Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Earlier this year, we announced that we would replace the existing software testing experience known as Microsoft Security and Risk Detection with an automated, open-source tool as the industry moved toward this model. Today, were excited to release this new tool called Project OneFuzz, an extensible fuzz testing framework for Azure. Available through GitHub as an open-source tool, the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.

Fuzz testing is a highly effective method for increasing the security and reliability of native codeit is the gold standard for finding and removing costly, exploitable security flaws. Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from. That complexity required dedicated security engineering teams to build and operate fuzz testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work.

Microsofts goal of enabling developers to easily and continuously fuzz test their code prior to release is core to our mission of empowerment. The global release of Project OneFuzz is intended to help harden the platforms and tools that power our daily work and personal lives to make an attackers job more difficult.

Recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code. What was once attachedat great expensecan now be baked into continuous build systems through:

These advances allow developers to create unit test binaries with a modern fuzzing lab compiled in: highly reliable test invocation, input generation, coverage, and error detection in a single executable. Experimental support for these features is growing in Microsofts Visual Studio. Once these test binaries can be built by a compiler, todays developers are left with the challenge of building them into a CI/CD pipeline and scaling fuzzing workloads in the cloud.

Project OneFuzz has already enabled continuous developer-driven fuzzing of Windows that has allowed Microsoft to proactively harden the Windows platform prior to shipment of the latest OS builds. With a single command line (baked into the build system!) developers can launch fuzz jobs ranging in size from a few virtual machines to thousands of cores. Project OneFuzz enables:

Project OneFuzz is available now on GitHub under an MIT license. It is updated by contributions from Microsoft Research & Security Groups across Windows and by more teams as we grow our partnership and expand fuzzing coverage across the company to continuously improve the security of all Microsoft platforms and products. Microsoft will continue to maintain and expand Project OneFuzz, releasing updates to the open-source community as they occur. Contributions from the community are welcomed. Share questions, comments, and feedback with us: fuzzing@microsoft.com

To learn more about Microsoft Security solutions visit our website. Bookmark theSecurity blogto keep up with our expert coverage on security matters. Also, follow us at@MSFTSecurityfor the latest news and updates on cybersecurity.

Originally posted here:

Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale - Microsoft

The U.S. Commerce Department has nowannounced the details of how it will enforce the shutdown of TikTok and WeChat in the country, after announcing in August plans to do so by September 20 over national security concerns. The news is structured along two dates, September 20 and November 12. Both apps and their app updates will no longer be distributed in U.S. app stores as of September 20. But TikTok specifically gets an extension on how it operates until November 12.

That not only keeps it up until after the November 3 U.S. election, but leaves the door open for it to complete a complicated deal with Oracle and partners to take control of its U.S. operations without an interruption in service.

That timing, plus the statement from the Department of Commerce Secretary Wilbur Ross, underscores the strong political current running through the news.

Todays actions prove once again that President Trump will do everything in his power to guarantee our national security and protect Americans from the threats of the Chinese Communist Party, said Ross in a statement.At the Presidents direction, we have taken significant action to combat Chinas malicious collection of American citizens personal data, while promoting our national values, democratic rules-based norms, and aggressive enforcement of U.S. laws and regulations.

The first part of the action, starting September 20, has to do with halting all new app distribution for both WeChat (owned by Tencent) and TikTok (owned by ByteDance) . In other words, no new downloads of either app as of September 20, and no new updates. And it also forbids any provision of services through theWeChatmobile application for the purpose of transferring funds or processing payments within the U.S. that is, all payments.

WeChats owner Tencent has issued a response to the announcement:

We are reviewing the latest announcement from the Department of Commerce restricting the use of WeChat by U.S. users, said a spokesperson. WeChat was designed to serve international users outside of mainland China and has always incorporated the highest standards of user privacy and data security. Following the initial executive order on August 6 we have engaged in extensive discussions with the U.S. government, and have put forward a comprehensive proposal to address its concerns. The restrictions announced today are unfortunate, but given our desire to provide ongoing services to our users in the U.S. for whom WeChat is an important communication tool we will continue to discuss with the government and other stakeholders in the U.S. ways to achieve a long-term solution.

It seems that the different dates might mean that those that already have TikTok installed by September 20 should still be able to continue using it, even if youre an iPhone user updating to iOS 14.

We write might because the government hasnt provided technical detail around how it plans to implement its rules.

From that date, WeChat also will not, seemingly, work at all, with the U.S. forbidding any provision of internet hosting services enabling the functioning or optimization, any provision of content delivery, internet transit or peering services, or any provision of constituent code, functions or services of the app.

Notably, TikTok will not face the same operational roadblock on September 20.

TikTok has until November 12 before those rules come into play. That is to say, if you have TikTok downloaded by September 20, you will still be able to use it.

The date is important for a couple of reasons. It firstly leaves the app up and running in the run-up to the U.S. presidential election. Many have said that Trump shutting down the popular app which has some 100 million users in the U.S., but beyond that a much wider public following in pop culture, where TikToks are shared on national television and across a lot of other social channels now could hurt him with younger voters. Whether or not that really would have been the case, this seems to have knocked that problem out of his re-election calculus.

It secondly leaves the door open for Oracle, Walmart and the rest in that consortium negotiating to take over the operation of TikTok to seal their deal without any interruption in service. The app has around 100 million users in the country, similar to its number of users in Europe.

The story around the deal has been changing by the day, shifting from an outright acquisition to one where Oracle might control the data in the app but not the source code, to licensing the source code too, to getting Chinas approval as well as that of the U.S., and other permutations. The most recent developments have included the idea of a public listing and even considering Instagram co-founder Kevin Systrom to take it over as the new CEO.

Ironic, then, that one of the more outspoken tech leaders around this latest development has been Adam Mosseri, the current head of Instagram, who has been tweeting his thoughts about the wider implications for other big tech companies.

(Weve been in a tit-for-tat war around apps and freedom to operate them across national boundaries for some time already, and many countries with national firewalls have long decided that there is absolutely nothing wrong with prohibiting some apps from other countries if you feel they compromise your national security.)

The U.S. Department of Commerce decisions are in line with an executive order signed by President Trump on August 6, which put ByteDance and Tencent, the respective owners of TikTok and WeChat, on notice of the governments intention to block access to their products over purported concerns about national security.

That executive order precipitated the last few weeks of feverish dealmaking to avoid a shutdown of TikTok, discussions that remain ongoing and are not finalized. As of today, Oracle and what looks like Walmart are still negotiating with the White House, Treasury Department and ByteDance to come to a deal that will be acceptable to the president. China also has authority to approve a sale of TikTok.

Over the last few weeks, the administration has promoted a policy known as Clean Network designed to eliminate foreign interference in applications and cloud infrastructure that powers American technology.

That policy calls for the removal of certain apps, data sovereignty to onshore American user data to the United States, mobile network infrastructure built from clean equipment and a host of other measures to create a clean computing environment for U.S. citizens. While those policies are generally written broadly, their clear target has been China, based on speeches from administration officials.

TikTok and WeChat are not the only app removals announced overnight. In India, one of the most popular payment apps in the country Paytm has been removed from Googles Play Store for repeat policy violations. The app has tens of millions of monthly users. In late June, the country also announced a list of 59 apps developed by Chinese companies that would be banned, including TikTok.

Such national fights over the future of technology have increasingly come to a head as tech drives a larger segment of the global economy and increasingly becomes intertwined with competing national interests.

Go here to read the rest:

In the WeChat, TikTok US shutdown order, TikTok gets Nov. 12 stay, keeping it up through the US election and Oracle dealmaking - TechCrunch

The default login option for agents used by the Australian Taxation Office (ATO) is vulnerable to a code replay attack, security researchers Ben Frengley and Vanessa Teague said.

Writing in a blog post, the pair described that an attacker could use a malicious login form to capture user details, which the attacker could then use to login into other accounts held by the myGovID user.

The nub of the attack is that when a myGovID user attempts to login into a site, they are asked to input a four-digit code into the myGovID smartphone app to verify the login -- no passwords are used, and the only identifying piece of information is an email address.

If the attacker can capture an email address, that can be used by the attacker to log into another myGovID service and replay the generated code to the user to enter into the myGovID app. Once the code is entered, the user will believe they are logged into a proper site, while the attacker can simultaneously log into their account elsewhere.

The user is not alerted to the other login taking place.

"This attack is detectable by a diligent user who understands the protocol well enough to know that they should only accept 4-digit codes from mygovid.gov.au (and knows how to check for TLS)," the pair wrote.

"However we believe that there are very few users in this category, because it is a counter-intuitive protocol designed to reverse the information flow relative to what users are accustomed to."

The suggested short term mitigation from the researchers is to inform users about what site is requesting a login, and for the long term, the pair recommended ditching the framework altogether.

"In the long run, the [Trusted Digital Identity Framework] and all its current implementations should be deprecated and replaced with an open standard such as OpenID Connect or a protocol modelled on that of a nation with an existing secure public key infrastructure such as Belgium or Estonia," they wrote.

"The implementation and design documentation should be openly available to the Australian public to allow for the identification and responsible disclosure of other vulnerabilities.

"We have no reason to believe that this is the only, or the worst, vulnerability in this system. Its complex nature and the desire to hide information makes enforcing and validating correct, secure behaviour close to impossible."

For users, the pair recommended they do not use myGovID unless unavoidable, and in that case, to ensure they only receive codes from the mygovid.gov.au site.

"This unlikely to work in practice for most users, who will struggle to recognise a secure website with the right URL," they said.

The pair said they informed the Australian Signals Directorate of the issue on August 19, and were told on Friday by the ATO that "they did not intend to change the protocol, at which point we immediately informed them that we would make a warning to users public".

In October, the Digital Transformation Agency said almost 7,000 Australians had created a myGovID.

Also on Monday morning, the ATO announced it has signed a three-year, AU$11.4 million deal with Vocus for managed network services.

"The contract will see Vocus provide up to 230 services across 80 ATO sites, on its fully separated secure network," Vocus said.

"The types of services include IP WAN, internet and data centre connectivity for all existing and future ATO sites."

The contract has three potential two-year extensions.

Link:

ATO declines to fix code replay flaw within myGovID - ZDNet

The office for Shenzhen Zhenhua Data Information Technology Co. Ltd., a small Chinese technology company that is building tools to process the worlds open-source information about influential people.

Nathan VanderKlippe/The Globe and Mail

On the 14th floor of a tower filled with cramped workspaces in Chinas high-tech city, a small military contractor is building tools to track politicians, aerospace entrepreneurs, scholars and other influential people around the world, including thousands in Canada.

The office of Shenzhen Zhenhua Data Information Technology Co. Ltd. is modest. When a Globe and Mail reporter visited, three people sat at desks in what appeared to be a converted studio apartment, with the bathroom door open. One person was entering code into a computer, while another worked on a PowerPoint presentation. The third person said the company has a work force of more than 30 employees. And although she said Zhenhua is expanding, thats small even by startup standards in China.

Its ambitions, though, extend far beyond its small real estate footprint. It is building tools to process the worlds open-source information about influential people culled from Twitter, criminal records, LinkedIn posts, YouTube videos and more into data that can be analyzed and used by universities, companies, government actors and the Chinese military.

Story continues below advertisement

Our client base is a bit special, the woman said.

The Globe and a consortium of international journalists have accessed an early copy of the companys Overseas Key Information Database (OKIDB), which shows the type of information Zhenhua is collecting for use in China, including records on small-town mayors in Western Canada, where Chinese diplomats have sought to curry favour.

The company claims to have built tools to manipulate content on Twitter, WhatsApp and other platforms, including Facebook which says it has banned Zhenhua from gathering data on its platform.

The company declined an interview request, saying it was not convenient to disclose trade secrets. Its website became inaccessible after The Globe visited its office, which is located in a government-backed business incubator building across the street from an investigative centre for the local Public Security Bureau all a short drive from the headquarters of some of Chinas most important technology companies and civilian military contractors, including Tencent and China Electronics Corp.

The company, led by a former IBM data centre management expert, has also described its work online in job postings, LinkedIn records, blog articles and software patents. One employee described work mining the business needs of military customers for overseas data. Before it became inaccessible, Zhenhuas website listed a series of partners that included important military contractors.

It claims to have collected information on more than 2.4 million people and 650,000 organizations from about two billion social-media articles.

Together the documents reveal a Chinese firm with a keen interest in advanced forms of warfare, the structure of the U.S. intelligence apparatus and the use of social media to achieve military victories.

Story continues below advertisement

The company has secured a software patent for a social media account simulation system, a title that connotes a tool for managing networks of fake social-media usernames in ways that emulate human characteristics, making them more effective at spreading messages.

Zhenhuas name translates to China Revival, a reference to a mantra of President Xi Jinping, who has proclaimed the great rejuvenation of the Chinese nation.

It seems to be collecting information about people who are around things that China would be interested in. The question is whether this is a database of potential targets that could be used by the intelligence services of China to get what they want, said Stephanie Carvin, a former national security analyst who is now an associate professor of international relations at Carleton University.

Prof. Carvin looked at the database on behalf of The Globe and said it wasnt clear whether it was being used by Chinese intelligence or had simply been created by a company hoping to sell it to Chinese intelligence.

But she found it curious that it contained records on people such as Ella-Grace Trudeau, the 11-year-old daughter of Prime Minister Justin Trudeau, and Jeremy Fry, the adult son of long-time MP Hedy Fry. That, Prof. Carvin said, suggested an attempt to learn more not just about the people in power in Canada but about those around them.

Why have these people in some kind of database? That, to me, is the question that national security agencies in the West have to figure out. Thats the thing I worry about, Prof. Carvin said. Is this an attempt to create a database of targetable individuals? And what are they trying to do with that?

Story continues below advertisement

A version of the Zhenhua OKIDB database analyzed by The Globe contained almost 16,000 entries mentioning Canada.

Its files seem to have been cobbled together from various sources. Some catalogue news stories, including hundreds of Globe articles, while others are archived Facebook posts from U.S. President Donald Trump about trade tariffs. A large portion of the data appears to have been extracted from the business information website Crunchbase and serves as a Rolodex of social-media accounts and contact information for people in all sorts of occupations, from tech executives to university professors. Roughly 70 per cent of the people captured in the data are men.

The database appears to have a special focus on mayors of Western Canadian towns, as well as academics and bureaucrats who focus on international relations.

However, the effort is broader than it is deep.

Jeremy Kirk, an information security analyst who said he gained independent access to the database earlier this year, said he didnt see any sign that it was a tool of an intelligence service.

This is data that anyone could find through a Google search. So far, none of the data has been linked to a non-public data source. As it stands, it doesnt represent a threat to any country, said Mr. Kirk, who is the executive editor of the Australia-based Information Security Media Group. But people should be mindful of what they post publicly on the internet, as it could be collected by other countries for commercial gain or intelligence purposes.

Story continues below advertisement

The vast majority of the files contain little more than what can be found about the individuals on social-media websites such as Twitter, Facebook and LinkedIn. If the person of interest has a police record, links are included to newspaper stories about their cases.

The mass scraping of data contravenes Facebooks policies, spokeswoman Liz Bourgeois said. We have banned Shenzhen Zhenhua Data Technology from our platform and sent a cease and desist letter ordering them to stop, she said. LinkedIn does not permit the use of any software that scrapes or copies information from LinkedIn, spokesperson Billy Huang said. If any violation of our user agreement is uncovered or reported, we investigate and take necessary steps to protect our members' information.

The database also contains a shorter list of 3,767 Canadians who have been assigned a grade of 1, 2 or 3. Those assigned a 1 appear to be people of direct influence, such as mayors, MPs or senior civil servants, while those assigned a 2 are often relatives of people in power, such as Mr. Trudeaus daughter and Ms. Frys son. Those assigned a grade of 3 often have criminal convictions, mostly for economic crimes.

Dozens of current and former MPs dot the list, including new Conservative Party Leader Erin OToole, whose file includes a link to the web page of his official parliamentary profile and, like most, a seven-digit ID number.

Others with files assigned a grade of 1 include senior bureaucrats at the Canadian Nuclear Safety Commission, the Canadian Food Inspection Agency, the Treasury Board, the Transportation Safety Board, Export Development Canada even the Office of the Privacy Commissioner.

The justice system appears to be another focus of the database, which contains entries on judges up to and including current and former members of the Supreme Court of Canada.

Story continues below advertisement

Notable individuals assigned a grade of 3 include former theatre impresario Garth Drabinsky, who was convicted of fraud in 2009, former SNC-Lavalin executive Riadh Ben Aissa, who pleaded guilty to corruption charges in Switzerland before testifying against his superiors in Canada, and Nicola Iammarrone, a former Canada Revenue Agency auditor who pleaded guilty to taking bribes.

It is unclear how often the database is updated, as several names on the list appear to correspond with those of prominent Canadians who have died, in some cases many years ago.

Entries about Canadian criminals feature prominently. The database lists 198 people it says are associated with narcotics, 178 with conspiracy, 162 with fraud and 100 with money laundering. A handful of people are mentioned multiple times, including Gilles Vaillancourt, the former Laval, Que., mayor jailed in 2016 on fraud charges; Amin Mohamed Durrani, jailed after being arrested in the 2006 Toronto anti-terrorism sweep; and Michael Witen, an accountant who was found guilty of defrauding the federal government.

Zhenhua appears to be a company hoovering up open-source intelligence, and one of the things where there is a lot of open-source intelligence is around criminal records and court records, said Garrett Graff, co-author of Dawn of the Code War: Americas Battle Against Russia, China, and the Rising Global Cyber Threat.

According to database timestamps, all of the Canadian entries analyzed by The Globe were collected in mid-to-late 2018.

Data collection on this scale is not without precedent. The internet made collecting massive amounts of general-purpose data infinitely easier, giving rise to data brokers. Today these companies sell datasets ranging from credit-card purchasing histories to cellphone geolocation data, and their clients rely on the information for everything from tailoring advertising campaigns to calculating credit scores.

Story continues below advertisement

But other evidence points to Chinese players attempting to take in large amounts of data. A series of data breaches between 2013 and 2018 attributed to Chinese hackers stole personal information from Marriott hotels, the United States Office of Personnel Management and health insurer Anthem. China routinely denies involvement in hacking.

Each individual collection of data may be of limited value. But when you begin to layer these databases on top of one another, it provides an arguably unparallelled window into human targeting backgrounds, personal motivations, personal weaknesses and provides a roadmap for influencing people, Mr. Graff said.

Zhenhuas data is structured in a way similar to that of Factiva, a research tool from Dow Jones that also catalogues influential people around the world. In fact, the woman at the Zhenhua office likened the companys products to those of Dow Jones and Wind Information, a Chinese provider.

Some foreign software companies are able to obtain content such as videos, text and music from social media posts. What we can do is to get them all at once, she said. The company describes OKIDB as tracking people, institutions, connections and relationships. The people include global leaders and core figures in the fields of military, politics, business, science and technology, media, civil organizations and the like.

Zhenhuas clients are in government, the military, universities and academic institutes, the woman at the company said, adding they can use the companys technology to conduct a more detailed analysis of a certain professor. She said the company is not merely a technology provider, as its employees actively work with customers and are based in cities across China, including Nanjing and Wuhan.

Western intelligence services now estimate that China has collected personally identifiable information on 80 per cent of the U.S. population, said Nicholas Eftimiades, a former senior U.S. intelligence officer and China expert who recently published Chinese Espionage: Operations and Tactics. For a company like Zhenhua, applying artificial intelligence tools to a trove of social-media data can help its customers attain their goals locally, regionally, nationally or commercially, he said.

Youre talking about the ability to influence academics, political leaders ranging from mayors up through senior leaders in a government. Its about influencing them to serve the Chinese Communist Partys desires, their goals.

Online, Zhenhua stresses its military connections. On LinkedIn posts, a senior R&D engineer describes working on a social media cultivation system, and military deployment simulation demonstration system, while a product sales manager discusses mining military customers' business needs for overseas data. A job posting seeks a candidate that can manage sales and focus management systems at the direction of the Party, government, and military.

Zhenhua also lists a series of corporate partners with ties to the security establishment. Wenge Group uses big data and artificial intelligence to aid smart law enforcement. LSSEC Tech provides encryption tools and IT equipment to national security and military customers and has trained its employees to keep secrets on weaponry research. GTCOM sifts social media to spot the development of heated public opinion, equipping authorities to minimize the probability of group incidents. TRS lists the police and the Communist Party as customers for software services that include online relationship mining, a public opinion management system and a crystal ball intelligence analysis platform. CHRTC provides urban governance products to the countrys security apparatus.

Zhenhua itself has been granted 10 software patents, Chinese records show, for systems that include searching global think tanks, monitoring personnel appointments and removals around the world, gathering real-time telecommunications content and social-media account simulation. The latter appears to describe a technology to teach a computerized system to better mimic humans on social media.

The ultimate intent of this sort of thing is to get attention, to stimulate phony online traffic, said Wu Fei, director of the AI Research Centre at Zhejiang University. When people see content that has already received thousands of likes or comments, the majority of which may be created and stimulated by the system they would immediately be interested.

Zhenhua said on its website that its system manages multiple social-media accounts belonging to virtual humans bots. When an assigned task is received, the user can select all social media accounts or part of them to execute the assigned instructions.

Such tools can be used by companies to promote products. But Zhenhua has explained how they could also hold military value.

The company has published extensively on Number 99 Institute, a blog account on the WeChat messaging app. Its articles reveal an interest in the structure and hierarchy of U.S. intelligence agencies, as well as in future forms of conflict. One, which was also posted to the Zhenhua website, describes social media as important tools for hybrid warfare, explaining how the manipulation of public opinion through social media can be a cost-effective and powerful way to prevail in battle. Social media can manipulate reality and weaken a countrys administrative, social, military or economic power, the company wrote. It can also lead to internal conflicts, social polarization and radicalization in a country.

Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the days most important headlines.Sign up today.

See the article here:

Chinese firm amasses trove of open-source data on influential Canadians - The Globe and Mail

If you use or have been following NVIDIA GeForce Now, the cloud gaming platform that delivers PC titles you already own from sources such as Steam and Epic Games to a multitude of devices, the latest development seems to have emerged silently. Spotted by the team at GamingonLinux, users of Linux can now, it seems, access GeForce Now in either Chromium of Google Chrome.

Indeed, previously this tactic involved fudging user agents to make GeForce Now believe you were on a Chromebook, following the launch of the web client for Google's laptops. And it works just fine, I logged in and played some games with no issues on Ubuntu in both browsers. And just to double check, Firefox still shows an incompatible device error.

So, if you've been waiting on Linux support for GeForce Now, definitely go check it out. It also means the platform is usable now on all major desktop operating systems. Mobile access is currently limited to Android.

Along with this bit of good news NVIDIA also added its regular weekly slew of new games to the GeForce Now library, and while it's a smaller week in numbers, the headline act is a big hitter. Earth's Mightiest Heroes join GeForce Now as Marvel's Avengers joins the service, alongside Stick it to the Man, ULTRAKILL and Zero Escape: The Nonary Games.

Other interesting GeForce Now news includes work of Fortnite with RTX enhancements coming to GeForce Now for Founders members in the weeks after it launches on PC. Buyers of a new NVIDIA RTX 30 Series graphics card can also get a year's access to GeForce Now bundled in along with a free copy of Ubisoft's forthcoming title, Watch Dogs: Legion. Not too shabby at all.

Read the original here:

NVIDIA GeForce Now quietly starts working on Linux as the Avengers come to play - Android Central

Microsoft has released a new open-source security tool called Project OneFuzz, a testing framework for Azure that brings together multiple software security testing tools to automate the process of detecting crashes and bugs that could be security issues.

Google's open-source fuzzing bots have helped it detect thousands of bugs in its own software and other open-source software projects. Now Microsoft is releasing its answer to the same challenge for software developers.

Project OneFuzz is available on GitHub under an open-source MIT license like Microsoft's other open-source projects, such as Visual Studio Code, .NET Core and the TypeScript programming language for JavaScript.

SEE: Hiring Kit: Python developer (TechRepublic Premium)

Microsoft describes Project OneFuzz as an "extensible fuzz testing framework for Azure".

Fuzzing essentially involves throwing random code at software until it crashes, potentially revealing security issues but also performance problems.

Google has been a major proponent of the technique, pushing coders and security researchers towards fuzzing utilities and techniques. Its open-source fuzzers include OSS-Fuzz and Cluster Fuzz.

OSS-Fuzz is available for developers to download from GitHub and use on their own code. It's also available as a cloud service for select open-source projects.

Microsoft previously announced that it would replace its existing software testing toolset known as Microsoft Security and Risk Detection with the automated, open-source fuzzing tool.

The Redmond company also says it's solving a different and expensive challenge for all businesses that employ software developers, and gives credit to Google for pioneering the technology.

OneFuzz is the same testing framework Microsoft uses to probe Edge, Windows and other products at the company. It's already helped Microsoft harden Windows 10, according to Microsoft.

"Fuzz testing is a highly effective method for increasing the security and reliability of native code it is the gold standard for finding and removing costly, exploitable security flaws," said Microsoft Security's Justin Campbell, a principal security software engineering lead, and Mike Walker, a senior director, special projects management.

"Traditionally, fuzz testing has been a double-edged sword for developers: mandated by the software-development lifecycle, highly effective in finding actionable flaws, yet very complicated to harness, execute, and extract information from.

"That complexity required dedicated security engineering teams to build and operate fuzz-testing capabilities making it very useful but expensive. Enabling developers to perform fuzz testing shifts the discovery of vulnerabilities to earlier in the development lifecycle and simultaneously frees security engineering teams to pursue proactive work."

As Microsoft notes, "recent advancements in the compiler world, open-sourced in LLVM and pioneered by Google, have transformed the security engineering tasks involved in fuzz testing native code".

SEE: Open-source security: This is why bugs in open-source software have hit a record high

These advances make it cheaper for developers to handle what was once attached and instead bake these processes into continuous build systems, according to Microsoft. This includes crash detection, which was previously attached via tools such as Electric Fence. Now they can be baked in with asan.

It also addresses previously attached tools such as iDNA, Dynamo Rio, and Pin that are now built in with sancov.

"Input harnessing, once accomplished via custom I/O harnesses, can be baked in with libfuzzer's LLVMFuzzerTestOneInput function prototype," Campbell and Walker note.

Microsoft has also been adding experimental support for these features to Visual Studio so that test binaries can be built by a compiler, allowing developers to avoid the need to build them into a continuous integration (CI) or continuous development (CD) pipeline. It also helps developers scale fuzzing workloads in the cloud.

View original post here:
Microsoft: Windows 10 is hardened with these fuzzing security tools now they're open source - ZDNet

Girls on the Run virtual programming will include physical activity and social-emotional learning. (Photo courtesy Girls on the Run)

Girls on the Run of Snohomish County (GOTRSnoCo) has announced the launch of a special virtual fall season.

GOTRSnoCo is a leader in delivering evidence-based, life skills curriculum to girls of all abilities through a program that creatively integrates running and movement. With more than 45 sites across the county, the organization has served more than 1,600 girls since it was founded in 2015. For the 2020 fall season, GOTRSnoCo is offering 100% virtual programming for girls in 3rd-8th grades to accommodate the changing and unpredictable school schedules due to the pandemic. Registration for the eight-week season is now open at http://www.GirlsontheRunSnoCo.org.

Our staff and coaches are ready to bring critical social-emotional programming to girls at a time when they need it the most, said Megan Wolfe, Executive Director of GOTRSnoCo. We have adapted based on the recommendations of local health officials and decisions of local governments and school districts. Our virtual programming makes it possible for girls to stay active and connected despite the pandemic.

Virtual fall programming is delivered by trained coaches in a safe virtual space, with lessons that mirror the in-person Girls on the Run for younger girls or Heart & Sole program for older girls. Virtual programming will include physical activity and social-emotional learning, providing girls with an opportunity to still build meaningful connections with their peers and caring adult role models.

Volunteer coaches will receive the training and materials required to provide girls a safe, trauma-sensitive space to learn valuable life lessons and be active.

Added Wolfe, Together, we will find a way to motivate girls to nurture their physical and emotional health, no matter the circumstances.

Sign Up for Our Daily Edmonds Newsletter

Follow this link:
Girls on the Run of Snohomish County launches virtual fall season - My Edmonds News

Before the shutdown hit New York City museums in March, 70 percent of the Metropolitan Museum of Arts visitors traveled to it from other cities and countries. Now, since the museums August 29 reopening, that number has dwindled to just 20 percent, leading the Met, and institutions across the globe, to grapple for the first time with what it means to run a museum without tourists.

As social distancing shrinks visitor capacities, ticket sales are down and museums are feeling the financial hit. They are also having to retool programming for their newly local audiences.

Before the shutdown, the Met welcomed anywhere from 15,000 visitors to 25,000 (on a peak summer day). Now, capacity is 14,000, and the Met is currently using its timed ticketing system to generate audiences of about 5,000 visitors per day.

With loans and traveling shows curtailed, the museum will be relying heavily on its own collection to create exhibitions, Met director Max Hollein said. Overall, programming will be sharply reduced for the next 17 to 24 months, prompting the museum to explore new juxtapositions and new ways of contextualizing objects in its collection, said Hollein.

The museums current 150th anniversary exhibition, Making the Met 1870-2020, was already in the works long before the current crisis, but its nonetheless a good example of the kind of show that can be done from drawing on the museums own resources.

A view of the Metropolitan Museum of Art in April. Photo by Rob Kim/Getty Images.

We also became more local in the lockdown, Hollein said. Were focusing on what we have to energize and galvanize us in that direction. To that end, the museum is adding a modern spin to its period rooms display that represents a local New York story. Detailsabout the new installation will be revealed in coming months, but, for now, Its time we start to imagine a period room not of the past but of today that can reflect our current time and challenge contemporary issues, Hollein said.

Hollein expects that it could be two to three years before tourism approaches its pre-pandemic levels. The local audience is really the central audience, he said. Its an audience that has grown up with the institution and comes to you again and again. They have a much closer connection because they enjoy and notice constant changes within the institution. Their level of expectation is higher, than, for example, a tourist who comes once every few years.

Two friends in face masks sit in front of Claude Monets paintings at the Metropolitan Museum of Art during its first day open to members since March on August 27, 2020. Photo by Taylor Hill/Getty Images.

It appears the Met has plenty of company on this path. In June, Vastari, a digital platform that helps arts and cultural institutions source individual objects or entire exhibitions from peer institutions and private collectors, conducted a multiple-choice survey with its members about programming strategy through the end of 2021.

The majority of the 50 respondents were art museums, and 26 of them were based in the US. From this cohort, 52 percent replied that they would focus on organizing shows with their own permanent collections. Another 38 percent said budget restrictions would compel them to book only small exhibitions. Among the museums who responded other to the question, the most frequent explanation written in was an intent to focus on their local audiences.

Vastari CEO Bernadine Brcker Wieder told Artnet News that activity on the platform in the months since the survey has reinforced its findings. Although a few major institutions are planning to move ahead with blockbuster shows under the belief that they can still tempt sufficiently largeyet still socially distantcrowds from a newly local pool of potential visitors, others are pivoting to more modular programming: smaller, nimbler shows devised to directly engage the communities in their immediate surroundings.

Rather than hire whole touring exhibitions on Vastari, many institutions are now interested in paying for just a few objects from another museum that they can build a marketing campaign around, says Brcker Wieder. They still get the draw of a big touring show without the cost of a big touring show.

Vastari is even in the midst of changing its policies and capabilities in response. Prior to the shutdown, the platform only allowed member institutions to offer complete exhibitions to other member institutions, while private collectors could offer individual objects for show. But it is now working to give museums the same flexibility to hire out as little as a single work to their peersa practical acknowledgment of the new normals shifting priorities.

Its nottourism versus local, in many cases its audience versus curatorial interest, said Adrian Ellis, founder of AEA Consulting, which tracks spending and strategy in the cultural industries. The financial pressure of the past few months will lead to a more considered approach to programming generally, driven more on balance by considerations of audience than curatorial agendas.

Striking that balance is not exactly a new phenomenon, but Ellis predicts it will likely tip toward market and toward cost consciousness.As a result, small exhibitions that draw more heavily on permanent collections and less on borrowed objects may become more frequent. There will also of course be exhibitions exploring the current momentand our national preoccupations with race and social justice will clearly affect thinking about exhibitions. There will be continuing efforts to broaden audience demographics, he says.

Visitors walk through an exhibition at the newly reopened Whitney Museum. Photo by Angela Weiss/AFP via Getty Images.

Of course the situation is different for each institution. The Whitney Museum, like the Met, says the overwhelming majority of visitors are New Yorkers. The museum reopened with a month of pay-what-you-wish admission to welcome back New Yorkers while engaging and supporting the local community. Notably, it is one of the few museums that has not yet had a major disruption in programming. It was able to keep exhibitions on view that were installed before the shutdown, includingVida Americana: Mexican Muralists Remake American Art, 19251945, Cauleen Smith: Mutualities, and Agnes Pelton: Desert Transcendentalist, as well as its two collection installations which were on view prior to the museums closure.

We kept these shows installed for the duration of the closure so that they would be on view to welcome visitors back following the reopening, said a museum representative, adding that previously planned exhibitions remain on the schedule as well. Our programming has not been impacted by the shift in visitor composition.

Jackson Pollock, Mural (1943). University of Iowa Stanley Museum of Art, Gift of Peggy Guggenheim, 1959.6 2020 The Pollock-Krasner Foundation/Artists Rights Society (ARS), New York.

Another emergent trend in the museum sectors new normal is geographic disparity. The nations disjointed public-health response to the coronavirus has left the most popular institutions on the East Coast in vastly friendlier scenarios than their counterparts on the West Coast.

When the Guggenheim Museum reopens on October 3 with new exhibitions of Jackson Pollocks famedMural(1943) and related sculptures, all of New Yorks flagship arts institutions will once again be operational. Caveats apply, of course. According to a Guggenheim spokesperson, the museum will only accommodate a quarter of its normal capacity, with timed tickets and observance of other safety measures required. The Guggenheim also anticipates a 25 percent year-over-year decline in overall attendance in 2020, meaning the institution would host only about 900,000 total visitors by years end versus roughly 1.2 million in 2019.

The composition of its audience will also change substantially. Annual visitorship at the museum typically breaks down as roughly half international and half domestic, with nearly 40 percent of US visitors (meaning about 20 percent of all visitors) being New Yorkers. Although the museum does not have a projection for how much more of its overall attendance locals will comprise, it is safe to say that this year will deviate from the usual demographic trend.The Guggenheim is adjusting its communications strategy accordingly by featuring content aimed towards New York audiences on its social-media and digital platforms, the spokesperson said.

This approach harmonizes with the one already in practice at the Art Institute of Chicago. Since reopening on July 30, three-quarters of visitors to the encyclopedic museum have been local residents, according to a representative. Normally, this constituency makes up only about 50 percent of attendees. The Art Institute has responded by eliminating advertising targeted to tourists for the time being, as well as shifting the emphasis further toward the Chicago element of the campaigns for its current exhibition Monet and Chicago. The shows layout was also modified during the shutdown to optimize traffic flow through the galleries for a socially distanced world.

While the wildly popular art museums above undoubtedly wish their situations were better, their peer institutions in the west would likely love to have the same problems. The Getty Center and the Getty Villa will not welcome visitors until January 2021, according to a spokesperson. A representative for the Los Angeles County Museum of Art, whose website simply designates the campus as temporarily closed amid the pandemic and its controversial architectural overhaul, declined to comment for this story. Multiple email inquiries to the Museum of Contemporary Art Los Angeles went unanswered; alsotemporarily closed, the institution is scheduled to debut two new major exhibitions in October, but as of publication time, opening dates had yet to be announced.

The atrium of the new Kinder Building at the Museum of Fine Arts, Houston. Photo by Peter Molick, courtesy of MFAH.

To the extent that any institution can operate as it did pre-shutdown, the Museum of Fine Arts, Houston has been remarkably consistent. It reopened to the public a full three months ahead of most New York institutions, on May 23. The date set bymuseum leaders followed three weeks after that set by the states governor for museums to reopen.

Social distancing protocols are in place, including mask requirements, and timed ticket entries, and the museum is currently operating below 25 percent capacity, which is 900 visitors across the 14-acre main campus. A representative said the museum does not expect programming to be impacted as 90 percent of our audience has been and continues to be from the greater Houston area.

One pandemic-related delay is the opening of its newNancy and Rich Kinder Building, now set for November 21, about three weeks delayed. The Kinder Building will present works from the museums international collections of modern and contemporary art, opening with the first comprehensive installation drawn from the collections of Latin American and Latino art.

Still the Houston museums experience remains an outlier at this stage. As the conditions on the ground continue to evolve in the months ahead, the only certainty is that arts institutions will need to keep their creative problem-solving skills sharp. The crisis and its effect on the museum-going public have already forced several of the USs best-attended public collections to reappraise everything from programming, to communications, to operations. And asBrcker Wieder of Vastari sees it, in some cases this soul-searching was overdue.

I grew up in a country with a lot of hurricanes, shesays. After a hurricane, everything is chopped down. Maybe this is time for a spring cleaning in museums.

Continue reading here:
The Local Audience Is the Central Audience: As Tourism Tanks Across the US, Museums Pivot to the Visitors in Their Own Backyards - artnet News

Virus

In the early days of the semiconductor industry, integrated circuits were designed by one or two engineers with slide-rules, hand-drawn on paper, and then given to a lithographer to print onto silicon wafers. As circuits became more complex, blueprints gave way to software. These digitally represented designs were much more than a reproduction of a pencil sketch: productivity, design quality, and communication all improved rapidly thanks to softwares ability to codify desired behaviors into actionable layouts, while also allowing for easy, iterative design improvements.

Today, large teams of engineers design circuits using high-level languages that automate the process, and chip layouts more detailed than a street map of the entire U.S. can be generated automatically. The result has been a revolution in engineering and design, manifesting itself as Moores Law and the Information Age itself.

Today, a similar revolution is happening in biology, most notably in the field of synthetic biology. And comparisons between computer-aided design (CAD) and computer-aided biology (CAB) are hardly accidental.

In recent years, automation has revolutionized how we do biology: driving down the cost of sequencing, facilitating open-source science, and pushing screening and many other processes towards higher throughput. In parallel, this trend has pushed biological experimentation into the realm of big data, where the inherent complexity of biology is finally beginning to be codified in the form of large datasets from increasingly optimized experimentation.

However, the engineering and synthetic biology world has not quite been able to harness and systematize these developments into a sustainable positive feedback loop. Single-factor experiments, such as the one described above, remain the norm because of how this automation has scaled in the form of liquid handling robots or electronic lab notebook technology, for example, but not at the foundational level of expanding and enhancing experiments to enable effective data integration and iterative design which effectively captures the multivariate complexity of biology.

Tim Fell, CEO of Synthace

It takes weeks and weeks to program robots, and its not good for a different combination of factors with a completely different experiment the next day, says Tim Fell, CEO of Synthace and member of the United Kingdoms Synthetic Biology Leadership Council. Its important to look at manufacturing holistically so we simultaneously can bring wonderfully flexible automation to inflexible hardware and enter this new frontier of computer-aided biology.

Synthace is a bioprocess-turned-software company founded in 2011, and it wants to accelerate the inevitable equivalent shift in biology by making high-throughput experiments easy and ubiquitous. For Fell, automating biology and silicon chip production, at their highest levels, are essentially the same thing.

These shifts are both about making the physical digital and the manual automated, he says. Theyre both digital tooling to help these processes along. And its digital tooling we need to leverage tools such as machine learning to unravel biological complexity faster, and with that better insight, to close loops of iterative design, he posits.

The cornerstone of Synthaces engineering biology endeavors is Antha, a cloud-based software platform for automating and improving the success rate, efficiency, and scalability of biological processes by connecting together all the hardware in a lab. Unlike most other platforms that digitize biology, Synthace still has a lab a key differentiating factor that facilitates essential validation of new workflows.

To Fell, this is the key to ensuring everything from easily tweakable out-of-the-box protocols for processes as simple as PCRs (the same technique used for COVID-19 testing) and automated data aggregation creating structured datasets for high-dimensional statistical learning to iterative multifactorial experiments and optimization of protein and gene-based bioprocessing. Our customers dont want software, he explains. They want a biological outcome that produces reliable biological outputs.

This technology is the framework of the companys two white papers: Computer-Aided Biology: The Metadata Responsibility, which highlights the crucial responsibility to define, capture, and combine metadata at the point of creation to facilitate deeper analysis downstream, and Computer-Aided Biology: Delivering biotechnology in the 21st century. This philosophy has not gone unnoticed: Synthaces major partners and customers include Merck, Oxford Biomedica, Dow, Microsoft Station B, Tecan, and Syngenta, with work ranging from vectors for CAR-T cancer therapies to optimization of liquid handling robots.

The value of such a mindset becomes apparent when considering the myriad intertwined pathways that accompany most any biological phenomena there is seldom just one protein involved. Multiple proteins and pathways need to be screened and understood against the backdrop of innumerable other cellular components. That kind of experimental design requires intense scalability and organization.

We can only do this if we codify biological experiments in an unambiguous way, akin to standards of CAD, Fell explains. To do that, you have your examples of what needs to be defined, then you build experimental blocks, and then you pass your parameter set. That gives you the structure and context to be able to use your data downstream.

Synthaces approach has gained notable traction within a variety of communities, drawing on its own team with broadly interdisciplinary skillsets to push the technology forward. Multifactoring [screening beyond just one variable] turns cynics into evangelists in one experiment, Fell remarks. Theres no going back. You need these higher-order interactions to extra true insights.

Judging by the investing team behind Synthace, many agree. Chairman of the Board Bob Widerhold, integrated circuit veteran from Bell Labs and later Cadence, is incredibly optimistic about the future of computer-aided biology. Cadence turned out to be the leader in the [integrated circuit] space and a multi-billion dollar company. I see the exact same scenario playing out 40 years later in biology with the formation of a computer-aided biology industry, and I hope to help Synthace be the Cadence of the Biology industry, he says.

Widerhold sees this change as not only inevitable but also crucial. The same shift that happened in the early '80s in the semiconductor industry, designing every aspect of a microprocessor on a computer to handle increasing complexity, needs to happen in the biology industry, he asserts. I believe this shift will usher in a period of incredible exponential progress in biology and enable biology to reach its full potential to change the world in a very positive way.

Herman Houser, Co-Founder of Amadeus Capital Partners

Hermann Hauser, co-founder of Amadeus Capital Partners with successes including acquisitions by Microsoft, Illumina, and Nvidia, emphatically agrees on biologys potential and the progress needed to make a promising future reality. Synthetic biology is the future of biology, Hauser suggests, but biology needs standardized lab procedures to produce replicable results the way microprocessors standardized instruction sets for programming. This will make it possible to program biology.

These are grand visions of where the engineering biology industry is headed next, but many moving parts will need to mature to realize these visions. Everyone has a part to play in this ecosystem, Fell declares, and ours is in experiment execution. While Synthace hopes to find enthusiastic advocates in other companies to evangelize their overarching missions, the company will continue to drive the field forward and its most basic, foundational level: automating and abstracting biology to scale experimentation into the next frontier.

Subscribe to my weekly synthetic biology newsletter. Thank you to Aishani Aatresh for additional research and reporting in this article. Im the founder of SynBioBeta, and some of the companies that I write about are sponsors of the SynBioBeta 2020 Global Synthetic Biology Summit.

Continued here:
Youve Heard Of Computer-Aided Design. What About Computer-Aided Biology? - Forbes