months or so," he said.

He believes a new scaling law will emerge for AI based on the amount of computational time needed to run AI inference. This ability to scale is leading to three major shifts in technological development, according to Nadella.

The first is what he describes as a universal multimodal interface, which supports speech, images, videos, for both input and output.

Second, he said: "We have new reasoning and planning capabilities, essentially neural algebra to help solve complex problems and can detect patterns involving people, places and things. You can even find relationships between people, places and things using this new algebra."

The third is what Nadella calls support for long term memory-rich context, adding: "If you put all these things together, you can build a very rich agentic world defined by this tapestry of AI agents, which can act on our behalf across our work and life across teams, business processes, as well as organisations."

The company kicked off the Ignite event announcing previews of new AI capabilities. Among these is Copilot Actions, now in private preview, which is designed to enable anyone to automate everyday tasks in Microsoft 365 using simple prompts.

Microsoft also unveiled new agents in Microsoft 365, including a natural language AI assistant for SharePoint for finding and querying content more quickly, and a new Teams agent that provides what Microsoft describes as real-time, speech-to-speech interpretation in meetings. According to Microsoft, meeting participants will also have the option to have the agent simulate their personal voice.

Another new agent is for employee self-service. Available on Microsoft 365 Copilot Business Chat in private preview, this can be used to expedite answers for common policy-related questions and, according to Microsoft, simplifies action-taking on key HR and IT-related tasks, such as helping employees to understand their benefits or request a new laptop. The agent can be customised in Copilot Studio to meet an organisation's unique needs.

Other agents in public preview take real-time meeting notes in Teams and automate project management from start to finish in Planner.

On the developer support side, Microsoft has introduced Azure AI Foundry, which it said gives customers access to all existing Azure AI services and tooling, plus new capabilities. Among these is the Azure AI Foundry software developer's kit. Available in preview, this provides what Microsoft calls a unified toolchain for designing, customising and managing AI apps and agents.

According to Microsoft, the Azure AI Foundry provides enterprise-grade control and customisation. It offers 25 prebuilt app templates and can be accessed from familiar tools such as GitHub, Visual Studio and Copilot Studio.
-
WWW.COMPUTERWEEKLY.COM
Computer Weekly announces the Most Influential Women in UK Tech 2024

Sheridan Ash, founder and co-CEO of Tech She Can, has become the 13th person to be named Computer Weekly's Most Influential Woman in UK Tech.

Launched in 2012, the Computer Weekly list of the 50 Most Influential Women in UK Tech started as a list of 25, expanding to 50 in 2015, and now seeing hundreds of nominations each year.

The list was originally created to showcase the amazing women in the technology industry, shining a light on the sector's role models who may inspire the next generation of women in tech.

As well as the 2024 longlist of more than 700 nominated women, and our list of Rising Stars, there are also new entrants to our Hall of Fame, launched to acknowledge those who have made a lifetime contribution to the UK's technology sector.

This year's winner, Sheridan Ash, launched Tech She Can to teach girls and young women about technology careers and subjects to inspire them to choose this path in the future.

1. Sheridan Ash, founder and co-CEO, Tech She Can

Until 2023, Ash led technology innovation at PwC UK, and is currently co-CEO and founder of the charity Tech She Can. She was a board member of the Institute of Coding for four years and, in 2020, received an MBE for services to young girls and women through technology.

Tech She Can is an award-winning charity with more than 240 member organisations, which together work with industry, government and schools to improve the ratio of women in technology roles. It provides initiatives and pathways into tech careers across all the different stages of girls' and women's lives.

At PwC, Ash led change in the technology workforce, pioneering initiatives that saw the percentage of women in tech more than double to reach 32%.

2. Naomi Timperley, co-founder, Tech North Advocates; innovation director, Oxford Innovation

Timperley is a freelance consultant and co-founder of Tech North Advocates, a private sector-led collection of tech experts who champion the technology sector in the north of England.

In 2021, she co-founded advisory firm Growth Strategy Innovation, which helps to grow startup and scaleup organisations. She is now innovation director for Oxford Innovation, which helps organisations develop ecosystems for entrepreneurs and innovators, in turn boosting local areas.

Timperley was named a Computer Weekly Women in Tech Rising Star in 2017 when, until 2021, she was a board member of FutureEverything. She previously co-founded Enterprise Lab.

3. Sarah Turner, CEO and co-founder, Angel Academe

Turner founded Angel Academe, a pro-women and pro-diversity angel investment group focused on technology, and is currently CEO of the group.

Until 2023, Turner was also an advisory board member of tech recruiter Spinks, and in 2007 co-founded consultancy Turner Hopkins, which helps businesses create digital strategies.

Previously, Turner was an external board member and chair of the investment committee for venture capital fund the Low Carbon Innovation Fund and a board member of the UK Business Angels Association, the trade association for early-stage investment.

4. Charlene Hunter, CEO and founder, Coding Black Females

Hunter founded Coding Black Females in 2017 to help black female software developers meet each other and network. Alongside her work at Coding Black Females, Hunter is a software developer.

She is an advisory board industry representative in the University of Essex Online's computing department, technical director at SAM Software Solutions, and technical director at full-stack and front-end training organisation Black CodHer Bootcamp.

Previously, Hunter was lead software engineer at Made Tech, and held roles such as senior software developer, lead Java developer, app developer and technical consultant at various firms. She was named a Computer Weekly Women in UK Tech Rising Star in 2020.

5. Samantha Niblett, founder, Labour Women in Tech

Before her time as an MP, Niblett had a long career in technology, having roles such as industry sales leader at DXC Technology and head of alliances, channel and ecosystem in EMEA at 1E.

Now, alongside her role as an MP, she's founder of the Labour: Women in Tech group, which campaigns to reach equal gender opportunities in the technology industry. She's also the co-chair of the All-Party Parliamentary Group on FinTech and the Parliamentary Internet, Communications and Technology Forum (PICTFOR), as well as the chair for the Interparliamentary Forum on Emerging Technologies and a member of the Women and Equalities Select Committee.

6. Anna Brailsford, CEO, Code First Girls

An entrepreneur and co-founder, Brailsford joined Code First Girls as CEO in 2019, where she works to encourage more women into the tech sector by providing software development skills and education.

Prior to her work at Code First Girls, she co-founded and was CEO of performance management firm Frisbee, which was part of venture capital fund Founders Factory. Until summer 2024, she was a board member for the Institute of Coding, where she focused specifically on diversity and inclusion. She is also a self-employed commercial and strategy consultant.

7. Deborah O'Neill, partner head of digital, Europe, Oliver Wyman

As part of her role as partner and head of digital for Europe at Oliver Wyman, O'Neill leads digital transformation and new proposition launches at companies all over the world.

Alongside this, she is also a strategic partner at FutureDotNow, a board trustee for Girlguiding and special adviser to the founder at The Youth Group.

8. Hayaatun Sillem, CEO, Royal Academy of Engineering

Sillem worked for the Royal Academy of Engineering for 12 years before being appointed its CEO in 2018. Previous roles at the academy include deputy CEO and director of strategy, director of programmes and fellowship, and head of international activities.

As well as her work for the academy, Sillem is a trustee of EngineeringUK and the Foundation for Science and Technology, and CEO of the Queen Elizabeth Prize for Engineering.

9. Priya Lakhani, founder and CEO, Century Tech

Lakhani founded Century Tech as a teaching and learning platform focused on subjects such as artificial intelligence (AI), cognitive neuroscience, big data analytics and blockchain, where she is also CEO.

A frequent public speaker, she has previously been a member of the UK's AI Council, a board member for the Foundation for Education Development, a board member for Unboxed 2022, and a non-executive director for the Department for Digital, Culture, Media and Sport (DCMS).

She is a digital patron for Cottesmore School, and has appeared on the BBC's AI Decoded news segment. She was awarded an OBE in 2014.

10. Mary McKenna, co-founder, AwakenHub

Mary McKenna is a huge supporter of entrepreneurship and startups, holding several roles as an adviser and investor.
Her social enterprise, AwakenHub, where she is co-founder, is focused on building a community of female founders in Ireland.As well as being an expert adviser for the European Commission, she is an entrepreneurship expert with the Entrepreneurship Centre at the University of Oxfords Said Business School, and a trustee for CAST, among many other board memberships and non-executive directorships.11. Claire Thorne, co-CEO, Tech She CanThorne is co-CEO of Tech She Can, a charity aimed at increasing the number of women in the technology sector, as well as a venture partner at Deep Science Ventures and a diversity and inclusion advisory board member for the Institute of Coding.She has a background in the education sector, previously holding roles as director of innovation strategy for the University of Surrey and executive officer to the vice-president (innovation) at Imperial College London.12. Liz Williams, CEO, FutureDotNow; chair, Good Things FoundationWilliams is CEO of inclusion campaign FutureDotNow, which aims to ensure people are not left behind by the growing skills gap caused by digital adoption. She is a member of the UK governments Digital Skills Council, and chair of the Good Things Foundation.Prior to her current work, Williams spent more than 20 years at BT in a number of different roles, including programme director for sustainable business, director of tech literacy and education programmes, and director of digital society. Until 2024, she was a member of the board of trustees for Transport for London.13. Emma Wright, director, Institute of AI; partner, Harbottle and LewisWith a background in law surrounding telecoms, the internet and media, Wright now uses her expertise as director of not-for-profit The Institute of AI, as well as partner at Harbottle & Lewis, heading up the tech, data and digital group.She has worked in the tech sector for over 20 years. 
Her team atHarbottle & Lewis is comprised of 66% female and 66% ethnic minority members.During 2023, she worked with the OECD, WEF and the ITU to build a reputation in relation to the regulation of AI. She is also working with the Ditchley Foundation, considering whether the collaborative approach in relation to telecoms can work for AI regulation.14. Bina Mehta, chair, KPMG UKIn her 30 years at KPMG, Mehta has had many responsibilities, including building the firms focus on trade and investment, and helping scaleup clients to access financial support.She is now chair of the organisation, and in 2022 was awarded an MBE for services to UK trade and investment and supporting female entrepreneurs.15. Arfah Farooq, scout, Ada Ventures; founder, Muslamic Makers; founder, Muslim Tech FestAn expert in diversity, inclusion and community building, Farooq co-founded Muslamic Makers in 2016 as a networking group for Muslims in tech, design and development.As well as a freelance diversity and inclusion consultant, Farooq is a scout for Ada Ventures with special interest in edtech, healthtech and fintech, and until March 2024 was a community manager for Big Society Capital.She has an extensive background in digital and AI in both the private and public sectors.16. Beckie Taylor, CEO, co-founder, TechReturnersTaylor co-founded TechReturners, where she is currently CEO, to give skilled individuals who have had a career break the opportunity to connect with firms and help them back into mid-level to senior-level tech roles.She is also co-founder of The Confidence Community, which aims to provide resources, training information and events to give people more career confidence. Taylor is co-founder of community WIT North and co-founder of ReframeWIT.She recently founded community platform Voices in Tech to help connect speakers with event opportunities.17. 
Melanie Dawes, chief executive, OfcomDawes has headed up Ofcom since 2020 following her previous role as permanent secretary at the Ministry of Housing, Communities and Local Government, as well as many other roles across the Civil Service.She has previously been a trustee at Patchwork Foundation, which aims to encourage under-represented young people to participate in democracy, and a non-executive director of consumer group Which?.18. Avril Chester, founder, Cancer Central; CTO, Royal Pharmaceutical SocietyAward-winning entrepreneur Avril Chester is currently the CTO of the Royal Pharmaceutical Society, her most recent in a series of roles heading up technology in organisations. In 2018, she founded technology charity platform Cancer Central to help support people with cancer.19. Nicola Martin, BCS Women committee member and BCS Pride vice-chair; founder, Nicola Martin Coaching & ConsultancyMartin has a history of working as a test consultant at firms such as Barclays, Sony, the UK Home Office, Shazam and Sky, and is currently a startup adviser and founder of her own coaching and consultancy firm.Prior to this, she was head of quality at Adarga and is currently chair for the BCS Special Interest Group in Software Testing, and until January 2023 was the vice-chair of the BCS LGBTQIA+ tech specialist group.20. Amanda Brock, CEO, Open UKAmanda Brocks role at OpenUK sees her leading the sustainable and ethical development of open technologies in the UK, including technology such as open source software, hardware and data.She also sits on the boards of both the Cabinet Office Open Standards Board and US cyber security firm Mimoto, is an advisory board member of several firms, as well as acting as a judge for the CIO 100 Awards.21. 
Natalie Moore, CEO, Apps for GoodMoore has been at Apps for Good since 2019, originally as director of education, products and events, then as chief operating officer (COO), before becoming CEO in 2021.Her career background has been heavily weighted towards education, having been international education programme coordinator for London 2012, and volunteering as governor at the Harris Academy Ockendon and Sixth Form.22. Tristi Tanaka, head of the CMO portfolio, NHS Black Country ICB; BCS committee memberTanaka is currently part of the programme team for All4Health&Care, a community launched during the pandemic to connect digital healthcare providers with the public sector. She is also the head of the CMO Office for NHS Black Country ICB, and is on the community support committee for BCS.Previously, she has been a fellow, independent audit for AI systems for ForHumanity, and BCS Women membership secretary.23. Casey Calista, chair, Labour DigitalCalista has a history in both technology and the public sector.Alongside her role at Labour Digital, she is head of policy and public affairs at UK scaleup Vorboss, and she co-founded network Women in Tech Policy.She volunteers as an adviser for digital citizenship charity Glitch, and is a policy board member for OpenUK.24. Helen Kelisky, managing director UK&I, Google CloudWith experience in cloud at companies such as Salesforce and IBM, Kelisky started her role at Google in 2022 well-equipped with the skills needed to run its cloud division.Alongside this, Kelisky is on the board of directors for Calnex Solutions, and is a member of the board of directors for the Women in Telecoms and Technology networking group.25. 
Lila Ibrahim, chief operating officer, Google DeepMindLila Ibrahim became Google DeepMinds first COO in 2018, looking after teams in disciplines such as engineering, virtual environments, programme management and operations.Prior to this role, she was COO of online skills platform Coursera, and has also acted at general manager for emerging markets platforms in China at Intel.26. Kate Philpot, vice-president, global sales enablement, Getty Images; board member, TLA Black Women In TechPhilpot has a background in both sales, and learning and development, which she uses in her role as the vice-president of global sales enablement at Getty Images. She has held various roles both in and outside of sales at many notable firms, such as Shell, Mars and GSK.As well as being a board member for the TLA Black Women in Tech group, she is a member and speaker for the Sales Enablement Directive.27. Nicola Hodson, CEO for UK&I, IBMHodson has an extensive background in the technology sector, and has had roles such as managing consultant at EY and general manager at Siemens Business Services responsible for public sector, healthcare, financial services and manufacturing.More recently, she was vice-president for global sales, marketing and operations field transformation at Microsoft, before becoming chief executive of IBM in UK and Ireland at the beginning of 2023.Shes also a board member and deputy president of TechUK, and holds several non-executive directorships.28. Roni Savage, managing director, Jomas Associates (Engineering & Environmental)As managing director of Jomas Associates (Engineering & Environmental), Savage specialises in geotechnical and environmental engineering.She is also passionate about topics such as women in engineering and social mobility, and is on the UK governments SME Business Council.29. 
Allison Kirkby, CEO, BT GroupWith a long history of CEO positions, Kirkby has experience in running companies with a background in telecoms, and in February this year took over as CEO of BT Group. Her past CEO roles have included TDC group, Tele2 and Telia, and she is also a non-executive director of Brookfield asset management.30. Clare Barclay, president, enterprise and industry, Microsoft UKBarclay has been with Microsoft for more than 10 years, holding several roles including director of SMB, general manager of small and mid-market solutions and partners, COO, and CEO in the UK.In November 2024, she became president of enterprise and industry for Microsoft in the UK. She is chair of the industrial strategy advisory council for the Department for Business and Trade, volunteers as a board member for the British Heart Foundation and, until recently, was a non-executive director at CBI.31. Kike Oniwinde Agoro, founder and CEO, BYP NetworkOniwinde Agoro founded BYP Network in 2016 to help black professionals network and have easier access to jobs, after a trip abroad confirmed the challenges young black people face in getting jobs both in and outside the UK.Until 2024, she was board trustee for volunteer organisation Getting On Board, and has received several awards and accolades, including Forbes 30 Under 30 and Financial Times Top 100 BAME Leaders in Technology.32. Sharon Wallace, head of D&I, partnerships and people change, SkyWallace heads up diversity and inclusion, partnerships and people change at Sky, and one of her focuses in this role is designing and delivering the people strategy for technology within the firm.Outside of this, Wallace was a member of the advisory board for recently disbanded Tech Talent Charter, and volunteers as a cub and scout assistant.33. 
Toni Scullion, computing science teacher; founder of dressCodeScullion is a serial founder, having founded dressCode, a not-for-profit that encourages young women in Scotland to consider a career in computer science, and co-founded the Ada Scotland Festival, which aims to use collaboration to close the gender gap in computer science education in Scotland.These endeavours stem from her being a computer science teacher passionate about encouraging more children to take the subject. Alongside this work, she is a volunteer for the Scottish Tech Army, a not-for-profit aimed at using tech for good.34. Sarah Tulip, chief growth officer, Conquer Technology; co-founder, Women in Leeds DigitalEarlier this year, Tulip took on the role of chief growth officer at software engineering consultancy Conquer Technology. In 2018, she co-founded community-led initiative Women In Leeds Digital, which encourages and helps minority groups to consider a career in technology.Tulip is also chair of the regional productivity forum in Yorkshire, Humberside and the North East for the Productivity Institute, ambassador for Leeds as a digital city at Leeds City Council, and managing director at &Then Consulting.35. Zandra Moore, CEO and co-founder, PanintelligenceMoore co-founded data analytics and AI firm Panintelligence in 2010 with the aim of helping firms properly organise their data to more easily adopt AI. She became CEO in 2018.Alongside this, Moore also founded low-code tech community No Code Lab and gender equality community Lean In Leeds. As well as a position as chair for Lifted Ventures, Moore is an Ada Angel for inclusive venture firm Ada Ventures.36. Laura Moore, global director of identity, Sky; co-founder, Lift as we ClimbAs global director of identity at Sky, Moore is responsible for leading the firms identity management projects. 
Prior to this, she held several roles as a project manager, and was previously the head of infotainment group technology for Vodafone.As well as being a member of the board for Tech Talent Charter, she is the co-founder of female tech leaders community Lift as we Climb.37. Maria Axente, head of AI public policy and ethics, PwC UK; vice-chair and member of data analytics and AI Leadership Committee, TechUKMaria Axente is the head of AI public policy and ethics at PwC in the UK, where she combines her skills in analytics and ethical AI policy development to ensure AI is developed with humans in mind.Previously, she was the artificial intelligence and AI-for-good lead at the firm, responsible for advising clients on responsible use of AI, and ensuring ethical development of PwC AI operations, products and services.Shes a vice-chair for the data, analytics and AI leadership committee at TechUK, and in the past she has been an advisory board member for the APPG for AI, and adviser for the PHI for Augmented Intelligence.38. Bev White, CEO, Nash SquaredAs CEO of Nash Squared, White heads up the global firm which provides IT recruitment, technology solutions and leadership services out of 36 offices across the world.White has a long background in the tech sector, having previously held roles as CIO and director of IT, as well as completing a degree in computer science.39. Alice Bentinck, co-founder and CEO, Entrepreneur FirstBentinck was named aComputer Weekly Rising Star in 2014, and has co-founded several organisations, including Entrepreneur First, a firm that supports European technology startups, and not-for-profit coding training programme Code First Girls.She is on the Computer Science Department Industrial Liaison Board for Imperial College London, is a board trustee for Generation and is the author of startup business bookHow to be a founder.40. 
Janine Hirt, CEO, Innovate FinanceHirt joined Innovate Finance in 2015 as the industry bodys head of community, before eventually becoming its CEO six years later. She now heads up the organisation, aiming to drive innovation and transformation in the fintech sector to make it more inclusive.She has worked around the world in a variety of roles, including acting head of corporate relations for Chatham House in the UK, head of membership for the Brazilian-American Chamber of Commerce in New York, and head new hire trainer for an English language training programme in Japan.41. Cynthia Davis, CEO and founder, Diversifying GroupDavis is the co-founder of diversity career platform Diversifying, and founder and CEO of recruitment organisation BAME Recruitment and Consulting.She is chair of the board of directors for Pop Up Projects and a board trustee for charity Over the Wall, both aimed at changing young peoples lives for the better.Davis has previously held roles in talent acquisition in the STEM sector, at telecoms firm BT, and as part of a short-term project at an aerospace, aviation, F1 and motorsport organisation.42. Anne Keast-Butler, director, GCHQThe first female to head up GCHQ, Keast-Butler moved into the director role last year after serving as deputy director general of MI5. With a long career in security and defence, her previous roles have included overseeing the upkeep of functions that support MI5s operational activities and the launch of the UKs National Cyber Security Programme.43. 
Akua Opong, senior EUC engineer, infrastructure and cloud engineering, London Stock Exchange; STEM adviserAs well as her work as senior EUC engineer, infrastructure and cloud engineering at the London Stock Exchange Group, Opong is a freelancer and STEM adviser and a board trustee for The Blair Project Foundation.Until recently, she was part of the City of London Corporation volunteer advisory group for equality, diversity and inclusion, and was previously an advisory board member for Neurodiversity in Business, and a mentor at the TechUp mentor programme for Durham University.Opong was a contributor forVoices in the shadows, the book of black female role models created by the 2022 Computer Weekly Most Influential Woman in UK Tech, Flavilla Fongang.44. Sarah Munby, permanent secretary, Department for Science, Innovation and TechnologyMunby has a long history of working in government, and became permanent secretary leading the Department for Science, Innovation and Technology in February 2023.She has also been partner, leader of strategy and corporate finance practice in UK and Ireland at McKinsey & Company, where she led the firms work on productivity across the UK economy.45. Charlotte Crosswell, chair, Centre for Finance, Innovation and TechnologyCrosswell is managing director of consulting firm Exadin, as well as chair for the Centre for Finance, Innovation and Technology. She holds several other non-executive directorships in firms such as Freemarket and the Centre for Policy Studies. In 2021, she received an OBE for services to the financial services sector.46. Irene Graham, CEO, Scaleup InstituteGraham has been the CEO of not-for-profit the ScaleUp Institute since 2015, and has an OBE for services to UK business and economy.As well as being a visiting professor of entrepreneurship at Strathclyde University, Graham holds various non-executive and advisory roles.47. 
Zahra Bahrololoumi, CEO, Salesforce UK&IAs CEO of Salesforce in the UK and Ireland, Bahrololoumi is responsible for the workforce in these regions across all industries and functions, and is particularly focused on ensuring its customers are ready for digital transformation.She sits on several boards, including for Seeing Is Believing Coventry Place, Movement to Work and Cancer Research UK Corporate Partnerships, and is an independent non-executive director on the TSB board.In 2023, she was awarded a CBE for services to the information technology sector.48. Nzinga Gardner, business operations analyst, News UK Technology; chair of Women in Tech Network, News UKNaming the technology sector her familiar territory, Gardner has an extensive background in the technology sector, having held roles such as first line support at Fujitsu, senior supply chain administrator at Technicolor and project manager at the BBC as a member of the BBCs Design and Technology Business Management Unit HQ Team.Now, shes a business operations analyst as part of the technology arm of News UK, and is a board trustee of food and hygiene bank Necessities UK.49. Sarah Cardell, CEO, Competition and Markets AuthorityCardell has been at the Competition and Markets Authority since 2013, first as general counsel, then as interim CEO, and now as CEO.Prior to her time at the Competition and Markets Authority, she was a legal partner for the markets division of energy markets authority Ofgem, and in her early career spent 11 years at law firm Slaughter and May, working her way from trainee solicitor to partner.50. 
Elena Sinel, founder, Acorn Aspirations and Teens in AI; business mentor, Microsoft for StartupsSinel founded Teens in AI and Acorn Aspirations to help young people who want to solve real-world problems using technology such as AI, virtual, augmented and mixed reality.She has won awards for her work, including CogX 2017 Award in Using AI for Social Good Projects, and is currently an education taskforce committee member for the All Parliamentary Group on Artificial Intelligence, and a business mentor at Microsoft for Startups.Before working on Acorn Associates and Teens in AI, Sinel was a consultant for several firms, including the British Council, NGOs, Chittagong Hill Tracts and the Ethiopian Cultural Heritage Project.0 Yorumlar 0 hisse senetleri 43 Views
-
WWW.COMPUTERWEEKLY.COM
From beauty model to tech role model - this year's most influential woman in UK tech

"My husband has to sew my buttons on - I still can't sew," confesses co-CEO of technology education charity Tech She Can, Sheridan Ash.

This year's Computer Weekly most influential woman in UK technology has always had a sense of wanting to right the injustice inflicted on women by gender stereotyping.

"At school, the girls had to do sewing or needlework or typing, and the boys did metalwork and woodwork. So I went to the local newspaper. I set up a petition. I got other pupils to stand outside the school with placards. Anyway, I got it changed. Hence, I can't sew or type, but I'm great at welding," says Ash.

Computer Weekly attended the launch of the first Tech She Can research eight years ago, when it was still a part of Ash's work at PwC.

Ash has since left the professional services firm to focus on the technology education charity full-time, but like many women in the tech sector, her journey has not been linear.

Ash left school at 16 with no qualifications, which she puts down, in part, to undiagnosed dyslexia. Not knowing what to do, she accepted a modelling job she was offered when window shopping with her mother in London.

While this sufficed for a while, in her early 20s, Ash needed a career change for various reasons. After getting help with her dyslexia, she returned to education to study psychological sciences, then worked in the pharmaceutical industry before returning to school again to gain a master's in business administration.

Eventually, Ash was offered a job at PwC to implement the firm's health and technology practice.

Ash has always been passionate about equality - hence wanting to weld at school - and in her role at PwC, she started to notice the diversity gap in the technology sector.

"What was going wrong? Why was it so predominantly male?" she found herself wondering at the time.

After the firm selected its first technology leader to sit on the board, the work Ash had done to collect data around diversity, both within PwC and the wider sector, began to pay off in a big way.

She explains: "I worked directly for that technology leader. I wrote the whole technology and innovation strategy for the firm, and at the heart of that, I embedded the piece around diversity."

It was when working with the board of PwC eight years ago that Ash was inspired to commission the first piece of research on diversity, which eventually evolved into the Tech She Can movement.

Ash says while there had been research at the time about the lack of women in the sector and the reasons for that, there was not enough around why younger girls were overlooking jobs in tech.

After asking thousands of young people between the ages of 18 and 24, Ash explains: "They said, 'We know who Sheryl Sandberg is, and Ada Lovelace, but one's been dead a long time and the other's a COO.' What they were looking for is relatable role models, people [in roles] they could see a pathway to."

The research also found girls were less likely than boys to have technology suggested to them as a career option by others in their lives, such as teachers, parents or career advisors.

Girls were also more likely to say they wanted a career that has a positive impact on society, but Ash speculates the digital native generations don't see how technology can achieve that because it's so embedded in their lives.

Read more about diversity in tech
Research by organisations Women in Tech North and Tech Returners finds that women believe developing alternative routes into tech jobs will help close the industry's diversity gap.
Research from the Institute of Coding has found UK adults don't think tech represents the wider UK population, and are uncertain about the level of education needed for a tech job.

She explains: "They wanted to have a positive impact on themselves, the community, their family, the UK and the wider world, and they didn't understand the relationship between technology and doing that."

Recognising that no single person or organisation will be able to shift the dial alone, Tech She Can is focused on acting as a bridge between government, schools and industry.

"We're quite good at bridging that demand and supply [gap], along with [addressing] what's putting girls off, the perception issues and all of those things," Ash claims. "Often, you don't get [to hear] teachers', schools' and children's voices."

Tech She Can was launched as a charter with 18 partner organisations to collaborate on improving the pipeline of women going into technology roles. As part of this, it has become focused on helping educate children about tech careers.

A common barrier between young girls and tech careers is a lack of understanding about what a tech career involves, what roles are available, how to go about pursuing a tech career, and the kinds of people who work in the industry.

This goes hand in hand with a lack of visible and accessible role models, as young women are less likely to be drawn to a career if they don't see anyone like them in such roles.

Photographer: Elyse Marks

Ash urges: "We've got to start changing these perceptions and addressing the inspiration and aspiration gaps very early on, and children's understanding of what technology is and what roles and careers there are out there. Nobody seems to be doing that."

Tech She Can regularly visits schools and provides online learning to prepare young people for technology careers, educating them about possible roles and how technology will play a role in their future careers. It also helps government and industry connect with schools with the aim of closing the technology skills and diversity gaps.

"We don't teach the coding. We teach the inspiration, the aspiration, and show them how the technology they can use [translates into] careers and jobs."

Last year, Ash left PwC to pursue Tech She Can full-time, launching the initiative as a charity in partnership with co-CEO Claire Thorne.

The programme has gone from strength to strength. It now has 200 member organisations, 800 registered champions, and has reached more than 130,000 children.

At a time when so many organisations are stepping back when it comes to implementing diversity and inclusion in their technology remit, how does Tech She Can make sure those involved are not using it as lip service?

"What we concentrate on is what we call our strategic partners, which are the people who fund us, and across all our partners we train champions to go into schools, we package up all our live lessons in a way that the champions can take them out and deliver them in person. In primary schools, they often do it to a whole assembly, and in secondary schools, it's usually to individual classes."

During these sessions, the champions explain technology concepts, how they apply in the real world and what tech jobs involve, which over time has changed the way children perceive technology, the subjects they choose to study and what careers they consider in the future.

Underpinning it all is data. For example, the organisation uses social mobility data to ensure it offers its services to schools that have the greatest need for it.

Wearing other hats, Ash is a non-executive director for several other organisations, leaning into her life-long need to help women achieve equality.

But she still has moments when she needs to perform a Wonder Woman-style power pose to amp herself up.

We often talk about technology role models, and in Ash's childhood, she aspired to be Wonder Woman.

"She kicked the ass of the baddies," she says. "She wanted to have a positive impact. She did good shit. And that felt right from a young age, whether I was conscious or not about what I wanted in life."

There is plenty of research highlighting the importance of role models for young women, especially in the technology space. Ash is a role model herself.

Ash says she wants every young woman to know that not only is technology a joyful career, but it is going to be one of the most important factors of shaping her world.

She says: "I want to persuade girls they have a role to play in making sure that the world isn't just developed by a lot of white tech bros, that they could be part of making sure the world is a fit place for everybody, and that it is somewhere women are treated equally in creating that world."
-
WWW.COMPUTERWEEKLY.COM
UK government seeks AI innovators to support clean energy transition and pursuit of net zero by 2050

The UK government has launched the second round of the Manchester Prize, which is geared towards using artificial intelligence technologies to assist with the clean energy transition

By Caroline Donnelly, Senior Editor, UK
Published: 19 Nov 2024 8:18

The government is seeking support from artificial intelligence (AI)-focused academics and entrepreneurs to help build clean energy systems and help the UK hit its net zero by 2050 goal.

Interested parties are invited to apply for funding to develop technologies that could decarbonise the UK energy grid, improve the nation's energy security and help the government achieve its wider aim of positioning the country as a clean energy superpower.

The funding is being made available through the launch of the second round of the Manchester Prize, an initiative launched in 2023 by the Department for Science, Innovation and Technology (DSIT) to support AI-led innovation in the UK over the coming decade.

The first round of the Manchester Prize is due to conclude in April 2025, and is focused on the role AI can play in the areas of energy, the environment and infrastructure.

The second round of the competition will see the government offer up to £100,000 to 10 applicants, and one winner will be chosen from them who will secure a £1m prize to support the further development of their AI offering. The closing date for applications is 17 January 2025.

"Over the next eight weeks, applicants can come forward to demonstrate how their innovations will boost low-cost energy, reduce energy demand and make energy use more efficient across the country," said the government in a statement.

"These could include new avenues for boosting the power generated by wind and solar farms, using AI to increase energy efficiency in our homes and businesses, and tapping into the technology to build up a better understanding of future spikes in energy demand."

Expanding on this theme, Feryal Clark, UK government minister for AI, said the second round of the Manchester Prize looks set to have a transformative impact on the UK.

"AI can transform our public services, make us more productive and tackle some of the biggest shared challenges in society. AI is already having a positive impact on so many aspects of our lives, but there's much more waiting to be tapped into," said Clark.

"The second round of the Manchester Prize will bring brilliant British innovation to bear to deliver a clean, secure energy future for the UK. Whether in energy, healthcare, or beyond, we're backing AI innovations to deliver real and lasting change across the country."

Paul Monks, chief scientific adviser at the Department for Energy Security and Net Zero, said the climate crisis is the greatest long-term challenge society is up against, and initiatives like this will play an important role in helping address it.

"The greatest long-term challenge we face is the climate and nature crisis. That's why we have our world-leading targets to decarbonise the electricity grid by 2030 and to reach net zero by 2050," he said.

"We need an ambitious approach to using artificial intelligence across the development, engineering and operation of our energy systems, so I am pleased to see the Manchester Prize recognising that with its dedicated new round on decarbonisation."
-
WWW.COMPUTERWEEKLY.COM
Nationwide Building Society backs HPE GreenLake for hybrid cloud push

Nationwide Building Society's digital transformation efforts are continuing apace, with the company enlisting the help of HPE GreenLake to meet its hybrid cloud goals

By Caroline Donnelly, Senior Editor, UK
Published: 19 Nov 2024 9:00

Nationwide Building Society is drawing on HPE's private cloud capabilities to help deliver on the next phase of its multi-year hybrid cloud strategy.

The company, which has more than 17 million customers in the UK and employs 18,000 people, is in the midst of a hybrid cloud-focused digital transformation project, geared towards improving the online experience for its customers.

As previously reported by Computer Weekly, this work, which began in 2018, has seen the firm use public cloud technologies, such as those offered by Amazon Web Services, and embrace the use of DevOps-style software development methodologies within its teams.

The project has also seen Nationwide adopt different cloud technologies based on what is best for that particular type of data or workload, which is why the company is now adding the HPE GreenLake private cloud setup to its supplier mix too.

"Nationwide's hybrid cloud strategy is vital to our ability to compete and means we can continue to meet the needs and expectations of our customers. HPE GreenLake cloud is a core component of our hybrid cloud strategy," said Paul Walsh, director of infrastructure and service delivery at Nationwide.

"With them, we're building a cloud platform that will further improve our resilience and agility, enabling us to provide even better levels of service and deliver new capabilities to our developers faster than ever before."

Specifically, Nationwide will use HPE GreenLake management services to automate and orchestrate its infrastructure management workloads and deliver infrastructure-as-code, the company said.

"This [will] enable [Nationwide] to focus on innovation, value-add activities and gain better control over application builds and security," said the company, in a statement. "Faster release cycles will accelerate the time to market, providing consistent customer experiences across all digital platforms."

The HPE GreenLake cloud setup will also provide Nationwide with an overview of its energy consumption and emissions, so that it can take proactive steps to reduce its environmental footprint, the company added.

Matt Harris, senior vice-president and managing director for the UK, Ireland, Middle East and Africa at HPE, said the complexities of the deployment highlight why taking a public cloud-only approach would not work for a company like Nationwide.

"Nationwide's modernisation journey showcases the effectiveness of HPE GreenLake cloud, with the storied institution transitioning from complex, legacy technology to a modern, future-proofed hybrid cloud operating model where a one-size-fits-all public cloud could never be the only answer," said Harris.

Nationwide is not the only financial services company tapping into HPE GreenLake to deliver on its hybrid cloud strategy, as Barclays Bank also set out plans in September 2024 to ramp up its use of the technology for that purpose.
-
WWW.COMPUTERWEEKLY.COM
AWS widening scope of MFA programme after early success

Amazon Web Services (AWS) is to widen the scope of a mandatory multi-factor authentication (MFA) programme it introduced earlier this year, after seeing strong uptake among customers and a slump in password-related phishing attacks.

The cloud giant made MFA compulsory for management account root users in the AWS Management Console beginning in May 2024, starting with its largest accounts. In June, it added support for FIDO2 passkeys as an MFA method to give users more options, and expanded the original requirement to include root users in standalone accounts, too.

According to AWS principal product manager of account protection Arynn Crow, over 750,000 root users have enabled MFA since April, with customer registration rates more than doubling since the addition of FIDO2 passkeys to the mix. She claimed the policy change had prevented greater than 99% of password-related attacks.

"At AWS, we've built our services with secure-by-design principles from day one, including features that set a high bar for our customers' default security posture," said Crow. "Strong authentication is a foundational component in overall account security, and the use of MFA is one of the simplest and most effective ways to help prevent unauthorised individuals from gaining access to systems or data."

Based on this early success, AWS will now be expanding MFA requirements to member accounts in AWS Organizations from Spring 2025.

"Customers who have not enabled central management of root access will be required to register MFA for their AWS Organizations member account root users in order to access the AWS Management Console," said Crow.

"As with our previous expansions to management and standalone accounts, we will roll this change out gradually and notify individual customers who are required to take action in advance, to help customers adhere to the new requirements while minimising impact to their day-to-day operations."

On the back of its early successes with an MFA mandate, Crow said AWS was keen to do more to shore up security for its customers, and had recognised another opportunity to try to eliminate unnecessary passwords for good.

She said that on top of the run-of-the-mill security issues seen with standard passwords, attempting to secure password-based authentication was introducing too much operational overhead for AWS customers, especially those operating at scale or subject to regulatory requirements to rotate their credentials frequently.

As such, AWS has now launched a new capability to centrally manage root access for accounts managed in AWS Organizations, enabling them to cut down on the number of passwords they need to manage while still keeping control over the use of root principals.

Crow explained that customers can now turn on centralised root access with a quick configuration change, either in the identity and access management console or the AWS command line interface, and then remove the long-term credentials of member account root users.

"This will improve the security posture of our customers while simultaneously reducing their operational effort," she concluded.
-
WWW.COMPUTERWEEKLY.COM
Infinidat gets in on the RAG act with workflow architecture offer

Storage array maker says customers can get data from any NFS storage to use in RAG for internal enterprise AI projects, and claims its OS metadata expertise enables this

By Antony Adshead, Storage Editor
Published: 18 Nov 2024 15:54

Infinidat has launched a retrieval augmented generation (RAG) workflow architecture, deliverable as a consultancy service to its storage customers, which allows them to build in up-to-date, private data from multiple company data sources to artificial intelligence (AI) from any NFS storage in their organisation.

The move reflects a trend that has seen multiple storage companies address AI workloads, and RAG issues in particular in generative AI (GenAI) that result when data used for training is incomplete, out of date or lacks the type of information that can only be gained from private data, such as within an organisation or from expert knowledge.

When an organisation wants to develop GenAI, it puts a dataset through a training process in which the AI learns how to recognise particular attributes that can be used for information, or for triggers in applications.

Those training processes are often built around datasets that are very general, can go out of date or perhaps initially lack specialised or private data. This is often the case with AI projects inside organisations that need to stay up to date over time, said Infinidat chief marketing officer Eric Herzog.

"A lot of organisations are using generative AI as an internal project with private data," said Herzog. "And as well as wanting to protect their IP, they have concerns about accuracy, avoiding hallucinations, etc."

For example, a large enterprise that generates vast amounts of data in sales, support, operations would want to boost the performance of what it is doing, and that's very much tied to its storage performance.

The customer wants to see accurate data in near real time. It can use AI to understand the details - it might be screws in a component, the type, the supplier, any number of details - and be able to update that information on a continual basis.

What Infinidat now offers is professional services consulting to allow its customers to access data for RAG purposes from its own and other suppliers' storage, as long as it is in NFS file storage format.

According to Herzog, that comprises help with configuring the storage system to get at data and metadata rapidly for RAG purposes. He said Infinidat is well-positioned to do this because of the importance it places on metadata and the neural cache within its architecture and the InfuzeOS environment.

Infinidat arrays can be all-flash or hybrid spinning disk and solid state, and are mostly targeted at high-end enterprise and service provider customers. Their hardware products feature triple-active controllers and use of a so-called neural cache that marshals data to the most appropriate media, with the bulk of I/O requests going via very fast DRAM, with a cache hit rate of more than 90% claimed.

Infinidat's focus here on RAG capabilities sees it join other storage suppliers that have recently made a push for customers embarking on AI projects.

Pure Storage CEO Charlie Giancarlo was keen to highlight his company's AI push at its Accelerate event in June, with storage write speed and availability emphasised. Meanwhile, NetApp launched a push towards data management for AI with the announcement of data classification for AI via its OnTap operating system at its annual Insight shindig in September.
-
WWW.COMPUTERWEEKLY.COM
Final report on Nats calls for improvements to contingency process

Suppliers need to be involved much sooner and a review of technical documentation is needed to speed up recovery

By Cliff Saran, Managing Editor
Published: 18 Nov 2024 12:30

The major incident caused by the failure of the UK's National Air Traffic Services (Nats) in August 2023 may be a very rare occurrence, but a final report into the system failure has recommended 34 changes.

The report, prepared for the UK Civil Aviation Authority (CAA) by the Independent Review Panel, looked at what could be done better to limit the effects of the failure that occurred because an incorrectly formatted flight plan was submitted to the system.

In the event of a failure of a primary system, the backup system is designed to seamlessly take over processing. The authors of the Nats major incident investigation final report noted that in this instance, the primary system had not failed, but had acted as programmed. It placed itself into maintenance mode to make sure irreconcilable and therefore potentially unsafe information was not sent to an air traffic controller.

However, the backup system applied the same logic to the flight plan with the same result. It subsequently raised its own critical exception, writing a log file into the system log, and placed itself into maintenance mode.

The failure of Nats occurred because both the primary and backup Flight Plan Reception Suite Automated Replacement (FPRSA-R) subsystems were in maintenance mode to protect the safety of the air traffic control operations. This meant flight plans could no longer be automatically processed, and manual intervention was now required.

The report recommended that Nats should review the current command structure, its supporting technology and processes. This should analyse whether the current model is likely to lead to the best outcomes in the majority of incidents, or whether it can be optimised further with the addition of alternative options.

The report's authors recommended that this review should include, as a minimum, options for alternative models and examples of other effective command structures, including the use of a single incident manager model. They also noted that such options should include guidance about when the use of each option is most appropriate, and suggested a review of training requirements to maximise operational oversight capabilities during incidents, and system and process requirements to support selected structures, including decision-making, escalation and creation of a common operating picture.

When Nats went offline, a subset of unprocessed data remained in the system but was outside the established pause queue. This required further escalation to identify the root cause of the issue.

The report recommended that air traffic control documentation should be reviewed to ensure that the system complexity and behaviour can be better understood by engineers and users who are not dedicated to the system. There should also be a high-level joint Technical Services and Operations review of key critical systems. The report recommended that this review should confirm that the operational documentation for each system reviewed has sufficient description and clarity to allow the system to be operated safely and resiliently in unexpected circumstances.

While escalation procedures were followed, the authors of the report pointed out that earlier contact with the supplier would most likely have expedited the resolution of the event.

They recommended that Nats should update the escalation process to provide guidance on the time or other key criteria that should trigger when, and under what circumstances, supplier support is requested. "Nats should create a single controlled document detailing the supplier contracts and associated contacts, who provide 24-hour support," the report stated. "These details should be accessible by anyone in Nats likely to be required to support an incident response. As a minimum, these should include Levels 1 through 3 of engineering support."

Among the minor recommendations is that given the complexity of the system architecture, which is regularly changed and upgraded, it is impossible to maintain up-to-date overall system mapping of Nats. The report's authors recommended conducting an assessment of the feasibility of using new technology, or a model-based engineering process, to rapidly produce the required system schematic information to the teams during the early stages of an incident.

They also said that the technical services director should review the current operational documentation in support of implementing new technology, or a model-based engineering process that supports rapid mapping. "This must ensure that there is sufficient and accurate detail for the various levels of engineering support to see the high-level, key interfacing systems and methods by which they connect," they wrote.

"The key aim of this review should be to assist in the identification of problems that might be upstream or downstream of the specific system where a fault first occurs."
-
WWW.COMPUTERWEEKLY.COM
Schwarz Group partners with Google on EU sovereign cloud

Partnership with Europe's biggest retailer will offer client-side encryption and ensure data doesn't leave Germany

By Cliff Saran, Managing Editor
Published: 15 Nov 2024 11:45

Google has partnered with retail giant Schwarz Group to deliver what the pair claim is truly secure and sovereign cloud-based collaboration for German and European regulated industries.

Through the partnership, Schwarz Group's StackIT, the cloud provider for the retailer, which operates as an independent company offering sovereign cloud capabilities, will provide client-side encryption of customers' Google Workspace data.

StackIT said customers' data will remain resident within the European Union (EU), with full redundancy offered by backups hosted solely in its European datacentres to meet customer demands around data protection, data residency and data resiliency.

"Germany and the EU have until now lacked enterprise-grade cloud collaboration solutions that fully address the sovereignty requirements of regulated industries, including ensuring all data is secured and backed up on local soil with absolutely no opportunity for access by foreign nations or platform providers," said Rolf Schumann, co-CEO of Schwarz Digits, the IT and digital division of the Schwarz Group.

"Our partnership and new offering with Google Cloud will fill this gap with an entirely new business model."

Client-side encryption means Google has no access to customers' data. According to Schwarz and Google, this safeguards the sovereignty of not only Schwarz Group, but also all customers who value the independence of their operations, giving them full confidence that their data is always in their control.

"This new partnership will enable the companies of Schwarz Group to combine its leadership in digital transformation with Google Cloud's strengths in productivity, collaboration and security, enabled by our cutting-edge AI," said Sundar Pichai, CEO of Google and Alphabet. "Together, we are opening up a world of new, sovereign opportunities for European organisations to innovate and build on our joint solutions, accelerating a new era of innovation."

Through the partnership, Google Cloud's security will be integrated with those of XM Cyber, Schwarz Digits' hybrid cloud security company. This integrated offering will then be distributed to customers via the Google Cloud Marketplace.

According to Google and Schwarz, this integrated security will help German and European organisations, particularly those in highly regulated industries, raise the bar on their enterprise and multi-cloud security. In addition, XM Cyber's Continuous Exposure Management will be embedded into the sovereign Google Workspace office productivity suite offered to European enterprises.

"This partnership changes the game for regulated industry players in Europe by removing the sovereignty and security concerns that often hold back more ambitious adoption of the cloud for productivity and collaboration," said Thomas Kurian, CEO of Google Cloud. "Our alliance with companies of Schwarz Group will enable entire industries in Europe to deliver digital innovation with security and compliance at its core."

Schwarz Group is Europe's largest retailer, and the fourth-largest in the world. The company plans to transition its global office workforce to Google Workspace. The partnership with Google, according to Schwarz Group, enables critical workplace data to be protected against third-party access, including foreign government institutions, and also transferred to alternate service providers if needed.

"Switching to Google Workspace is an important step for us out of legacy and into innovative, efficient and future-proof cloud-based collaboration," said Christian Müller, Co-CEO of Schwarz Digits. "Google Workspace is the most secure and reliable productivity platform in the industry today, and we expect our organisation-wide migration to have significant flow-on benefits to all areas of operations - from simplifying IT management to rendering our point-of-sale workflows significantly more efficient."
-
WWW.COMPUTERWEEKLY.COMThe Loan Charge scandal explained: Everything you need to knowTens of thousands of IT contractors have been hit with life-changing tax bills relating to projects they worked on over a decade ago after enrolling in remuneration schemes that saw them paid for the work they did in the form of non-taxable loans, rather than a conventional salary.These loan-based remuneration schemes were typically run by offshore employee benefits trusts (EBTs), and were often erroneously marketed as being an HM Revenue & Customs (HMRC)-compliant means for contractors to bolster their take-home pay, with contractors often advised to join such schemes by respected tax advisers.In some instances, contractors were told they would be unable to work for certain organisations unless they agreed to be paid in loans, too.In recent years, however, scheme participants have found themselves in HMRCs crosshairs, thanks to the introduction of a piece of retroactive legislation known as the Loan Charge that is designed to help the government recoup the tax it claims participants avoided paying between December 2010 and April 2019.The individuals now being chased for backdated tax payments by HMRC claim they are the victims of mis-selling, given how these schemes were previously marketed to them as safe and compliant to use, and the situation has seen more than 200 MPs from various parties come out in support of their plight.In the years since the policy was introduced, and details of the toll it is taking on those in its scope have started to emerge, there have been a series of legal actions attempted to overturn the policy.There have also been calls from MPs for HMRC to stop doggedly pursuing the individuals involved, and start taking punitive measures against the employers, agencies and promotors who advised people to join these schemes in the first place.At the time of writing, though, the policy remains in place, and there are few signs from the government that it has any 
intention of revising its contents or how it works.The situation has drawn parallels with the Post Office Horizon IT scandal, given the people caught in scope of the Loan Charge are widely considered to be victims of mis-selling by accountants and trusted tax advisors who marketed these loan-based remuneration schemes as HMRC-approved.Sammy Wilson, an MP representing the Democratic Unionist Party (DUP), drew comparisons between the victims of the Post Office scandal and the individuals affected by the Loan Charge during a January 2024 Business Committee Back Bench debate in the House of Commons.As was the case with the Post Office scandal victims, the Loan Charge story similarly involves a group of people who were acting in good faith being prosecuted and pursued when the people who absolutely knew what they were doing are getting away scot-free, said Wilson.In the case of the Loan Charge, the parties responsible for marketing and promoting these loan-based remuneration schemes are not being pursued in the same way as the individuals who participated in them, which he described as wrong.HMRC are going after those who they regard as easy targets, said Wilson. The promoters of these schemes not one penny [has been demanded from them].Despite the promoters [making] hundreds of millions of pounds of these schemes, [they] have mis-sold the schemes, [and] have disappeared when there is any attempt to get after them, he added. 
Those promoters are not being pursued and yet individuals are being harassed harassed to the point that many of them have taken their own lives.The Loan Charge policy was introduced as part of an ongoing anti-tax avoidance campaign by HMRC, designed to counter the surge in the number of loan-based remuneration schemes in operation.The policy was put forward by HM Treasury during the 2017 Budget as means of recouping billions of pounds in unpaid taxes the UK government claimed contractors avoided paying by opting to be paid in the form of non-taxable loans rather than receive a conventional salary.The policy terms initially stated that any contractor who participated in a loan-based remuneration scheme between 6 April 1999 and 5 April 2019 would be in-scope of the policy, and would be expected to pay back any and all tax they avoided while enrolled in these schemes.The total amounts of unpaid tax HMRC said they owed are what is referred to as the Loan Charge.An independent review of the policy, published in December 2019, concluded the timeframe the policy covers should be shortened by 11 years, so that only individuals who enrolled in schemes after 9 December 2010 would be included.It is estimated this change resulted in around 10,000 people falling out of scope of the Loan Charge policy.Much of the controversy surrounding the Loan Charge relates to the retroactive nature of the policy, with critics often taking issue with the fact it effectively introduces a retrospective tax on something in this case, a loan that was previously technically considered to be non-taxable.The timeframe the policy covers also means the final amounts of unpaid tax that individuals can end up owing can end up being life-changing, with many of those affected at risk of financial ruin or facing bankruptcy as a result.There is also the fact that many of the individuals who participated in these schemes received assurances from trusted tax advisors and accountants that receiving payment for 
the work they did in this way was permissible and acceptable in the eyes of HMRC.

When the policy was first introduced, HMRC estimated that implementing the Loan Charge would allow it to recoup £3.2bn in previously unpaid tax over the course of five years, but that figure was later revised up to £3.4bn. However, the publication of the independent review into the policy, which resulted in several tweaks being made to how it works, is estimated to have reduced the policy's overall total tax take by £620m.

HMRC suggests there are around 50,000 individuals affected by the Loan Charge policy, although volunteer-led non-profit the Loan Charge Action Group (LCAG) has previously told Computer Weekly it thinks the number of people affected is far, far higher.

Those affected include a disproportionate number of IT contractors, as well as NHS workers, public sector agency staff, teachers and individuals working in the oil and gas sector.

While the concept of loan-based remuneration schemes pre-dates the onset of the IR35 regulations, the number of these schemes in operation markedly increased in the wake of HMRC introducing these revamped tax avoidance rules in 2000.

The IR35 regulations were introduced as part of a disguised employment push by the government that would see contractors having their engagements classified as being either inside or outside IR35 based on the kind of work they do and how it is carried out.

Contractors that are determined to be working inside IR35 are considered to be employees for tax purposes, meaning they are liable to pay the same employment taxes and national insurance contributions (NICs) as a salaried employee, but are not entitled to employment benefits such as paid sick leave or pension contributions.

In many cases, contractors were offered the opportunity to side-step the IR35 regulations entirely by opting to close down their limited company and sign on to become the employee of an umbrella company instead.

Some of these umbrella companies operated
in a non-compliant manner by promising contractors they could increase their take-home pay by agreeing to be paid in non-taxable loans issued by EBTs that were marketed as HMRC-compliant.

HMRC, however, has always maintained that it has never approved the use of a loan-based remuneration scheme, and has also been of the view that such schemes do not work. In addition to that, it has also been repeatedly claimed by many of those affected by the Loan Charge policy that they were unwittingly enrolled in these schemes by umbrella companies that promised them too-good-to-be-true amounts of take-home pay without disclosing they would be paid in loans.

While HMRC has repeatedly stated that no one in-scope of the Loan Charge will be forced to sell their main home to cover the amounts it claims they owe in unpaid tax, Computer Weekly has heard anecdotal reports from IT contractors who have done exactly that.

HMRC has previously stated that it has no intention to make the individuals in-scope of the Loan Charge policy bankrupt, and that insolvency will only be considered as a last resort if the person involved is actively avoiding paying what they owe or is at risk of accruing further debt.

Even so, members of the Loan Charge APPG have repeatedly spoken out about the toll the policy is taking on the health and well-being of those affected.

There have also been 10 suicides linked to the Loan Charge to date, as confirmed by HMRC in a letter signed by its CEO, Jim Harra, in January 2023.

The missive states that HMRC has had cause to refer itself to the Independent Office for Police Conduct on 10 occasions where a customer has sadly taken their life and had used a disguised remuneration scheme.

This question is key to understanding the Loan Charge policy.
Loans are typically not considered to be a form of taxable income, but according to HMRC the recipients of these loans should pay tax on them because they were never intended to be repaid.

Furthermore, many contractors who participated in these schemes were of the understanding they would never be asked to repay the loans they received.

But as extensively documented by Computer Weekly, several attempts have been made in recent years by different parties to recall the loans contractors received, meaning in addition to HMRC they have also been asked to repay these loans in full, plus interest.

In instances such as this, HMRC has restated that any individual that repays a loan they received during the timeframe covered by Loan Charge policy will still need to repay the tax it claims they still owe.

This is an outcome few, if any, loan scheme participants have ever budgeted for, adding further pressure to their finances. Some individuals caught in the policy's scope have sought settlements with HMRC to bring the matter to a close for them, although there are also anecdotal reports of people who went down this route and then received further payment demands from HMRC afterwards.

There have been numerous legal challenges attempted to overturn the policy, as well as requests made to HMRC to consider letting those unable to pay off the full amounts owed pay a reduced settlement figure, so the government tax collection agency gets some money rather than none.

MPs have also repeatedly called on the government to do more to tackle the people responsible for marketing these schemes, to prevent new schemes from emerging.
There are further calls to also spread the tax burden on to the promoters, agencies and employers that encouraged individuals to join these schemes.

During the Autumn Budget 2024, the government confirmed there would be a second independent review of the policy to bring the matter to a close for all those affected.

This was on the back of representations made to Treasury Minister James Murray during a meeting facilitated by the APPG in August 2024, where various individuals in-scope of the policy outlined the toll the Loan Charge was taking on their health, well-being and their finances.

At the time of writing, HM Treasury is yet to confirm the scope of the review and who will be tasked with overseeing it.

In the meantime, Computer Weekly has learned that HMRC is offering to pause the settlement activity of anyone caught by the Loan Charge until the review has concluded.
-
WWW.COMPUTERWEEKLY.COM
IT leaders raise concerns over IT security overspend

How many IT security products does it take to secure a business? Too many, according to some IT decision-makers

By Cliff Saran, Managing Editor
Published: 15 Nov 2024 15:00

IT leaders say they are overspending on cyber security tools, a survey of 800 IT leaders from Flexera has found.

The poll reported that 31% of the IT decision-makers who took part in the survey ranked IT security tools as the top area of overspending. This represents a six-point increase from last year's survey (25%).

Even though reducing IT security risks ranked second (28%) behind artificial intelligence (AI) in terms of priorities over the next 12 months, the findings suggest that the conversations around the inflation of security tools and difficulties in integrating separate tooling together are ongoing.

Last year, analyst IDC surveyed 503 IT decision-makers in North America looking at cloud-native application protection platforms; data security; endpoint detection and response; extended detection and response; network security; next-generation firewall; security information and event management; security service edge; and vulnerability and exposure management. The respondents had anywhere from 41 to 60 security tools in their environment, with 25% reporting 21 to 40 tools.

Beyond IT security tools, the Flexera survey found that 68% of IT leaders say business units are spending far more on cloud and software as a service (SaaS) than they are aware of.

According to those surveyed, the estimated average amount of overspending across cloud, software, SaaS and hardware is around 20-25%.
When asked about their top IT spending challenges, 45% said it was controlling growth in IT spend; for 40%, the biggest challenge was tackling IT spending efficiency and avoiding waste; and 39% saw their biggest challenge as managing price hikes from their software providers.

Flexera said the responses suggest that IT leaders desire more thorough visibility across their entire technology investment, yet are continually juggling unknowns as they seek to determine the best course of action to correct overspending and better balance their piece of the budget.

Read more about IT security expenditure
EMEA security spend will have another boom year: Cyber security services and technology will once again be the focus of major investment across EMEA during 2024, according to the latest Technology Spending Intentions study from TechTarget and ESG.
Budgets rise as IT decision-makers ramp up cyber security: Few IT leaders surveyed in the TechTarget/Enterprise Strategy Group 2024 Technology Spending Intentions study say they are spending less this year.

The survey results also suggest that AI is redefining IT leaders' priorities. Almost half (48%) of the IT leaders polled put integrating AI as their top priority for the next 12 months.

"While IT leaders are facing a myriad of challenges and opportunities, artificial intelligence seems to pose the biggest potential gains in the short- and long-term," said Conal Gallagher, chief information officer at Flexera.

"There's an extraordinary expense required of AI projects, creating an even greater sense of urgency to not only understand the impact of the investment, but to quickly demonstrate returns that advance core business objectives," he added.

AI is not only disrupting and transforming IT - for example, creating more focus on compute resources and data quality - but planting the seeds to change the way we all work.
It's no surprise that IT is at the forefront of recognising and ushering in this disruption, helping to be a guiding force for their organisations.
-
WWW.COMPUTERWEEKLY.COM
A fifth of new PCs shipped in Q3 were AI-optimised

PC manufacturers are working hard to showcase the benefits of premium devices that use neural processing units to deliver on-device AI acceleration

By Cliff Saran, Managing Editor
Published: 14 Nov 2024 14:58

A fifth of all PCs shipped in the third quarter of 2024 were equipped to support artificial intelligence (AI), Canalys has reported in its latest PC market report. The Canalys data shows that AI-capable PC shipments hit 13.3 million in the quarter, accounting for 20% of all PCs sold.

The analyst firm defines AI-capable PCs as desktops and notebooks that include a chipset for dedicated AI workloads, such as a neural processing unit (NPU).

Canalys reported that Windows devices accounted for a majority of AI-capable PC shipments for the first time, capturing a 53% share. What is significant is that these Windows-certified devices, known as Copilot+ PCs, are based on the Qualcomm Snapdragon ARM-based chip rather than an x86-compatible processor from the likes of Intel or AMD.

Discussing the data, Canalys principal analyst Ishan Dutt said: "Copilot+ PCs equipped with Snapdragon X series chips enjoyed their first full quarter of availability, while AMD brought Ryzen AI 300 products to the market and Intel officially launched its Lunar Lake series. However, both x86 chipset vendors are still awaiting Copilot+ PC support for their offerings from Microsoft, which is expected to arrive this month."

While the Windows 11 refresh cycle and processor roadmaps will continue to drive penetration, however, Canalys believes there may be a reluctance to buy the new technology, which is designed to provide on-device AI.

"Despite the positive momentum, significant work must still be done to convince both channel partners and end customers of the benefits of AI-capable PCs," said Dutt.
"This is especially true for more premium offerings, such as Copilot+ PCs, which Microsoft requires to have at least 40 NPU TOPS [trillions of operations per second] alongside other hardware specifications."

There is a sense that these devices appear to be targeting the premium end of the PC market. For instance, even with Black Friday deals, Currys' cheapest AI-capable device is currently an HP OmniBook X 14in laptop Copilot+ PC, which is on sale at £799, reduced from £999. The most expensive is a £2,149 Microsoft 15in Surface laptop Copilot+ PC. The majority of the devices listed are over £1,000, which may put them beyond the budget of many organisations.

In fact, just under a third (31%) of PC resellers do not plan to sell Copilot+ PCs in 2025, according to Canalys, while a further 34% expect such devices to account for less than 10% of their PC sales next year.

"With Windows 10 end of support now less than a year away, the coming quarters represent a critical opportunity to drive a significant portion of an aged installed base to be upgraded to an AI-capable PC," Dutt added.

Given the premium these AI-capable devices command, Canalys noted that manufacturers are working with software firms to help them sell the benefits of AI PCs. For instance, at its Imagine AI event in September, HP showcased its collaboration with software providers to deliver on-device AI experiences. Lenovo, meanwhile, has focused on embedding proprietary AI tools and agents into its PCs, such as Creator Zone, Learning Zone and Lenovo AI Now.

"For vendors like Lenovo and Dell, whose offerings extend beyond PCs, on-device AI will be a key component of the delivery of broader, more holistic AI services and solutions," said Canalys analyst Kieren Jessop.

The Canalys data also reveals how Apple is not directly competing with Microsoft. Since 2020, Apple has shifted away from using Intel processors to its own chips based on ARM architecture.
It is now shipping devices with the M3 chip, the third generation of so-called Apple silicon. This potentially makes Apple devices running ARM-based hardware a more mature offering than the mainstay of PC manufacturers, which have jumped on the Copilot+ bandwagon.

"Apple's strategic approach in this landscape is distinct," said Jessop. "It is leveraging its vertically integrated ecosystem to create features that do not need to directly compete with Microsoft's suite of productivity tools, such as Copilot Pro for Microsoft 365, which is compatible with macOS. Apple can instead focus its differentiation at the hardware and operating system level, positioning itself against Windows OEMs [original equipment manufacturers] in an effort to make market share gains during the ongoing refresh cycle."

Read more about neural processing units (NPUs)
ARM accelerates Edge AI: NPU said to deliver four times performance uplift for high-performance edge AI applications, such as factory automation and smart cameras, through new IoT reference design platform.
Forrester preparing for the era of the AI PC: PC manufacturers are gatecrashing the artificial intelligence industry party. There are now a number of devices that incorporate AI acceleration hardware.
-
WWW.COMPUTERWEEKLY.COM
Williams Racing F1 team supports kids cyber campaign

A multi-region campaign will teach pre-teen children cyber security basics with a little help from Formula 1 star Alex Albon

By Alex Scroxton, Security Editor
Published: 14 Nov 2024 15:30

Formula 1 team Williams Racing has joined forces with cyber firms Keeper Security and KnowBe4 to launch a global security education programme for schools, designed to empower online safety across the sector.

The Flex Your Cyber campaign, which launches first in the US, with a UK roll-out planned for the near future, is aimed at children aged between five and 14, and is being supported by the National Cybersecurity Alliance (NCA), a security education non-profit.

Keeper Security CEO and co-founder Darren Guccione said that with the education sector increasingly victimised by cyber criminals, and bountiful evidence of a clear awareness gap, it is becoming crucial to teach cyber fundamentals not just to teachers and admin staff, but to children too.

"Our goal is to empower the entire educational community with the knowledge they need to protect themselves from today's cyber threats," said Guccione. "Starting this education at a young age will help ensure future generations are protected against the cyber threats plaguing our digital landscape."

Flex Your Cyber will provide tailored content for parents, teachers, administrators and children, ranging from practical tips and solutions for the grown-ups, to more age-appropriate activities for children.

For children in the Little Kids category, which covers those aged up to about eight or nine, the campaign has developed a number of videos and games, an activity book and an infographic to introduce the youngest learners to some of the basics of online safety.

This is where Williams Racing comes in.
The team has loaned the services of its lead driver Alex Albon, who stars in a video in which he travels across the internet on a brightly coloured bike, battling cartoon cyber threats as he goes.

Children in the Big Kids category will be engaged with more interactive activities, cyber challenges and access to information that delve a little deeper into digital security concepts relevant to pre-teens. Meanwhile, Albon dodges cyber dangers such as privacy potholes and navigates the malware mile in a retro 8-bit style racing video game environment.

Not to be forgotten, teaching staff will have access to tools, resources and age-appropriate lesson plans to integrate elements of security education in the classroom, while back office staff will receive more guidance on best practices and solutions to build secure digital environments within schools.

More resources, information and videos - including, just for fun, a game of cyber charades between Albon and Williams team principal James Vowles - are available on the Flex Your Cyber campaign website.

"Cyber security is critical in all walks of life, and particularly in Formula 1, where protecting our data is vital to succeeding on track," said James Southerland, head of partnerships at Williams Racing.

"Forming good cyber security habits at a young age is becoming as important as learning to cross the road safely or wear a seatbelt, and we are delighted to be supporting our partner Keeper Security with this campaign."

Stu Sjouwerman, CEO of KnowBe4, added: Keeper Security's Flex Your Cyber initiative is a crucial step in safeguarding children in an increasingly digital world, cultivating a security culture in our future workforce from the ground up.

By equipping students, parents and educators with accessible cyber security education and resources, Flex Your Cyber will
foster a robust culture of cyber resilience essential for navigating today's complex threat landscape. We are proud to support this impactful programme, which promises to have a lasting, positive impact on the education community and beyond.

Read more about security education and online safety
The National Cyber Security Centre is expanding its PDNS for Schools service to encompass a wider variety of institutions up and down the UK.
Schools are implementing smartphone-free policies in an attempt to curb students' exposure to online harms, but teachers and parents are worried the Online Safety Act will only partially address concerns.
In their first agreement on the subject of children's online safety, the UK and US governments have said they will create a new working group to boost cooperation.
-
WWW.COMPUTERWEEKLY.COM
Ex-boxer fights US government over legality of Sky ECC cryptophone intercepts

Lawyers representing a former boxer charged with serious drug trafficking offences are challenging the legality of the US government's use of intercepted messages obtained by a European police hacking operation against the world's largest cryptophone network.

The former heavyweight boxer from Montenegro, Goran Gogic, faces charges over his alleged involvement in the import of large quantities of cocaine. His lawyers accuse prosecutors of bypassing US legal protections by relying on overseas partners to conduct surveillance.

The case will test the validity of evidence obtained by French law enforcement from the hacking and mass interception of 170,000 users of Sky ECC phones in a joint operation with Belgian and Dutch police in the US courts.

Joseph Corozzo, a lawyer for Gogic, said the case is the first time legal arguments used to exclude evidence obtained through the torture of individuals outside of the US have been applied in an attempt to exclude overseas intercept material.

Corozzo said his client, as a non-US citizen, did not benefit from Fourth Amendment protections against government surveillance under the US Constitution.

"If he were a US citizen, we feel strongly that the court would suppress [the intercept material] very quickly. Since he is a non-US citizen, it's a greater burden to us to establish all the factors involved," he added.

US prosecutors argue that the intercepted text messages used as evidence against Gogic in the case are broadly similar to the communications data that the government regularly receives from telecoms and social media companies in the US.

Even if Gogic did have rights under the Fourth Amendment, the conduct of French law enforcement agencies in seizing the data does not shock the conscience and the US did not act with an intention to evade the constitution,
they claim.

Sky Global, a company with headquarters in Vancouver, Canada, began developing encrypted phones in 2008, which were later sold through a network of distributors and resellers.

Belgian police began investigations into the use of Sky ECC phones by organised criminals in 2016, after seizing the encrypted phones in a drug trafficking operation in the port of Antwerp. Dutch police began parallel investigations following their own seizures of Sky ECC phones.

By late 2018, Sky ECC was gaining international attention, and more than 20 police officers from the US, Canada, Australia and Belgium met at an international conference in Sydney to discuss ways of breaking the Sky ECC encryption.

French investigators began intercepting encrypted messages from Sky ECC in June 2019. A breakthrough by Dutch technicians who discovered how to decrypt the platform led to the live interception and decryption of all Sky ECC messages from February 2021.

French, Belgian and Dutch police launched an action day against Sky ECC users on 9 March 2021, making large numbers of arrests, searches and seizures in the three countries.
The operation, dubbed Operation Argus, led to the interception of one billion messages.

Gogic was arrested in Miami in October 2022 and faces charges under the US Maritime Drug Law Enforcement Act.

His arrest came after police seized a shipment of 18 tonnes of cocaine in Philadelphia, in an operation described as one of the largest cocaine seizures in US history.

The case stems from a federal investigation into a vast network of international narcotics traffickers who smuggled cocaine from South America to the US and Europe in commercial container ships.

Gogic's lawyers argue in a motion to suppress that US investigators engaged in forum shopping to circumvent US law and constitutional protections.

They claim the US put its own investigation into Sky ECC on hold to obtain intercept material from France that would otherwise be inadmissible in the US.

An internal French police report shows that during a meeting in Europol in May 2019, Belgian and Dutch investigators learned that the US intended to arrest Sky's executives, based in Canada.

However, the US agreed with the Dutch to suspend US investigations until after European police forces completed their investigation into Sky ECC.

"A tacit agreement between the American and Dutch authorities allowed the European investigations to continue, with the Americans suspending further operations pending the outcome of ongoing investigations," the report states.

Belgium, France and Holland closed their investigation into Sky ECC in March 2021, making multiple arrests and seizures of drugs and firearms.

Three days later, US prosecutors indicted Sky Global's Canadian CEO, Jean-Francois Eap, and a former phone distributor, Thomas Herdman, for racketeering and knowingly facilitating the import and distribution of drugs and the sale of encrypted communications devices.
Their cases have not been heard in court.

By receiving intercepted material from France, rather than carrying out its own interception, the US could maintain the façade of keeping its hands clean during the interception and then receive the same evidence anyway through requests for mutual legal assistance, Gogic's defence lawyers claim.

They point to evidence that Dutch police carried out a similar forum shopping exercise by obtaining intercept material from France that would not be admissible if carried out under Dutch law.

According to a Dutch court document, in 2019, a Dutch magistrate refused an order to seize full copies of the Sky ECC servers as it could not be established that the users of Sky ECC were using the system exclusively for illegal purposes.

The magistrate found that because there was no concrete suspicion against individual users, it would be too far reaching to grant unconditional permission to search the messages of all Sky ECC users.

Dutch police ultimately obtained intercepted messages of all incoming and outgoing communications from Sky ECC from French law enforcement.

Gogic's lawyers claim that the Dutch authorities successfully circumvented the Amsterdam investigative judge's 2018 denial of their application to copy the Sky ECC servers by getting the same relief they had been denied from a different venue: France.

Defence lawyers are also pressing US prosecutors to disclose all documentation of how the US obtained Sky ECC data from European law enforcement.

According to the motion, filed in the Eastern District of New York, a major problem from an evidentiary standpoint is that digital data is at a significantly higher risk of (intentional) manipulation or (unintentional) alterations.

An expert who examined spreadsheets of intercepted messages provided by the US has found evidence that the files were modified on multiple dates.

The motion claims there are thousands of missing media files and numerous other anomalies in the data supplied by US
prosecutors.

Defence lawyers are pressing US prosecutors to disclose the underlying raw data and hash values that would allow experts to check that data provided in evidence had not been modified.

They point to a case in Panama where a judge acquitted 28 defendants after finding the leaked documents that formed the basis of the charges against them did not comply with digital evidence principles, and lacked the hash values necessary for verifying the authenticity and accuracy of digital data.

Dutch police developed AI software known as Chat-X to access and analyse intercepted messages. According to Dutch lawyer Yehudi Moszkowicz, the artificial intelligence (AI)-based software was used to search millions of intercepted messages for keywords associated with threats to life, and later to automatically identify chat messages referring to money laundering and other crimes.

Read more about Sky ECC

March 2021
Belgian police raid 200 premises in drug operation linked to breach of encrypted phone network: More than 1,600 police and law enforcement officials conduct drug raids after the compromise of an encrypted mobile phone network that has parallels with EncroChat.
Police crack world's largest cryptophone network as criminals swap EncroChat for Sky ECC: Belgian and Dutch police have breached the encryption of users of Sky ECC, the world's largest cryptophone network.
Arrest warrants issued for Canadians behind Sky ECC cryptophone network used by organised crime: The US has issued arrest warrants for the CEO of Sky Global and a former distributor for racketeering, aiding and abetting the distribution of illegal drugs by supplying encrypted phones to criminals.

November 2021
Cryptophone supplier Sky Global takes legal action over US government website seizures: Canadian tech company Sky Global has filed a legal motion claiming that the US government unlawfully seized the company's internet sites following police investigations into the use of its cryptophones by organised crime.
Sky
ECC provided free cryptophones to a Canadian police force: Internal emails disclosed in a US court show how Sky Global supplied sample encrypted phones to a Canadian police force before its phone users became subject to an international police investigation.

September 2024
Canadian arrested by France after cooperating with US on Sky ECC cryptophone investigation: Thomas Herdman, who faces charges in France over his involvement in distributing Sky ECC encrypted phones, arrested by French police despite agreeing to cooperate with US law enforcement.

Chat-X also provided access to metadata, including the location from which a message was sent, the International Mobile Equipment Identity (IMEI) number (a unique identifying number for each handset), the Access Point Name (APN) and the IMSI (a unique identifying number for each SIM card).

Defence lawyers claim that the US government has failed to disclose the metadata from the messages used as evidence in the case, which could be used, for example, to establish whether Gogic was present when the messages were sent.
They have also asked the court to order the disclosure of the Chat-X software.

US law allows evidence supplied by other countries to be used in US courts under the silver platter doctrine.

But defence lawyers argue that the interception of Sky ECC amounted to a global fishing expedition and that there was no probable cause to suspect every one of the individuals placed under surveillance of criminality.

The fact that Sky ECC phones were sold for cash by dealers who met clients in person, they say, does not establish reasonable suspicion, let alone probable cause, that criminal activity is afoot.

Prosecutors argue that the Fourth Amendment does not apply to searches and seizures made against non-US nationals on foreign soil.

Even if it did, the conduct of French law enforcement agencies in seizing the data from Sky ECC does not shock the conscience and was upheld by French courts.

There is no plausible claim that the government cooperated with the Europeans with the intent to evade constitutional requirements, according to a prosecution motion.

The most the facts show is that the US extended a courtesy to European law enforcement by delaying overt investigation and enforcement actions that could harm the European investigation.

That is not a case where American officials use foreign officials to intercept phone calls made from the US to a foreign country to circumvent constitutional requirements that would apply if the same phone calls were intercepted in the US, they say.

A sworn statement from the law enforcement officer who received the data from France would be all that is needed to prove its authenticity.

Questions around chain of custody should only have a bearing on the weight of evidence, not its authenticity, according to the prosecutors.
There is no reason to believe that materially different data exists, nor that it would be favourable to the defendant if it did, they added.

Corello said US prosecutors were following the same argument as prosecutors in Europe: that the court should honour the prosecutorial activities of France based on the French courts finding that the conduct was permissible.

"They're not addressing in any fashion the issues of reliability and chain of custody," he added.

The Sky ECC hack
2016: Netherlands and Belgium begin independent investigations into Sky ECC encrypted phones.
2018: Twenty police officers from the US, Canada, Australia, Belgium and other countries participate in an international conference in Sydney, discussing ways to access Sky ECC. They follow up with a meeting in Antwerp.
19 November 2018: A report by investigators identifies the location of Sky ECC infrastructure in the OVH datacentre in Roubaix, France.
30 November 2018: A Dutch judge allows an application to seize copies of the Sky ECC servers for technical research into encryption and interception of messages on the phone network, but does not allow the collection of data on the services for use as evidence. The magistrate concludes that it is not established that the encrypted communication of Sky ECC is almost exclusively used by organised serious crime.
13 February 2019: A French prosecutor at the Lille court initiates a formal investigation into Sky ECC.
27 May 2019: A meeting at Europol with the Belgian, Dutch and French authorities is told that US authorities had also opened an investigation into Sky ECC and their ultimate goal was to arrest the company's executive in Canada.
The Americans reach a tacit agreement with the Dutch to suspend US investigations while European investigations continue.
12 June 2019: A French prosecutor applies for a court order to intercept, record and transcribe communications passing through Sky ECC servers in France.
14 June 2019: French court authorises the interception of Sky ECC's servers for one month. The order is repeatedly renewed until December 2020.
13 December 2019: Dutch, Belgian and French law enforcement authorities agree to form a Joint Investigation Team to gather evidence about alleged criminal activities of Sky Global and its users, and to share technical information and resources.
December 2020: Dutch investigators work out how to obtain encryption keys from Sky ECC handsets. Work begins on decrypting a backlog of intercepted encrypted data.
February 2021: French investigators begin live interception and decryption of Sky ECC phones. More than 70,000 phones are monitored.
9 March 2021: Sky ECC is shut down after a joint operation by French, Belgian and Dutch law enforcement authorities, known as Operation Argus. Arrests, house searches and seizures are made in Belgium and the Netherlands.
12 March 2021: US files an indictment against Jean-Francois Eap, CEO of Sky Global, and former phone distributor Thomas Herdman.
-
WWW.COMPUTERWEEKLY.COM
Red Hat acquires tech to lower the cost of machine learning
The acquisition of Neural Magic by Red Hat is being positioned as a way to democratise machine learning and reduce the need for GPUs
By Cliff Saran, Managing Editor
Published: 13 Nov 2024 14:55

Red Hat has announced its intention to acquire Neural Magic, the lead developer behind the open source vLLM project.

The acquisition is being positioned as a way for Red Hat and its parent IBM to lower the barrier to entry for organisations that want to run machine learning workloads without the need to deploy servers equipped with graphics processing units (GPUs). This reliance creates a barrier to entry, hindering the widespread adoption of artificial intelligence (AI) across various industries and limiting its potential to revolutionise how we live and work.

The GitHub entry for vLLM describes the software as: "A high-throughput and memory-efficient inference and serving engine for LLMs [large language models]."

In a blog discussing the deal, Red Hat president and CEO Matt Hicks said Neural Magic had developed a way to run machine learning (ML) algorithms without the need for expensive and often difficult to source GPU server hardware.

He said the founders of Neural Magic wanted to empower anyone, regardless of their resources, to harness the power of AI. "Their groundbreaking approach involved leveraging techniques like pruning and quantisation to optimise machine learning models, starting by allowing ML models to run efficiently on readily available CPUs without sacrificing performance," he wrote.

Hicks spoke about the shift towards smaller, more specialised AI models, which can deliver exceptional performance with greater efficiency.
"These models are not only more efficient to train and deploy, but they also offer significant advantages in terms of customisation and adaptability," he wrote.

Red Hat is pushing the idea of sparsification, which, according to Hicks, strategically removes unnecessary connections within a model. This approach, he said, reduces the size and computational requirements of the model without sacrificing accuracy or performance. Quantisation is then used to reduce model size further, enabling the AI model to run on platforms with reduced memory requirements.

"All of this translates to lower costs, faster inference and the ability to run AI workloads on a wider range of hardware," he added.

Red Hat's intention to acquire Neural Magic fits into parent company IBM's strategy to help enterprise customers use AI models.

In a recent interview with Computer Weekly, Kareem Yusuf, product management lead for IBM's software portfolio, said the supplier has identified a business opportunity to support customers that want to easily mash their data into the large language model. This, he said, allows them to take advantage of large language models in a way that enables protection and control of enterprise data.

IBM has developed a project called InstructLab that provides the tools to create and merge changes to LLMs without having to retrain the model from scratch. It is available in the open source community, along with IBM Granite, a foundation AI model for enterprise datasets.

Dario Gil, IBM's senior vice-president and director of research, said: "As our clients look to scale AI across their hybrid environments, virtualised, cloud-native LLMs built on open foundations will become the industry standard."
"Red Hat's leadership in open source, combined with the choice of efficient, open source models like IBM Granite and Neural Magic's offerings for scaling AI across platforms, empower businesses with the control and flexibility they need to deploy AI across the enterprise."

Read more about IBM's AI strategy
IBM's latest Z mainframe offers lessons in building AI systems: Studying the engineering behind IBM's mainframe architecture could help enterprises build higher reliability into the GPU clusters used to run AI applications.
IBM throws its Red Hat into open source AI ring with RHEL AI: IBM and Red Hat open source their first LLMs, but IT experts say RHEL AI is more likely to stand out in the ways it links AI to hybrid cloud infrastructure.
-
WWW.COMPUTERWEEKLY.COM
Closing in on quantum computing with error mitigation
Current quantum computers are prone to error. IBM's latest Heron machine uses software and hardware to get better results
By Cliff Saran, Managing Editor
Published: 13 Nov 2024 14:58

The latest machine on IBM's quantum computing roadmap, Heron, has been given a hardware and software boost as the company pushes towards its goal of error correction.

Error correction is seen as the holy grail for quantum computing, which would open the gates to commercial adoption. This may be many years away, but IBM Heron offers error mitigation, which the company describes as techniques that allow users to mitigate circuit errors by modelling the device noise at the time of execution.

In other words, it is something software developers need to do when programming IBM quantum computers to get around the noisiness in terms of errors that is inherent in today's quantum computing technology.

"Advances across IBM Quantum hardware and Qiskit are enabling our users to build new algorithms in which advanced quantum and classical supercomputing resources can be knit together to combine their respective strengths," said Jay Gambetta, vice-president of IBM Quantum.

"As we advance on our roadmap towards error-corrected quantum systems as a pillar of the future of computing, the algorithms discovered today across industries will be key to realising the full potential of unexplored computational spaces created by the convergence of QPUs [quantum processing units], CPUs [central processing units], and GPUs [graphics processing units]."

To tie in with the Heron announcement, IBM has introduced several new tools in its Qiskit software developers kit.
These include tools such as the Qiskit Transpiler Service to power the optimisation of quantum circuits for quantum hardware with artificial intelligence (AI) and Qiskit Code Assistant to help developers easily generate quantum code with IBM Granite-based generative AI models.

It is also adding Qiskit Serverless, which enables software developers to run initial quantum-centric supercomputing approaches across quantum and classical systems and the IBM Qiskit Functions Catalog to make services available from IBM, Algorithmiq, Qedma, QunaSys, Q-CTRL and Multiverse Computing.

Error correction is the breakthrough

Tobias Lindstrom, head of science for NPL's department of quantum technology, believes a step change in quantum computing will happen once error correction is fixed.

"Today, we're limited by scaling because we don't have error correction," he said. "Once you can build a logical error-correct qubit, as far as I understand, there's nothing stopping you from building more of them. It is an engineering challenge."

"Once there is error correction, you may spend more money but there is no limit to the scaling," he added, in response to the question of whether a working quantum computer would follow the same rules as Moore's Law, which shows that the number of transistors on a processor doubles every two years for the same price.

While there has been a lot of progress in schemes focused on error correction, Lindstrom expects quantum computing adoption will accelerate when the techniques are eventually mastered.

Even if such a computer with perhaps 10,000 qubits has a ticket price of $1bn, Lindstrom believes the price is not likely to be a barrier for some organisations and governments: "I don't think that's going to stop people when you are talking about something as useful as a quantum computer."

What this means is that quantum computers will likely only be initially purchased by governments or very large companies.

There is a certain class of problem which Lindstrom and many in the industry
feel quantum computing will be able to optimise. Not surprising, he said, quantum-type problems such as quantum chemistry are among the big opportunities, where quantum computing can be applied in material science leading to opportunities such as the development of greener technologies.

While not fully fledged computers, Lindstrom described the UK Research and Innovation's quantum test bed programme as an important step. These demonstrators of quantum technology provide a way for quantum computing firms to develop machines that organisations can have direct access to in the UK.

Solving problems and improving skills

Like IBM's Gambetta, Lindstrom sees quantum devices as part of the mix that will be used to accelerate certain workloads: "A good analogy is probably something like using GPUs or FPGAs [field-programmable gate arrays] in the context of high-performance computing. You're still logging onto a regular computer, but for certain problems, you're using a GPU or an FPGA."

The era of quantum computing will, like with GPUs, involve the quantum processor effectively acting as an accelerator or co-processor for the CPU.
Lindstrom believes that, in an ideal world, a programmer would use their preferred programming language and their source code compiler tool would then look through this code and decide which steps in the program require an optimisation step and then assess whether this is best serviced by offloading the task to a quantum processor.

"That's the ideal scenario, in terms of user friendliness, but it may not be the best way to use existing resources," he said.

For Lindstrom, there needs to be a group of specialist programmers who understand the computer architecture in depth: "I think a good analogue would be classical computers in the 1980s, where people were programming in assembly language to squeeze the most performance out of the hardware."

Looking at current industry efforts, Lindstrom said that there is work to make quantum computing more accessible to people who do not necessarily have an in-depth background in the technology, but this is not possible today.

"For the foreseeable future, you will need a second category of people as well who really understand quantum computing and who can formulate the problem before they even start writing the code," he said.

What this means from a skills perspective, as CIOs plan for a future where quantum computing is part of the technology mix, is, according to Lindstrom, a similar story to the upskilling needed for GPUs.

People are GPU-aware because, again, it has been part of the computing ecosystem for so long, but they don't necessarily need to know how to build a GPU; they just need to understand the APIs [application programming interfaces] and what problems GPUs can be used for.

Read more quantum computer stories
Does quantum matter: Ilyas Khan, CEO of Quantinuum, discusses the quantum computing revolution.
IBM plots route beyond Condor: New quantum system and classical computing hybrid forms the basis of next-gen supercomputing at IBM.
-
WWW.COMPUTERWEEKLY.COM
China's Volt Typhoon rebuilds botnet in wake of takedown
Nine months after its malicious botnet comprising legacy routers was disrupted by the Americans, Chinese APT Volt Typhoon is rebuilding and presents as persistent a threat as ever
By Alex Scroxton, Security Editor
Published: 13 Nov 2024 16:06

The Chinese state threat actor most famously known as Volt Typhoon is staging a significant comeback after its botnet infrastructure was disrupted in a US-led takedown at the beginning of February 2024.

Volt Typhoon's malicious botnet comprised hundreds of Cisco and Netgear small and home office (SOHO) routers that had reached end-of-life (EOL) status and thus were no longer receiving security updates.

The threat actor infected these devices with KV Botnet malware and used them to obfuscate the origins of follow-on hacks targeting critical national infrastructure (CNI) operations in the US and elsewhere.

Now, nine months on, threat analysts from SecurityScorecard say that they have observed signs that Volt Typhoon is not only back in business, but is more sophisticated and determined than ever.

SecurityScorecard's Strike team has been poring over millions of data points collected from the organisation's wider risk management infrastructure, and has determined that Volt Typhoon is now adapting and digging in after licking its wounds in the wake of the takedown.

"The Strike Team's discoveries highlight the expanding threat posed by Volt Typhoon. As the botnet spreads and its tactics deepen, governments and corporations must urgently address weaknesses in legacy systems, public cloud infrastructures, and third-party networks," said SecurityScorecard senior vice-president of threat research and intelligence, Ryan Sherstobitoff.

"Volt Typhoon is both a resilient botnet and a warning."
"Without decisive action, this silent threat could trigger a critical infrastructure crisis driven by vulnerabilities left unresolved."

In recent months, Volt Typhoon has stood up new command servers using hosting services such as Digital Ocean, Quadranet and Vultr, and registered fresh SSL certificates to evade the authorities.

The group has continued to exploit legacy vulnerabilities in Cisco RV320/325 and Netgear ProSafe routers. Sherstobitoff revealed that the operation was able to compromise 30% of the world's visible Cisco RV320/325s in the space of just one month.

"The Strike Team's deep investigation has exposed Volt Typhoon's complex network built on compromised SOHO and EOL devices. This group has weaponised outdated routers on a global scale, weaving layers of obfuscation that mask their presence and make detection exceptionally difficult," said Sherstobitoff.

These compromised routers act as digital chameleons, facilitating the covert movement of data while mimicking normal network traffic. Analysts have identified MIPS-based malware on these devices, similar to Mirai, engineered to establish covert connections and communicate via port forwarding over 8443. This method keeps Volt Typhoon's command operations off the radar, even for seasoned cyber security teams.

Webshells, such as fy.sh, are strategically implanted in routers, allowing Volt Typhoon to maintain persistent access and secure remote control. The attack doesn't just hide; it integrates seamlessly into routine network operations. The result?
A resilient foothold, particularly within governmental and critical infrastructure sectors, that camouflages malicious activities and complicates any clean-up efforts, he said.

As of September 2024, its new botnet cluster was observed routing traffic worldwide, much of it transiting through a compromised virtual private network (VPN) device which is acting as a silent bridge between Asia-Pacific and the US.

This device is determined to be located somewhere in New Caledonia, a French island in the South Pacific Ocean, about 750 miles northwest of Queensland, Australia. By placing its hub in a location considered to be part of France (though New Caledonia's legal status as a sui generis overseas territory is both complex and controversial), Volt Typhoon may be able to avoid additional scrutiny and extend the reach of its botnet even further.

Sherstobitoff warned that CNI operators still presented an attractive target for Chinese state-sponsored attackers thanks to their essential role in economic stability, while the sector's lingering dependence on legacy technology is creating a perfect storm for disruption.

He added that many third-party tech suppliers themselves lack robust defences, offering advanced persistent threat (APT) actors such as Volt Typhoon easy entry points.

Read more about Volt Typhoon
Lumen Technologies researchers have observed Volt Typhoon exploitation of CVE-2024-39717 against four US organisations in the ISP, MSP and IT sectors.
A panel of experts at RSA Conference 2024 discussed Volt Typhoon and warned the Chinese nation-state threat group is still targeting and compromising organisations.
GCHQ director Anne Keast-Butler uses her first major public speech to warn that China poses a significant cyber security threat to the UK.
-
WWW.COMPUTERWEEKLY.COM
Schools go smartphone-free to address online harms

As the UK's Online Safety Act (OSA) approaches its first birthday, parents and teachers insist more must be done to protect young people and children from the various risks they are facing online.

In particular, they cite the need for tighter measures around smartphone and social media use in schools, which led two parents to create the Smartphone Free Childhood (SFC) group in February 2024.

Since then, the group, which characterises itself as a grassroots movement on a mission to challenge Big Tech's colonisation of childhood, has expanded massively, with 150,000 parent members across the UK at the time of publication.

Their concerns cover a range of areas, including the increasing rates of depression, anxiety and suicide among children since smartphones were introduced, the pervasive effects of cyber bullying, the risk of children being exposed to harmful content via algorithms and messaging apps, and the intentionally addictive design choices of tech companies that are intended to harvest ever-increasing amounts of data for profit.

While the UK is one of the first countries to attempt to regulate global social media platforms such as Meta, X, TikTok and YouTube (which from the start of 2025 can be prosecuted by online harms regulator Ofcom for failing to address illegal content, which includes the possibility of million-pound fines and criminal sanctions against high-ranking social media platform employees), parents and teachers say there is mounting evidence that, despite any good intentions, the online world continues to have a range of harmful effects on young people.

An international study across 44 countries published last month, for example, revealed a growing rate of problematic internet use in children, revealing the dire need for safer platforms for young people.
In the US, legal action against the biggest social media platforms is unfolding over their inaction on harmful content and failure to protect children. In 2023, 42 attorneys general sued Meta, alleging addictive features that target children.

"Although the Online Safety Act is an important first step, it will only partly address the harms currently being inflicted on children through smartphones and social media," says Clare Fernyhough, co-founder of SFC. "It's not clear the act will address the addictive by design nature of both smartphones and social media platforms, meaning tech companies will continue to make billions from keeping our children constantly online." With some children spending as much as nine hours a day on their phones, the opportunity cost these devices carry is enormous.

Given the ongoing concerns over the spread of online harms, and the role of smartphones in particular, the inception of SFC has prompted many schools to attempt going smartphone-free.

In May 2024, for example, 20 primary schools across St Albans announced plans to ditch smartphones, and in September, Ormiston academies announced the decision to go smartphone-free across its 44 state schools.

"We had a phone switched off and in your bag policy for years. It was completely ineffective," says Damien McBeath, head teacher at John Wallis Academy, which launched its own smartphone-free policy in January, shortly before the formation of SFC.
"Since Covid, we have seen a real decline in socially acceptable behaviour: lots of TikTok trends, pupils bundling into toilet cubicles, incidents of online predators sapping pupils' attention."

In his 25 years as a head teacher, McBeath adds, smartphones have been a tidal wave of issues and disruption.

In October 2024, SFC also launched a formal Smartphone Free Schools campaign, which has already inspired a number of other schools to attempt the policy. SFC says the concerns McBeath has are echoed by other teachers, who have reached out to the group for guidance and support.

"We have been inundated with stories from teachers grappling with the effects of smartphones, from distraction in lessons to cyber bullying and sharing of inappropriate content. This is an urgent situation that needs immediate government support," says Fernyhough.

Will Orr-Ewing, schools engagement lead for the Smartphone Free Schools campaign, adds: "The average child gets hundreds of notifications on their phone throughout the school day, a constant call on their attention, which leads them to check their phone whenever they are out of a teacher's eyeline, especially in bathrooms and breaktimes."
"That is why we recommend that schools devise ways to take the phone off the child's person for the full seven hours of the school day, either by use of pouches or lockers, or by prohibiting children from bringing in a smartphone at all, and recommending brick phones for travel instead."

Since adopting the smartphone-free policy, John Wallis Academy claims it has seen immense benefits both for pupils and staff, including a 40% reduction in the number of detentions, an 80% reduction in the rate of in-school truancy, and a reduction in staff turnover from 30% to 17%.

Campaigners and teachers believe broader support from the government could lead to nationwide change. Currently, just 11% of UK schools have effective smartphone restrictions in place. In an open letter to the Department for Education in October, head teachers, governing bodies and local councils urged the government to commit funding to support schools that aim to go smartphone-free.

Aside from parents and teachers, the proposed implementation of the UK's Online Safety Act has also been met with discontent from civil society groups, which have argued during the act's ongoing consultation that there is a need for tougher laws around online safety.

Digital safety charity 5Rights, for example, claims: "Ofcom's proposals as currently drafted are light-touch and incomplete, and fail to meet the needs of children and the expectations of parliamentarians, civil society, parents and teachers."

Digital secretary Peter Kyle similarly told the BBC's Laura Kuenssberg that he was going to close loopholes in the Conservative government-led Online Safety Act, adding that the tech sector is the only sector ... that can release products into society without proving they're safe before release.

Support for more stringent legislation is also echoed by the public.
Recent polling from the Molly Rose Foundation, for example, revealed overwhelming public and parental support for a new Online Safety Act, with 84% of parents and 80% of adults backing a new act to strengthen online safety measures.

Labour MP Josh MacAlister has also recently launched a Private Member's Bill, which could potentially lead to providing statutory guidance on smartphone use in schools, and increasing the age of internet adulthood from 13 to 16. The MP and former teacher was vocal on the importance of this policy for disadvantaged children in particular.

The bill also aims to strengthen regulator Ofcom's powers so that it can enforce a code of conduct to tackle the addictive-by-design nature of social media platforms such as Instagram and TikTok.

Concerns around addictive design models were echoed in a joint agreement on online safety from the UK and US governments, stating: "Both countries acknowledge that risk-based and safety, privacy and inclusivity-by-design approaches throughout design, development and deployment are fundamental to children's safety and well-being online, alongside increased transparency and accountability from online platforms."

Read more about online harms
Ofcom issues online safety warning to firms in wake of UK riots: Ofcom has issued a warning reminding social media firms of their upcoming online safety obligations, after misinformation about the Southport stabbings sparked racist riots throughout the UK.
UK and US pledge closer working on children's online safety: In their first agreement on the subject of children's online safety, the UK and US governments have said they will create a new working group to boost cooperation.
Misinformation runs deeper than social media: While social media may contribute to the increasing rapid spread and reach of misinformation, the root causes of the problem go much deeper than the role of a particular company or way of using technology to communicate.
-
WWW.COMPUTERWEEKLY.COM
Zero-day exploits increasingly sought out by attackers
Threat actors increasingly favour zero-day exploits to attack their victims before patches become available according to the NCSC and CISA, which have just published a list of the most widely-used vulnerabilities of 2023
By Alex Scroxton, Security Editor
Published: 12 Nov 2024 16:49

Threat actors, both state-backed and financially-motivated, are increasingly taking advantage of previously unknown vulnerabilities, or zero-days, to compromise their victims before fixes or patches are made available by the tech industry, according to a new advisory published by the Five Eyes cyber agencies, including the UK's National Cyber Security Centre (NCSC) and the United States Cybersecurity and Infrastructure Security Agency (CISA).

The agencies have collectively drawn up a list of the 15 most exploited vulnerabilities of 2023 and found that the majority of exploited vulnerabilities were zero-days, compared to less than half in 2022. The trend has continued through 2024, said the NCSC.

The NCSC said that defenders needed to up their game when it comes to vulnerability management, paying particular attention to applying updates as quickly as possible when they do arrive, and to making sure they have identified all the potentially affected IT assets in their estates.

The organisation also urged suppliers and developers to do more to implement secure-by-design principles into their products, something that the Five Eyes governments (Australia, Canada, New Zealand, the UK and the United States) have become particularly vocal about in the past 18 months.
Doing so helps reduce the risk of vulnerabilities being accidentally introduced during development, only to be taken advantage of further down the line.

"More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organisations and vendors alike as malicious actors seek to infiltrate networks," said NCSC chief technology officer (CTO) Ollie Whitehouse.

"To reduce the risk of compromise, it is vital all organisations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace," said Whitehouse.

"We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source," he added.

The full list of the vulnerabilities most frequently exploited during 2023 is as follows:
CVE-2023-3519, a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway;
CVE-2023-4966, a buffer overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway, aka Citrix Bleed;
CVE-2023-20198, an elevation of privilege (EoP) issue in Cisco IOS XE Web UI;
CVE-2023-20273, a web UI command injection bug in Cisco IOS XE;
CVE-2023-27997, a heap-based buffer overflow flaw in Fortinet FortiOS and FortiProxy SSL-VPN;
CVE-2023-34362, a SQL injection vulnerability in Progress MOVEit Transfer, infamously exploited by the Cl0p ransomware gang, the fall-out from which is still being felt;
CVE-2023-22515, a broken access control vuln in Atlassian Confluence Data Center and Server;
CVE-2021-44228, a remote code execution (RCE) issue in Apache Log4j2, aka Log4Shell, the source of a major incident at the end of 2021 and still being widely-abused years later;
CVE-2023-2868, an improper input validation flaw in Barracuda Networks ESG Appliance;
CVE-2022-47966, an RCE issue in Zoho ManageEngine;
CVE-2023-27350, an improper access control vulnerability in PaperCut MF/NG;
CVE-2020-1472, an EoP vuln in Microsoft Netlogon, the source of another high-profile historic incident that there is now no excuse for not having addressed;
CVE-2023-427983, an authentication bypass flaw in JetBrains TeamCity;
CVE-2023-23397, an EoP issue in Microsoft Office Outlook, widely-used by Russian spooks;
And last but not least, CVE-2023-49103, an information disclosure vuln in ownCloud graphapi.

The full list, which can be downloaded from CISA, also contains details of a number of other issues that were observed being routinely exploited during 2023, prominent among them two vulnerabilities in Ivanti products disclosed in August 2023, and the infamous Fortra GoAnywhere flaw exploited, yet again, by the Cl0p gang.

Read more about recent zero-days
Qualcomm urges customers to patch the memory corruption vulnerability as Google researchers have observed targeted exploitation in the wild against the flaw.
According to Fortinet, the FortiManager vulnerability 'may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.'
More than two weeks after threat actors exploited a zero-day vulnerability in a third-party utility to breach Rackspace, the details about the flaw and the utility remain unknown.
-
WWW.COMPUTERWEEKLY.COM
Microsoft fixes 89 CVEs on penultimate Patch Tuesday of 2024

Microsoft has issued fixes addressing a total of 89 new Common Vulnerabilities and Exposures (CVEs) - 92 including third-party disclosures - to mark the penultimate Patch Tuesday of 2024, including four critical issues and a number of flaws that could be considered zero-days.

Of these issues, one meets the full traditional definition of a zero-day: a vulnerability that is both public and known to be exploited. This is CVE-2024-43451, a spoofing vulnerability in New Technology LAN Manager (NTLM) Hash.

NTLM is a set of security protocols used to authenticate users' identities. It dates back years and has been largely supplanted by vastly more secure protocols - Microsoft has not recommended its use in over a decade - but since it was used in Internet Explorer, it remains supported to some extent and continues to cause problems, not least because at this stage, it is incredibly insecure.

In this instance, successful exploitation of this issue could lead to total loss of confidentiality, according to Microsoft, as it discloses a user's NTLMv2 hash to an attacker who could then use it to authenticate as the user - if the victim can be tricked into minimal interaction with a malicious file, which could include merely selecting or clicking it, not even opening it. This may make it considerably more dangerous than its comparatively low severity score may indicate.

Mike Walters, president and co-founder of Action1, explained: "This issue arises from the mechanism where NTLM authentication credentials, specifically NTLMv2 hashes, are improperly exposed via a maliciously crafted file."

"The root cause of this vulnerability lies in improperly handling file interactions within systems, potentially allowing attackers to extract NTLMv2 hashes without requiring complete file execution," he told Computer Weekly in emailed commentary.

All supported versions of Microsoft Windows are vulnerable to this issue, said Walters, especially if they use applications reliant on MSHTML and EdgeHTML platforms, while risk is further increased across different system environments thanks to the involvement of other scripting engines.

Walters said the main concern with CVE-2024-43451 is the disclosure of NTLMv2 hashes that can be used to authenticate as the user and leveraged in pass-the-hash attacks, enabling further lateral movement for a canny threat actor.

"This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems," he said.

Organisations that heavily use Windows in environments with substantial network file sharing or legacy applications dependent on Internet Explorer and related platforms face heightened risk. Those lacking robust user training and monitoring systems to detect unusual file interactions may be more susceptible to exploitation.

Also on the list is CVE-2024-49309, which is exploited but not yet public. This is an elevation of privilege (EoP) vulnerability in Windows Task Scheduler.

This stems from an issue where authentication tokens or credentials are improperly managed and could allow a low-privileged attacker to gain deeper access if they can execute a malicious application designed for the purpose. It impacts multiple versions of Windows that incorporate Task Scheduler as part of their routine task automation processes, and it is thought that environments with shared or multiple-user setups may be particularly vulnerable to it.

"This vulnerability serves as a potential entry point for attackers who have already accessed a system with low privilege. Once privileges are escalated, these attackers can utilise this foothold for further lateral movement within a network or to exploit other vulnerabilities that necessitate higher access levels," said Walters.

The nature of this vulnerability is especially concerning in corporate settings where individual users possess specific task automation privileges that could be exploited to gain unauthorised access.

Four further vulnerabilities have been made public but as of yet have seen no exploitation, according to Microsoft, and one of these, CVE-2024-5535, a remote code execution issue in OpenSSL, is among the three third-party disclosures incorporated into this month's drop.

The other three are CVE-2024-43498, a remote code execution (RCE) vulnerability in .NET and Visual Studio; CVE-2024-49019, an EoP vulnerability in Active Directory Certificate Services; and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.

Chris Goettl, vice president of security products at Ivanti, shared further thoughts on both the Active Directory and Microsoft Exchange Server issues, and urged defenders to treat them as higher priorities than the official guidance might imply.

"[CVE-2024-49019] is rated Important and has a CVSS v3.1 score of 7.8. If exploited, the attacker could gain domain administrator privileges. The vulnerability does provide additional mitigations including removing overly broad enrol or auto-enrol permissions, removing unused templates from certificate authorities, and securing templates that allow you to specify the subject in the request," said Goettl.

"The vulnerability affects Windows Server 2008 and later Server OS editions. From a risk-based perspective, a public disclosure puts this vulnerability at a higher risk of being exploited and may warrant treating the vulnerability as a higher severity."

Goettl continued: "[CVE-2024-49040] is rated Important and has a CVSS v3.1 score of 7.5. The vulnerability exists in the P2 From header verification. Microsoft Exchange Server is often targeted by threat actors who specialise in Exchange exploits. From a risk-based prioritisation perspective, the public disclosure and availability of PoC level exploit code warrants treating this vulnerability as Critical."

Finally, three other Critical issues are listed: CVE-2024-43625, an EoP vulnerability in Microsoft Windows VMSwitch; CVE-2024-43639, an RCE vulnerability in Windows Kerberos; and CVE-2024-49056, an EoP vulnerability in Airlift.microsoft.com. In each of these instances, no proof of concept has yet been made public and no exploitation in the wild has been observed.
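The risk-based prioritisation Goettl describes can be sketched as follows, as an added Python example that is not from Computer Weekly, Microsoft or Ivanti: it re-ranks the CVEs named in this article by exploitation and disclosure status rather than by vendor rating alone. The escalation rules, the `Vuln` fields and the default used where the article states no rating are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["Low", "Moderate", "Important", "Critical"]
DEFAULT_RATING = "Important"  # assumption: applied when the article gives no rating


@dataclass(frozen=True)
class Vuln:
    cve: str
    component: str
    vendor_rating: Optional[str]  # None = not stated in the article
    cvss: Optional[float]         # None = not stated in the article
    public: bool
    exploited: bool
    poc: bool = False


# Status flags as reported in the article above; this is not live advisory data.
PATCH_TUESDAY = [
    Vuln("CVE-2024-43625", "Windows VMSwitch (EoP)", "Critical", None, False, False),
    Vuln("CVE-2024-43639", "Windows Kerberos (RCE)", "Critical", None, False, False),
    Vuln("CVE-2024-49056", "Airlift.microsoft.com (EoP)", "Critical", None, False, False),
    Vuln("CVE-2024-5535", "OpenSSL (RCE)", None, None, True, False),
    Vuln("CVE-2024-43498", ".NET and Visual Studio (RCE)", None, None, True, False),
    Vuln("CVE-2024-49019", "AD Certificate Services (EoP)", "Important", 7.8, True, False),
    Vuln("CVE-2024-49040", "Exchange Server (spoofing)", "Important", 7.5, True, False, poc=True),
    Vuln("CVE-2024-49309", "Windows Task Scheduler (EoP)", None, None, False, True),
    Vuln("CVE-2024-43451", "NTLM hash disclosure (spoofing)", None, None, True, True),
]


def effective_rating(v: Vuln) -> str:
    """Vendor rating escalated by exposure (illustrative rules, not a standard)."""
    # Known exploitation, or public disclosure plus PoC code: treat as Critical.
    if v.exploited or (v.public and v.poc):
        return "Critical"
    level = LEVELS.index(v.vendor_rating or DEFAULT_RATING)
    # Public disclosure alone raises the rating by one step, capped at Critical.
    if v.public:
        level = min(level + 1, len(LEVELS) - 1)
    return LEVELS[level]


def sort_key(v: Vuln):
    # Exploited first, then effective rating, then PoC, then public, then CVSS.
    return (
        not v.exploited,
        -LEVELS.index(effective_rating(v)),
        not v.poc,
        not v.public,
        -(v.cvss or 0.0),
        v.cve,  # stable, deterministic tie-break
    )


def rank(vulns: List[Vuln]) -> List[Vuln]:
    return sorted(vulns, key=sort_key)


def escalated(vulns: List[Vuln]) -> List[str]:
    """CVEs whose stated vendor rating is lower than the effective rating."""
    return [
        v.cve
        for v in rank(vulns)
        if v.vendor_rating and effective_rating(v) != v.vendor_rating
    ]


if __name__ == "__main__":
    for pos, v in enumerate(rank(PATCH_TUESDAY), 1):
        flags = ",".join(
            name
            for name, on in (("exploited", v.exploited), ("public", v.public), ("poc", v.poc))
            if on
        ) or "none"
        print(f"{pos}. {v.cve:<15} {effective_rating(v):<9} "
              f"vendor={v.vendor_rating or 'n/a':<9} {flags:<16} {v.component}")
```

With these rules the two publicly disclosed "Important" issues are placed ahead of the three undisclosed vendor-Critical ones, which is the reordering Goettl argues for.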
-
WWW.COMPUTERWEEKLY.COM
UK Bolt drivers win legal claim to be classed as workers

UK drivers working for ride-hailing and food delivery app Bolt should be classed as staff rather than self-employed, the Employment Tribunal has ruled.

Being classified as workers means more than 100,000 Bolt drivers are now entitled to better workplace conditions and protections for the first time under UK employment law, including the right to be paid the national minimum wage, and to receive statutory minimum holiday pay and rest breaks, as well as protection from unlawful discrimination and whistleblowing.

The Employment Tribunal specifically rejected Bolt's claim that drivers are self-employed contractors running their own businesses, finding instead that the terms and conditions the firm applies to its relationship with drivers, as well as the level of control it has over their day-to-day work, mean they are in fact workers.

"Overwhelmingly, the power lies with Bolt," said the ruling. "There is nothing in the relationship which demands, or even suggests, agency. The agency notion is posited simply to defeat the obvious interpretation which the facts invite - that Bolt employs the drivers to provide their labour in furtherance of its transportation business."

It added: "The supposed contract between the Bolt driver and the passenger is a fiction designed by Bolt - and in particular its lawyers - to defeat the argument that it has an employer/worker relationship with the driver."

While Bolt currently only pays its drivers for time spent on trips, the Employment Tribunal also ruled they should be paid for time spent logged into the Bolt app, providing they are not also logged into apps for other private hire operators such as Uber or Deliveroo - a practice those operators refer to as multi-apping.

Lawyers from Leigh Day representing the drivers said the employment tribunal decision - which was handed down on 8 November 2024 following a three-week hearing in September - could lead to drivers receiving collective compensation worth more than £200m. They added that, on average, drivers could be entitled to compensation of over £15,000.

While the ruling means Bolt will need to provide paid holiday and ensure drivers earn the minimum wage for any periods they work, the Employment Tribunal will hold a further session to decide exactly how much compensation the drivers are entitled to.

"We are very pleased that the employment tribunal has found in favour of our Bolt driver clients," said Leigh Day employment team solicitor Charlotte Pettman, who represented roughly 15,000 current and former Bolt drivers in their legal action.

"This judgment confirms that gig economy operators cannot continue to falsely classify their workers as independent contractors running their own business to avoid providing the rights those workers are properly entitled to. We call on Bolt to compensate our clients without further delay."

Bolt driver Shuhel Ahmed also welcomed the ruling, adding: "It's satisfying to know that our hard work and long hours have been recognised, and that we can fight on for better pay and conditions, and compensation will make a huge difference to my family's life."

A spokesperson for Bolt - which is currently reviewing its options, including grounds to appeal the decision - said: "Drivers are at the heart of what we do, and we have always supported the overwhelming majority's choice to remain self-employed, independent contractors, protecting their flexibility, personal control and earning potential."

The legal claim from Bolt drivers followed the UK Supreme Court determining in February 2021 that Uber drivers - who were also represented by Leigh Day - should be classified as workers rather than self-employed. That specific legal challenge was brought by private hire driver Yaseen Aslam and his union, the App Drivers and Couriers Union (ADCU).

However, although Uber agreed in March to pay its UK drivers the minimum wage, it said this would only apply for the time they are assigned to trips, rather than, as the Supreme Court explicitly ruled, from the time they log in to the app.

Commenting on the latest Employment Tribunal hearing decision regarding Bolt - which explicitly noted that drivers should be paid for all time spent logged into the app - ADCU general secretary Zamir Dreni said it "vindicates our position on working time and demonstrates that neither Bolt nor Uber have ever fully complied with the Supreme Court ruling, which means that between 40% and 60% of true working time remains unpaid".

"Rather than force workers back into courts for another decade of litigation, the government needs to step in now and fix the current employment bill, which omitted protections for gig workers, so that Britain's hard-working minicab drivers and delivery couriers get the protections they deserve."

However, different rulings related to the working relationship between drivers and other operators have come to different conclusions.

In June 2021, the UK Court of Appeal ruled - in a case originally brought by the Independent Workers Union of Great Britain (IWGB) in 2017 - that Deliveroo riders are self-employed, further finding they do not have the right to organise via a trade union.

Despite this, one judge conceded that the ruling could be seen as counterintuitive because it is easy to see that riders might benefit from organising collectively to represent their interests, as against Deliveroo.

Another judge agreed that the decision may seem counterintuitive, adding: "I quite accept that there may be other cases where, on different facts and with a broader range of available arguments, a different result may eventuate."

Lord Justice Underhill added that the Uber case, which largely revolved around UK-specific employment law, had no bearing on this Deliveroo case because it did not engage Article 11 of the European Convention on Human Rights (which protects the right to form and join trade unions), adding that unlike Deliveroo, Uber did not rely on any substitution clause that meant others are allowed to complete the work.

In September 2022, the IWGB once again appealed the ruling, arguing that riders have been denied collective bargaining rights and once again seeking to establish their worker status. However, this was dismissed by the Supreme Court in November 2023, which noted the way riders work with Deliveroo is inconsistent with an employment relationship.
-
WWW.COMPUTERWEEKLY.COM
Hyperscalers' net-zero plans hit roadblocks

Hyperscalers are looking at nuclear to power their energy-hungry datacentres and meet net-zero targets but regulations may curb their plans

By Cliff Saran, Managing Editor
Published: 11 Nov 2024 15:30

In 2022, datacentres were estimated to consume about 2% of global energy. By 2026, that number is predicted to double to 4%, equivalent to about 1000 terawatt hours a year, which, according to Gartner, is equivalent to the consumption of a country the size of Japan.

Lloyd Jones, vice-president analyst at Gartner, said the company's energy utility clients are saying no to datacentres because they cannot guarantee 24/7, 365 days a year uninterruptible supply.

But there is plenty of interest in the use of nuclear power as an alternative to fossil fuels to provide localised power for datacentres.

Last month, Alphabet signed a deal with Kairos Power to develop the use of small modular nuclear reactors (SMRs) to complement the company's use of renewables to power its datacentres. Michael Terrell, senior director of energy and climate at Google, said in a blog post that the deal with Kairos Power would help the hyperscaler reach its net-zero targets for emissions.

In September, Microsoft announced a 20-year agreement to buy electricity from Constellation Energy's Three Mile Island (TMI) nuclear plant, and in March, Amazon acquired Talen Energy's Cumulus Data Assets datacentre site, which is opposite the Susquehanna Steam Electric Station.

In a new report, Powering data centers with new nuclear capacity faces tech, regulatory challenges, ratings agency Moody's notes that nuclear power enables electricity generating capacity free of greenhouse gas emissions and, unlike renewable energy sources such as solar or wind, nuclear reactors provide a 24/7, dispatchable source of electricity.

But the report also highlights the risk of SMRs, which are considered a new technology. As Moody's points out, efforts to develop new nuclear generating capacity in the US have been frequently marked by construction holdups and cost overruns that have caused significant credit deterioration, severe financial distress and even utility bankruptcies. For instance, Utah Associated Municipal Power Systems and NuScale Power Corporation said in November 2023 that they had decided to terminate their plans to build an SMR because of rising development costs.

While hyperscalers are busy signing deals to build out nuclear power plants to power their datacentres, Jones said: "Take this with a pinch of salt, because we have not seen a small modular nuclear reactor being licensed and being built as a prototype, never mind receiving a licence for commercial manufacturers at industrial scale."

Moody's notes that the technology is still under development and is likely to face heavy regulatory scrutiny. In addition, the ratings agency noted that efforts in the US to develop new nuclear generating capacity have been frequently marked by construction holdups and cost overruns.

Given the fact that SMRs have yet to be built in a way that can make them operationally cost-effective, Jones predicts the hyperscalers will slowly roll back some of their net-zero commitments. The only thing they can do, he said, is use power from gas generators, which they will need to install on-site since the utilities firms are curbing applications for more datacentre power. "Commitments are being rolled back on quietly and we're seeing artificial intelligence's (AI's) dirty secret puffing out as carbon intensity rises," he added, referring to the vast power requirements needed to run machine learning and AI inference workloads.

However, building such microgrids onsite to generate electricity local to datacentre facilities is likely to face intense regulatory scrutiny. In what amounts to a major setback for Amazon Web Services, the US Federal Energy Regulatory Commission recently ruled against regional electricity transmission firm PJM Interconnection's request to increase the capacity of Talen and Amazon's interconnection service agreement to 480MW from the currently approved 300MW.

Moody's said the order is likely to slow the proliferation of behind the meter deals under which datacentres are able to purchase electricity directly from a power plant on the same site, enabling them to bypass transmission and distribution costs. Such agreements would, in theory, provide datacentres with the quickest access to existing generation, Moody's said.

It's likely there will be more regulatory barriers to overcome before microgrids and the idea of SMRs providing on-site power for datacentres gets any closer.

However, Moody's believes that utility companies can help to de-risk the development of SMRs by working closely with the tech sector. Such partnerships would help to make SMRs commercially viable, and help both sectors' carbon transition efforts. The scale and financial resources of hyperscalers like Amazon, Google, Microsoft and Meta Platforms position them well to shoulder the associated financial burdens of SMR development, Moody's said.
-
WWW.COMPUTERWEEKLY.COM
NetApp boosts AFF, StorageGrid and E-series hardware with 60TB drives

NetApp has upgraded its AFF A- and C-series flash storage arrays while also boosting capacity and performance in StorageGrid object storage and E-series storage area networks (SANs), mostly as a result of new 60TB arrays plus central processing unit (CPU) and backplane enhancements.

AFF A- and C-series - performance and capacity-oriented respectively - get new-generation CPUs, reworked peripheral component interconnect express (PCIe) connectivity, and are now fully modular to allow component upgrades in place while the chassis remains. With 60TB drives, capacity is now boosted also.

Storage is via the Ontap operating system and can be file, block or object. While that is the case, NetApp also has its ASA block storage array, which it upgraded in September. Dedicated object storage capacity comes in its StorageGrid line, of which more below. AFF arrays come with full cloud connectivity for backup, tiering and migration.

The arrays in the performance-oriented A-series are the A20, A30 and A50. NetApp claims they are now 41%, 96% and 153% quicker than their predecessor products, A150, A250 and A400.

These new arrays replace existing ones at the lower end of the AFF range. They complement the A70, A90 and A1k at the high end that go to nearly 4PB raw and more than 15PB useable in the A1K, with nearly 200PB possible in a cluster configuration.

In the QLC flash-equipped C-series, the new arrays are the C30, C60 and C80. Maximum capacity in the largest of these is nearly doubled over its predecessor, the C800 - from 7.4PB to 14.7PB - while at the other end, the new C30 goes to 2.2PB compared with the older C250, which went to 1.5PB.

Possible capacities in the C-series can go to just over 700PB in a cluster of C80 arrays.

Grant Caley, UK and Ireland solutions director at NetApp, said: "Since the advent of flash storage, the bottleneck of disk performance is no longer the factor for platform refreshes. Now it is about controller performance to that storage. So, capacities aren't changing significantly, but controller performance is."

Also, NetApp's StorageGrid object storage arrays - the offspring of E-series hardware and Bycast object storage software - get an upgrade centred on 60TB arrays with more than 2PB possible in 3U in its SGF6112 product. An upgrade to StorageGrid software also allows for workloads in a cluster to be segregated into nodes for data only and metadata, plus 5,000 buckets per tenant possible.

While object storage is possible in NetApp's Ontap-equipped hardware, StorageGrid targets dedicated object storage use cases.

"Dynamic policy management allows the customer to decide on security, lifecycle, etc, in a much larger platform than object in Ontap, which is aimed at transient storage of object data or where it is managed by an application, such as backup," said Caley.

Meanwhile, the company's E-series SAN arrays - the only ones in the product line that don't use the Ontap OS - also get 60TB drives and a CPU refresh, to provide two new platforms. These are the E4012 and E4060, which go to 264TB and 1.3PB raw capacity respectively. Those go to 2.1PB and 6.6PB raw with expansion shelves.

E-series hardware is SAN-only, and aimed at customers that want affordable, basic storage capacity. Caley said the E-series target is "simple SAN".

"It has snapshots and replication but is aimed at video surveillance, backup, archive storage," he said. "It is for extreme performance or density, not data management, and has Infiniband, so it can be used for HPC storage."

Besides array hardware upgrades, NetApp also announced a raft of enhancements to the software ecosystem surrounding it. These included Kubernetes data protection in Trident that includes snapshots, backup and restore, disaster recovery, and workload migration, available on-premise and in the cloud.

Trident's data protection features are now also available where it works with Red Hat's OpenShift environment, where there are also new collaborations between NetApp and Cisco in FlexPod converged offerings for OpenShift configurations aimed at virtualisation and artificial intelligence.
-
WWW.COMPUTERWEEKLY.COMIAM: Enterprises face a long, hard road to improveIdentity and access management (IAM) is a difficult and enduring challenge for enterprises. Organisations need to balance securing and managing identities effectively with ease of use for employees, customers and suppliers. Put in too many layers of identity and access control, and the result is friction: processes that make it harder for employees to do their jobs.Many organisations start their identity journey with a combination of only short-term objectives, poor identity data, immature identity architecture and weak user verification, warns Scott Swalling, a cloud and data security expert at PA Consulting.A poor IAM approach, at best, can make it cumbersome and frustrating for your users and administrative staff. Onerous processes that dont take full advantage of IAM capabilities will breed users finding ways around them as they always have leading to security issues and potentially breaches.Even with the expansion of measures such as multifactor authentication (MFA) and biometrics, access remains a weak spot in enterprise security, as well as data compliance and privacy. IAM has become even more critical as enterprises move away from a fixed perimeter to flexible working, the cloud and web applications.The scale of the problem is very real. According to Verizons 2024 Data breach investigations report, stolen credentials were used in 77% of attacks against basic web applications. Googles 2023 Threat horizons report found that 86% of breaches involve stolen credentials.We need to transition to an identity-first security culture, warns Akif Khan, a vice-president analyst at Gartner who focuses on IAM. If you dont identify your users, its hard to have any type of security. If you dont know who is accessing your systems, how do you know if they should be accessing them, or not?IAM, Khan suggests, is replacing the old idea of organisations having a secure perimeter. 
The risks of relying on perimeter security alone are clear.In June this year, data breaches at Ticketmaster and Santander were traced back to unsecured Snowflake cloud accounts.Securing privileged accounts goes hand in hand with strong identity management and initiatives such as zero trust. But as zero trust requires significant, long-term investment, CIOs and CISOs should also be looking to improve existing security for credentials and move to risk-based approaches for identity.This is prompting organisations to move towards policy-based access controls and risk-adaptive access controls. These systems allow firms to enforce multifactor authentication if an action appears high risk, or block it altogether. But this depends on a clear IAM strategy throughout the organisation.Get the basics right to ensure you have clear visibility and control of who has access to your resources, recommends PAs Swalling. Ensure identity data is good. Coupling this with robust privilege access management, utilising automation and machine learning where possible, will streamline and enhance administrative tasks and reduce user frustration.Frustrated users make for ready victims, agrees Mustafa Mustafa, EMEA solutions manager for identity at Cisco, with a very real risk of MFA flood attacks.Cisco is a proponent of the zero-trust security model, but Mustafa admits few organisations have fully achieved it.In fact, Cisco research found that 86% of enterprises have started on zero trust, but just 2% say they have reached maturity. Barriers include complexity and an inconsistent user experience.The principle is trust no one, verify everyone, says Mustafa. The only way to implement a zero-trust policy is continuous verification of all users, devices and applications at all times and locations within or outside a given network. This includes deploying multifactor authentication, least privilege access and micro-segmentation.Zero trust is worth the effort, he argues. 
It improves security, compliance and risk management, but also simplifies operations once it is properly implemented and potentially allows organisations to reduce administration overheads, costs, and delays and frustrations for users. It also makes hybrid and remote working easier to manage.Meanwhile, enterprises need to continue to invest in MFA, identity governance and administration, privileged access management, and single sign-on, to list just a few. This can force CIOs to operate in two lanes one for improving security around identity and access now, and a separate, longer-term objective of moving to zero trust.In time, this will include making more use of artificial intelligence (AI) to spot unusual user behaviour or actions that could be evidence of a breach, and a move towards IAM based on risk, rather than just identity. This is sometimes also called adaptive authentication.By integrating real-time risk assessments, organisations can grant access based on context rather than identity alone, says John Paul Cunningham, CISO at Silverfort, an identity protection provider. This shift would reduce the operational overhead and data burden of managing authentication and authorisation. Ultimately, adopting this model would enable businesses to strengthen security, improve user experiences and lower the cost of maintaining identity security, he says.In practice, organisations are likely to rely on layers of security for layers of access, at least for now.The more forward-thinking organisations are prioritising identity. But the challenge still exists of stitching together disparate systems, says Cunningham. Looking at the future you can build new platforms, but people still have a lot of legacy architecture.However, enterprises still need to verify the identity of a user whether an employee, supplier, or customer in the first place. 
Here, the move towards global identity wallets (GIWs), usually part of a government-backed scheme, can help.

Most often associated with digital government initiatives, GIWs might not be the most suitable tool for day-to-day access management, but they could play a role in onboarding staff or customers, and potentially cut fraud and credential theft. Already, there is some convergence between GIWs and IAM, with Microsoft's Entra Verified ID integrated into the company's Authenticator app, for example.

According to Gartner, more than 500 million people worldwide will use phone-based digital identity wallets by 2026. This represents significant growth, and should ease a number of issues around identity verification, especially for government services.

"In principle, you could have an identity wallet on your phone, and it's not hugely different from an authenticator app. That could be used," says Khan. "It's not a Microsoft ID, but an ID in a Microsoft app."

Open standards around digital ID and interoperability between platforms are likely to drive adoption among government agencies and, in turn, take-up by citizens. Global identity wallet technology, for all its advantages, is likely to be too expensive for enterprises to set up on their own. And part of their advantage lies in scale, and in the trust that comes with government-issued ID.

"The market is moving towards portable digital identity, so users won't have to verify their identities again and again, but instead have an ID wallet on a mobile device which verifies that ID," says Khan.

Businesses that currently pay for third-party identity verification services could even save money through a GIW. "How the commercials stack up will be key to this," he says. Organisations also need to accept the identity asset in the wallet, which is again why government backing, and open standards and interoperability, are so important.
And using GIWs could give advantages in areas as diverse as recruitment or providing services to new customers.

"From a technical point of view, it makes perfect sense if there is a route to onboard someone more quickly," says Khan. "In a competitive market, organisations will look to explore that."

Even so, GIWs look set to be part of the IAM landscape, rather than a replacement for internal identity and authentication systems. "You have an ID, and that ID has attributes such as 'I'm an employee of Gartner'. Then you have your attributes for access rights, which is layers upon layers of information," says Khan. "That might not all be in the wallet." Firms will still need to check details against their own identity infrastructure.

The prospects for enterprise use of identity wallets, and much of the future development of IAM, will depend on the type of information, and the levels of access, organisations need to secure.

"Digital wallets can play a significant role in day-to-day authentication, extending beyond one-off events like onboarding or identity verification," says Silverfort's Cunningham.
"By embracing digital wallets as a daily authentication tool, organisations can strengthen their security posture while enhancing user convenience and productivity."

He expects to see take-up in healthcare, government, access to benefits and border control, at least initially.

But digital wallets could also strengthen MFA and give hard-pressed data security teams some breathing space as they look at longer-term options, including zero trust.

"Digital wallets serve as an additional factor in MFA, a unique identifier similar to certificate-based tokens, and a secure storage solution for sensitive data like passwords and cryptographic keys," says Cunningham. Used well, they could improve security and ease of use while also reducing support costs for enterprises.
-
NetApp boosts AFF, StorageGrid and E-series hardware with 60TB drives

NetApp has upgraded its AFF A- and C-series flash storage arrays while also boosting capacity and performance in StorageGrid object storage and E-series storage area networks (SANs), mostly as a result of new 60TB arrays plus central processing unit (CPU) and backplane enhancements.

AFF A- and C-series - performance and capacity-oriented respectively - get new-generation CPUs, reworked peripheral component interconnect express (PCIe) connectivity, and are now fully modular to allow component upgrades in place while the chassis remains. With 60TB drives, capacity is now boosted also.

Storage is via the Ontap operating system and can be file, block or object. While that is the case, NetApp also has its ASA block storage array, which it upgraded in September. Dedicated object storage capacity comes in its StorageGrid line, of which more below. AFF arrays come with full cloud connectivity for backup, tiering and migration.

The arrays in the performance-oriented A-series are the A20, A30 and A50. NetApp claims they are now 41%, 96% and 153% quicker than their predecessor products, A150, A250 and A400.

These new arrays replace existing ones at the lower end of the AFF range. They complement the A70, A90 and A1K at the high end that go to nearly 4PB raw and more than 15PB useable in the A1K, with nearly 200PB possible in a cluster configuration.

In the QLC flash-equipped C-series, the new arrays are the C30, C60 and C80. Maximum capacity in the largest of these is nearly doubled over its predecessor, the C800 - from 7.4PB to 14.7PB - while at the other end, the new C30 goes to 2.2PB compared with the older C250, which went to 1.5PB.

Possible capacities in the C-series can go to just over 700PB in a cluster of C80 arrays.

Grant Caley, UK and Ireland solutions director at NetApp, said: "Since the advent of flash storage, the bottleneck of disk performance is no longer the factor for platform refreshes. Now it is about controller performance to that storage. So, capacities aren't changing significantly, but controller performance is."

Also, NetApp's StorageGrid object storage arrays - the offspring of E-series hardware and Bycast object storage software - get an upgrade centred on 60TB arrays, with more than 2PB possible in 3U in its SGF6112 product. An upgrade to StorageGrid software also allows for workloads in a cluster to be segregated into nodes for data only and metadata, plus 5,000 buckets per tenant possible.

While object storage is possible in NetApp's Ontap-equipped hardware, StorageGrid targets dedicated object storage use cases.

"Dynamic policy management allows the customer to decide on security, lifecycle, etc, in a much larger platform than object in Ontap, which is aimed at transient storage of object data or where it is managed by an application, such as backup," said Caley.

Meanwhile, the company's E-series SAN arrays - the only ones in the product line that don't use the Ontap OS - also get 60TB drives and a CPU refresh, to provide two new platforms. These are the E4012 and E4060, which go to 264TB and 1.3PB raw capacity respectively. Those go to 2.1PB and 6.6PB raw with expansion shelves.

E-series hardware is SAN-only, and aimed at customers that want affordable, basic storage capacity.
Caley said the E-series target is simple SAN.

"It has snapshots and replication but is aimed at video surveillance, backup, archive storage," he said. "It is for extreme performance or density, not data management, and has Infiniband, so it can be used for HPC storage."

Besides array hardware upgrades, NetApp also announced a raft of enhancements to the software ecosystem surrounding it. These included Kubernetes data protection in Trident that includes snapshots, backup and restore, disaster recovery, and workload migration, available on-premise and in the cloud.

Trident's data protection features are now also available where it works with Red Hat's OpenShift environment, where there are also new collaborations between NetApp and Cisco in FlexPod converged offerings for OpenShift configurations aimed at virtualisation and artificial intelligence.
-
Loan charge under review: Second inquiry into controversial contractor tax policy announced

The UK government has committed to resolving the fallout from a controversial, retroactive UK tax policy that has left thousands of IT contractors living under the shadow of life-changing tax bills since it came into force in April 2019.

In its recently announced Autumn Budget 2024, the government confirmed the policy (known as the Loan Charge) will be subject to an independent review to help bring the matter to a close for those affected, whilst ensuring fairness for all taxpayers.

The government's wording here is interesting, because it neatly highlights the conflict and controversy at the centre of this policy, which has plunged contractors into financial ruin and been linked to at least 10 suicides.

The policy was created to claw back money HM Revenue & Customs (HMRC) claims it is owed by thousands of contractors who joined loan-based remuneration schemes between December 2010 and April 2019.

Participants in these schemes are typically paid in part for the work they do in the form of non-taxable loans. This means they pay no tax on this loan-based income, allowing participants to bolster their take-home pay.

Given HMRC's role as the UK government's tax collection agency, it's not difficult to see why it sought to clamp down on people using loan-based remuneration schemes to artificially minimise the amount of income tax they pay.

However, the policy's critics claim it fails to take into account that when these schemes were first set up, many were erroneously marketed as being an HMRC-compliant means for contractors to bolster their take-home pay, with individuals often advised to join such schemes by respected tax advisers.

It's further claimed contractors were also reportedly told they would be unable to work for certain end-hirers unless they agreed to be paid in loans.
For this reason, the contractors now being pursued by HMRC for backdated income tax payments claim they are victims of mis-selling, and facing financial ruin for agreeing to be part of an arrangement that trusted sources assured them was safe and compliant to participate in.

The situation has prompted calls from a 200-strong group of cross-party MPs for HMRC to stop doggedly pursuing the individuals involved, and instead direct its enforcement efforts towards the employers, agencies and scheme promoters who advised people these setups were safe to use.

Given the amount of time that has passed since contractors took part in these schemes and HMRC began its Loan Charge enforcement action, tracking these parties down could prove difficult, as many of these firms and individuals have since disappeared from the market.

Since the policy's introduction, there has been talk of legal challenges being mounted to overturn the policy, and campaigns calling for the government to write off some of the tax amounts that are owed by contractors.

As confirmed by the government in its statement about its plans to place the policy under independent review, the Loan Charge legislation remains in force, and any repayment settlement plans contractors have in place with HMRC must be honoured until the outcome of the review is known. "HMRC will consider what updates need to be made to relevant guidance once the government announces further details about the review and once the review has concluded," the government said, in its statement.

At the time of writing, no further details have been forthcoming from the government about what shape this independent review will take, or who will be tasked with overseeing it.

Computer Weekly contacted HMRC for further details, but was told HM Treasury would be fielding questions on the Loan Charge review.
At the time of writing, though, no response to Computer Weekly's questions had been received.

This will be the second independent review the policy has been the subject of, with the first appearing in December 2019, after months of delays.

Dave Chaplin, CEO of contracting authority ContractorCalculator, said a new review into the inner workings of the Loan Charge is most welcome.

"The human cost of this heavy-handed and poorly implemented policy cannot be overstated," he said. "HMRC must be held accountable for this punitive, retrospective tax, which has had devastating consequences, with some affected individuals tragically taking their own lives due to the immense pressure."

The first Loan Charge review was overseen by ex-National Audit Office (NAO) chief Amyas Morse, and was focused on ascertaining if the policy was the most appropriate way to tackle disguised remuneration.

In the immediate aftermath of its publication in December 2019, the government announced a couple of amendments to the loan charge policy, including one that pledged to write off the tax bills of 11,000 people previously caught in its scope.

It achieved this by cutting 11 years off the original 20-year period the policy covered, and by cancelling the Loan Charge for any individuals who previously disclosed to HMRC that they participated in a scheme on their tax returns if the agency failed to act on this information.

The review also prompted the government to revise the policy's repayment terms by making it possible for those in-scope to pay back what they owe over several tax years instead of one.

While these amendments were initially welcomed by contracting market stakeholders, once the dust settled on the December 2019 review, misgivings about its contents began to surface, with tax advisers and contractors claiming the proposed changes did not go far enough.

Some six months after the review dropped, in June 2020, a cross-party group of MPs operating as the Loan Charge All-Party Parliamentary Group
(APPG) claimed its contents had been subject to outside interference by HMRC and the Treasury, which the latter denied in a statement to Computer Weekly at the time.

Meanwhile, campaigners from the Loan Charge Action Group (LCAG) have been calling for all retrospective elements of the policy to be removed for years, and in a statement, its spokesperson, Steve Packham, said this second review into the policy must be genuinely independent and take a much broader look at how the fallout from the Loan Charge came to be.

On this point, Packham said LCAG is keen for the review to touch on how the IR35 off-payroll rules fuelled the emergence of loan-based remuneration schemes at the turn of the century, and also HMRC's treatment of contractors caught up in the Loan Charge.

"It is hugely positive that the Chancellor, Rachel Reeves, has made good on her promise to commission a fresh, independent review of the Loan Charge," he said.
"We thank her and James Murray for this and for actually listening to those whose lives have and are being ruined by the Loan Charge scandal."

"This fresh review must be genuinely independent and this time must look at the whole issue, the role of IR35 legislation, the entire contractor supply chain and the misconduct and failures of HMRC," said Packham.

"There must now be a pause in related HMRC activity, to allow for the review to be established and to then properly examine the whole scandal, leading to a fair and final resolution for the thousands of families affected."

Computer Weekly asked HM Treasury if there were any plans to pause HMRC's Loan Charge enforcement activity as the finer details of the review are worked out, but no response was received at the time of publication.

For now, it remains to be seen what form this review will take, but it's safe to assume the tens of thousands of people living under the long shadow of the Loan Charge will be watching and waiting with interest.
-
Storage explained: Consumption models of storage procurement

Storage has long been the monolith of datacentre components. Deployed in forklift upgrades on multi-year refresh cycles, shiny new arrays have not taken long to lose their sheen and become complex to manage and laggardly in performance.

Meanwhile, the cloud has emerged and made pay-as-you-go a norm that perpetually retains the sheen of newness for the customer. It brings flexibility in use, deployment, upgrades, scalability, speed of development and roll-out, and with the promise of better cost efficiency.

And so storage suppliers have adapted. Procurement options now range from full ownership with lifetime upgrades to pay-as-you-go with storage capacity and performance upgrades triggered via AIOps monitoring.

In this article, we look at consumption models of storage, the pros and cons and what's available from vendors.

The traditional storage refresh cycle takes place every three years and entails the entire replacement of all storage infrastructure by new hardware. It is a capital purchase in which ownership is transferred entirely to the customer, with licensing and support contracted from the supplier from then on.

There are some benefits to the traditional storage refresh cycle. These include that the customer gets a brand new set of hardware, with adequate capacity and sufficient storage controller power, plus confidence in the security and software update status of the equipment. Customers will likely see a huge improvement in performance following a refresh.

Often, new equipment will be more energy efficient and need way less maintenance, both of which cut costs. Scalability will be enhanced and new systems are more likely to provide better flexibility and integration with newer components of the wider infrastructure.
Here, think cloud connectivity or containers, for example.

Most things that are benefits in traditional procurement cycles can also become downsides.

While equipment may arrive shiny, new and work well, with huge amounts of capacity to move into, performance will likely degrade over time.

With storage, increases in the volume of data held can affect performance and reliability. Technologies move on, and what was good two years ago might be in sore need of an upgrade now, and old hardware might just not scale easily after a certain point in its lifespan.

There are also limits to improvements that can come via software patching. The concatenation of updates over time can result in a complex build-up of infrastructure patches.

Older hardware will tend to suffer performance degradation and likely more outages. Meanwhile, outdated hardware will struggle to meet the needs of newer software and applications.

And then, when the time comes to upgrade infrastructure, there is likely to be huge disruption as installation, migration and go-lives take place.

Buying storage hardware outright entails a transfer of risk from the vendor to the customer. The customer may pay for maintenance going forward, but ultimately it's the customer's business that suffers if outages occur and/or the infrastructure falls short of what's required.

Capital expenditure (capex) is money spent to buy or upgrade physical, non-consumable assets. It's a one-time investment with ownership transferred to the buyer. Capex can't usually be deducted from taxes, but fixed assets can be depreciated over time to spread out expense over the lifetime of the asset.

Operational expenditure (opex) is money spent on day-to-day running costs that can be one-time or recurring.
In storage and IT, the obvious example is payment for cloud services.

Opex is listed in financial statements and can be deducted for the year in which it occurs, and it is listed on the company's balance sheet.

Opex is included in calculations of operating income, which is then used to calculate net income, or the bottom line.

Notably, some organisations - in the UK public sector, for example - have mostly paid for infrastructure via capex purchases, but that is changing.

Why is all this relevant to storage purchasing? The emergence of the cloud and models of operating and purchasing that have arisen from it have brought opex as a commonly used method of expenditure for storage and IT.

The cloud operating model arose with the consumption methods of purchasing prevalent in the cloud. Instead of owning infrastructure in the cloud, customers consume it.

The cloud operating model has a number of benefits for hardware procurement, including storage.

Key among these are that the organisation is not locked into the three-year refresh cycle, and can avoid all the downsides that come with it.

Storage hardware can be paid for on an as-you-go basis. That means the vendor makes sure equipment is updated, capacity is increased to meet current and future needs and breakdowns are attended to.

That also means no disruptive forklift upgrades every three years, and no necessity to suffer increasing levels of infrastructure inefficiency as it ages.
Equipment can be updated on an ongoing basis, with the latest hardware and required capacity always on tap.

Often that's taken care of via remote monitoring in which some vendors allow for cloud-like purchasing of increased capacity and performance, while also monitoring for technical issues in the infrastructure stack.

Costs can come down or can be matched more effectively to ongoing needs as organisations pay for storage on a pay-as-you-go basis.

All that can also mean fewer on-premise employees for support and maintenance while existing employees are freed to focus on more strategic projects.

While capex procurement entails a transfer of risk to the purchasing organisation, consumption (opex) procurement brings different concerns and risks.

This can include some loss of control.

Where outright ownership can bring a feeling of control and security to the organisation, handing over ongoing maintenance and upgrades to a third party may entail the opposite.

It's potentially a double-edged sword, because to hand over responsibility is exactly what the customer wants from as-a-service purchasing. If all goes well, that's a benefit.

But when things go wrong in the traditional model, everything remains in the customer's hands.
That might not be the case where a vendor monitors and controls on-premise infrastructure.

In particular, there may be security and compliance needs that a cloud service provider cannot adequately meet, which can mean as-a-service procurement just doesn't fit some organisations.

Some kind of relationship management with the vendor is absolutely essential for any customer in a cloud operating model so that supply of services and their performance can be monitored and managed.

Finally, it can be argued that paying for storage infrastructure as a service brings supplier lock-in.

Storage vendors offer consumption purchasing that ranges from pure opex as-a-service models to fully owned capex spend, but with contracted hardware upgrades.

In as-a-service models, customers usually commit to base levels of usage with upgrades to storage and controller hardware delivered as required.

At the capex end of the spectrum, customers can purchase storage hardware while still benefiting from upgrades to storage hardware, with monitoring and predictive analytics.

Dell Apex Flex on Demand

Dell's consumption model for hardware is Apex Flex on Demand. This allows customers to select from block, file and object storage hardware, plus data protection appliances.

Dell and its customers work out a committed capacity and buffer capacity that is likely to be required in the future. Raw and usable capacity data is measured at component level using automated tools installed with the hardware.

Customers commit to a usage term, after which they can go month-to-month, extend the subscription or return and refresh hardware. Also, customers can view and approve pre-invoice reports of metered infrastructure usage and costs via the APEX Console.

Storage available via Flex includes PowerStore, PowerMax, PowerFlex, PowerScale and ECS.
PowerProtect DD and PowerProtect DP data protection appliances are also available, as are PowerEdge servers and HCI solutions.

HPE GreenLake

HPE GreenLake delivers preconfigured hardware and software and manages the system during its lifecycle, with payment via a monthly subscription fee.

Storage offered includes block, file and object, including HPE Primera high-end flash, HPE Nimble all-flash and hybrid-flash, Simplivity hyper-converged, Qumulo hybrid cloud scale-out storage, and StoreOnce data protection appliances.

Storage from GreenLake consumption comes alongside the whole of HPE's datacentre offer. So, GreenLake comes with the full range of the HPE offer behind it, from composable infrastructure such as HPE Synergy, third-party software and services and professional and operational services from HPE Pointnext.

Hitachi Vantara

Hitachi Vantara's Flex plans offer storage hardware via purchase or lease, as well as consumption models. The latter is EverFlex and is its storage as-a-service offer, which varies depending on whether infrastructure is managed and monitored by the customer or Hitachi. Both of these are pay-per-use, cloud-like models.

IBM

IBM offers storage as a service and Storage Utility consumption purchasing.

Storage as a Service can work across on-premise datacentre and hybrid cloud and is based on IBM FlashSystem and DS8900F hardware. It comes with a base level to meet current needs plus 50% on top of that pre-installed. Base and expansion capacity are charged at the same rate.

Storage Utility is a pay-per-use model that delivers 200% over base needs capacity on day one, with datacentre upheaval avoided by over-provisioning and use of IBM Storage Insights to monitor capacity needs.

Customers pay only for what they use and if their data needs shrink during any month the bill will reflect capacity usage, with a minimum base.
The purported benefit of over-provisioning means additional capacity is readily available, at least within the contract period.

NetApp Keystone

NetApp Keystone offers hardware in various non-capex formats that include on-premise and cloud capacity.

Keystone payment options range from pay outright for the hardware (Flex Pay), through Flex Subscription pay-as-you-go, to Flex Utility, which aligns costs to usage.

A range of service levels is available and billing is for predicted committed capacity, plus pay-per-use for burst capacity and support for file, block, object and cloud storage services.

NetApp's Active IQ dashboard allows customers to monitor and manage storage usage, provision storage and data protection policies, review usage and billing, and to request capacity and services.

NetApp's BlueXP provides a single control plane in which all NetApp storage is visible, on-site and in public clouds.

Pure Storage

Pure Storage's as-a-service-like offerings come under the Evergreen brand.

Evergreen//Forever offers customers outright purchase, but with lifetime upgrades.

Evergreen//Flex allows hardware to be purchased but capacity bought on a pay-as-you-go basis. Capacity can be delivered on any Pure hardware that can host it. So, in theory, Flex allows customers to use capacity in any of their arrays.

Evergreen//One unifies on-premise and public-cloud storage resources in a single subscription to provide block, file and object storage. Customers pay only for what they use.

Pure1 management tools allow management across datacentre and cloud from a single dashboard. This includes monitoring and provisioning, as well as the ability to manage capacity and performance upgrades from Pure.
-
What are the security risks of bring your own AI?

Since the launch of ChatGPT by OpenAI in November 2022, interest in generative artificial intelligence (GenAI) tools has increased dramatically. Its ability to generate a response based on a question or request has seen it used for a variety of purposes, from writing emails to underpinning chatbots.

The recent Work trend index report by Microsoft, based on a survey of more than 31,000 professional employees, shows that 75% of knowledge workers are now using some form of GenAI in their jobs, and nearly half of those surveyed started using it within the past six months. However, nearly 80% of those using GenAI are bringing their own AI to work, and the percentage increases slightly when focusing on small businesses. It is worth noting that this adoption is not just by younger users, who are typically more likely to embrace new technology, but by users of all ages.

As more information is generated and needs to be processed, we increasingly struggle with what is known as digital debt. An example of this is email overload. The Microsoft report notes that approximately 85% of emails are read in less than 15 seconds - this shows why people are keen to move towards tools that help streamline the mundane tasks in their working lives.

"There is this digital debt that has built up over decades, but it has been accelerated during the pandemic," says Nick Hedderman, senior director of the modern work business group for Microsoft. "68% of the people we spoke to said they're struggling with the volume and pace of work. Nearly 50% said they feel burnt out."

The generative AI tools that are typically being used by professionals are those found on smartphones (such as Galaxy AI) or on the internet (such as ChatGPT). Unfortunately, because these tools are open source, they are outside of corporate oversight.
Furthermore, when an online tool is free, then the user is frequently the product as their information is usable by others.

"If it's free, you need to think about it in the same way as any social media site. What data is it being trained on? In essence, are you now the commodity?" says Sarah Armstrong-Smith, chief of security for Microsoft. "Whatever you put in, is that going into training models? How are you verifying that data is held securely and not being utilised for other purposes?"

More than anything else, the use of external generative tools is a data governance challenge, rather than a GenAI problem, as it relies on shadow IT - hardware or software used in an organisation that is not overseen by the IT department.

"You've always had sanctioned versus unsanctioned applications. You've always had challenges with data sharing across the cloud platforms," says Armstrong-Smith. "If it's that easy to cut and paste something out of any corporate system and put it into a cloud application, irrespective if it's a generative AI app or any other app, you have a problem with data governance and data leakage. The fundamental issues of data control, data governance and all of those things don't go away. In fact, what it's highlighted is the lack of governance and control."

The data governance problem of using external generative AI tools is twofold.

First, there is data leakage, where users are copying potentially confidential information and pasting it into an online tool that they have no control over. This data could be accessed by others and used in the training of AI tools.

There is also leakage into an organisation, if unverified and uncorroborated information is added to an organisation's knowledge base. Users are all too often assuming that the information provided by an external GenAI tool is correct and appropriate; they are not corroborating the data to ensure it is factually accurate, which they would be more likely to do when searching for information on the internet.

"The danger is, if you take a random dataset that you have not verified and don't know what it's trained on, and then bring that dataset into a corporate environment or vice versa, you can even poison the actual model or the algorithm because you're introducing non-verified data into the corporate dataset," says Armstrong-Smith.

This latter is the more serious problem, as potentially incorrect or misleading data is incorporated into a knowledge base and used to inform decision-making processes. It could also poison datasets that are used to train in-house AI, thereby causing the AI to give misleading or incorrect information.

We have already seen instances of improperly used GenAI tools leading to poor results. Generative AI is being trialled within the legal profession as a possible tool to assist in writing legal documents. In one instance, a lawyer used ChatGPT to prepare a filing, but the generative AI hallucinated fake cases, which were presented to the court.

"In a corporate environment, you have to be mindful of the fact that it is business data," says Armstrong-Smith. "It is a business context, so what tools do you have available today that are going to have all the governance in place? It's going to have security; it's going to have resilience. It's going to have all of those things built in by design."

If a significant proportion of employees are routinely relying on external applications, then there is demonstrably a need for that digital tool. To ascertain the most appropriate generative AI solution, it is best to identify the use cases. That way, the most appropriate tool can be deployed to meet the needs of employees and to seamlessly fit into their existing workflow.

The key advantage of using a corporate generative AI tool rather than an open platform, such as ChatGPT, is that data management is maintained throughout the development process. As the tool is kept within the network boundaries, corporate data can be protected. This mitigates possible leakages from using external tools.

The protection offered by using a corporate AI tool is that the back-end system is protected by the AI provider. However, it is worth noting that protection for the front end, as in the use cases and deployment models, remains the responsibility of the user organisation. It is here that data governance remains key and should be considered an essential element of any development process when deploying generative AI tools.

"We've always referred to it as a shared responsibility model," says Armstrong-Smith. "The platform providers are responsible for the infrastructure and the platform, but what you do with it in terms of your data and your users is the responsibility of the customer. They have to have the right governance in place. A lot of these controls are already built-in by default; they just have to take advantage of them."

Once generative AI tools are available in-house, employees need to be aware of their presence for them to be used. Encouraging their adoption can be challenging if employees have developed a way of working that relies on using external GenAI platforms.

As such, an awareness programme promoting the generative AI tool would educate users on the tool's accessibility and functionality.
Internet moderation systems could also redirect users from external platforms to the in-house GenAI tool.

Generative AI is here to stay, and while expectations may have peaked, its uses are likely to grow and become ubiquitous.

"I think for a lot of companies, and where you will certainly see Microsoft focusing, is on this concept of agentic generative AI," says Henderson. "This is where you take a business process and figure out how an agent might serve an organisation internally." An agent could operate within an organisation's network and carry out specific functions, such as scheduling meetings or sending invoices.

Although generative AI is a new technology, which could mitigate mundane and time-consuming tasks, data protection continues to remain a key concern. It is therefore incumbent upon organisations to make employees aware of the risks posed by using external tools and to have the appropriate generative AI tools within their own network to protect the sanctity of their data.

"As we know with technology, as it gets more commoditised, the price is going to come down, which means AI is going to be more mainstream across the board and you've got more choice about what model to use," concludes Armstrong-Smith.

Read more about generative AI risk

As its adoption grows, GenAI is upending business models and forcing ethical issues like customer privacy, brand integrity and worker displacement to the forefront.

At the MIT Sloan CIO Symposium, enterprise leaders grappled with AI's benefits and risks, emphasising the need for cross-team collaboration, security controls and responsible AI.

With great power comes, in the case of GenAI, great security and compliance risks. Learn how an AI acceptable use policy can help ensure safe use of the technology.
-
WWW.COMPUTERWEEKLY.COM
Beyond VPNs: The future of secure remote connectivity

As more companies adopt cloud services and remote work, the limitations of virtual private networks (VPNs) are becoming obvious. VPNs were designed to secure a fixed network perimeter, but they don't work well with decentralised, cloud-based infrastructures.

Today's complex IT environments need solutions that offer more than just encrypted traffic. Data shows that almost 70% of VPN providers fail to meaningfully comply with privacy regulations. In this current environment, other remote access alternatives are both more secure and come with fewer privacy-related inconveniences.

VPNs have been crucial for secure remote access but were designed for a time when employees worked in fixed locations, which isn't the case today. As more people work remotely and use cloud applications, VPNs have struggled to keep up.

One of the biggest issues is scalability. When too many employees and devices connect through a VPN, performance drops. This leads to slower speeds, higher latency and a frustrating user experience. VPNs also rely on a perimeter-based security model, assuming that everything inside the network is trusted. This leaves organisations exposed to threats that come from within the network.

Another problem is the lack of control. VPNs lack detailed, dynamic security policies. Once users connect, they can access more resources than they may need, which becomes a security risk if their credentials are stolen. This means that additional identity theft protection measures may be required, depending on the importance of the data involved.

VPNs also aren't built for cloud environments, where resources are distributed across different services, making them harder to secure.

Software-defined perimeter (SDP) is a modern security framework designed to provide secure remote access by hiding network resources from unauthorised users.
Unlike traditional security models that rely on a fixed perimeter (such as firewalls), SDP takes a zero-trust approach, where no one is trusted by default, regardless of their location.

SDP works by dynamically creating secure, encrypted connections between users and the specific resources they need. It first verifies the user's identity, device and context before granting access, and only allows connection to the resources that user is authorised for.

This approach reduces the attack surface because unauthorised users can't even detect the existence of resources they don't have access to.

Another key benefit of SDP is its flexibility. It's cloud-native, meaning it can secure connections across on-premise and cloud environments seamlessly. This makes it ideal for remote work, BYOD policies and hybrid infrastructures where traditional VPNs fall short.

Additionally, SDP minimises the risks of lateral movement within a network. Thanks to the zero-trust model, if an attacker gains access to one part of the network, they can't move freely to other areas. SDP also integrates well with multi-factor authentication (MFA) and other identity verification tools to enhance security further.

Secure access service edge (SASE) is a cloud-based architecture that combines network and security functions into a single, integrated service. Unlike traditional setups where security tools and networking are separate, SASE merges them, providing security and networking through the cloud. This approach is designed to support today's distributed workforces and cloud-based applications.

SASE offers important security features such as firewall-as-a-service (FWaaS), secure web gateways (SWG), cloud access security brokers (CASB), and zero-trust network access (ZTNA). These features work together to give users secure access to the resources they need from any location, without relying on traditional on-premise security systems.

A key strength of SASE is its scalability.
It easily adapts to different environments, such as hybrid, multicloud and remote work setups. Since it operates in the cloud, SASE reduces the need for complex on-site infrastructure, saving costs and simplifying management.

SASE excels in performance as well. Instead of routing traffic through a centralised datacentre, which can cause delays and higher latency, SASE sends traffic through the nearest cloud service point. This results in faster data transmission and a smoother user experience. Studies have shown that SASE significantly reduces latency compared with traditional VPN setups, boosting productivity for remote teams worldwide.

SASE enhances performance further by minimising latency. Rather than sending traffic through a central location, SASE directs it through the nearest cloud service, optimising speed and efficiency.

Choosing between VPNs, SDP and SASE depends on the specific needs of your organisation and how you manage remote access.

VPNs can still be a good option for smaller organisations with limited remote access needs or for individuals to use to secure their digital footprints. They are simple to set up and cost-effective for securing smaller, less complex networks.

However, as larger organisations increasingly leverage AI for automating processes like customer service, data analysis or sales, the security risks grow in complexity. VPNs, which rely on traditional perimeter-based security models, are often not equipped to handle the advanced threats that emerge with AI integration.

AI-driven systems handle sensitive data and are prone to new forms of attacks, such as AI-targeted malware or data breaches. Even efficient use of AI for sales might create problems for remote companies.
Is the boost in productivity worth the higher risk?

This raises the stakes for companies, making advanced security solutions such as SDP and SASE more attractive.

SDP uses a zero-trust model that verifies every user and device before giving access, which is critical for protecting AI systems and sensitive data. On the other hand, SASE combines networking and security into one cloud-based service. It works well for large teams, multiple offices and cloud-heavy businesses.

The choice depends on your organisation's size, network complexity and security needs. If your company is facing any of the following situations, it may be time to make the switch:

Increased reliance on remote work or hybrid teams

If a significant portion of your workforce is working remotely, VPNs may not scale efficiently. When too many users connect, VPNs often create latency and performance bottlenecks, leading to productivity loss.

Additionally, traditional VPNs aren't built to secure cloud resources, making remote access to cloud applications vulnerable.

Need for better security

VPNs operate on a perimeter-based model, which assumes that anyone inside the network is trusted. This can be risky as it opens up the network to potential lateral movement if one segment is compromised.

SDP's zero-trust approach verifies every user and device before granting access, ensuring tighter security controls, especially for organisations handling sensitive data or complying with regulatory standards such as GDPR, HIPAA, or PCI-DSS.

Challenges with managing complex or distributed environments

If your organisation is spread across multiple locations or heavily dependent on cloud applications, managing a traditional VPN setup can become cumbersome.

SASE offers an integrated solution that combines networking and security in a single cloud-based platform.
This reduces the need for separate, on-premise security tools, simplifies management, reduces operational costs and ensures better performance through local cloud gateways.

Performance issues due to network complexity

VPNs often route traffic through a central location, which can lead to delays and higher latency, especially for global teams. SASE optimises performance by routing traffic through the nearest cloud service, reducing latency and improving the user experience.

If your users are experiencing significant delays with VPNs, moving to SASE can alleviate those issues.

Organisations are changing how they manage secure remote access due to the need for stronger, more adaptable solutions. Traditional perimeter-based security no longer fits today's decentralised, cloud-based environments.

As remote work grows and cyber threats become more advanced, the need for better security is clear. Solutions such as SDP and SASE offer the flexibility, scalability and security that older technologies lack.

Companies that adopt these modern solutions are better equipped to protect their networks and data while allowing secure access from anywhere.

Read more about network security

VPN use continues despite its outdated status in the networking industry. But usage has declined as enterprises make room for remote access alternatives, like ZTNA, SASE and more.

Managed services, secure remote access, AI applications and 5G wireless network connectivity are four important trends that should propel the SD-WAN market.

When it comes to adopting SASE or zero trust, it's not a question of either/or, but using SASE to establish and enable zero-trust network access.
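The article's contrast between perimeter VPN access and SDP's per-resource checks on identity, device and context can be made concrete with a small model. This is an added example, not code from Computer Weekly or any SDP product; the resource names, device ids, roles and the country rule are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: resource -> roles authorised to reach it.
RESOURCES = {
    "crm": {"sales"},
    "payroll-db": {"finance"},
    "build-server": {"engineering"},
    "wiki": {"sales", "finance", "engineering"},
}
# Constructed device registry: posture facts the controller knows per device.
DEVICES = {
    "laptop-114": {"managed": True, "disk_encrypted": True},
    "byod-phone-7": {"managed": False, "disk_encrypted": True},
}
ALLOWED_COUNTRIES = {"GB", "NL"}  # assumed context rule for this sketch


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_id: str
    country: str


def vpn_reachable(req: Request) -> set:
    """Perimeter model: once the login is accepted the client is 'inside',
    so every resource on the network is routable regardless of role."""
    return set(RESOURCES)


def sdp_decide(req: Request, resource: str) -> bool:
    """Default deny. Identity, device and context must all pass, and the
    role must be authorised for this one resource. An unknown resource and
    an unauthorised one give the same answer, so a denied caller learns
    nothing about what exists."""
    roles = RESOURCES.get(resource)
    device = DEVICES.get(req.device_id)
    return all((
        roles is not None and req.role in roles,
        req.mfa_passed,
        device is not None and device["managed"] and device["disk_encrypted"],
        req.country in ALLOWED_COUNTRIES,
    ))


def sdp_reachable(req: Request) -> set:
    """Resources a request can open under per-resource evaluation."""
    return {name for name in RESOURCES if sdp_decide(req, name)}


# Constructed requests: a sales user on a managed laptop, and the same
# user's password replayed from an unregistered device without MFA.
LEGIT = Request("alice", "sales", True, "laptop-114", "GB")
STOLEN = Request("alice", "sales", False, "unknown-host", "GB")

if __name__ == "__main__":
    for label, req in (("legitimate", LEGIT), ("stolen credential", STOLEN)):
        print(label, "| VPN:", sorted(vpn_reachable(req)),
              "| SDP:", sorted(sdp_reachable(req)))
```

Comparing the two reachable sets for the replayed credential gives a rough measure of how far a single stolen login can travel under each model.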
-
WWW.COMPUTERWEEKLY.COM
ESET shines light on cyber criminal RedLine empire

Cyber security analysts at ESET have released an in-depth look at the inner workings of the RedLine Stealer operation and its clone, known as Meta, in the wake of a Dutch-led operation that saw the cyber criminal empire laid low.

Operation Magnus saw the Dutch National Police force, working with European Union support and other agencies including the FBI and the UK's National Crime Agency (NCA), dismantle the infamous infostealer's infrastructure.

The action was the culmination of a lengthy investigation to which ESET, which initially notified the authorities in the Netherlands that some of the malware's infrastructure was being hosted in their jurisdiction, was a key contributor, taking part in a preliminary operation last year that targeted the gang's ability to use GitHub repositories as a dead-drop control mechanism.

In an extensive dossier, ESET said that having conducted an extensive analysis of the malware's source code and backend infrastructure in the run-up to Operation Magnus, it was now able to confirm with certainty that both RedLine and Meta did indeed share the same creator, and identified well over 1,000 unique IP addresses that had been used to control the operation.

"We were able to identify over 1,000 unique IP addresses used to host RedLine control panels," said ESET researcher Alexandre Côté Cyr.

"While there may be some overlap, this suggests on the order of 1,000 subscribers to the RedLine MaaS [malware as a service]," he added.

The 2023 versions of RedLine Stealer ESET investigated in detail used the Windows Communication Framework for communication between the components, while the latest version from 2024 uses a REST API.

The IP addresses found by ESET were dispersed globally, although mostly in Germany, the Netherlands and Russia, all accounting for about 20% of the total.
Approximately 10% were located in Finland and the US.

ESET's investigation also identified multiple distinct backend servers, with about 33% in Russia, and Czechia, the Netherlands and the UK all accounting for about 15%.

Ultimately, the goal of the RedLine and Meta operations was to harvest vast amounts of data from their victims, including information on cryptocurrency wallets, credit card details, saved credentials, and data from platforms including desktop VPNs, Discord, Telegram and Steam.

The operators' clients bought access to the product, described by ESET in corporate terms as a turnkey infostealer solution, through various online forums or Telegram channels. They could select either a monthly rolling subscription or a lifetime licence, and in exchange for their money received a control panel to generate malware samples and act as a personal command and control server.

"Using a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns," said Côté Cyr. "Some notable examples include posing as free downloads of ChatGPT in 2023 and masquerading as video game cheats in the first half of 2024."

At its peak, prior to the takedown, RedLine was probably the most widespread infostealer in operation, with a comparatively large number of affiliates.
However, said ESET, the MaaS enterprise was likely orchestrated by a very small number of people.

Crucially, the creator of the malwares, named as Maxim Rudometov, has been identified and charged in the US.

Read more about malware

BlackBerry's latest Global threat intelligence report details a surge in unique malware samples as threat actors ramp up the pace of targeted attacks.

Peach Sandstorm, an Iranian state threat actor, has developed a dangerous new malware strain that forms a key element of a rapidly evolving attack sequence.

US State Department puts a $2.5m bounty on the head of Angler exploit kit developer and ransomware crew member Volodymyr Kadariya as part of a major developing case.