The tortuous auction of Toshiba’s coveted NAND chip fab has finally started to wrap up. You would think that after over nine months of bidding and 2 trillion yen ($17.7 billion) the victors would like to gloat. A win of that size would be celebrated, but nooo…. The winning partners lead by venture capitalist Bain
Cryptocurrency Bitcoin has been on quite a roller-coaster ride the past weeks. From an all time high of $4,950.72 to $3,537.79 during the first 14 days of September 2017 in four days. That is a loss of nearly $1,413.00 which is over 9 shares of Apple (AAPL) or nearly 19 shares of Microsoft (MSFT). Not
Since the dawn of time, one of the questions most likely to strike fear into the heart of even a seasoned project manager is, “So how much is this project going to cost?” In fact, Bob Kreha at Brightwork says there are hieroglyphs on the wall of the tomb of the great pharaoh Khufu, depicting
For a long time, the man has held us down. They used their science and medicine to tell is that ingesting coffee, or more accurately the caffeine in coffee, was bad. Times they are a changing we no longer have to justify drinking coffee to anybody. Recent research carried out by many free-thinking independent medical
With apologies to Otis Redding, Americans don’t know much about security. They don’t know much privacy, or the SPAM they took. A new Pew Research Center survey, “What the Public Knows About Cybersecurity” quizzed 1,055 adults about their understanding of concepts important to online safety and privacy. The results of the Pew survey are unsettling.
What is up with Cisco? Their fiscal results for the recently closed 2017 Q3 showed revenue of $11.9 billion, a 1% decline in revenue, compared to the same quarter last year. This is the 6th consecutive down quarter. The networking goliath also issued downward guidance for 2017 Q4. They estimated a revenue declines of 4-6% year-over year.
On the earnings call, Cisco CEO Chuck Robbins blamed several factors for the lower guidance. He cited:
- “a pretty significant stall right now” in the U.S. federal public sector
- Service provider revenues were down in Mexico.
- United Kingdom business is being dampened by currency issues.
- Middle East, there is “pressure… relative to oil prices.”
In May 2017, we extended the restructuring plan to include an additional 1,100 employees with $150 million of estimated additional pretax charges.
I am pleased with the progress we are making on the multi-year transformation of our business.
These weak fiscal results and the move to a subscription-based business have led to speculation about what the Cisco business will look like in the future. TechTarget speculates that Cisco may go so far as to separate the Network Operating System (NOS) from the hardware. They contend that such a move would be a dramatic departure from Cisco’s traditional business model of bundling high-margin hardware with its NOS. The author believes that market trends will likely force the vendor to release an open NOS.
TechTarget cites reports from the The Information that a hardware-independent NOS called Lindt is coming. Reportedly Lindt will run on a white box powered by merchant silicon. According to the article, a number of market trends are driving the move to a hardware-independent NOS.
The first market trend forcing Cisco to release a hardware-independent NOS is the company’s declining dominance of the Ethernet switch market. Since 2011, the company’s share has dropped from about 75% to less than 60% last year, according to the financial research site Trefis. The decline is important to Cisco’s bottom line because switches accounted for 40% of Cisco’s product sales in 2016, 30% of net revenues and 20% of the company’s $162 billion valuation, Trefis reported.
Cisco’s weakening performance in switching is tied to the second market trend forcing Cisco to release a hardware-independent NOS. It’s customers are turning to public cloud providers, such as Amazon (AMZN) Web Services, Microsoft (MSFT) Azure and IBM (IBM) SoftLayer, for their IT infrastructure. The more enterprises subscribe to infrastructure as a service, the less networking gear they need in their data centers.
The shift to cloud providers is found in the latest numbers from Synergy Research Group. Revenue from public cloud infrastructure services is growing at almost 50% a year. In the fourth quarter of last year, revenues topped $7 billion.
The third market trend forcing Cisco to release a hardware-independent NOS is the trend where enterprises that were Cisco’s largest customers are joining cloud providers in building open networking hardware and software to replace inflexible proprietary systems that lock them to a vendor. Those companies include large financial institutions, like Bank of America, Goldman Sachs and Fidelity Investments, and communication service providers, such as AT&T (T), Deutsche Telekom and Verizon (VZ).
The technology shift is driving an enormous amount of spending on IT infrastructure. Worldwide spending on public and private cloud environments will increase 15% this year from 2016 to $42 billion, according to IDC. Meanwhile, spending in Cisco’s core market of traditional infrastructure for noncloud data centers will fall by 5%.
While Cisco is ignoring the trend away from proprietary hardware, the article says Cisco’s rivals are embracing it. Juniper Networks (JNPR) and Arista Networks (ANET) have released a version of their NOS for white boxes favored by cloud providers and large enterprises. Both companies reported year-to-year revenue growth in switching last year. Even Cisco’s patent lawsuit against upstart Arista was set-back by the courts.
Rohit Mehra, an analyst at IDC hypothesized that Cisco’s resistance to change is likely due to fear that giving customers other hardware options would accelerate declining sales in switching. “There would be potentially some risk of cannibalization in the enterprise space,” he added.
Cisco insists its customers are not interested in buying networking software that’s separate from the underlying switch. The Cisco spokesperson told TechTarget:
The vast majority of our customers see tremendous value in the power and efficiency of Cisco’s integrated network platforms, and the tight integration of hardware and software will continue to be the basis of the networking solutions we offer our customers
TechTarget adds that Cisco doesn’t say the article is wrong. Instead, the company falls back on a corporate cliché for refusing to discuss a media report. “We don’t comment on rumor or speculation,” a Cisco spokesperson said.
The networking market is evolving away from the hardware that Cisco depends on for much of its valuation. Cisco will resist changing its market approach for as long as possible. But in the end, the company will have to become a part of the trend with an open NOS capable of running on whatever hardware the customer chooses.
Rather than change its model for selling networking gear, Cisco has spent billions of dollars on acquisitions over the last few years to create software and subscription-based businesses in security and analytics. But Cisco’s software push has yet to pay off with 5 conservative down quarters.
Finally, Cisco just recently patched a flaw in IOS software that affected more than 300 models of its switches. Despite issuing an advisory on March 17, Cisco did not release the patch for this vulnerability until May 8, 2017. The Cisco vulnerability was part of the Vault 7 WikiLeaks dump of alleged CIA hacking tools.
The vulnerability, rated a critical 9.8 out of 10 by the Common Vulnerability Scoring System, is in the Cluster Management Protocol, or CMP. could allow a remote, unauthenticated attacker to reload devices or execute code with elevated privileges. This vulnerability can be exploited during Telnet session negotiation over either IPv4 or IPv6.
Lost in last month’s hub-bub over WannaCry ransomware was the revelation that hackers had successfully exploited the SS7 “flaw” in January 2017. In May reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7 (SS7). SS7 is a standard that defines how to public phone system talks to itself to complete a phone call.
The high-tech heist was initially reported by the German newspaper Süddeutsche Zeitung (auf Deutsch). The attack was a sophisticated operation that combined targeted phishing emails and SS7 exploits to bypass two-factor authentication (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.
According to ars technica the attack began with traditional bank-fraud trojans. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing the necessary login details via phishing emails, the perpetrators leveraged the SS7 flaw to intercept the associated mTAN (mobile transaction authentication numbers) authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.
German Telecommunications giant O2-Telefonica confirmed details of the SS7-based cyber attacks to the newspaper. Ars says, in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely on a much larger quantity of phone numbers.
O2 Telefonica confirmed to Help Net Security that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider – this can apparently be done for less than 1,000 euros – and have set up call and SMS forwarding.
Two-factor authentication (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are. 2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.
News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.
Cris Thomas, a strategist at Tenable Network Security warns in the article:
While this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems … Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to…
Cyber security researchers began issuing warning about this flaw in late 2014 about dangerous flaws in SS7. I wrote about the SS7 flaw in September of 2016 and in March 2107. Maybe this will be the wake up call for the carriers. One industry insider quipped:
This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed … The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.
In 2014 security researchers first demonstrated that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.
Developed in 1975, today, over 800 telecommunications companies around the world, including AT&T (T) and Verizon (VZ), use SS7 make sure their networks interoperate. This technology has not kept up with modern times. In May 2017, Wired published an article which explains some of the ways to secure SS7. Overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop the attacks. Researchers Wired spoke to suggest that adding encryption to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers, because they cost money and can impact the network core, so don’t expect any network changes to address the SS7 flaw anytime soon.
The Register reports that the FCC’s Communications Security, Reliability and Interoperability Council found that the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol has security holes too.
In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded to the letter, according to the Wired article.
Of course the TLA’s would never use this “flaw” in SS7 to spy on us.
They recommend for text messages, avoiding SMS and instead using encrypted messaging services such as Apple’s (AAPL) iMessage, Facebook‘s (FB) WhatsApp or the many others available will allow you to send and receive instant messages without having to go through the SMS network to protect your messages from surveillance.
For calls, the Guardian recommends using a service that carries voice over data rather than through the voice call network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.
Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.
- Privacy hawks in Congress call on Homeland Security to warn Americans of SS7 hacking threat (TechCrunch)
The attackers behind last month’s WannaCry ransomware were planning to extort $300 in Monero cryptocurrency to unlock encrypted files. Until this crisis, who had ever heard of Monero? How could you even buy Moneros to unlock your PC, if you wanted to take that chance? More people are probably aware of Bitcoin (BTC). The Visual Capitalist explains that Bitcoin is the original cryptocurrency, and its meteoric rise has made it a mainstay of conversation for investors, media, and technologists alike.
Despite its shady history, Bitcoin has spawned over 800 new markets and cryptocurrencies. While Bitcoin is the dominate cryptocurrency, with a market cap of $37.2 billion, the rest of the cryptocurrencies are worth even more, in combination they are worth nearly $40 billion. The leaders of the altcoin movement are:
Ethereum (ETH) launched in 2015, is the second largest by market capitalization. It is also quite different from Bitcoin. The Visual Capitalist explains that while Bitcoin is designed to be a payments protocol first, Ethereum is designed to work as a blockchain-based computing platform for developers to build and deploy decentralized applications, while also enabling smart contracts. The tokens used to power the network are called Ether, but they can also be traded online. At time of writing, Ethereum’s market capitalization is $15.4 billion.
Ripple (XRP) is the native currency of the Ripple Protocol – a broader catch-all for an open-source, global exchange according to the Visual Capitalist. Ripple is aiming to be a settlement protocol for major banks, It’s already being used by banks such as Santander, Bank of America Merrill Lynch, UBS, and RBC. Ripple has a market cap of $10.9 billion.
Ethereum Classic (ETC) The Ethereum network actually split into two in 2016.The Visual Capitalist says it’s a complicated situation. You can read about the hack v. hack battle here. Ethereum Classic is based on the original Ethereum blockchain, and has a market capitalization of $1.4 billion.
Litecoin (LTC) is one of the first altcoins, and it is nearly identical to Bitcoin after being “forked” in 2011. Litecoin aims to process blocks 4x faster than Bitcoin to speed up transaction confirmation time, though this creates several other challenges as well according to the Visual Capitalist. At time of writing, Litecoin’s market capitalization is worth $1.3 billion.
Monero (XMR) is an open-source, privacy-oriented cryptocurrency launched in April 2014. It is the result of a fork of the Bytecoin cryptocurrency According to CoinDesk, Monero is private by default, and it has achieved the widespread adoption of those interested in using cryptocurrencies to remain anonymous. Monero has a market capitalization of $6.2 million.
The price of Monero’s XMR has experienced significant volatility at times, climbing more than 1,300% since it began trading on CoinMarketCap. Since its start, the cryptocurrency has fluctuated between roughly $0.25 (in January 2015) and close to $60 (in May 2017).
Monero leverages ring signatures and stealth addresses to obscure the senders and recipients identity. Ring signatures combine or ‘mix’ a user’s account keys with public keys obtained from Monero’s blockchain to create a ‘ring’ of possible signers, meaning outside observers cannot link a signature to a specific user.
Originally, ring signatures obscured the senders and recipients involved in a Monero transaction without hiding the amount transferred. However, an update called RingCT implemented a new ring signature that concealed both the value of each transaction and the senders and recipients identities to make transaction tracking harder.
In addition to leveraging ring signatures, Monero also enhances anonymity through stealth addresses, which are randomly generated, one-time addresses created for each transaction on behalf of the recipient. With this feature, recipients publish a single address and transactions they receive go to separate, unique addresses. As a result, Monero transactions cannot be linked to the published address of the sender or recipient.
By providing a high level of anonymity, Monero offers fungibility, meaning that each individual unit of a currency can be substituted for another. Another way of putting this is that every coin has equal value.
Due to Monero’s untraceable nature, no two coins are distinguishable from one another, and they are both equal in the eyes of merchants. Without this level of fungibility, a vendor that accepts cryptocurrency might refuse a unit of one of these assets because of its past possibly illegal transaction history.
CoinDesk points out that Monero has enjoyed a steady increase in adoption since its release. This adaption seems to be led by Dark web marketplaces like AlphaBay and Oasis which have embraced it, reportedly due to popular demand.
For those who want to purchase Monero’s, to pay a ransom or for other reasons, can purchase them at an exchange. The Monero market operates like that of many other cryptocurrencies. Those interested in buying the cryptocurrency can get it through exchanges including Poloniex, Bitfinex and Kraken.
If the fraudsters who set off the WannaCry crisis were expecting to make a fortune in cryptocurrenncy, it didn’t work. Apparently there have only made approx. BTC 50.91735344 or just under $150,000 on 320 payments world-wide according to a twitter bot actual_ransom from @collinskeith which is watching the bitcoin wallets tied to the
#WannaCry ransomware attack.
The value of cryptocurrencies are really hard to pin down because no one really knows how much they should be worth. Unlike a company there are no assets or revenues that can be used to assess a predictable valuation. So they are subject to wide swings in valuations because they operate without any tangible value behind it.
The underlying technology of blockchain seems to have a brighter future
- Even the world’s largest bitcoin exchange couldn’t handle this week’s cryptocurrency boom (Techcrunch)
Redmond’s Terrible, Horrible, No Good, Very Bad month continues. The WannaCry ransomware hit mostly Windows 7 machines, and now researchers from the Russian information security company Aladdin RD, recently discovered a new bug that will slow down and crash Microsoft (MSFT) Windows Vista, Windows 7 and Windows 8 PCs, but does not seem to impact Windows 10 so far.
In a throw back to the Windows 95 and 98 era Ars Technica reports that certain specially crafted filenames could make the operating system lock up or occasionally crash with a blue screen of death. Ars reports that the bug allows a malicious website to try to load an image file with the “$MFT” name in the directory path. Windows uses “$MFT” for special metadata files that are used by NTFS file system. The effected systems do not handle this directory name correctly.
The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways. Ars explains that it’s hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but if the filename is used as if it were a directory name—for example, trying to open the file c:\$MFT\123—then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released. Forever. This blocks all other attempts to get access to the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.
Ars says that web pages that use the bad filename in an image source for example, will provoke the bug and make the machine stop responding. Depending on what the machine is doing concurrently, it will sometimes blue screen. Either way, you’re going to need to reboot it to recover. Some browsers will block attempts to access these local resources, but Internet Explorer, will try open the bad file.
Ars couldn’t immediately cause the same thing to occur remotely (by sending IIS a request for a bad filename), but it wouldn’t immediately surprise us if certain configurations or trickery were enough to cause the same problem.
The Verge has successfully tested the bug on a Windows 7 PC with the default Internet Explorer browser. Using a filename with “c:\$MFT\123” in a website image, their test caused a machine to slow down to the point they had to reboot to get the PC working again.
A Microsoft spokesperson told Engadget that the company is looking into the matter and will give an update as soon as it can.
“Our engineers are currently reviewing the information. Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible.”
The Redmond boys also had to release an emergency out of band update for the Malware Protection Engine aka Windows Defender. Two Google security researchers discovered the “crazy bad” flaw. They claimed it was “the worst Windows remote code exec in recent memory.” The TechNet article says the vulnerability they patched would allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file (CVE-2017-0290). To MSFT’s credit, they did fix the bug and release the patch with a week of being notified.
Early reports are that this bug is an attack vector. However, this is a denial of service attack that will need a reboot. This new flaw could be bundled with other more dangerous malware to force the user to reboot allowing the attack malware to get loaded.
Computer Economics says that too few organizations adequately staff the project manager function and, as a result, too many projects fall short of objectives, miss deadlines, or overrun budgets. In their report, IT Project Management Staffing Ratios (Reg. Req.), the research firm found that project managers as a percentage of the IT staff dropped slightly at the median from 4.8% in 2015 to 4.5% in 2016.
The Irvine, CA based firm speculates that there are a variety of reasons for the recent decline in the percentage of project managers. They found that like other IT functions, the staffing ratio for project managers is in flux. The percentages of staff in certain other IT job categories are growing, with a higher percentage going to application development, business analytics, and security. This, by definition, pushes down the percentage in project management.
Other reasons Computer Economics cites include the improvement in project management tools, which might allow project managers to handle more projects. It also appears a small number of companies might be abandoning the dedicated role of project manager, combining it with the role of lead developer, for example. The study also blames the growing popularity of agile development, with its focus on, also may be contributing to the decline in project management as a discrete function. However, this decline has only been recent and may not yet reflect a trend. Tom Dunlap, research director for Computer Economics said,
Despite the slight drop in the percentage of PMs, I’d be surprised if that turned into a long-term trend. With the rapidly changing nature of technology in the enterprise and the generally bad track record of IT departments getting projects in on time and on budget, I expect the percentage of PMs to go up.
Compare this data to that PMI reported in their Project Management Job Growth and Talent Gap 2017–2027 (PDF) report where they are making the case for a growing job market for PM’s. The report claims that through 2027, the global project management-oriented labor force in seven project-oriented sectors is expected to grow by 33 percent, or nearly 22 million new jobs.