Technology

You have reached the point where you have your prospect in front of you, and now it’s time to pitch your services. How do you maximize the chances of your prospect signing the dotted line? In this article, we’ll share how understanding your prospect’s motivations increases your chance of a conversion. The prospect was motivated […]

Source: Convert More Clients: What Motivates MSP Prospects - Technibble.com

Oracle has announced Oracle Code Assist, an AI-powered coding assistant that will provide developers with context-specific suggestions that can be tailored to an organization’s best practices and codebases.

Oracle did not provide an availability date for Oracle Code Assist, but said that developers at Oracle have been using the tool to build Oracle products and services. Oracle Code Assist can be used to write, upgrade, and refactor code written in most modern programming languages, the company said.

Powered by large language models (LLMs) running on Oracle Cloud Infrastructure (OCI), Oracle Code Assist is optimized for Java, SQL, and general application development on OCI. It also supports Ruby and C++ and is being tested for use with Python, the Terraform infrastructure-as-code language, and the Netsuite SuiteScript scripting language.

To read this article in full, please click here

Microsoft is reportedly working on a new large language model (LLM) to take on Google’s Gemini and OpenAI’s GPT-4.

Codenamed MAI-1, the new LLM is currently in the development phase and is being led by Mustafa Suleyman, co-founder of Google DeepMind and Inflection AI, The Information reported citing two sources.

To read this article in full, please click here

The generative AI party is still raging. This zeitgeist has rocked the business world daily in a million ways, and the ground is still shifting. Now, four months into 2024, we’re starting to see businesses, particularly those with rarified pragmatic brands, starting to demand evidence of value, of the path to the true ROI derived from AI. As pragmatic voices for value rise, how do thoughtful business leaders respond?

Alteryx studied exactly this question. What are the concrete pathways to AI value? We surveyed leading CIOs and board members and found a brightly lit approach to engineering emerging AI capabilities into business outcomes.

To read this article in full, please click here

Much of the angst about social media revolves around how they deal with your personal data. They sell your attention to advertisers. They sell your online activity, tendencies, and interests to people who want to sell you products. Personally, this doesn’t bother me, because I prefer ads for things I am interested in over ads for things I will never buy, but your mileage may vary. I get it.

I reserve my outrage for something that you may have have given little thought. What really gets me is that we do all the work, but they make all the money.

It is said of social media that if you aren’t paying for the product, then you are the product. As noted, they sell your information to advertisers. But of course, the advertising is only effective if you actually visit the social media site. 

To read this article in full, please click here

The recent discourse around the security of cloud computing in the banking sector, highlighted by Nicholas Fearn’s piece in the Financial Times, paints a somewhat grim picture of the cybersecurity landscape when it comes to banks moving to cloud computing. Not to pick on just this article, but I’ve seen this as a trend in the past few years, as the value of cloud computing has been called into question more and more. This is a change from just a few years ago when it was verboten to criticize “the cloud.” 

What happened between then and now? Enterprises saw the weaknesses of cloud computing platforms, such as costing too much and being difficult to leave. This made it okay to point out the issues with public cloud providers, and I’ve certainly done my share, even when it was not trendy to do so.

To read this article in full, please click here

Fortran’s return to the top 10 in Tiobe’s monthly index of language popularity is being attributed to the growing importance of numerical or mathematical computing.

Fortran returned to the top 10 in the index for April 2024 and retains the 10th place in the index for May 2024. The rating for Fortran did slip a bit, from 1.47% last month to 1.24% this month. But before April, Fortran’s last appearance in the Tiobe top 10 was April 2002.

Paul Jansen, CEO of Tiobe, a provider of tools for measuring software quality, attributed Fortran’s recent rise to the language’s advantages for numerical/mathematical computing. “Despite lots of competitors in this field, Fortran has its reason for existence,” Jansen said. He noted shortcomings in the competition: Python, while the top choice, is slow; MATLAB comes with expensive licensing; C/C++, while mainstream and fast, has no native computation support; R is slow; Julia, while rising, is not mature yet. “And in this jungle of languages, Fortran appears to be fast, having native mathematical computation support, mature, and free of charge. Silently, slowly but surely, Fortran gains ground. It is surprising but undeniable.”

To read this article in full, please click here

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

Image: Shutterstock.

When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.

The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP protocol so that other users on the local network are forced to connect to a rogue DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.

“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”

Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.

“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”

The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.

ANALYSIS

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.

“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.

Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.

“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”

Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.

KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.

“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”

According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.

Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.

“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”

Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.

In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.

“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”

Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.

“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”

A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.

No one thinks software development is easy, but who would have thought it could be hard in so many different ways? Evans Data estimates there are 26.9 million software developers globally. Recently more than 100 of those developers weighed in on Ali Spittel’s question, “What’s the most difficult part of your job as a developer?”

I expected the answers to mostly coalesce around a few key themes, but the responses were highly varied. It’s worth digging into them to see how your company can improve life for your developers.

Sometimes we love our developers too much. We rely on them (the new kingmakers and queenmakers) to innovate and to keep innovating. As Kyle Shevlin notes, “The constant threat of scope creep from product and design” makes life difficult for developers. This stems from a healthy confidence in developers’ talents, but scope creep translates into bloated software, which is hard to maintain, something Sofiene Salem highlights. Couple this with “unrealistic deadlines set by non-developers,” as Brian Shimkus stresses, and you end up in double trouble.

To read this article in full, please click here

No one thinks software development is easy, but who would have thought it could be hard in so many different ways? Evans Data estimates there are 26.9 million software developers globally. Recently more than 100 of those developers weighed in on Ali Spittel’s question, “What’s the most difficult part of your job as a developer?” I expected the answers to mostly coalesce around a few key themes, but the responses were highly varied. It’s worth digging into them to see how your company can improve life for your developers.

Sometimes we love our developers too much. We rely on them (the new kingmakers and queenmakers) to innovate and to keep innovating. As Kyle Shevlin notes, “The constant threat of scope creep from product and design” makes life difficult for developers. This stems from a healthy confidence in developers’ talents, but scope creep translates into bloated software, which is hard to maintain, something Sofiene Salem highlights. Couple this with “unrealistic deadlines set by non-developers,” as Brian Shimkus stresses, and you end up in double trouble.

To read this article in full, please click here

When we set out to rebuild the engine at the heart of our managed Apache Kafka service, we knew we needed to address several unique requirements that characterize successful cloud-native platforms. These systems must be multi-tenant from the ground up, scale easily to serve thousands of customers, and be managed largely by data-driven software rather than human operators. They should also provide strong isolation and security across customers with unpredictable workloads, in an environment in which engineers can continue to innovate rapidly.

To read this article in full, please click here

About a decade ago, I was a CIO evaluating a technology solution and I shared our primary requirements with a prospective vendor’s rep. He demoed at least three products from the company’s portfolio. Each tool had its own user experience, development approach, and learning requirements, but all three were needed to solve our business requirements. As CIO, I recognized that different parts of my team would either need to collaborate using these different tools, or I would have to hire more advanced developers capable of mastering them all. I decided not to invest in this technology solution because of the complexities of development involved.

The concept of developer experience (DX or DevEx) was not a primary or measurable objective back then. Few business leaders were thinking about the value of improving developer satisfaction, productivity, and happiness. But leading CTOs, digital trailblazers, delivery managers, and technical leads understood its importance. It’s why we bought large, multi-monitor workspaces, upgraded desktops to use the most powerful devices, brought in foosball tables to encourage work breaks, and celebrated major releases with our developer teams.

To read this article in full, please click here

In this episode of This Week in Tech, Leo Laporte is joined by Georgia Dow, Shoshana Weissmann, and Fr. Robert Ballecer, tackling a wide range of thought-provoking topics, from the ethical implications of AI in sensitive fields to the challenges of creating and consuming content in an increasingly commercialized digital landscape.

• The panel grapples with the potential risks and benefits of AI-powered therapists and priests, stressing the need for human empathy and discernment in these emotionally charged roles.

• They confront the harsh realities of the internet's "heat death," as the relentless pursuit of profits and engagement leads to a glut of low-quality content and erodes user trust.

• The group reflects on the double-edged sword of democratized media, celebrating the value of supporting emerging voices while acknowledging the importance of professional standards.

• As Twitter faces existential challenges, the panel surveys the social media horizon, evaluating alternative platforms like Mastodon and Bluesky, and weighing the implications of Jack Dorsey's departure from the Bluesky board.

• Elon Musk's reckless tweets about taking Tesla private have come back to haunt him, with the Supreme Court upholding an SEC settlement requiring his Tesla-related posts to be vetted by a lawyer.

• The FCC has cracked down on major telecom companies for the illegal sale of location data, while legislators push for reforms to prevent the government from exploiting privacy loopholes.

• Congress continues its misguided crusade to protect children online, with ill-conceived age verification mandates and privacy-eroding measures that threaten the very foundations of digital security. The panel offers an impassioned critique of these shortsighted efforts.

• The once-beloved video game Helldivers 2 serves as a cautionary tale of platform overreach, as a heavy-handed PlayStation Network login requirement sparks a massive player revolt and torpedoes the game's reputation.

• Apple's quarterly results are analyzed, and all eyes are on Apple's upcoming event, where new iPads and an enhanced Apple Pencil are expected to take center stage. But the real buzz surrounds the rumored M4 chip and its tantalizing AI capabilities, hinting at a potential game-changer for the iconic brand.

• The group geeks out over Disney+'s radical revival of X-Men '97 and Amazon's ambitious Fallout adaptation, complete with an immersive easter egg phone experience

• The freewheeling discussion also touches on Shoshana's ingenious Alexa hacks for Sabbath TV viewing, a UK council's apostrophe apocalypse, the looming cicada invasion, and Fr. Robert's role as a guardian angel for the Vatican's feral felines.

Host: Leo Laporte

Guests: Georgia Dow, Shoshana Weissmann, and Fr. Robert Ballecer, SJ

Download or subscribe to this show at https://twit.tv/shows/this-week-in-tech

Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

Sponsors:

• Stamps.com promo code TWiT
• kolide.com/twit
• IntouchCX.com/twit
• expressvpn.com/twit
• NetSuite.com/TWIT

Visual Studio Code 1.89, the April 2024 release of Microsoft’s popular code editor, has arrived with capabilities including enhanced branch switching and middle-click paste support.

The update, downloadable from the project website, was announced May 2. Enhanced branch switching addressed a long-standing feature request to save and restore editors when switching between source control branches. Developers can use the scm.workingSets.enabled setting to enable this capability.

To read this article in full, please click here

Rust 1.78, just released as the latest version of the popular, memory-safe programming language, adds backing for a #[diagnostic] attribute namespace to influence compiler messages.

These messages are treated as hints that the compiler is not required to use, the Rust team said. Also it is not an error to provide a diagnostic that the compiler does not recognize. The feature is designed to allow source code to provide diagnostics even when they are not supported by all compilers.

Announced May 2, Rust 1.78 can be installed via rustup:

To read this article in full, please click here

As a seasoned advocate and expert in cloud computing and generative AI, I’ve observed the immense transformative potential these technologies offer. Yet, we’re doing things just as stupidly as we did in the early days of cloud computing.

If you have not noticed lately, enterprises are running around in circles to fix mistakes they made 10 years ago in migrating and building new cloud-based systems. Repatriation is shorthand for “whoops!” The lack of planning and understanding has led to huge bills that nobody expected, and CIOs are attempting to mitigate. This means instead of focusing on innovation, we’re looping back to fix things after the fact.

To read this article in full, please click here

ASP.NET Core offers a simplified hosting model, called minimal APIs, that allows us to build lightweight APIs with minimal dependencies. However, “minimal” doesn’t mean minimal security. Minimal APIs need authentication too.

We’ve explored JWT authentication in an earlier post here. In this article we’ll examine how we can build a basic authentication handler for minimal APIs in ASP.NET Core. Below we’ll implement a basic authentication handler that will identify and authenticate the user. Because we will validate the user’s identity using credentials stored in a database, we will make use of Entity Framework Core. 

To read this article in full, please click here

Microsoft has introduced TypeSpec, a language for API-centric development.

Unveiled April 25, TypeSpec is designed to meet the needs of API developers, managers, and architects in an environment where delivering high-quality APIs and related experiences has become increasingly critical and complex, Microsoft said. The company described TypeSpec as a lightweight language that describes APIs using any protocol or serialization format and encapsulates common data types, API patterns, and API guidelines into high level, reusable components. It can define complex data and API shapes with minimal types. 

To read this article in full, please click here

MongoDB has made Atlas Stream Processing, a new capability it trailed last June, generally available, it announced at its MongoDB.local event in New York City.

It added  Atlas Stream processing to its NoSQL Atlas database-as-a-service (DBaaS) in order to help enterprises manage real-time streaming data from multiple sources in a single interface.

To read this article in full, please click here

Oracle is making the latest long-term support release version of its database offering — Database 23c — generally available for enterprises under the name Oracle Database 23ai.

The change in nomenclature can be attributed to the addition of new features to the database that are expected to help with AI-based application development among other tasks, the company said.

Database 23c, showcased for the first time at the company’s annual event in 2022, was released to developers in early 2023 before being released to enterprises, marking a shift in the company’s tradition for the first time.

Stiff competition from database rivals forced Oracle to shift its strategy for its databases business in favor of developers, who could offer the company a much-needed impetus for growth.

To read this article in full, please click here