Cisco is buying internet monitoring solution ThousandEyes

While Cisco wouldn’t say what it plans to pay, the tech giant announced Thursday it plans to buy internet monitoring solution startup ThousandEyes.

The move complements the company’s 2017 $3.7 billion acquisition of AppDynamics and is another clear sign that Cisco is pushing further into software and services. CNBC and other outlets have reported the ThousandEyes acquisition is valued at around $1 billion.

ThousandEyes is backed by several venture capital firms, including Sutter Hill Ventures, Sequoia Capital, and Salesforce Ventures, according to Pitchbook. Its chief executive officer and co-founder Mohit Lad said early discussions with Cisco and AppDynamics could be traced back to early last year.

“In our customer base, we kept running into AppDynamics on the application side and Cisco products on the network side and naturally started having conversations on collaborating with both sides of Cisco to formulate a strong joint vision. It was during these conversations over the last 12 months or so, that the two companies have gotten to know each other and developed a strong sense of mutual respect,” Lad wrote in a blog post. “Cisco’s excitement about what we were doing and how it complements Cisco’s strengths has been evident in every conversation across different parts of the organization.”

Cisco said that the purchase will close before the first quarter of its fiscal year 2021.

Canadian smart padlock maker rapped by Federal Trade Commission

A Canadian maker of smart padlocks has agreed to implement a comprehensive security program and not misrepresent its privacy and security practices under an agreement with the U.S. Federal Trade Commission.

Earlier this month, the FTC gave final approval to a settlement with Tapplock Inc. of Toronto, maker of a fingerprint-enabled padlock sold to enterprises and consumers, related to allegations it falsely claimed that its internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data collected through a mobile app.

Security researchers identified both physical and electronic vulnerabilities with Tapplock’s smart locks, according to the complaint. The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.

Under the settlement, Tapplock is required to implement a comprehensive security program and obtain independent biennial assessments of the program by an assessor that the FTC approves. The company also is prohibited from misrepresenting its privacy and security practices.

The two sides came to an agreement on a settlement of the allegations in April. That needed final approval of the commission.

Under the consent order, Tapplock agreed to not transfer, sell, share, collect, maintain, or store personal information or manufacture or sell devices unless it implements a comprehensive security program that protects the security of devices and the security, confidentiality, and integrity of personal information.

According to its website this week, the company sells two models: the Tapplock one+, described as “Sturdy” and “Secure”, which stores up to 500 fingerprints per lock; and the Tapplock lite, described as having a “strong, lightweight chassis”, which stores up to 100 fingerprints. Bluetooth lets users share remote access.

For organizations that issue and control multiple padlocks, the company offers an enterprise software-based management console allowing an administrator to set custom permissions for users and manage them by groups.  Customers listed on the site include Bombardier, Lufthansa and Foxconn.

The FTC’s background complaint document supporting the consent order says that in 2018 “security researchers identified critical physical and electronic vulnerabilities” with Tapplock smart locks. “Some could be opened within a matter of seconds, simply by unscrewing the back panel.”

One alleged vulnerability in the API could have been exploited to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks. Because the company failed to encrypt the Bluetooth communication between the lock and the app, a second vulnerability could have allowed a bad actor to lock and unlock any nearby Tapplock smart lock. Finally, a third vulnerability prevented users from effectively revoking access to their smart lock once they had provided other users access to that lock.

The second count alleges that Tapplock deceived consumers about its data security practices by falsely representing that it took reasonable precautions and followed industry best practices to protect the personal information provided by consumers.

Tapplock neither admitted nor denied any of the allegations in the complaint other than those stated in the final decision and consent order.

The company didn’t respond to an email request Wednesday for comment.

Surface Laptop 3 15-inch (AMD) review: good, but not outstanding

Nestled within Microsoft’s family of convertible tablet PCs, the Surface Laptop 3 continues to offer a grounded, traditional laptop experience. The new 15-inch display provides a more comfortable viewing experience, and still features Microsoft’s superb build quality, fantastic keyboard, and an excellent display. But as sleek as it may be, the Surface Laptop 3’s conservative feature set is eclipsed by flashy designs from other manufacturers, and its high asking price means its competition is fierce and plentiful. Moreover, its lacklustre battery life (on the AMD models) and skimpy starting storage need improving.
Pros

  • Solid build quality
  • Decent performance
  • Excellent thermal management
  • One of the best laptop keyboards money can buy
  • Factory-calibrated display
  • Magnetic charging port
Cons

  • No front-facing speakers
  • Anemic 128GB starting storage
  • Wonky auto screen brightness adjustment
  • AMD models have subpar battery life
  • Performance discrepancy between Intel and AMD models

Surface Laptop 3 15-inch specifications

| Device | Surface Laptop 3 15-inch | Review model |
|---|---|---|
| Processor | Up to AMD Ryzen 7 3780U or Intel Core i7-1065U for business models | AMD Ryzen 5 3580U |
| Graphics | Radeon Vega 9 (AMD) or Iris Pro (Intel) | AMD Radeon Vega 9 |
| RAM | Up to 32GB DDR4 | 8GB DDR4 |
| Storage | Up to 1TB NVMe SSD | 128GB NVMe SSD |
| Display | 15-inch, 3:2, 2,946 x 1,664p touchscreen with Surface Pen support | 15-inch, 3:2, 2,946 x 1,664p touchscreen with Surface Pen support |
| Battery | N/A | N/A |
| Ports | 1x USB-C, 1x USB-A ports, 1x Surface port, 1x 3.5mm audio jack | 1x USB-C, 1x USB-A ports, 1x Surface port, 1x 3.5mm audio jack |
| Weight | 3.4lbs (1.54kg) | 3.4lbs (1.54kg) |
| Price | Starting at CA$1,599 | CA$1,599 |

Introduction

The Surface Laptop returns for its third iteration. This time around, Microsoft has added a bigger display, removed the fabric covers from the wristrest, and sourced processors from both Intel and AMD.

The AMD processors in Microsoft’s Surface Laptop 3s are specifically optimized for these devices. With that said, having more options means more confusion for the buyer, a confusion we should address before we dig into the review.

Microsoft only uses AMD processors (the Ryzen 5 3580U and the Ryzen 7 3780U) for its consumer Surface Laptop 3 15-inch models. The consumer 13-inch variant, as well as business 13-inch and 15-inch models, all use Intel’s 10th-gen Ice Lake mobile processors.

For its 13-inch and business customers, Microsoft exclusively uses the Intel Core i5-1035G7 or the Core i7-1065G7 processors. Intel variants cost CA$170 more than AMD models at the same RAM and storage capacities. Microsoft doesn’t offer the Intel-based Surface Laptop 3 15-inch on its consumer product page; it can be purchased through its business website.

Our review model features the AMD Ryzen 5 3580U processor, 8GB of RAM, and 128GB of storage.

Design


The only glossy component on the Surface Laptop 3’s metal body is its Microsoft logo. Weighing in at 3.4lbs, the Surface Laptop 3 won’t break your back, although you may want to opt for the 13-inch model if portability is a key concern.

From the lid to the base, the Surface Laptop 3 features sharply chiselled lines for a stoic look.

Coming with a single USB-A and a USB-C port, you’ll need to buy adapters or the Surface Dock if you have multiple devices or need to connect to Ethernet.

Only a charging connector sits on the right edge. The connector latches onto the device magnetically so it won’t yank your laptop off the table if someone trips over the cable. This is also where the Surface Dock connects.

A large keyboard and glass trackpad populate the interior. Although the Surface Laptop 3 omits a number pad, it allows the keyboard to sit in the center, orienting the typists directly in front of the screen. Microsoft now offers Surface Laptop 3s without the Alcantara fabric materials and instead exposes the raw metal for the palm rest. It’s a shame that even with ample room on the side, Microsoft has not installed upward-facing speakers.

Display

The Surface Laptop 15 sports a 15-inch IPS 2,946 x 1,664p touchscreen. Its 3:2 aspect ratio affords more vertical space for viewing pages and documents.

With a Spyder 5 Pro colorimeter, I measured the display to cover 98 per cent of the sRGB colour gamut, enough for editing pictures for the web. Although it doesn’t support HDR, it did reach an impressive peak brightness of 398 nits, bright enough to fend off glare against bright overhead lights. In addition, all Surface displays are factory-calibrated for supreme colour accuracy.

While the screen is eye-candy, the neurotic ambient light sensor got on my nerves. Under a consistent office room lighting condition, the display brightness would randomly ramp up and down. I’m sure this can be addressed through a software update, but the fix doesn’t seem to be present in the latest version of Windows 10 Home (as of May 26, 2020).

Like all Surface devices, the Microsoft Surface Laptop 15 supports the Surface Pen. Because the display doesn’t fold 360-degrees, the pen is more suited to making quick annotations as opposed to sketching.

Performance

As mentioned, Microsoft decided to source both AMD and Intel processors for the Surface Laptop 3. The 15-inch model features either a 4-core / 8-thread Ryzen 5 3580U or Ryzen 7 3780U Surface Edition processor, earning their names from Microsoft’s partnership with AMD to optimize these chips specifically for the Surface Laptops.

Both the Ryzen 5 and Ryzen 7 processors use integrated graphics based on AMD’s Vega architecture.

AMD hasn’t had a significant presence in mobile platforms for years. Frankly, I don’t remember ever seeing an AMD processor in a flagship laptop before 2018. AMD’s return was made possible by a cohort of factors, including Intel’s processor supply constraint and the increasingly competitive performance of AMD’s Ryzen processors.

Cinebench R20

Maxon’s Cinebench benchmark measures a processor’s performance using the Cinema4D’s rendering engine. The test measures single and multi-threaded performance.

Our model with the Ryzen 5 3580U processor produced 1231 points in multi-core performance and 369 in single-core performance. It trails behind the Intel Core i7-1065G7 in the LG gram 17, but its real competitor is the Intel Core i5-1035G7. Unfortunately, we were unable to obtain a laptop using that processor for benchmarking.

UL PCMark 10

PCMark 10 tests a system’s overall performance, not just the processor. Its benchmark suite simulates real-world workloads in spreadsheet processing, word editing, web browsing, video playback, and content creation.


A score of 3848 once again lags behind the LG gram 17 and its Intel Core i7-1065G7 in the Essentials (8820) and Productivity (6869) suites. Interestingly, the Surface Laptop 3 was able to best the LG gram 17 in Digital content creation (3285) thanks in part to its beefy integrated Vega graphics.

Geekbench 4

Geekbench puts the processor through a mix of workload intensities and spits out a score based on the combined total. These include basic arithmetic, image compression, and web processing. It’s a quick and easy benchmark for measuring a processor’s burst performance.

The Ryzen processor was demolished by the Intel Core i7-1065G7. The Intel chip scored 5663 and 14985 in single and multi-core performance respectively.

Storage

CrystalDiskMark paints a snapshot of the disk drive’s performance at varying queue depths and thread count. The most important metric to a consumer mobile device is sequential and random access speeds at low queue depth and low thread count.

It sucks that a laptop in 2020 still starts with just 128GB of storage. Nevertheless, the Surface Laptop 3’s SSD is not slow by any means, scoring nearly 2GB/s and 31MB/s in sequential and random reads respectively.

Experience

Synthetic benchmarks are great at slotting a device on a hierarchy, but experience is where it counts.

Despite what the benchmarks show, even the lowest-end Surface Laptop 3 is blazing fast in everyday productivity.  It easily handled writing, emails, and general multitasking in applications like Google Chrome, PDFs, Outlook, and various business communication tools like Zoom and Cisco Webex Teams. It also competently handled light editing of RAW image files in Adobe Lightroom. Applying spot removal, cropping, and applying distortion transformation were all very speedy.

Battery life

This is where the Ryzen mobile processor falls short. My AMD-equipped model struggled to reach a full day of productivity, often hitting power-saving mode at around the 7-hour mark. My day-to-day work includes using browser-based applications like the Google suite, watching web conferences, attending remote meetings, and manipulating images.

Keyboard and trackpad

Microsoft’s excellent keyboard returns on the Surface Laptop 3. The large keycaps have a grippy, powder-like finish that prevents fingerprints from accumulating too quickly. Key actuation is soft, quiet, yet very tactile. I had no problem transitioning from my mechanical keyboard to working on the Surface Laptop 3 all day. The keys are backlit with white backlights, making key searching in the dark a thing of the past.

The glass trackpad is spacious and exceptionally smooth as well. Microsoft has seriously improved its trackpad’s accuracy and reliability over the years. The large slab of glass has a velvety-smooth finish that resembles marble.

Compared to the Surface Pro convertible tablet PCs, I much prefer the one on the Surface Laptop 3 due to its solid base. Its rigidity and weight eliminate keyboard wobble and make it easier to rest on my lap.

Thermal, noise and throttling

Long story short, the Surface Laptop demonstrated excellent thermal management, surely due to a robust cooler and processor optimization efforts.

In AIDA64 Extreme’s CPU stress test with the FPU and cache options enabled, the Surface Laptop 3 barely broke 45 degrees after 15 minutes. The temperature was so low that I had initially thought a faulty temperature probe was misreporting the results. My infrared thermometer showed that the bottom of the laptop reached around 40 degrees, proving that the internal temperature readings weren’t far off.

As robust as the cooling solution is, it couldn’t totally channel heat away from the keyboard. The top left quadrant of the keyboard was uncomfortably hot when the laptop was under sustained load during a major Windows update, and was also bothersome when I edited photos in Adobe Lightroom.

Low temperatures mean more than just less throttling. They also prevent the laptop from turning your legs into roast. In addition, heat poses a threat to the battery’s longevity.

Despite its tepid load temperatures, the processor’s clock speed still had to throttle from the advertised 3.7GHz boost frequency. At 45C, the Ryzen 5 3580U bounced between 3GHz and 3.4GHz on all cores.

When running day-to-day workloads like web browsing, video streaming, and word processing, the fans are completely inaudible. It’s only during heavy sustained workloads such as batch exports in Lightroom that it starts to whine. Even then, it’s far from annoying.

Conclusion

There’s much to love about the Surface Laptop 3. From the solid, premium aluminum build to the brilliant keyboard and picture-perfect display, the Surface Laptop 3 15 has all the marks of a brilliant business device. The USB-C and USB-A ports are enough to juggle multiple devices without a hub most of the time, although an extra USB-C port on the 15-inch model won’t hurt.

Most of the Surface Laptop 3’s flaws–like the annoying screen brightness issue–can be addressed through software updates. With that said, its base storage needs to be upgraded from 128GB to 256GB. Also, its battery life may struggle to last a single day. This seems like a problem specific to AMD models; other reviews indicate that Intel variants sport a much longer battery life.

Performance-wise, AMD’s new chips proved that it’s capable of keeping pace with Intel’s last-generation i7 mobile processors. It’s regrettable that we aren’t able to test out Intel-based models with similar configurations.

It will be interesting to see if Microsoft will continue to source processors from AMD for its next Surface Laptop refresh. At the time of writing, AMD’s new Ryzen 4000 series mobile processors are showing promising performance and efficiency improvements, earning their position in a variety of business designs like the HP ProBook.

Microsoft Reunion makes Windows devwork a little easier

At the Build 2020 conference, Microsoft announced Project Reunion, rolling its Windows desktop API and the Universal Windows Platform (UWP) into a single package.

In its developer blog post, Microsoft defined four focus areas for app development in the coming years:

  • Unify app development across the billion Windows 10 devices for all current and future apps;
  • Leaning into the cloud and enabling new scenarios for Windows apps;
  • Creating new opportunities for developers to build connected apps using Microsoft 365 integration in the Windows experience; and
  • Making Windows great for developer productivity.

Project Reunion plays into the first point. It combines desktop app libraries and UWP libraries, giving them the ability to communicate with and control elements within each other. This unification enables developers to more easily create apps with better interoperability across device types. In addition, it lets developers update existing applications with new functions.

Microsoft introduced the Universal Windows Platform (UWP) in 2016 to attract developers to the then-barren Windows Store. The main goal back then was to provide a common app platform on every device that runs Windows 10. To achieve this goal, Microsoft introduced a common UWP core API that’s identical across Windows 10 devices such as desktop, Xbox, IoT, and so on. Cross API compatibility is achieved through API bridges that translate UWP API calls to apps built on Android and iOS.

Win32, on the other hand, is a Windows API that exposes Windows components (Windows shell, user interface, network services and so forth) to the developer. Nearly all Windows desktop applications use Win32 to some extent.

In recent years, Microsoft has been working to add UWP into platforms that were previously incompatible. That effort eventually led to Project Reunion, finally melding the two together into a decoupled API that can be acquired through platform-agnostic package managers like NuGet.

Huawei chairman says ‘survival is the keyword’ for the company right now

As U.S. sanctions against Huawei continue, the company is feeling the pain. At its 17th annual Global Analyst Summit this week, rotating chairman Guo Ping said, “Over the past year, many technologies became unavailable to us. Despite this, Huawei struggled to survive and is striving to move forward.”

In a statement released at the beginning of the two-day hybrid (onsite and online) event, Huawei strongly condemned the most recent U.S. actions restricting its ability to use U.S. technology and software in its semiconductor design and manufacturing, calling the decision “arbitrary and pernicious”, and saying it threatens to undermine the entire industry worldwide.

“This decision by the U.S. government does not just affect Huawei. It will have a serious impact on a wide number of global industries. In the long run, this will damage the trust and collaboration within the global semiconductor industry which many industries depend on, increasing conflict and loss within these industries,” the statement said.

Furthermore, it accused the U.S. of leveraging its own technological strengths to “crush companies outside its own borders”, noting, “This will only serve to undermine the trust international companies place in U.S. technology and supply chains. Ultimately, this will harm U.S. interests.”

Aaron Shum, senior director and practice lead, security, risk, and compliance at Info-Tech Research Group, remains skeptical about the U.S.’s claims about Huawei technology.

“Obviously the public position against China is tied to concerns about national security.  However, the U.S. has yet to produce hard evidence demonstrating Huawei technology compromising government data,” noted Shum. “These attacks result in a split between U.S. and its allies and the rest of the world in 5G development, though some U.S. allies such as the UK have chosen to allow Huawei into non-core 5G networks.  In Canada, the country’s delayed response in its decision on 5G, combined with U.S. influence on deprioritizing Huawei, will no doubt increase the cost of our deployment while limiting the available options to just two vendors.  Historically, at least Telus has disclosed the use of Huawei equipment.  Interestingly, Telus announced intent to use Huawei technologies for 5G earlier this year.”

During his keynote, Guo Ping said that to mitigate the impact of the entity listing, Huawei has significantly increased its research and development investments and expanded its inventory.

“Fixing the holes has been our focus,” he said. Over the past year, the company invested over 15,000 man-years to ensure its ICT business continuity, rewriting 16 million lines of code, and redeveloping more than 1800 circuit boards. As well, its procurement department reviewed over 16,000 part numbers.

“Such heavy investments have enabled Huawei to survive under the entity list,” he noted. “Our business has not been disrupted, our supply, our cooperation with partners, and our customer services have not been disrupted.”

He then pivoted to discuss the need for unified global standards, pointing out that since the 2G days, U.S. carriers adopted competing standards while Europe’s have been unified, allowing its carriers to establish global operations while European equipment providers have remained competitive.

“I remember talking to a country leader last year. And he said to me, ‘I will build two clouds from different countries, as long as they don’t cause trouble at the same time, we are in good shape,’” Guo Ping said. “I believe that many customers would agree with him. More companies may do what we are doing, diversifying globalized supply chains to ensure business continuity. The lesson here is that unified standards are of vital importance to industry development.”

But, he went on, with foundations of trust and global collaboration under attack, the U.S. moves against tech companies in other countries will shake countries’ confidence in American technology.

“Given the changes in the industry over the past year, it’s dawned on us more clearly that fragmented standards and supply chains benefit no one,” he went on. “If further fragmentation were to take place, the whole industry would pay a terrible price.”

He said he is confident the company will find a solution to the current situation soon; for now, “Survival is the keyword for us at present.”

Huawei Analyst Summit 2020: China’s telemedicine hinges on its 5G development

As 5G deployment plods along in Canada, the next-generation wireless standard has already been adopted by healthcare practitioners in China. At the Huawei Global Analyst Summit 2020, Dr. Lu QingJun, director at China-Japan Friendship Hospital and a full-time remote healthcare practitioner, shared his thoughts on the impact of the higher quality networks on hospitals of the future.

Lu gave a personal example by describing one of his previous remote cases at a primary care hospital. In his scenario, the patient had to wait for 25 hours to receive a consultation, due in large part to the 12GB of data that had to be sent over the network. Lu said that with 5G, that time can be cut to just “dozens of minutes”. The dataset is amplified for patients who need multiple tests, such as CT scans and electrocardiograms.

Future health care’s success will be intertwined with network quality.

When describing telemedicine, Lu predicted that data, technology, and intelligence will become inseparable from healthcare. Although the course has been set, Lu also noted the perpetual battle to improve privacy and secure data transmission, all of which require new infrastructure for the intelligent hospital.

“We’ve always said that it’s not necessary to replace 4G with 5G in all cases, so we need to identify those cases where only 5G is able to support,” said Lu, noting that the introduction of technology built on 5G should not impede the efficiency of existing workflows.

The conversation then naturally leads to whether existing technologies like fibre internet could fill these roles.

“Hospitals already have fibre access, so do we actually need 5G?” Lu asked rhetorically. “You only say that because you don’t understand 5G … we need mobility, but not only that, we need to upgrade our equipment and currently our equipment is wired.”

During the presentation, Lu credited telemedicine in China’s battle against the COVID-19 pandemic.

Network infrastructures will be the backbone to facilitate new communication demands. Thus, its development needs to keep pace with the ICT industry. Because telemedicine is still relatively new, the industry needs to generate new scenarios as testbeds for these newer technologies, Lu explained. These new use cases, whether they’re generated naturally by demand or synthetically, will help push along the development of these new technologies.

For example, 5G’s massive bandwidth improvements could remove the bottleneck present in real-time communication and medical imaging. Increased bandwidth enables more immediate, higher quality remote checkups. It could also simplify the diagnostic process by enabling services like real-time remote full-body scanning, a procedure that generates large image files.

4G’s high latency, unreliability and error rate present challenges in realising telemedicine’s true potential. These issues could be solved by migrating to 5G.

Another factor that affects performance is latency. The ITU-R defined Ultra-Reliable Low Latency Communications (URLLC) as one of 5G’s main applications. In a highly-technical and mission-critical application like healthcare, low latency is a key concern.

“The 4G technologies are not enough to meet our needs,” Lu pointed out. “In the past, we compressed the data to make it fit into the smaller pipe. And the 4G latency was not acceptable. For 5G, the latency is very low. It’s almost a real-time so the doctors can get real-time data transfer to provide better services to the patients, especially when we talk about the complex and difficult.”

He specified remote monitoring, remote analysis, remote robotics, and remote visit as crucial areas of focus. He said that while doctors understand the benefits of remote practices, vendors are not yet prepared to manufacture this equipment due to inadequate certification and qualifications.

There are more than 13,000 secondary–or specialist–hospitals in China, and adding telemedicine capabilities to them all would incur significant cost. With that said, developing remote healthcare also stimulates new business opportunities for carriers.

Moreover, Lu said that the entire network stack (the slices, transport network and edge computing) could all benefit from being supported by 5G technologies. The benefit isn’t limited to telemedicine but extends to the communication industry as a whole.

In addition, 5G could help to streamline a hospital’s logistic operations like payment. China’s mobile payment system is the most established in the world by far. In 2019, over 81 per cent of the country’s smartphone owners frequently pay through proximity mobile systems such as QR codes. But while China’s digital commerce is being developed at an explosive pace, hospitals of the future will demand more robust transaction support.

“We need to have innovation in the healthcare service provision,” said Lu. “And we also need to have some payment assurance like basic medical insurance, commercial insurance, and also some banking services support. And that has high requirements on computing, on storage and on data processing. These requirements will only be satisfied by adding new ICT technologies.”

Attackers still exploiting old vulnerabilities, says NTT report

Failure to patch old vulnerabilities is still a leading cause of breaches of security controls, says a new report.

In its annual Global Threat Intelligence Report released this week, global services company NTT Ltd. said threat actors continue to focus on vulnerabilities that are several years old with apparent success.

“In our first report [seven years ago] we mentioned one of the problems is vulnerabilities 10 years or older represent 22 per cent of all breaches in our client base,” Matthew Gyde, CEO of NTT Ltd.’s security division, noted in an interview.

“While that’s got a little bit better, many organizations are still not maintaining their systems to prevent people from going after old vulnerabilities … Old school attacks are still strong.”

The report, which uses data from the company’s customers collected between October 2018 and September 2019, noted that during the period organizations continued to experience high levels of malicious scanning focused on identifying the six-year-old Shellshock (CVE-2014-6271) vulnerabilities. Continued attacks against vulnerabilities such as the six-year-old HeartBleed (CVE-2014-0160) helped make OpenSSL the second most targeted software technology with 19 per cent of hostile activity globally. Seventeen vulnerabilities in OpenSSL identified in the last two years contributed to a constant focus of attacks against vulnerable implementations.

Ironically, response to the current COVID-19 pandemic may change that, Gyde said, as CIOs shift from on-premise to cloud-based applications, which get regular updates from their developers.

NTT Ltd. is a subsidiary of Japanese telecom giant NTT Corp., which includes such well-known units as Dimension Data and White Hat Security. NTT Ltd. operates in 31 countries outside of Japan. It has a staff of 60 in Canada, including 12 focusing on cybersecurity solutions.

The finding that threat actors continue to leverage old vulnerabilities in 2019 was one of six trends identified in the 73-page report. Others include the increased use of machine learning and artificial intelligence tools by threat actors to automate attacks; the weaponization of infected Internet of Things devices; increased attacks on content management systems; the tightening by governments and regulators of governance and privacy laws; and the increasing targeting by attackers of technology firms and governments.

The attack data indicates that over half (55 per cent) of all attacks in the study period were a combination of web-application and application-specific attacks, up from 32 per cent the year before. Twenty per cent of attacks targeted CMS suites and more than 28 per cent targeted technologies that support websites. Organizations that are relying more on their web presence during COVID-19, such as customer portals, retail sites, and supported web applications, risk exposing themselves through systems and applications that cybercriminals are already targeting heavily.

The trends analysis is broken down geographically and by five industry sectors.

Among the recommendations for IT leaders:

  • Mature your organization’s approach to be secure by design. Understanding your organization’s goals, identifying acceptable risk, and building cyber-resilient capabilities are essential to navigating the threat landscape. An entire section of the report deals with cyber-resiliency.
  • Pursue intelligence-driven cybersecurity. Cybersecurity and business leadership must change the way they think and apply security, and must transform from a reactive mindset, to a more effective, proactive, intelligence-driven approach.
  • Monitor the threat environment. Leveraging intelligent cybersecurity to guide decisions, support business agility, and maintain an acceptable risk level for the organization is essential to success.
  • Focus on standardization of controls. Cybersecurity defenders should focus on leveraging standards, knowledgebases, and frameworks such as the MITRE ATT&CK and NIST Cybersecurity Framework. These will help organizations mitigate risks and provide excellent information to help organizations assess organizational risk.

The report can be downloaded here. Registration required.

AMD 400 series motherboards to support ‘Zen 3’ processors

After receiving waves of backlash from its users, AMD announced support for its upcoming processors based on the Zen 3 microarchitecture for the X470 and B450 series motherboards, retracting an earlier decision to omit these platforms for these future products.

In a Reddit thread, AMD said that it’s working with motherboard partners to develop basic input-output systems (BIOS) versions that would enable support for Zen 3 processors on X470 and B450 motherboards.

Once flashed onto the motherboard, the new BIOS would disable support for older generation Ryzen processors to free up space for new BIOS codes. The upgrade is one-way, meaning that users cannot revert back to an older BIOS version once the upgrade is complete. To avoid a “no-boot” situation, users would need to provide proof that they’ve purchased a Zen 3 desktop processor and a 400 series motherboard before they can download the BIOS.

Earlier this month, AMD published a blog post announcing that the fourth generation Ryzen processors would not be compatible with 400 series motherboards despite using the same AM4 socket. The company had previously promised to support the AM4 socket “until 2020”, but never specified an exact date for its retirement.

In the initial blog post, AMD cited BIOS size constraints as the limiting factor. The blog post explained that at a maximum of 16MB, the read-only memory (ROM) used to store the BIOS is too small to hold the code necessary to support the new processors.

The hardware community immediately criticized the move. Users who had hoped to upgrade in the future were especially vocal. Because AMD delayed its affordable mainstream B550 motherboard chipset, many new entrants to AMD had to purchase 400 series motherboards as it’s the most affordable entry point to the platform. In addition, many blamed AMD for failing to communicate that new processor support would be a feature for 500 motherboards and that it would have affected their purchasing decision.

Furthermore, many dismissed AMD’s reasonings and argued that motherboard manufacturers could simply add more ROM. Others called for the company to trim support for older processors to make room for the new codes.

AMD noted that the availability of the new BIOS will vary and may not coincide with the Zen 3 processor launch.

Three factors involved in the bulk of data breaches: Verizon

Credential theft, social engineering attacks (including phishing and business email compromise) and human errors were involved in just over two-thirds of almost 4,000 data breaches around the world last year, according to the 13th annual Verizon Data Breach Investigations Report.

“These tactics prove effective for attackers,” say the report’s authors, “so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts.”

The 130-page report released this morning aims at giving CISOs a better understanding of the varied threats they face not only generally but in regions and across several industries. This year’s report looks at 16 verticals.

Written in a slightly cheeky style and chock full of statistics, the report uses data from 81 partners (ranging from IT vendors to the U.S. Secret Service) to analyze 32,000 incidents (events that compromise the integrity, confidentiality or availability of an information asset) and 3,950 data breaches (confirmed disclosures of data).

Among the highlights (or lowlights):

  • Hacking (defined as an attack using stolen credentials, exploiting vulnerabilities or using back doors) was involved in 45 per cent of breaches; 22 per cent involved attacks through social media (including email); 22 per cent involved malware. Also, employee errors were causal events in 17 per cent of breaches, while eight per cent involved the misuse of data by authorized users.
  • Ransomware accounted for 27 per cent of malware incidents (and it was higher in some verticals like government and higher education).
  • Web application attacks doubled from 2018 to 43 per cent of all breaches.
  • Internal-error-related breaches almost doubled from 2018 (881, versus last year’s 424). However, report authors believe this increase is likely due to improved reporting requirements because of new legislation and changes in existing law rather than insiders making more frequent mistakes.

There is some good news:

  • Security tools are getting better at blocking common malware. Data shows that Trojan-type malware peaked at just under half of all breaches in 2016 and has since dropped to only 6.5 per cent. Malware sampling indicates that 45 per cent of malware is either droppers, backdoors or keyloggers. “Although this kind of threat is still plentiful, much of it is being blocked successfully,” say the authors.
  • Less than five per cent of breaches involved the exploitation of a vulnerability. “In our dataset, we do not see attackers attempting these kinds of attacks that often; only 2.5 per cent of security information and event management (SIEM) events involved exploiting a vulnerability. This finding suggests that most organizations are doing a good job at patching,” says the report. However, it adds, while patching does seem to be working, poor asset management can hide big problems. “Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defences.”

Finally, for those CISOs worried about insiders, keep it in perspective: The report’s numbers continue a historical trend showing that insiders account for about 24 per cent of breaches — and a lot of times that’s a user error (losing a laptop, misconfigurations).

“What continues to frustrate people like me is email phishing,” commented report co-author John Loveland in an interview. “We all know that it’s problematic, we all know we shouldn’t be clicking on [links in] emails, but there continue to be click-throughs.”

All that’s needed is one person to click on a malicious link for an attack to start, he noted, “but in this day and age with all the attention around phishing and the technologies that are used to intercept phishing emails it’s still a soft-side of security.”

“We as an industry have to get better at removing the human factor out of that exploit, not only from a training perspective but also from a technology perspective… because that is the primary attack vector. That’s an ongoing frustration every year for me.”

Most worthwhile security controls

Finally, the report points to eight controls the data suggests will be worthwhile for most organizations to tighten their security posture. (The numbers in brackets correspond to the Center for Internet Security Critical Security Controls):

  • Continuous vulnerability management (CSC 3). Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfiguration.
  • Secure configurations (CSC 5, CSC 11). Ensure and verify that systems are configured with only the services and access needed to achieve their function.
  • Email and Web Browser Protection (CSC 7). Lock down browsers and email clients to give your users a fighting chance.
  • Limitation and Control of Network Ports, Protocols and Services (CSC 9). Understand what services and ports should be exposed on your systems, and limit access to those.
  • Boundary Protection (CSC 12). Go beyond firewalls to consider things like network monitoring, proxies and multifactor authentication.
  • Data Protection (CSC 13). Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email providers.
  • Account Monitoring (CSC 16). Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multifactor authentication also fits in this category.
  • Implement a Security Awareness and Training Program (CSC 17).

Download the full report here. Registration required.

Fake Canada website among many using COVID-19 relief offers to phish for credentials

With governments around the world making billions of dollars available for COVID-19 financial relief, criminals are making every effort to take advantage. That includes building phony official coronavirus relief templates for websites to trick victims into giving up sensitive personal information.

Among the sites discovered by security vendor Proofpoint are bilingual Government of Canada pages that attempt to get credentials from victims in either English or French. The news is part of a blog released Friday that also details phishing financial relief pages for the U.S. Internal Revenue Service, the U.K. Revenue and Customs and the official registration site for France.

 

Screenshot by Proofpoint of fake Canada COVID-19 relief page

The goal of the Canadian site is to capture social insurance numbers, which are valuable for creating fake IDs.

“This spoof is noteworthy because while it copies the behaviour of the Canadian government website effectively, it does not match the look and feel of the current Canadian government website,” Proofpoint notes. “The malicious template correctly copies the name of Canada’s revenue ministry in English and French, Canada Revenue Agency and Agence du revenu du Canada respectively. However, the layout, colours, and branding of the malicious template do not match that of the legitimate Canadian government website.”

Fake websites would be created for people doing internet searches for financial relief programs. They would also be the landing pages for links in mass email and text campaigns previously outlined in our Cyber Security Today podcasts.

Proofpoint screenshot of fake UK COVID-19 relief page

Proofpoint says it’s found more than 300 different COVID-19 campaigns since January across nearly every industry it tracks. The creators include well-known, established threat actor groups and unknown individuals.

Creation of COVID-19 phishing landing pages increased sharply in early March, peaking around the beginning of April and then sharply dropping off, says the blog. That plunge probably is caused by a combination of saturation for COVID-19 payment theme phishing templates and a move towards other COVID-19 themes as many one-time payments were disbursed, Proofpoint believes.

“It’s clear threat actors follow trends closely,” the blog adds. “We’ve seen throughout the COVID-19 situation how threat actors have followed the news and adapted their themes to match the unfolding public narrative. The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their malware and credential phishing attacks.”

 

Intel releases 10th gen vPro processors for businesses

Intel recently released its 10th gen vPro desktop and mobile processors for businesses, bringing a bevy of management and security features along with improved performance.

In total, Intel launched 27 SKUs across its mobile and desktop Core i5, Core i7, and Xeon ranges. All announced processors are based on the Comet Lake architecture instead of Ice Lake. Interestingly, several vPro processors have unlocked multipliers for overclocking, as denoted by their “K” suffix. While overclocking capabilities are interesting for enthusiasts, business owners care little for them. They favour a product’s consistency and reliability over tunable performance.

Intel’s vPro platform is a portfolio of both quality assurance and hardware features. vPro-certified processors have higher quality, carry hardware security features for low-level protection and more robust remote management. They also undergo a rigorous validation process to ensure that they’re compatible with new technologies. The vPro platform also sets criteria outside of the processor by requiring specific chipset and high-end memory I/O components like Optane memory.

Intel vPro features list

Intel’s 10th gen vPro processors also bring implications for Project Athena, Intel’s new standard for mobile laptops. Previously, Athena-certified business laptops like the HP Elite Dragonfly had to rely on Intel’s 8th gen vPro processors. The release of the 10th gen vPro processors will replace them in future Athena business laptop designs.

Intel 10th gen vPro desktop processors
Intel 10th gen vPro mobile processors

 

Intel 10th gen vPro processors will be coming to products from HP, Dell and Lenovo among others.

Nvidia GTC 2020: Ampere is here, meet the EGX A100 accelerator

During the Nvidia GPU Technology Conference today, Nvidia CEO Jensen Huang revealed the Nvidia EGX A100 converged accelerator powered by the company’s next-generation Ampere graphics processing unit (GPU) architecture.

Though the Ampere GPU architecture is still shrouded in mystery, it has been confirmed that it will be built using TSMC’s 7nm transistors. Ampere is considered to be a major architectural redesign from the current Volta architecture. 

Ampere’s first product, the A100, will strictly target heavy workstation workloads such as simulation, rendering, machine learning, and cloud virtualization. The particular GPU on the A100 consists of 54 billion transistors and new features such as a new security engine and third-gen Tensor cores with new Floating Point 32 precision. The A100 also integrates the Nvidia Mellanox ConnectX-6 Dx network adapter onboard.

Nvidia EGX Edge AI software stack

“By installing the EGX into a standard x86 server, you turn it into a hyper-converged, secure, cloud-native, AI powerhouse, it’s basically an entire cloud data centre in one box,” said Huang.

Complementing the EGX A100 is Nvidia’s EGX cloud-native AI platform with a focus on remote management and secure data processing.

The A100 is also designed with scalability in mind. With the multi-instance GPU (MIG) feature, a single A100 can be partitioned into up to seven independent GPUs, each with its own dedicated resources. Or, several A100 servers can act as a single GPU by connecting through Nvidia’s NVLink.

On its product page, Nvidia claims that the A100 can deliver up to six times higher performance for training and seven times higher performance for inference compared to Volta, Nvidia’s previous architecture.

The Nvidia EGX A100 is in full production and shipping to customers worldwide. Expected system integrators include Amazon Web Services (AWS), Cisco, Dell Technologies, Google Cloud, Microsoft Azure among others. More details on the Ampere architecture will be revealed on Tuesday, May 19, at Nvidia’s GTC virtual event.

Surveys show conflicting support by Canadians for COVID-19 tracing app

Canadian governments are planning to approve COVID-19 mobile contact tracing apps to help health authorities track the spread of the infectious disease. However, two recent surveys offer conflicting numbers on whether residents here want the apps to be voluntary or mandatory.

The issue is crucial: Health experts say wide adoption of an app — perhaps as much as 50 per cent of the population — is needed for it to be useful.

In the most recent survey, released this morning by KPMG Canada, 55 per cent of respondents said digital contact tracing should be voluntary, citing privacy concerns and potential abuse of civil liberties. Two-thirds of respondents said they wouldn’t download such an app, calling it still “too invasive.”

Yet 57 per cent of respondents don’t believe such an app would be effective unless it is mandatory.

On the other hand, a survey commissioned by three Canadian Senators released last week found 65 per cent of respondents support the mandatory use of contact tracing apps.

However, in an interview one of those senators acknowledged the question on mandatory/voluntary adoption may not have been neutral. And Canadian privacy expert Ann Cavoukian said the Senate survey question “has no validity.” (See below for more detail)

Most privacy experts around the world say COVID contact tracing apps must be voluntary to get widespread adoption. That’s the position of federal and provincial privacy commissioners as part of a statement of principles they urge governments here follow on tracing apps. Alberta, the first Canadian jurisdiction to release an app, has made its adoption voluntary. But some privacy experts worry that if adoption is low a government will be tempted to make it mandatory.

Despite Alberta jumping the gun, federal and provincial officials are looking at about a dozen proposed apps for approval.

Related:

Skepticism from a Canadian panel

A number of contact tracing apps are being developed around the world, some — like Alberta’s — based on one of the earliest, developed by Singapore. Broadly speaking, tracing apps use Bluetooth to capture encrypted ID signals from nearby mobile devices that also have an app, usually with a time limiter. (For example, Alberta’s app won’t obtain an ID number unless a person is near another for a total of 15 minutes over 24 hours.) Depending on the app, each mobile device holds a list of contacts for a set number of days.

Depending on the app, one of two things happens if a person tests positive for COVID-19: Either the list of encrypted digital IDs is uploaded by the user so a health authority can notify and trace those who have been in contact with the victim, or the app transmits an alert directly to the apps of those on the list for those users to see. Either way, recipients of warnings would be expected to take appropriate steps, such as notifying their doctors, monitoring their health or taking a COVID-19 test.
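The two models described above can be compared side by side in a small simulation. This is an added example, not code from Alberta's, Singapore's or the Apple/Google software; the HMAC-derived rotating IDs, the 15-minute rotation, the 14-day retention, the use of a calendar day for the 24-hour window and the server-side key registry are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

DAY = 24 * 3600
ROTATION = 15 * 60        # assumption: the broadcast ID rotates every 15 minutes
THRESHOLD = 15 * 60       # from the article: 15 minutes of contact in total
RETENTION_DAYS = 14       # assumption: the "set number of days" a log is kept


def rolling_id(daily_key: bytes, slot: int) -> bytes:
    """Derive the ID broadcast during one rotation slot of a day."""
    return hmac.new(daily_key, slot.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


class Device:
    def __init__(self, owner: str):
        self.owner = owner
        self.daily_keys = {}   # day number -> secret key, never broadcast
        self.seen = []         # (timestamp, observed rolling ID, seconds nearby)

    def broadcast(self, t: int) -> bytes:
        key = self.daily_keys.setdefault(t // DAY, os.urandom(16))
        return rolling_id(key, (t % DAY) // ROTATION)

    def hear(self, other: "Device", t: int, seconds: int) -> None:
        """Record what Bluetooth would deliver: an opaque ID and a duration."""
        self.seen.append((t, other.broadcast(t), seconds))

    def prune(self, now: int) -> None:
        """Drop log entries and keys older than the retention period."""
        cutoff = now - RETENTION_DAYS * DAY
        self.seen = [e for e in self.seen if e[0] >= cutoff]
        self.daily_keys = {d: k for d, k in self.daily_keys.items()
                           if (d + 1) * DAY > cutoff}

    def diagnosis_keys(self, now: int) -> list:
        """Decentralized model: a positive user publishes only their own keys."""
        self.prune(now)
        return sorted(self.daily_keys.items())

    def exposed_days(self, published: list) -> list:
        """Match published keys against the local log; the log stays on the phone."""
        hits = []
        for day, key in published:
            ids = {rolling_id(key, s) for s in range(DAY // ROTATION)}
            total = sum(sec for t, rid, sec in self.seen
                        if t // DAY == day and rid in ids)
            if total >= THRESHOLD:   # calendar day stands in for the 24-hour window
                hits.append(day)
        return hits


class HealthAuthority:
    """Centralized model: the server can map every rolling ID back to a person."""
    def __init__(self):
        self.registry = {}     # owner -> copy of that owner's daily keys

    def register(self, device: Device) -> None:
        self.registry[device.owner] = dict(device.daily_keys)

    def trace(self, uploaded_log: list) -> list:
        """Resolve an uploaded contact log to named people over the threshold."""
        totals = {}
        for t, rid, sec in uploaded_log:
            for owner, keys in self.registry.items():
                key = keys.get(t // DAY)
                if key and rolling_id(key, (t % DAY) // ROTATION) == rid:
                    slot = (owner, t // DAY)
                    totals[slot] = totals.get(slot, 0) + sec
        return sorted({o for (o, _), s in totals.items() if s >= THRESHOLD})


def run_demo() -> dict:
    """Constructed timeline in which Alice later tests positive."""
    alice, bob, carol, dave = (Device(n) for n in ("alice", "bob", "carol", "dave"))
    nine = 100 * DAY + 9 * 3600                       # day 100, 09:00
    meetings = [(bob, nine, 600), (bob, nine + 7200, 360),  # 16 min over two slots
                (carol, nine + 3600, 300),                   # 5 min, under threshold
                (dave, 80 * DAY, 1200)]                      # 20 min, but 21 days ago
    for other, t, sec in meetings:
        other.hear(alice, t, sec)
        alice.hear(other, t, sec)
    published = alice.diagnosis_keys(101 * DAY)       # decentralized: keys only
    authority = HealthAuthority()
    for device in (alice, bob, carol, dave):
        authority.register(device)
    return {
        "published_days": [day for day, _ in published],
        "bob_exposed_days": bob.exposed_days(published),
        "carol_exposed_days": carol.exposed_days(published),
        "dave_exposed_days": dave.exposed_days(published),
        "bob_saw_distinct_ids": len({rid for _, rid, _ in bob.seen}),
        "centralized_contacts": authority.trace(alice.seen),  # server learns names
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

In the decentralized run the server only ever holds Alice's own daily keys and each phone decides locally whether to warn its user; in the centralized run the authority receives Alice's contact log and resolves it to named individuals.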

KPMG Canada surveyed 2,000 Canadians online between May 7 and 12. 

Among the highlights:

  • 62 per cent of respondents are in favour of letting the government use location tracking to send phone alerts to people who have come into contact with a person infected by COVID-19;
  • 82 per cent would be more comfortable with an app run by the health system that shows aggregate community “hot spots” for COVID-19 so they can make their own decisions about their health;
  • 65 per cent say any contact-tracing program needs to be administered by an independent body from the provincial or federal government.

“It’s clear that Canadians understand that contact-tracing apps are effective if participation is high, but the design of such apps must limit threats to privacy as most people aren’t comfortable letting the government have free rein to track their phones,” Sylvia Kingsmill, partner and national digital privacy leader for KPMG, said in a statement. “To make this work, governments will need to be completely transparent on how data will be collected, stored, erased, and managed – it’s about trust.

“There should be clarity about the circumstances under which that data will be shared, now and in the future. To this end, policies should be implemented and enforced to prevent misuse and/or abuse of the data to provide assurances to the public that principles of accountability and data minimization are being respected.”

The Senate’s online survey of 1,530 respondents was commissioned by Senators Colin Deacon, Donna Dasko and Rosemary Moodie and conducted between May 2 and May 4.

Among the findings:

  • In the absence of a vaccine or treatment for COVID-19, 90 per cent of respondents believe that it will be necessary to continue contact tracing in general (that may or may not include an app).
  • 80 per cent of respondents support the use of mobile device data by public health officials to notify those who have been close to someone who has tested positive for COVID-19.
  • 87 per cent of respondents believe contact tracing apps should trigger testing of themselves and others.
  • If assured that their data was kept confidential, large numbers of Canadians would share information from contact tracing apps with their physician (96 per cent), their family (95 per cent), public health officials (91 per cent) and health researchers (87 per cent). Fewer would share with employers and co-workers (75 per cent), other government officials (73 per cent), law enforcement (68 per cent), and social media platforms (35 per cent).
  • 65 per cent of respondents support the mandatory use of contact tracing apps.

[UPDATE, May 14, 3:30 pm EST]: In an interview this afternoon, Senator Colin Deacon acknowledged the question on mandatory/voluntary use of an app may not have been fair. The question was: “In some countries the installation of this app is mandatory. How supportive would you be for this to be the case in Canada.” Twenty-three per cent were very supportive and 42 per cent were somewhat supportive.

Asked if he thought that was a loaded question, Deacon said “potentially it is … I don’t know that it does. It asks, ‘What are your thoughts.'”

When it was suggested a neutral question would be ‘Should adoption be mandatory or voluntary,’ Deacon said, “That’s a fair point.”

Some experts object to the use of a mobile contact tracing app on privacy grounds, saying any system that collects personal data puts a user at risk. However, Deacon said the use of a contact tracing app has to be looked at as an aid to COVID-19 infection control. He said any approved app must protect privacy first. But, he added, many critics use smartphones and social media and manage access to their data. “As long as the [contact] data doesn’t leave your phone” except to notify people they should get tested “I don’t see how that is any more invasive” than people who test positive for the virus having to tell health authorities who they have recently been in close contact with, he said.

“Alongside this strong support for the use of contact tracing apps, we do find concerns about personal privacy and the security of personal data,” said a report that analyzed the Senate survey findings. “Accordingly, any roll-out of an app(s) will require robust privacy protection to be in place in a manner that earns the support of potential users of the app.”

A contact tracing app could help health authorities who do manual contact tracing, he said. It’s “unsustainable” to have large numbers of Canadians at home and not working because of the virus.

Former Ontario privacy commissioner Ann Cavoukian denounced the Senate survey mandatory adoption question. “It’s crazy,” she said in an interview. “It’s so skewed. To me this [question and result] has no validity … It creates the myth that the app is going to be mandatory.”

To her, the response to the KPMG Canada survey question is more credible.

Asked how an app should be introduced in Canada, Cavoukian urged governments to follow the Apple/Google framework, which doesn’t send the mobile IDs gathered by an app to health authorities for decryption and follow-up with individuals. Instead, when a user tests positive for COVID-19 they instruct the app to send a warning direct to those with a similar app whose mobile ID has been connected. That’s why Apple and Google have recently changed the description of their framework from a contact tracing app to “exposure notification,” she said.

(This story has been updated from the original by adding comments by Senator Colin Deacon and Ann Cavoukian)

Employee mistakes lead to information exposure in Nova Scotia, U.K.

It’s bad enough that hackers are able to exploit software vulnerabilities in IT environments to make off with sensitive data, but too often mistakes and misconfigurations by employees also lead to data being exposed. Two incidents reported this week show how serious this can be.

CBC News recently discovered the first incident, which involved perhaps a decade’s worth of unedited appeal decisions of the Nova Scotia Workers Compensation Board being posted on a legal website with the names of workers. Some of the information also included intimate personal information about claimants. Usually, names and other identifying information in those cases are deleted.

Nova Scotia removed the unedited documents after being told of their discovery by CBC.

“It’s terrible to hear,” the broadcaster quoted one WCB claimant whose 2009 case was posted. “I was shocked more than anything.”

The incident involves decisions between 1998 and 2009 of the Nova Scotia Workers Compensation Appeals Tribunal (WCAT) that were uploaded to the website of the Canadian Legal Information Institute (CANLII). Lawyers and legal researchers use the decisions filed there to support their cases. However, the database is open to the public.

According to the CBC, all WCAT cases filed after 2010 had the names of the worker and their employer redacted.

Asked for comment, the tribunal issued a statement saying it “is aware of this situation, and WCAT is following the Province’s privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer.”

The provincial information and privacy commissioner’s office has been notified of the incident. Provincial legislation doesn’t mandate that victims of a WCAT data breach be notified.

In the second case, Wired.com discovered a presumably confidential U.K. health department document on a public Google drive with possible new features for the country’s COVID-19 contact tracing app. The series of slides, marked ‘OFFICIAL – SENSITIVE’, was part of a group of documents intended to be open so the public can see how the app, now in a trial, was developed.

Wired says the sensitive document was part of a group published by the U.K. National Health Service (NHS) on a Google Drive. It was accompanied by a privacy impact assessment of a U.K. COVID-19 contact tracing app now being tested and could be seen by anyone with a link. While other documents could not be accessed without approval, the sensitive slide deck with potential features wasn’t.

What could make the slide deck embarrassing to the government is that it contains possible features to be added to the already controversial app now being tested among the population of the Isle of Wight. In addition to disputes over whether such mobile apps are effective in helping control the rate of infection, privacy and health experts are fighting over whether an approved app should hold encrypted contact information on a mobile device (the decentralized model pushed by Google and Apple) or upload it to a government-controlled server (the centralized model). The U.K. app being tested uses a centralized model. However, this week news emerged that the U.K. government is also paying for the development of a decentralized app.

The slides say a future version of the app being tested could allow users to periodically enter their personal health status, as well as their postal code, demographic and location information to help the NHS in infection planning.

AMD releases Radeon Pro VII graphics card, offers big FP64 performance on a budget

AMD is targeting the pros with the announcement of its Radeon Pro VII workstation graphics card on May 13.

Based on the Vega 20 GPU, the Radeon Pro VII graphics card features 60 compute units (CUs), four fewer than the full Vega 20 GPU on the consumer Radeon VII graphics card. It comes with 16GB of ECC high-bandwidth memory (HBM) capable of reaching 1TB/s bandwidth. The card also communicates over the PCIe 4.0 bus, which has double the throughput of PCIe 3.0.

The AMD Radeon Pro VII excels at double-precision floating-point number crunching, offering 6.5 tera floating-point operations per second (TFLOPS) in FP64. With the Radeon Pro VII, AMD aims to offer an affordable option for design and simulation professionals working with high-precision workloads. Simultaneously, it hopes to capture the attention of VFX and media production teams with its 16GB memory buffer useful for holding high-res media assets.

One neat AMD-exclusive feature is ProRender 2.0. Typically, the rendering process is done either through the GPU or the CPU. ProRender 2.0 renders on the CPU and GPU simultaneously to cut down on render time. It’s compatible with AMD Threadripper processors, as well as its consumer-oriented Ryzen 9 and 7 platforms. Applications with ProRender plug-in support include Unreal Engine, Autodesk Maya, SideFX Houdini and Blender, among others. AMD made ProRender SDKs available under Apache Licence 2.0 to shave off some back-and-forth legal headaches for developers looking to implement them into their software.

Radeon Pro VII comes with six DP1.4 ports for multi-panel synchronized high-resolution output. A typical use case would be a large scale, multi-panel digital signage, or filming using synchronized LED backdrops. By attaching up to four Radeon Pro VII to an AMD FirePro S400 sync module, up to 24 displays can work in sync as a common output.

The AMD Radeon Pro VII is available in June for US$1,900 (around CA$2,660) through Memory Express and Newegg Canada.

CIO Strategy Council director says its new standards needed while legislation ‘catches up’

The CIO Strategy Council published a new National Standard of Canada for third-party access to data last week, news that quickly got buried after Sidewalk Labs announced it was pulling the plug on its smart city project in Toronto.

And while the rest of the country argues over whether or not the project’s demise is good or bad for the country, the absence of such standards during the early planning stages of the project becomes increasingly evident in retrospect, according to Keith Jansa, executive director of the CIO Strategy Council.

“This is where standards become a very effective tool, because you have a consensus built across diverse interest groups, and you have that dialogue on a national level that effectively provides a high level of assurance that these minimum requirements benefit the businesses and individuals,” Jansa said.

A quick look at Waterfront Toronto’s initial request for proposal reveals next to zero mention of third-party access to people’s data or a set of standards interested applicants would have to adhere to. Meanwhile, Sidewalk Labs’ attempts to quell fears among the public when it came to protecting people’s information came in the form of an urban data trust, a concept that was eventually scrapped after pushback from privacy experts.

And while the project likely collapsed due to a number of reasons – Dan Doctoroff, Sidewalk Labs’ chief executive officer, published a blog post citing “unprecedented economic uncertainty” from the COVID-19 pandemic as the primary reason – a set of standards, such as the ones published by the CIO Strategy Council, could have helped Waterfront Toronto and Sidewalk Labs reach consensus on a number of items, including third-party access to data, much faster, Jansa explained.

“Whether you’re a public or private company, the government, a not-for-profit, the scope of these standards can be applied across all industries and across all the organizations,” he said, noting these guidelines help those organizations establish a strong baseline to combat the rising number of cyber and privacy threats.

The two standards that are currently published are around the ethical design and use of automated decision systems and third-party access to data. Another standard focusing on the data protection of digital assets was submitted to the Standards Council of Canada for approval as a National Standard of Canada on May 8, indicated Jansa on Twitter. The latest standard about third-party access to data is a 10-page document covering organizational and risk management, as well as control access and confidentiality. It got the attention of Navdeep Bains, Minister of Innovation, Science and Industry, who praised the new standard in a recent statement.

Several more are planned, including standards offering organizations guidance around de-identification. It's unclear when, if at all, these standards will eventually be reflected in future legislation or amendments to current ones, but Jansa mentioned how the standards help support Canada's 10-principle Digital Charter. The Charter is a series of proposals that would bring federal private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), close to the European Union's General Data Protection Regulation.

“These standards serve as an effective mechanism as regulation and legislation catch up,” Jansa said.

The government has confirmed that it wants the Digital Charter to apply to all federal legislation and regulations. However, PIPEDA, the Competition Act, the Canada Anti-Spam Legislation (CASL) and possibly the Competition Act would have to be changed.

Jansa encourages anyone interested in participating in the development of these standards to contact him. The standards are formed with the help of technical committees featuring more than 100 stakeholders and experts spanning government, industry, academia and civil society groups, according to Jansa, who reinforced the notion that these standards can't be built without a diverse group of participants engaged in the process.

“Any stakeholder can engage in the process. There’s no fee to participate,” he said.

 

Correction: A previous version of this article said the data protection of digital assets standard was submitted to the National Standards of Canada. However, the standard was submitted to the Standards Council of Canada for approval as a National Standard of Canada. IT World apologizes for the error.

IBM Think 2020: How 5G can benefit satellite networks

The ubiquity of 5G will cover everything from IoT sensors, to smart devices, to cloud communication. But the technology that spawned from 5G development can extend well beyond just global networks. At IBM Think 2020, MIT Professor Muriel Médard spoke about how satellites can also benefit from the development of 5G.

One of 5G’s plethora of features is a coding technique called Random Linear Network Coding (RLNC). Médard defined network coding as a “mathematical manipulation of data that to be reliably retrieved, reliably represented and transported in a network”.

In essence, through complex encoding and decoding techniques, RLNC lets the receiver reassemble lost packets in a data stream. This reduces the need to resend data when it is lost. It can increase reliability when sending sensitive information like financial data, and can also be applied to monitoring sensors and vehicles in remote areas.

RLNC’s encoding, transmission, and decoding process. Source: Random Linear Network Coding for 5G Mobile Video Delivery

As a backgrounder, to transmit large quantities of data between two devices, the information must first be cut up and encapsulated into packets. Sending data via small packets provides many benefits, including higher efficiency and increased reliability. If data becomes corrupted or lost during transmission, only the affected packets need to be resent rather than the entire dataset.
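The recovery idea behind RLNC, as an added Python example that is not taken from the article or from Médard's talk: each coded packet is a linear combination of the source packets, and the receiver solves for the originals from any sufficiently independent subset that arrives. It is simplified to coefficients over GF(2) (plain XOR), whereas deployed schemes typically use a larger field; the packet contents, coefficient vectors and function names are constructed for illustration.

```python
import random

def random_coeffs(k, rng=random):
    """Draw a random non-zero coefficient vector over GF(2), one bit per source packet."""
    while True:
        c = [rng.randint(0, 1) for _ in range(k)]
        if any(c):
            return c

def encode(packets, coeffs):
    """One coded packet: XOR of the source packets whose coefficient is 1."""
    payload = bytes(len(packets[0]))
    for bit, pkt in zip(coeffs, packets):
        if bit:
            payload = bytes(a ^ b for a, b in zip(payload, pkt))
    return list(coeffs), payload

def decode(coded, k):
    """Gauss-Jordan elimination over GF(2). Returns the k source packets, or
    None when fewer than k linearly independent coded packets arrived."""
    rows = [(list(c), bytearray(p)) for c, p in coded]
    for col in range(k):
        pivot = next((i for i in range(col, len(rows)) if rows[i][0][col]), None)
        if pivot is None:
            return None  # not enough independent packets: wait for more
        rows[col], rows[pivot] = rows[pivot], rows[col]
        pc, pp = rows[col]
        for i, (c, p) in enumerate(rows):
            if i != col and c[col]:
                rows[i] = ([x ^ y for x, y in zip(c, pc)],
                           bytearray(x ^ y for x, y in zip(p, pp)))
    return [bytes(p) for _, p in rows[:k]]

# Constructed sample: three source packets sent as five coded packets.
# Fixed coefficient vectors keep the run repeatable; a sender would use random_coeffs().
SOURCE = [b"SAT1", b"SAT2", b"SAT3"]
COEFFS = [[1, 0, 1], [0, 1, 1], [1, 1, 1], [1, 1, 0], [0, 0, 1]]

def receive(lost):
    """Send the five coded packets, drop the indices in `lost`, decode the rest."""
    sent = [encode(SOURCE, c) for c in COEFFS]
    return decode([p for i, p in enumerate(sent) if i not in lost], len(SOURCE))

if __name__ == "__main__":
    print(receive({0, 4}))  # two packets lost, originals still recovered
    print(receive({2, 4}))  # survivors are linearly dependent: no decode yet
```

The second call shows the failure mode: three packets arrived, but one is the XOR of the other two, so the receiver needs one more coded packet rather than a retransmission of a specific lost one.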

In urban centres, radio towers are relatively near the user, thus creating stronger signals that are more resistant to environmental factors. In satellite networks, however, the long distance between the sender and the receiver leaves the link vulnerable to disruptions from inclement weather. In addition, high latency compounds the finicky signal; if data is lost in transit, it takes longer to resend.

Despite its shortcomings, underserved communities in Canada and around the world rely on satellite to stay connected. Due to geographical and business limitations, it’s not always feasible to pull landlines and install towers to these locations. It’s critical for satellite network technologies to advance in parallel with the networks back on the ground.

Firebase developers urged to check their configurations to prevent data leaks

Android developers using Google’s Firebase application development platform are being warned to check their configurations after security researchers discovered thousands of apps are leaking sensitive data.

News website Comparitech says a team analyzed 155,066 apps on the Google Play store, of which 11,730 had publicly exposed databases. Of those, 4,282 apps were leaking sensitive information including email addresses, user names, passwords, full names, credit card data and photos of government-issued IDs.

In addition, of the 11,730 with publicly-exposed databases, 9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.

The story says Firebase is used by an estimated 30 per cent of all apps on the Google Play Store. If the tested apps are representative, an estimated 0.83 per cent of all Android apps on Google Play leak sensitive data through Firebase, says Comparitech. That would work out to roughly 24,000 apps.

The article says Google was notified on April 22nd. In response, Google said it's "reaching out to affected developers to help them address these issues."

Of the analyzed vulnerable apps, 24 per cent were games, 14.7 per cent were categorized as educational, six per cent related to entertainment, just under 5.3 per cent were business-related and 4.3 per cent were described as travel or local related.

A common Firebase misconfiguration allows attackers to easily find and steal data from storage, according to the article. By simply appending ".json" to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases. Google scrubs these vulnerable database URLs from its search results. However, the article adds, they are still indexed by other search engines like Bing.

App developers can use Firebase for a wide range of functions including authentication, hosting, cloud storage and as a real-time database. Google offers developers guidance on securing data.
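For developers checking their own configuration, the following added Python example (not from the article, Comparitech or Google) audits a Firebase Realtime Database rules document for paths that anyone can read or write without signing in. The `.read`/`.write` keys and `auth` expressions follow Firebase's rules syntax; the three rule sets are constructed samples, and the script assumes the rules file is strict JSON without comments.

```python
import json

def is_public(value):
    """A rule is open to everyone when it is literally true (bool or the string "true")."""
    return value is True or (isinstance(value, str) and value.strip() == "true")

def audit(rules_json):
    """Return (path, permission) for every node readable or writable without
    authentication. Grants cascade to child paths and cannot be revoked lower
    down, so a finding at "/" exposes the whole database."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write") and is_public(value):
                findings.append((path or "/", key[1:]))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings

# Constructed sample: the wide-open configuration the article describes.
WEAK = '{"rules": {".read": true, ".write": true}}'

# Constructed sample: each signed-in user can reach only their own record.
HARDENED = '''{"rules": {"users": {"$uid": {
    ".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}}}}'''

# Constructed sample: authenticated at the root, but two open subtrees remain.
MIXED = '''{"rules": {".read": "auth != null",
    "public_profiles": {".read": true},
    "uploads": {".write": "true"}}}'''

if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("HARDENED", HARDENED), ("MIXED", MIXED)):
        print(name, audit(doc) or "no public rules")
```

A clean result only means no rule is unconditionally open; expressions such as `auth != null` still admit any signed-in user and need to be reviewed against what each path stores.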

AMD Zen 3 processors will be incompatible with 400 series and older motherboards

Robert Hallock, AMD technical market lead, confirmed that AMD’s upcoming Zen 3 processors will not work with motherboards with 400 series chipsets and older.

In a blogpost, Hallock confirmed that Zen 3 processors will continue to use the AM4 socket, but will only be backwards compatible with AMD’s X570 and B550 motherboards. While 500 series motherboards would only require a BIOS update to enable compatibility, users on older platforms would need to purchase a new motherboard.

“AMD has no plans to introduce ‘Zen 3’ architecture support for older chipsets,” Hallock wrote. “While we wish we could enable full support for every processor on every chipset, the flash memory chips that store BIOS settings and support have capacity limitations. Given these limitations, and the unprecedented longevity of the AM4 socket, there will inevitably be a time and place where a transition to free up space is necessary—the AMD 500 Series chipsets are that time.”

AMD’s processor and platform support roadmap thus far.

The AM4 socket was announced alongside the first generation Ryzen processors in 2016. When it was released, AMD had promised to support the AM4 socket until 2020. Because the socket has yet to reach end-of-life, users of AMD's older platforms hoped to be able to upgrade to AMD's 4th generation Ryzen processors once they arrive. Zen 3 will be the first time where a Ryzen processor isn't backwards compatible with all three generations of AMD's platforms (assuming the motherboard vendor provides the BIOS that supports them as well). Up until now, all AMD motherboards are compatible with most processors from all three generations of Ryzen processors.

Although AM4 is nearing its obsolescence, AMD has yet to announce its retirement or successor. The company is looking to cement its future processor development before making an announcement.