
More social engineering attacks on open source projects observed – ComputerWeekly.com

The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation, which backs multiple JavaScript-based open source software (OSS) projects, have warned that the attempted social engineering observed earlier in April 2024 against the XZ Utils data compression library may not be an isolated incident.

The XZ Utils attack saw a threat actor known as JiaTan infiltrate the XZ Utils project over a multiple-year period, becoming trusted by the project maintainers and contributing legitimate updates to the software before trying to sneak in a backdoor vulnerability, CVE-2024-3094, which could have caused carnage had it not been for the swift actions of an eagle-eyed researcher.

Now, OpenSSF and OpenJS are calling for all open source maintainers to be alert for similar takeover attempts after the OpenJS Cross Project Council received multiple suspicious emails imploring them to update one of its projects to address critical vulnerabilities without citing any specific details.

Robin Bender Ginn, OpenJS Foundation executive director, and Omkhar Arasaratnam, OpenSSF general manager, said that the authors of the emails, which bore different names but came from overlapping GitHub-associated accounts, wanted to be designated as project maintainers despite having little prior involvement, similar to how JiaTan was able to weasel their way into the XZ Utils project.

They added that the OpenJS team also became aware of a similar pattern at two other widely used JavaScript projects that it doesn't host itself, and has flagged the potential security risk to respective OpenJS leaders, as well as the US cyber security authorities.

"None of these individuals have been given privileged access to the OpenJS-hosted project. The project has security policies in place, including those outlined by the Foundation's security working group," wrote Bender Ginn and Arasaratnam in a joint blog post detailing the attack.

"Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a quick fix to any problem.

"Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open source maintainers, and offer practical guidance and resources from our broad community of experts in security and open source," they said.

Among other things, OSS project members should be alert to friendly, yet aggressive and persistent pursuit of maintainer status by any new or relatively unknown community members, new requests to be elevated, and endorsement from other unknown community members, which may potentially be sockpuppet accounts.

Members should also be aware of pull requests (PRs) that contain blobs as artifacts (the XZ backdoor was a file that wasn't human-readable, not source code); intentionally obfuscated or hard-to-understand source code; security issues that seem to escalate slowly (the XZ attack started with a relatively innocuous test amendment); deviation from typical project compile, build and deployment procedures; and a false sense of urgency, particularly if someone appears to be trying to convince a maintainer to bypass a control or speed up a review.

"These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them," wrote Bender Ginn and Arasaratnam. "Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etcetera, might be part of a social engineering attack."

Social engineering attacks can be difficult to detect or protect against via programmatic means as they prey on human emotions and trust, so in the short term, it is also important to share as much information about possible suspicious activity as possible, without shame or judgment, so that community members can learn protective strategies.

Chris Hughes, Endor Labs chief security officer and a cyber innovation fellow at the Cybersecurity and Infrastructure Security Agency (CISA), said he was unsurprised to hear about more widespread social engineering attacks against the open source world; moreover, given the XZ attack received significant publicity, it is likely that other malicious actors will try similar tactics going forward.

"We can likely suspect that many of these are already underway and may have already been successful but haven't been exposed or identified yet. Most open source projects are incredibly underfunded and run by a single or small group of maintainers, so utilising social engineering attacks on them isn't surprising and given how vulnerable the ecosystem is and the pressures maintainers are under, they will likely welcome the help in many cases," he said.

If done well by the attackers, it may be difficult for the maintainers to determine which involvement is from those interested in collaborating and contributing to projects versus those with malicious intent.

More generally, warned Hughes, this poses a massive risk to the open source community in general, with around a quarter of all open source projects having just one maintainer, and 94% less than 10. This risk then carries forward into organisations that use open source software components in their software.

"This raises awareness of the larger issue of how opaque the OSS ecosystem is. Components and projects that run the entire modern digital infrastructure are often maintained by unknown aliases and individuals scattered around the globe. Furthermore, many OSS projects are maintained by a single individual or small group of individuals, often in their spare time as a hobby or passion project and typically without any sort of compensation.

"This makes the entire ecosystem vulnerable to malicious actors preying on these realities and taking advantage of overwhelmed maintainers with a community making demands of them with no actual compensation in exchange for their hard work and commitment to maintaining code the world depends on," he said.


Six Hankinson students selected for International Science and Engineering Fair – Wahpeton Daily News


MVU participates in the 2024 Vermont Science, Technology, Engineering & Math Fair – St. Albans Messenger

SWANTON - Six students from Missisquoi Valley Union competed in the Vermont State Science, Technology, Engineering & Math Fair March 30 at Norwich University.

The students who attended were finalists in the local MVU STEM Fair held on Feb. 8. They spent Saturday presenting to multiple judges and visitors. MVU students performed admirably by winning a gold medal (top 10 percent among participants) and claiming one of the $3,000 scholarships to the New Hampshire Academy of Science, a three-week prestigious summer program, along with other prizes.

Attending the fair were Kelsey Paradee, Avery Guyette, Surelle Casperson and Rowan Gregory in grade 10 and Briana Fremeau and Emma Flanders in grade 9, along with MVU STEM Fair coordinator Rich Ballard.

Awards:

Avery Guyette - with her project: Does Perceived Attractiveness Influence Judicial Decisions In Respective Court Cases?

Gold Medalist (Top 10% in Vermont)

Vermont Academy of Arts and Sciences Top Project showing good research techniques. ($200 prize)

American Psychological Association - Achievement in research in physiological science

Emma Flanders - with her project - How Luminol Reacts When Mixed with Other Chemicals

Many thanks to the MVU science teachers for challenging their students to do some great projects. Thanks to the many local businesses and community organizations that supported the effort, including Viatris, for supporting the MVU STEM Fair with a generous grant.

Thanks also goes to the non-profit STEM Challenge Initiative organization, which promotes STEM education in the region and also provided a grant to the MVU STEM Fair, as well as MVU STEM Fair coordinator Rich Ballard for organizing and supporting the student participation in the 2024 event.


Manhasset Students Traveling To International Science And Engineering Fair – Anton Media Group

Three Manhasset High School students will be making the trip to Los Angeles this May to participate in the prestigious International Science and Engineering Fair (ISEF). Senior Dylan Yoon and junior Alena Tsai are Long Island Science and Engineering Fair (LISEF) Finalists and will be representing Long Island at the fair. Dylan's project, "The Enhancement of a Novel 3D-Printed Electrodialysis Device through the Implementation and Optimization of Spacer Designs," and Alena's project, "Integrated In-silico and In-vitro Experimental Strategies for the Application of Carbon Quantum Dots in Alzheimer's Research," were both top finishers in the local competition. Additionally, junior Emily Zhao is a New York State Science and Engineering Fair (NYSSEF) ISEF finalist and will be representing New York State at ISEF. Her project, "Novel Eutrophication Remediation Turbine For Piezocatalytic Inactivation Of Anabaena In Optimized Turbulent Flow," was a top finisher in the state competition. All three students will have the opportunity to compete in the annual national science fair, which is owned and administered by the Society for Science, a 501(c)(3) non-profit organization based in Washington, D.C.

Submitted by Manhasset Public Schools


Is Platform Engineering Really Just API Governance? – The New Stack

LONDON — “If API governance and platform engineering had a Venn diagram, they’d be a circle,” contended Mark Boyd, director of Platformable, during his keynote at the API Conference April 10.

He doesn’t distinguish between your API governance toolkit and your platform engineering strategy. And maybe you shouldn’t either. After all, both prioritize the same ideal customer profile: your internal developer colleague.

Indeed, APIs have emerged as the preferred way that developers want to access and build on top of any internal developer portals and golden paths to production. And a focus on API and data standardization and cross-organizational service reusability is at the foundation of any platform strategy.

“The API is the tail wagging the dog,” Boyd argued, “as so often APIs can fundamentally change the business.”

Externally available APIs create an ecosystem around the business, he said, opening up new routes to market. APIs become a cross-functional language that allows both technical and business stakeholders to communicate. And, he said, building an API ecosystem with different business units allows for cross-organization collaboration — like via an internal developer platform — instead of fostering internal competition for time and teams.

This is especially relevant today, at a time when everyone is trying to do more with less, to increase developer productivity right when developer burnout is running high.

So what does a lightweight API governance strategy look like? How do you overcome API complexity? asked the APICon audience. Here’s how to streamline that complexity now.

How does an API life cycle start? Usually in isolation. An API user, Boyd reflected, needs something and the solution architect looks to either extend an existing API or, more often, create a new API. A product manager may be involved but only at the beginning stages, for gathering requirements.

There’s very little checking what’s already out there — likely because there usually aren’t simple ways to do that. And there’s rarely standardization around APIs to boot.

Only about half the APICon audience raised their hands when asked if they use API specification formats like OpenAPI, AsyncAPI and AWS RAM. Use of these formats can cultivate uniformity across an organization and potentially save time, as at least this activity means there’s a definition of an API written out in an understandable and consistent format.

In addition, only a few members of the audience said they created or reused data object schemas: meaning each API could potentially use a different data model to describe the same sorts of things.

Boyd gave the example of a user account: each API may create a user account data model slightly differently: some may use FirstName, LastName, title, organization, and email, others may make one field name for first and last name, and then just ask for an email address, while others may have even more fields.

To apply API governance when creating a new API, Boyd recommended you begin by mapping out the developer’s journey. Ask: What are the pain points? What programming languages do they use? What architectural patterns do they rely on?

Write down your use case description for the API at the start — not just the API name, he emphasized. This practice helps the API architect verbalize what their API is intended to achieve. This description can then be included at the start of your documentation, which increases discoverability, which in turn increases reusability. And, if you’re planning to expose your API and documentation externally, it increases your human and machine-readable searchability.

“That sort of little user story templating helps stop developers [from] leaving their flow and thinking: OK, what model should I use?” Boyd said.

It also helps with API discovery and reusability across the organization. Everything becomes more easily searchable through an internal developer portal or API catalog, so this API will be more likely found and reused, which is much cheaper than building from scratch.

Finally, as we move into the generative AI developer productivity space, this quick exercise of jotting down what an API is intended for also makes it more machine-readable, which increases the possibility for it to be suggested by a GenAI coding assistant. These steps help decrease interruptions to developer flow and eventually save time and money, as developers focus on new, differential work.

To help foster even more design thinking, Boyd also recommended writing a press release, even if it is likely never to be shared.

“Imagine it’s the end of the project. You’re releasing that API, or the new features of an API. And you’re describing it externally, what’s it going to do? What value is it going to create for others? How will people use it?”

He said this public relations practice “will help clarify your thinking about all of the things that you need in that API as well.”

Platform engineering is a sociotechnical practice that looks to reduce the complexity and cognitive load that comes from disparate tooling, by creating a single pane of glass view of shared services to better serve the internal developer. API governance via a platform or internal developer portal enables service and API reusability, instead of teams building everything from scratch.

A key pillar of platform engineering is the laying down of golden paths, which Boyd called “agreed upon architecture.” These are typically the simplest way to accomplish a repeated activity. By clarifying these paved routes, organizations typically see a reduction of complexity and developer cognitive load, which in turn speeds up the delivery of value to the end user.

Since Conway’s Law reigns supreme, communication structure and technology are intrinsically linked. Boyd offered up another platform favorite, Team Topologies, an engineering management system that can help organize teams around a new way of shared API governance.

Introducing a Team Topologies approach requires organizational restructuring and reallocation of resources from stream/line of business teams to a centralized platform team, and giving them the authority to support line-of-business teams to use common tooling across the organization.

“Often, APIs have gone out to lines-of-business where each line of business has their own API teams building their own APIs independently,” Boyd said.

Much of the tech industry is moving slowly toward a platform team that offers centralized services to what Team Topologies refer to as stream-aligned teams. It doesn’t enforce API governance on these teams but rather a Platform as a Product mindset compels these stream-aligned teams to adopt golden paths because it’s just easier. You might have to persuade teams that this is indeed the path of least resistance.

Teams may push back, Boyd warned, claiming, “Our line of business is very unique and very special.” Not every team has to follow your golden paths, but the platform team must persevere in its attempts to centralize resources common to the whole or the majority of business lines.

This can include the API catalog and an API management solution. “Even the developer personas could be owned by that sort of central team,” Boyd said, “because those developer personas might be matching for multiple lines of business.”

Just remember to start small. He emphasized the importance of API documentation and cross-organizational API discoverability as the first steps to the thinnest viable platform. Because, judging by the reaction of the APICon audience, very few platform teams have big budgets, so you’ll have to work with what you’ve got.

We are constantly in a state of bundling and unbundling in the tech industry, Boyd said. The popularity of platform engineering and Team Topologies is just that pendulum swinging back from the recent extremes of developer autonomy toward re-bundling common services. In a time of trying to do more with less, this is sensible, but also it helps address tool overload and cognitive load.

Often in the API development stage, “I see the product manager being released from their duties too early,” Boyd said. And then they aren’t often brought in until the API is ready for deployment.

“We need more product managers in the room,” he said to an audience of mostly AI architects and API engineers — and only one API product owner.

This is a mistake, he argued, especially when your API catalog and developer platform need to be “sold” to your internal customers. Plus, it’s unnecessary to exclude them since, when using something like the OpenAPI specification, you are able to communicate in a human-readable way that allows business and tech to communicate more easily.

“You can walk through it and talk about what some of the functionalities you’re exposing are and just double-check that [it] matches those functional requirements that they’ve helped identify in the first place,” Boyd advised.

While the product doesn’t stick around long enough, security often isn’t brought in until the end of API creation, which risks not just code security and stability, but all that work being for naught if security doesn’t clear it. It’s especially important to bring security in early, he said, if the API is going to expose any data or services externally, “so that you don’t have to remake those decisions.”

Security guidelines are an excellent way to address security early, he said. When his team at the data and tooling startup Platformable works with clients to write an OpenAPI specification, each item of data in a model that’s being exposed is given a risk factor — low, medium or high — considering an organization’s data sensitivity, compliance risk, and brand risk. The higher the risk, the earlier in the API development life cycle you bring security in.

An API style guide contributes to that consistency that drives reusability, but it isn’t something you need to create from scratch. The API Stylebook is a collection of guidelines and resources for API designers. Boyd touted Zalando’s RESTful API Guidelines and the Adidas API design guidelines as exemplary.

Since APIs expose data, API governance is really about data governance too, he contended. “What I see in a lot of businesses is API governance and data governance are seen as completely different.”

Since APIs are usually scattered across organizations, API architects can make the lives of the data teams easier by creating an agreed-upon taxonomy of functionalities. This can include setting field standards, like trying to influence whether to use “user” or “account,” and whether you use “first, last” in a single field or in separate fields.

When moving to an API governance model, you don’t have to go back and update all your APIs, he said. But you can follow those outlined steps when designing new APIs and when updating older ones.

Follow API architecture influencer Mike Amundsen’s advice on guide implementations with the EASE rubric, Boyd said, which helps you assess whether to go back and refactor existing legacy technologies to meet new governance guidelines. The EASE rubric considers four identifiable qualities:

“A key thing to keep in mind is that not all solutions need to excel at all four qualities. If the API is only used internally by a single team, then it is likely that it will have only minimal scalability and efficiency,” Amundsen wrote. “And might only need a bit of extra work in order to meet availability needs.”

But if an API is to be exposed or have a cross-organizational functionality, it needs to score high on all four, which means it is more likely that the new API governance framework you are introducing (such as style guides) should be imposed.

API sprawl is something the industry has been grappling with for over a decade now, triggering a huge discoverability problem. For too long, siloed teams have been using APIs as a way to connect both internal and external services and data with both internally and externally created APIs.

No organization really knows how many APIs are connecting which services and exposing what data. This makes both API standardization and security more challenging.

Fortunately, Boyd argues that the industry’s scaled adoption of internal developer portals is really just another — perhaps more efficient — way of approaching API portfolio management. Specifically, since a great early win of any platform engineering initiative is service discoverability, anything that can facilitate the creation of an internal API catalog is welcome.

“With internal catalogs, at least all of the APIs could be listed in one place so people can see. You can actually have in an internal developer portal the data models as well, so people can [also] reuse those.”

His team is trying to cultivate a developer’s reflex, he added, so that “whenever you have to build something new for your API, you should be thinking, ‘Hang on a second. Let me check the internal catalog to see whether or not we’ve already got one of those’” data models or APIs.

Boyd mentioned four different internal developer portal tools:

He also suggested looking at Stoplight, recently acquired by SmartBear, as an API design tool. “What I love about this is you can actually define your style guide in it,” Boyd said. “And then, as you’re building your OpenAPI specification, it’s telling you whether or not you’re out of bounds from your own style guide.”

If you have an external API ecosystem, you can even publicly release your style guide. Stoplight also maintains Spectral, an open source linter, which can check your API design against your style guide, industry standards or more widely accepted API design best practices.

He also recommended running all your APIs through 42crunch, an API security platform that can take an OpenAPI description and assess its robustness. He also pointed to new open source tools that perform similar assessments, such as the recently released open source OWASP Ruleset.

But, as he said, the immense API Landscape is continuously expanding — particularly if you follow Boyd’s overlap of API governance and platform engineering. To date, it features 2,159 API tools.

No matter what you choose — and whatever you call this strategy of service and API standardization and reusability — Boyd urges that you remember your internal developers are your customers. You should be publishing your roadmap and sharing it with them to get feedback. This also enables inner sourcing where you can leverage the work of developers organization-wide, which is especially important in these tighter times.

And of course, measure the results of your program. Some metrics you could track include:

“Your metrics may vary,” Boyd emphasized, noting many of these ideas were presented by John Musser in his work on Ford’s platform engineering program. One key metric his team uses is developer days saved per project and overall, calculated as a monetary value of dollars saved by the organization by introducing standardized approaches.

Kick off any API governance or platform engineering initiative by asking your developers what their pain points are, and craft your strategy from there. And keep track of data like the four golden signals — latency, traffic, errors and saturation.

When in doubt, creating an ideal developer flow, Boyd said, should look to continuously answering three questions:

Just remember, he said, as you face this complexity: “You’ve got to start small and show the benefits to your team and to all decision makers involved.”

Read the rest here:

Is Platform Engineering Really Just API Governance? - The New Stack

Criminals ramp up social engineering and AI tactics to steal consumer details – Yahoo News UK

Criminals are finding new ways to target consumers using social media and deepfake technology, with cost-of-living pressures also having an impact, according to a fraud prevention body.

Cifas said that over the past year, members had reported being increasingly concerned about the potential growth in fraud generated by AI or artificial intelligence.

It is seeing an increase in AI-enabled identity fraud, such as sophisticated phishing scams, deepfake images, videos and audio.

In total, according to its Fraudscape report, more than 374,000 fraud cases generally were reported to the Cifas National Fraud Database (NFD) last year.

Cifas said that members prevented £1.8 billion worth of fraud losses.

Identity theft remained the most dominant type of fraud, accounting for nearly two-thirds (64%) of incidents. More than 237,000 cases were recorded in 2023.

Criminals sharpened their social engineering tactics and continued to exploit cost-of-living pressures, Cifas found.

An increased use of AI and data harvesting techniques to fraudulently open and abuse accounts, steal identities and take over customer accounts was also highlighted.

Personal bank accounts are a particular target for identity fraudsters, Cifas said.

Account takeover attempts may also use spoof voices to answer security questions.

Cifas has more than 700 members from industries including banking and finance, insurance, telecommunications, retail and the public sector.

Facility takeover fraud, when an account is taken over by a fraudster, is also an increasing issue. Cifas said the telecommunications sector was particularly affected.

This increase partly reflects a shift in fraudulent methods, with criminals increasingly targeting existing accounts to obtain new products or upgrades, it said.

Misuse of facility, when a product is obtained with the intent of misusing it, was also found to have increased. There was a notable rise regarding loan products, Cifas said.

Cifas said the overall misuse of facility data covered several industries, highlighting the impact of the cost-of-living pressures and people attempting to avoid payments or financially gain from stealing assets.

Stephen Dalton, director of intelligence for Cifas, said: "As our latest data shows, the impact of fraud and financial crime on people, companies and the public sector continues at epidemic levels.

"Ongoing economic uncertainty and cost-of-living pressures provide a rich source of opportunity for criminals to exploit people at their most vulnerable. These circumstances may also be the catalyst for some individuals to commit fraud and supplement their income during difficult times."

Mike Haley, chief executive of Cifas, added: "Criminals are finding new and sophisticated ways to target consumers, such as through social media and AI and deepfake technology. We are committed to driving down these cases through the sharing of data and intelligence and building effective defences to prevent fraud.

"To achieve our goal takes a huge multi-sector, collaborative effort. That means having effective cross-government leadership in response to fraud, enhancing victim support, providing critical counter-fraud insight to social media and big tech companies, and educating young people about the serious consequences of financial crime.

"We continue to work closely with the fraud prevention industry and multiple sectors to stem the rising tide of fraud and financial crime."

Excerpt from:

Criminals ramp up social engineering and AI tactics to steal consumer details - Yahoo News UK

‘All I Did Was READ GOD’s WORD’: Sound Engineer Trusts in Jesus After Listening to Jackie Hill Perry Record Audio … – Church Leaders

Sound engineer William Felton was saved from pornography addiction and depression to new life in Jesus in 2023 as a result of listening to Jackie Hill Perry record the Bible on audiobook. Perry revealed on Instagram Sunday that she had prayed for Felton throughout the recording process, and Felton shared how God transformed his heart.

"[Perry] being a servant, planted a seed and God began to water it and open my eyes," Felton said in a post on Dec. 27. "I began to pray more and read the Bible for myself and God started to do a mighty work in me. One day in my room I just surrendered fully to the Lord and he filled me with his Holy Spirit.. i am redeemed in Christ now!!!!!"

"In that studio, I didn't preach a sermon. I didn't exegete a text. All I did was READ GOD's WORD and that alone brought my guy from death and into life," Perry said in the caption of a photo of her and Felton. "I say all of that to say, God doesn't need antics to save souls. If you just give folks His word, you would be amazed at what He can do!"

Jackie Hill Perry is a Christian author, speaker and hip hop artist. Last year, she recorded an audio version of the Bible for Crossway. "Doing it in a studio meant I'd have an engineer there to make sure the sound and all of that was good. A particular task the engineer had to take on was reading the Bible along with me to ensure that I didn't skip any words," Perry explained. "Knowing this, I would pray before every session that God would use His word to do a work in the engineer's heart."

"This man right here worked alongside me while I read most of the major and minor prophets. Before each session, I prayed for him hoping that God would grant Him understanding since the prophets ain't the easiest to make sense of sometimes," Perry said. "On certain days, I'd pick his brain on what he thought about Amos or [Habakkuk] just to get a sense of where he was with it."

In his December post, Felton described the state of his inner life before he took on the project with Perry. "Earlier this year, I had no thoughts of God in my mind," he said. "I was chasing this music industry so hard this screen right in front of me was my god. A false idol. I was stuck in pornography addiction and was so depressed."

Felton works for Patchwerk Recording Studios and around March was tasked with working with Perry as she recorded the Bible on audiobook. "I didn't want to do it [at] first but I took a chance because I believed in God and figured this could be good for me to learn about the Bible more," Felton said. "However, after months of us working I started to hate it, and dread it."

Link:

'All I Did Was READ GOD's WORD': Sound Engineer Trusts in Jesus After Listening to Jackie Hill Perry Record Audio ... - Church Leaders

Vast Executes VS1 Engineering Contracts Advancing Toward Construction of 288 MWh Concentrated Solar Thermal … – GlobeNewswire

SYDNEY, Australia, April 15, 2024 (GLOBE NEWSWIRE) -- Vast Renewables Limited (Vast) (Nasdaq: VSTE), a renewable energy company specialising in concentrated solar thermal power (CSP) systems that generate zero-carbon, utility-scale electricity and industrial process heat, today announced it has executed key engineering contracts with Afry, FYFE, Primero and Worley to complete Front-End Engineering Design (FEED) on its VS1 project.

VS1 is a 30 MW / 288 MWh CSP plant to be located in Port Augusta, South Australia. Utilising Vast's proprietary modular tower CSP v3.0 technology, VS1 will generate clean, low-cost, dispatchable power with over 8 hours of thermal energy storage. The project is anticipated to create dozens of green manufacturing jobs, hundreds of jobs during construction and long-term plant operations roles.

Today's announcement with Afry, FYFE, Primero and Worley follows Vast's appointment in May 2023 of Worley and its specialist consulting division, Worley Consulting, to complete VS1 basic engineering. FEED is expected to be completed by August ahead of a Final Investment Decision in Q3 2024 and construction starting in late 2024.

Afry, FYFE, Primero and Worley bring extensive experience designing, engineering and building major energy projects in remote Australia and around the world.

Craig Wood, CEO of Vast, said, "This is a major step forward for Vast and VS1, putting this historic CSP project on the path to construction. Afry, FYFE, Primero and Worley will bring the right combination of global and local expertise to VS1, which will utilise our industry-leading technology to capture and store the sun's energy during the day before generating heat and dispatchable power during the day or night."

Vast's proprietary CSP v3.0 technology has received significant support from the Australian Government, including the Australian Renewable Energy Agency (ARENA), announcing it has approved up to AUD$65 million in funding to support the construction of VS1.

VS1 will be co-located with Solar Methanol 1 (SM1), a world-first green methanol demonstration plant. In February, Vast, along with its consortium partner, announced that they signed funding agreements to receive AUD$19.48 million and EUR13.2 million from a collaboration between the Australian and German governments, respectively. SM1 will use zero-emissions dispatchable electricity and heat from VS1 to produce green methanol for use as a sustainable shipping fuel.

Vast's 1.1 MW CSP Demonstration Plant in Forbes, Australia was operated for 32 months

About Vast

Vast is a renewable energy company that has CSP systems to generate, store, and dispatch carbon-free, utility-scale electricity, industrial heat, or a combination to enable the production of green fuels. Vast's CSP v3.0 approach utilises a proprietary, modular sodium loop to efficiently capture and convert solar heat into these end products.

On December 19, 2023, Vast listed on the Nasdaq under the ticker symbol VSTE, while remaining headquartered in Australia.

Visit http://www.vast.energy for more information.

About Afry

AFRY provides engineering, design, digital and advisory services to accelerate the transition towards a sustainable society. With 19,000 devoted experts in the industry, energy and infrastructure sectors, AFRY is seeking to create impact for generations to come. The company has Nordic roots with a global reach, net sales of 27 BSEK and is listed on Nasdaq Stockholm.

About Fyfe

Fyfe is a fully integrated engineering, environment, planning and survey firm, employing 465+ staff across major capital cities and regional centres in Australia.

About Primero

Primero, a subsidiary of NRW Holdings, is a multi-national engineering, procurement and construction business with a global reach. Primero was founded in 2011 with a vision to create a vertically integrated business in the mineral processing, energy, iron ore and non-process infrastructure (NPI) market segments as a turnkey project solution provider.

From major greenfield projects through to brownfield projects on operating sites, Primero's team of professionals work with clients from the outset to solve complex engineering challenges and create fit for purpose design and construction solutions.

About Worley

Worley Limited is a global company headquartered in Australia and listed on the Australian Securities Exchange (ASX: WOR). The company is a leading global provider of professional project and asset services in the energy, chemicals and resources sectors. As a knowledge-based service provider, Worley uses its knowledge and capabilities to support customers to reduce their emissions and move towards a low carbon future.

Contacts

For Investors: Caldwell Bailey ICR, Inc. VastIR@icrinc.com

For US media: Matt Dallas ICR, Inc. VastPR@icrinc.com

For Australian media: Nick Albrow Wilkinson Butler nick@wilkinsonbutler.com

Forward-Looking Statements

The information included herein and in any oral statements made in connection herewith include "forward-looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. All statements, other than statements of present or historical fact included herein, regarding VS1, SM1, Vast's future financial performance, as well as Vast's strategy, future operations, financial position, estimated revenues and losses, projected costs, prospects, plans and objectives of management are forward-looking statements. When used herein, including any oral statements made in connection herewith, the words "anticipate," "believe," "could," "estimate," "expect," "intend," "may," "project," "should," "will," the negative of such terms and other similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain such identifying words. These forward-looking statements are based on Vast management's current expectations and assumptions, whether or not identified in this press release, about future events and are based on currently available information as to the outcome and timing of future events. Except as otherwise required by applicable law, Vast disclaims any duty to update any forward-looking statements, all of which are expressly qualified by the statements in this section, to reflect events or circumstances after the date hereof. Vast cautions you that these forward-looking statements are subject to risks and uncertainties, most of which are difficult to predict and many of which are beyond the control of Vast.
These risks include, but are not limited to, general economic, financial, legal, political and business conditions and changes in domestic and foreign markets; the inability to recognise the anticipated benefits of Vast's recent business combination; costs related to that business combination; Vast's ability to manage growth; Vast's ability to execute its business plan, including the completion of the Port Augusta project (including VS1 and SM1), at all or in a timely manner and meet its projections; Vast's ability to comply with its, and its counterparties' respective compliance with their, respective obligations under the FEED contracts, funding agreements related to VS1 and SM1 and Vast's other financing and commercial agreements; potential litigation, governmental or regulatory proceedings, investigations or inquiries involving Vast or its subsidiaries, including in relation to Vast's recent business combination; changes in applicable laws or regulations and general economic and market conditions impacting demand for Vast's products and services. Additional risks are set forth in the section titled "Risk Factors" in the final prospectus, dated March 11, 2024, as supplemented, and other documents filed, or to be filed with the SEC by Vast. Should one or more of the risks or uncertainties described herein and in any oral statements made in connection therewith occur, or should underlying assumptions prove incorrect, actual results and plans could differ materially from those expressed in any forward-looking statements. Additional information concerning these and other factors that may impact Vast's expectations can be found in Vast's periodic filings with the SEC. Vast's SEC filings are available publicly on the SEC's website at http://www.sec.gov.

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/0aefddee-19f6-41b0-b9e3-120a46d23161

The rest is here:

Vast Executes VS1 Engineering Contracts Advancing Toward Construction of 288 MWh Concentrated Solar Thermal ... - GlobeNewswire

Misagh Daraei’s innovations: Optimizing structural designs for weight reduction in mechanical engineering with genetic … – Raver Mag.

Misagh Daraei chatted about optimizing structural designs for weight reduction in Mechanical Engineering with Genetic Algorithms. #Powerjournalist Markos Papadatos has the scoop.

In the fast-evolving landscape of mechanical engineering, the quest for lightweight yet robust structural designs stands as a cornerstone of innovation. Misagh Daraei, a pioneering researcher in the field, has been at the forefront of this endeavor, employing genetic algorithms to revolutionize the optimization process.

Structural design optimization plays a crucial role across industries, from aerospace and automotive to civil engineering and beyond. The traditional approach involves exhaustive iterations and simulations to find the optimal configuration, often resulting in time-consuming and resource-intensive processes. However, Daraei's groundbreaking work has introduced a paradigm shift by harnessing the power of genetic algorithms to streamline and enhance this optimization journey.

Genetic algorithms, inspired by the principles of natural selection and evolution, offer a powerful solution to the complex optimization challenges faced in structural design. By mimicking the process of natural selection, genetic algorithms iteratively generate and refine potential solutions, favoring those that exhibit desirable traits such as reduced weight while maintaining structural integrity and performance.

Daraei's research endeavors have yielded remarkable insights and advancements in this domain. By integrating genetic algorithms into the design optimization workflow, he has demonstrated significant reductions in weight without compromising on safety or functionality. Whether it's the design of aircraft components, automotive frames, or high-rise structures, Daraei's methodologies have consistently delivered solutions that push the boundaries of what's possible in lightweight engineering.

One of the key advantages of Daraei's approach lies in its ability to explore vast design spaces efficiently. Genetic algorithms excel at navigating complex, multidimensional search spaces, allowing engineers to uncover novel design configurations that may have remained elusive through traditional methods. This capability not only accelerates the optimization process but also enables the discovery of innovative solutions that defy conventional wisdom.

Moreover, Daraei's research extends beyond mere optimization to encompass holistic considerations such as manufacturing feasibility, sustainability, and lifecycle performance. By integrating these factors into the optimization framework, he ensures that the resulting designs are not only lightweight but also practical and environmentally conscious, aligning with the evolving needs of modern engineering practices.

As the demand for lightweight, energy-efficient structures continues to grow in an increasingly interconnected world, Daraei's contributions stand as a beacon of innovation. His pioneering work not only advances the frontiers of mechanical engineering but also inspires future generations of researchers and practitioners to push the boundaries of what's achievable in structural design optimization.

In conclusion, Misagh Daraei's research on optimizing structural designs for weight reduction in mechanical engineering using genetic algorithms represents a transformative leap forward in the quest for lightweight, high-performance structures. By leveraging the power of genetic algorithms, Daraei has redefined the optimization process, unlocking unprecedented possibilities for innovation and sustainability in engineering design.

Read the rest here:

Misagh Daraei's innovations: Optimizing structural designs for weight reduction in mechanical engineering with genetic ... - Raver Mag.

An engineer’s life: What the heck are railroad fusees for? – Trains – TRAINS Magazine

Railroad fusees: Taken many years ago at Baring, Wash., on the Scenic Subdivision (Stevens Pass), my conductor is giving a back-up sign, while we wait for a westbound meet. I didn't take my tripod to work very often. Replace the lantern bulb for the red of a fusee and you can imagine the story. Michael Sawyer

My first memory of using railroad fusees [flares] for signaling was on an early winter morning in 1978. Coming back from lunch on the midnight shift at Auburn yard, the scenery had turned very foggy. Lanterns, while not useless, were hard to see at a distance in that kind of weather.

During those days, we normally only had one portable radio per crew. The foreman on the switch job had the radio; that way the yardmaster could make a change to the switch list when needed. The fieldman would borrow the radio from the foreman when hand signals could not be used due to the distance.

At Auburn, when the fieldman got the whole train together, they would throw the fusee into the air as high as they could, signaling to the rest of the crew that the track was together; this was in lieu of borrowing the radio.

I joined the naval reserves in 1983 near the end of a three-year furlough from the railroad. I returned home from active duty after graduating from the U.S. Naval Schools of Photography in Pensacola, Fla., summer of 1984 as a Photographer's Mate.

I didn't have any good railroad options for working near Seattle, so I ended up moving to Spokane in eastern Washington. One night I was working the fieldman position at Yardley. After I had the track together, I threw the fusee as high as I could. I heard the air go, meaning the engineer had placed the train brakes into emergency, and everything came to a stop. The foreman marched down to where I was. He was upset, wanting to know why I gave him the washout, thus his emergency stop. I said that I gave a highball so he asked where I was from.

"Ah, right, you're one of those Coasties. Well, that has exactly the opposite meaning in Spokane," he said. Which I found interesting, considering both were Northern Pacific yards.

On my first solo trip as an engineer on the Mojave Subdivision out of Bakersfield, my conductor got a late call. I was standing around the yard office when the road foreman came up to me and told me to keep an eye on this guy, he was a little different. Nice kid; I do not recall the trip until we were between the siding of Jimgray and Hinkley on the old ATSF to Barstow.

The dispatcher (DS) called and said, "I want you to pull in the clear; you are going to have to cut the crossing." Hinkley was the last siding eastbound before the hump yard at Barstow. As we started into the siding my conductor pulled the emergency brake handle on his side. I looked over in disbelief. He was not happy about the long wait. He explained that this way the DS could wait. I didn't even bother to rip him apart about what trains can do when they go into emergency. I was just trying to get the first solo trip over with.

After I recovered the air, we pulled into the clear and cut the crossing as instructed. After a 2-hour wait, the DS called and said it was our turn. My conductor could not find his lantern. The head end of the train was about 30 car lengths over the crossing, so I was not going to see his hand signals in the dark. We would have to use fusees.

I told him to light up the fusee, while I whistled three times to show I would be slowly starting back. I had told him to give me two big circles at ten cars and one circle for five cars, then the normal signs for 4-3-2-1-stop. We had the train back together. As he was walking back up to the lead unit, I saw him in my mirror and noticed he was walking weird. He had both arms out from the shirt's shoulders with his arms hanging down, like a sad scarecrow.

As he got back into the cab, I looked over at him with part concern and part amusement: he had peppered himself with the slag of the burning fusee. As he stood there, he had a dozen or so tiny holes in each arm still smoldering.

He had never used a fusee and was waving it around like a lantern. When I figured out the only thing hurt was his pride and his brand-new coat from his wife, it took everything I had to not bust out laughing. Ah, karma. Highball.

Like this column on railroad fusees? Read the last one, An engineer's life: Mojave Green.

Read more:

An engineer's life: What the heck are railroad fusees for? - Trains - TRAINS Magazine
