New Mirai variant attacks Apache Struts vulnerability

New variants of the Mirai and Gafgyt botnets are targeting unpatched enterprise devices, according to new research.

Palo Alto Networks’ Unit 42 found the variants target vulnerabilities in Apache Struts and in SonicWall’s Global Management System (GMS). The Mirai variant exploits the same vulnerability in Apache Struts that was behind the 2018 Equifax data breach, while the Gafgyt variant exploits a newly uncovered vulnerability in unsupported, older versions of SonicWall’s GMS.

The Unit 42 research team noted the Mirai variant involves taking advantage of 16 different vulnerabilities. And while that’s not unusual, it is the first known instance of Mirai or any of its variants targeting an Apache Struts vulnerability.

The research also found the domain that hosts the Mirai samples had resolved to a different IP address in August, which also hosted Gafgyt samples at that time. Those samples exploited the SonicWall GMS vulnerability, which is tracked as CVE-2018-9866. Unit 42’s research did not say whether the two botnets were the work of a single threat group or actor, but it did say the activity could spell trouble for enterprises.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets,” the Palo Alto researchers wrote.

The Apache Struts vulnerability exploited by the new Mirai variant was patched last year before it was used in the Equifax breach. But systems that have not been updated are still susceptible to these types of exploits.

The Mirai botnet first emerged in the fall of 2016, and it has since affected hundreds of thousands of IoT and connected devices. The botnet’s malware had primarily targeted consumer devices, and it was responsible for massive distributed denial-of-service attacks on the German telecom Deutsche Telekom and on the domain name server provider Dyn, which took down websites such as Airbnb, Twitter, PayPal, GitHub, Reddit, Netflix and others.

The Unit 42 researchers discovered the Gafgyt and Mirai variants on Aug. 5, and they alerted SonicWall about its GMS vulnerability. The public disclosure was posted by Palo Alto on Sept. 9.

Google location tracking continues even when turned off

Turning off Google location tracking may not be as simple as changing one setting to “off,” according to new research.

The unexpected Google location tracking behavior on Android and iOS devices was revealed by an Associated Press (AP) investigation and confirmed by computer science researchers at Princeton University. The issue was first raised in a blog post by K. Shankari, a graduate researcher at UC Berkeley, in May 2018. Shankari kept note of prompts sent by Google to rate places or submit pictures to Google Maps, even though Google Location History was turned off on her device.

The AP investigation found that even with Google location tracking turned off, certain apps will take a timestamped snapshot of the user’s location and store that data when the user performs a search, opens Google Maps, or checks the weather.

The confusion stems from the different ways users have to control Google location tracking services. The Google Location History support page claims, “With Location History off, the places you go are no longer stored.” However, when turning off the Location History setting via a user’s Google My Activity page, a pop-up notes, “This setting does not affect other location services on your device, like Google Location Services and Find My Device. Some location data may be saved as part of your activity on other Google services, like Search and Maps.”

Turning off Google Location Services on a mobile device can cause apps to misbehave, so Google told the AP that the real fix for users would be to also turn off location tracking in Google’s “Web and App Activity” settings.

“Location History is a Google product that is entirely opt in, and users have the controls to edit, delete, or turn it off at any time. As the story notes, we make sure Location History users know that when they disable the product, we continue to use location to improve the Google experience when they do things like perform a Google search or use Google for driving directions,” a Google spokesperson wrote in an email.

Tim Mackey, technology evangelist at Synopsys, said this was an issue akin to saying “if my mother can’t figure out what it does, or how to turn it off, it’s too complicated.”

“The expectation of the consumer for an off switch is what matters most. Users who wish their location be kept private indicate this preference through the Location History setting. That any given application might have independent settings for location-related data is how an application developer or vendor approaches the problem,” Mackey wrote via email. “When we recognize that our digital footprint is effectively a personally identifying attribute, access to that attribute becomes more valuable. This is true for malicious actors who can use location information to determine not only patterns of behavior for their targets, but know when to best commit their crime. This is also true for law enforcement seeking to identify suspects following the commission of a crime. In each of these examples, the same location and identity data can be used for good or for ill to identify an individual.”

Report on Alexa-enabled devices puts spotlight on voice commerce

Will voice commerce catch on? It hasn’t yet, according to a new report by The Information, but experts said that won’t slow the growth of voice computing.

According to the report, which cites two people briefed on Amazon’s internal figures, only about 2% of the people who own Alexa-enabled devices — mainly Amazon’s Echo line of speakers — have made a purchase with their voices so far in 2018. Of the people who did buy something using Alexa voice shopping, about 90% didn’t try it again, the report states.

An Amazon spokesperson disputed the figures presented in The Information, but previous reports also conveyed less-than-stellar numbers when it comes to consumers using smart speaker devices for voice commerce. The Information’s numbers also jibe with a report released last fall by technology consulting firm Activate that found the majority of smart speaker owners use their devices for relatively simple functions like playing music, getting the weather or setting alarms. In fact, shopping wasn’t even on the list of things users said they do with their devices.

“I’m not surprised,” said Zeus Kerravala, founder and principal analyst at ZK Research. “I think voice has a lot of potential; I just think there’s a lot of trust issues around it right now. It’s not dissimilar to what happened with online purchasing. A lot of people were cautious with that until they tried it a couple of times and they gained some confidence in it.”

Beyond that, using voice alone to shop is simply not practical, said Julie Ask, principal analyst at Forrester.

“It’s simply too hard [to purchase things via voice only] beyond replenishment of simple goods,” Ask said. “There are easier ways to buy. It’s hard to browse, you can’t see images and you can’t realistically listen to product descriptions — and who would want to.”

She added that although Amazon is number one in market share, retailers are wary of partnering with the company, which could also have played a role in the lackluster figures on shopping via Alexa-enabled devices.

Voice in the enterprise

Given all that, should the enterprise back off from pursuing voice computing? Not at all, said Werner Goertz, research director at Gartner. Just because “mom and pop” are not buying goods through Alexa-enabled devices today doesn’t say much about the value of the voice AI category as a whole — or about consumer shopping habits going forward. Voice commerce will undoubtedly evolve, he said, and, in any case, people’s current disinclination to use Alexa-enabled devices for shopping shouldn’t dissuade CIOs from investing in voice computing.

Goertz said there will be an organic growth in e-commerce capabilities and usage, with the hospitality industry, restaurants and chain stores already developing proofs of concepts and use cases that incorporate different transactions using voice AI technology.

An example Goertz gave was Amazon partnering with Marriott International to start bringing Amazon Echo smart speakers into hotels as part of the tech giant’s Alexa for Hospitality initiative. Hotel guests will be able to use the Alexa-enabled devices to order room service, call for more towels, order entertainment and more.

“Companies are definitely trying to reinvent brand experience and they’re doing that with smart speakers and with multimodal voice interactions as well,” Goertz said.

By multimodal voice interactions, Goertz means voice assistants with screens, like Amazon’s Echo Show. He said these kinds of devices lend themselves better to functions like voice commerce — and alleviate some of the issues with voice-only shopping raised by Forrester’s Ask.

Gartner analyst Ranjit Atwal agreed that multimodal voice devices using voice, video, chat and screens will eventually allow for more frequent and complex purchases — and a more integrated customer experience — but admits there’s still “a long way to go” for voice commerce.

As Kerravala said, “I think there will be a day when voice is the dominant interface … we just need to take baby steps in getting there.”

What’s the takeaway for CIOs, according to Ask?

“CIOs should use [voice technology] and pilot it, but in scenarios that make sense — easy information retrieval, control, et cetera,” she said. “Don’t stretch it beyond what it does easily.”

Bugcrowd CTO explains crowdsourced security benefits and challenges

Crowdsourced security can provide enormous value to enterprises today, according to Casey Ellis, but the model isn’t without its challenges.

In this Q&A, Ellis, chairman, founder and CTO of San Francisco-based crowdsourced security testing platform Bugcrowd Inc., talks about the growth of bug bounties, the importance of vulnerability research and the evolution of his company’s platform. According to the Bugcrowd “2018 State of Bug Bounty Report,” reported vulnerabilities have increased 21% to more than 37,000 submissions in the last year, while bug bounty payouts have risen 36%.

In part one of this interview, Ellis expressed his concerns that the good faith that exists between security researchers and enterprises is eroding and discussed the need for better vulnerability disclosure policies and frameworks. In part two, he discusses the benefits of crowdsourced security testing, as well as some of the challenges, including responsible disclosure deadlines and the accurate vetting of thousands of submissions.

Editor’s note: This interview has been edited for clarity and length.

When it comes to responsible vulnerability disclosure, do you think companies are at a point now where they generally accept the 90-day disclosure period?

Casey Ellis: No. No, I think technology companies are, but it’s very easy working in technology to see adoption by technology companies and assume that it’s normal now. I see a lot of people do that and I think it’s unwise, frankly.

I think that’s where we’ll end up eventually, and I think we’re moving toward that type of thing. But there are caveats in terms of, for example, complex supply chain products or vehicles or medical devices — the stuff that takes longer than 90 days to refresh and test, patch, and deploy out to the wild. The market is not used to that kind of pressure on public disclosure yet, but I think the pressure is a good thing.

The bigger problem is in terms of general vulnerability disclosure; that’s not accepted outside of the tech sector yet — at all, frankly.

There’s been a lot of talk about security automation and machine learning at RSA Conference again this year. Where do you see that going?

Ellis: It depends on your definition of automation at that point. Is it automation of decision-making or is it automation of leverage and reaching that decision?

Using Bugcrowd as an example, we’re heavy users of machine [learning] and automation within our platform, but we’re not doing it to replace the hackers. We’re doing it to understand which of the conversations we’re having as these submissions come in are most important. And we’re trying to get to the point where we can say, ‘Okay, this bug is less likely to be important than this other bug. We should focus on that first.’

For the customers, they just want to know what they need to go and fix. But we have to prioritize the submissions. We have to sit in front of that customer and have these conversations at scale with everyone who’s submitting, regardless of whether they’re very, very valuable in terms of the information or they’re getting points for enthusiasm but not for usefulness. It’s actually a fun and a valuable problem to solve, but it’s difficult.

How do you prioritize and rank all of the submissions you receive? What’s that process like?

Ellis: There’s a bunch of different things because the bug bounty economic model is this: The first person to find each unique issue is the one who gets rewarded for it. And then, the more critical it is, the more they get paid. And this is what we’ve been doing since day one because the premise was these are two groups of people that historically suck at talking to each other.

So we said we’re going to need to pull together a human team to help out, and then what we’ll do is we’ll learn from that team to build the product and make the product more effective as we go. It’s a learning loop that we’ve got internally, as well. And what they’re doing is, basically, understanding what’s a duplicate [submission], what’s out of scope and things like that. There are simple things that we can do from a filtering standpoint.

Duplicates get interesting because you have pattern matching and Bayesian analysis and different things like that to understand what the likelihood of a duplicate is. Those are the known things. Then there’s the heavy stuff — the critical importance, wake up the engineering team stuff.

There’s also a bunch of stuff we do in terms of analyzing the vulnerability against the corpus [of known vulnerabilities] to understand what that is, as well as who the submitter is. Because if they’re a notorious badass who comes in and destroys stuff and has a really high signal-to-noise ratio then, yes, that’s probably something that we should pay attention to.

There’s a bunch of really simple stuff or comparatively simple stuff that we can do, but then there’s a bunch of much more nuanced, complicated stuff that we have to work out. And then we’ve got the human at the end of [the process] because we can’t afford to get it wrong. We can’t say no to something that’s actually a yes. The whole thing gets basically proofed, and then those learnings go back into the system and it improves over time.

Do you receive a lot of submissions that you look at and say, ‘Oh, this is nonsense, someone’s trying to mess with us and throw the process off’?

Ellis: Yes. There’s a lot of that. As this has grown, there are a bunch of people that are joining in for the first time, and some of them are actively trolling. But then, for every one of those, there are 10 that are just as noisy, but it’s because they think they’re doing the right thing even though they’re not.

If someone runs Nessus and then uploads a scan and says, ‘That’s a bug!’ then what we do at that point is we say, ‘No, it’s not. By the way, here are some different communities and education initiatives that we’ve got.’

We try to train them to see if they can get better because maybe they can. And if they’ve initiated that contact with us, then they’re clearly interested and enthusiastic, which is a great starting point because just because they don’t know how to be useful right now doesn’t mean they can’t be in the future. We give the benefit of the doubt there, but obviously, we have to protect the customer from having to deal with all of that noise.

When it comes to that noise in crowdsourced bug hunting, do you think those people are looking more at the reward money or the reputation boost?

Ellis: It’s usually both. Money is definitely a factor in bug bounties, but reputation is a huge factor, too. And it goes in two directions.

There’s reputation for the sake of ego, and they’re the ones that can get difficult pretty quickly, but then there’s also reputation for the sake of career development. And that’s something that we actually want to help them with. That’s been an initiative that we’ve had from day one, and a bunch of our customers actually have people in their security teams that they hired off the platform.

Jason Haddix [Bugcrowd vice president of trust and security] was number one on the platform before we hired him. We think this is actually a good thing in terms of helping address the labor shortage.

But, to your point, if someone comes in and says, ‘Oh, this is a quick way to get a high-paying career in cybersecurity,’ then we have to obviously temper that. And it does happen.

Last question: What activity on your platform has stood out to you lately?

Ellis: There’s a real shift toward people scaling up in IoT. We have more customers coming onboard to test IoT. I think the issue of IoT security and awareness around the fact that it’s something that should actually be addressed is in a far better state now than it was when IoT first kicked off years ago.

And the same thing that happened in web and mobile and automotive is happening in IoT. With IoT, it was ‘We don’t have the people [for security testing]. Okay, where are we going to get them?’ I think the crowd is reacting to that opportunity now and starting to dig into the testing for IoT.

And here’s the thing with IoT security: For starters, bugs that are silicon level or at a hardcoded level are probably out there, but the cost to find them and the value of having them [reported] hasn’t justified the effort being put in yet.

That’s usually not what people are talking about when they’re talking about IoT bugs. It’s usually either bugs that are CVEs [Common Vulnerabilities and Exposures] in the supply chain software that forms the operating system or bugs that are in the bespoke stuff that sits on top. And, usually, both of those things can be flushed and changed.

We’re not at the point where you’ve got a more common issue and you’re not able to change it ever. I assume that will happen at some point but, hopefully by the time we get there, people are going to be thinking about design with security more in mind for the first place, and all that older stuff will be at end-of-life anyway.

For Sale – MSI GL72M 7RDX 844UK gaming laptop

I bought this laptop for my son last week. Unfortunately, according to him, it is not good enough. So here it is for sale: an MSI gaming laptop in perfect condition. Model number is GL72M 7RDX 844UK. Boxed, comes with the MSI mouse and a charger.
Spec:
17.3″ FHD, i7 7700HQ, 8GB DDR4, 256GB M.2 SATA SSD+1TB HDD, 2GB GTX 1050, USB 3.0 Type-C, Win10
I’d prefer cash on collection or to meet up with someone halfway. Will reduce the price accordingly.

Price and currency: 560
Delivery: Delivery cost is included within my country
Payment method: BT, PPG
Location: Manchester
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected

Researchers discover Android apps spying on users’ screens

The good news, according to academic researchers, is that your phone most likely isn’t secretly listening to your conversations. The bad news is that fears of Android apps spying on users aren’t totally unfounded.

Computer science researchers at Northeastern University in Boston conducted a massive study of 17,260 Android apps from the Google Play store, as well as third-party marketplaces AppChina, Mi.com and Anzhi. The study, which was published this week in a research paper titled “Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications,” found no evidence that apps were secretly enabling device microphones to record and exfiltrate audio data. However, the research team did find evidence of “several” Android apps spying on users by recording video and images of users’ screens.

“Our study reveals several alarming privacy risks in the Android app ecosystem, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent,” the researchers wrote. “We also identify a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user and without requiring any permissions.”

The research team, which used a combination of static and dynamic code analysis, didn’t specify the number of Android apps found spying on users, but the paper did say it was “few” compared to the total number of apps reviewed. “On the one hand, this is good news: a very large fraction of apps are not abusing the ability to record media,” the researchers wrote. “On the other hand, it could also indicate that our analysis missed other cases of media leaks.”

The Northeastern University team cited several examples of popular apps that engaged in unauthorized recording of users’ screens, including GoPuff, a food delivery app. The researchers discovered the app sent captured video via the internet to a domain belonging to web analytics firm Appsee, and that the video recording could include personally identifiable information such as ZIP codes. The researchers said that Appsee’s software required no permissions to record the video and did not issue notifications to users.

The researchers noted that GoPuff was notified of the issue and has since removed the Appsee SDK from its iOS and Android apps and revised its privacy policy, which previously did not disclose any recording or exfiltration of video. The researchers also notified Google, which, according to the paper, said it “took the appropriate actions.” Google Play’s privacy policy requires that app developers disclose to users how their data is collected, shared and used.

Northeastern University’s “Panoptispy” research comes as Google has increased its efforts to curb potential Android app spying. The company previewed the security features of Android P, the newest version of the mobile OS, at the Google I/O conference in May. Android P will only grant access to device sensors such as microphones and cameras to apps in the foreground, preventing potentially harmful apps from running covertly in the background and using sensors to spy on users. However, that particular feature wouldn’t prevent apps like GoPuff from performing unauthorized video exfiltration.

In other news

  • A former employee of NSO Group Technologies, an Israeli company that specializes in spyware and iPhone hacking tools, has reportedly landed in hot water. According to an indictment, Israeli authorities claim an unnamed NSO employee stole the company’s Pegasus spyware product and tried to sell it for $50 million in cryptocurrency. According to reports, the indictment states the disgruntled employee began working for NSO last year as a senior programmer and was granted access to the company’s source code. The indictment also claims the employee posed as a hacker and tried to sell the Pegasus code to other hackers on the dark web; one potential buyer notified NSO of the matter, which investigated the individual with the assistance of law enforcement.
  • Computer scientists from the University of California, Irvine, published research regarding a new attack technique they call “Thermanator,” which records thermal residue on keyboard keys to determine users’ passwords and other sensitive information such as PINs. According to the researchers, a midrange thermal imaging camera could allow threat actors to observe and record keystrokes. “Results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as 1 minute after entry,” the research paper states. While attackers would need to have a clear view of a target’s keyboard, the researchers say the Thermanator attack shows that “using external keyboards to enter (already much-maligned) passwords is even less secure than previously recognized.”
  • A newly discovered update of malware descended from an old Trojan is now equipped with a downloader that can decide whether to mine cryptocurrencies or encrypt files for ransom on victim systems. Kaspersky Lab researchers Egor Vasilenko and Orkhan Mamedov wrote that the new version of the malware, which is related to the Rakhni family of ransomware that Kaspersky Lab uncovered in 2013, checks system attributes before downloading its malicious payload, specifically looking at whether there is a folder named %AppData%\Bitcoin. If the folder is present, then the downloader selects the ransomware cryptor; “If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component,” to continue propagating the malware locally, the researchers wrote. The cryptomining malware mines for the Monero, Monero Original and Dashcoin cryptocurrencies.

Three capabilities all leaders of innovation possess

Being a leader is never an easy job, but the job is getting harder, according to Linda Hill. To be a leader today, traditional management is not enough; you also have to help foster company-wide innovation — or risk being left in the dust.

Hill, the Wallace Brett Donham professor of business administration at the Harvard Business School and co-author of the book Collective Genius: The Art and Practice of Leading Innovation, is in a good position to know that. She and her colleagues have spent the last decade observing leaders of innovation around the globe, trying to understand what makes them successful and searching for commonalities.

Speaking to an audience of IT leaders at the recent LiveWorx event in Boston, Mass., Hill said that even though there’s a lot of research on leadership and a lot of research on innovation, there’s actually very little research that looks at the connections between the two.

In her research on leaders of innovation — studying successful people at companies like Google, HCL Technologies, Volkswagen and Pixar, to name a few — Hill and her team certainly found differences in how these people went about their work, including cultural differences, organizational differences and varying leadership styles, she said. But they also found real commonalities in what these people did and why they did it.

Whether these leaders of innovation were working at an Islamic bank in Dubai, a social enterprise in east Africa or a luxury product brand in Korea — they all championed three types of creativity that became part of their organizations’ cultures and a key to their organizations’ capacity to innovate. Hill dubbed them “creative abrasion,” “creative agility” and “creative resolution.”

Hill detailed these three capabilities and encouraged IT leaders to find ways to incorporate them into their own organizational cultures to foster innovation.

Leadership expert Linda Hill speaks to IT leaders at the recent LiveWorx event in Boston, Mass.

Creative abrasion

The ability to generate a marketplace of ideas through discourse and debate.

“You rarely get innovation without diversity and conflict,” Hill said.

Organizations may do brainstorming sessions in which people can say whatever is on their mind without judgment, but it can’t all be sunshine, rainbows and pleasantries. You need some abrasion and pushback to not only refine ideas but also develop a robust pipeline of ideas, Hill said.

“What you see in these [innovation-forward] organizations is people know how to inquire and they know how to actively listen, but, guess what — they also know how to advocate for their point of view,” Hill said. One of the organizations she and her team looked at actually taught their employees how to advocate for their point of view to help push creative abrasion.

Good leaders of innovation also understand that one of their key roles is to make sure that they — and everyone else — hear the minority voice, Hill said. “That does not mean you do what that minority voice says, but if you don’t know what it is, then you haven’t been doing things properly.”

Creative agility

The ability to test and refine ideas through quick pursuit, reflection and adjustment.

In order to refine your pipeline of ideas even more, Hill said you need to go through the process of actually testing it, getting feedback and making the necessary adjustments — and in a timely manner. Hill finds that many companies put in place lean startup or design thinking approaches to help organizations become better at being agile.

One of the organizations Hill observed decided not to run pilots anymore because if you run a pilot and it doesn’t work, someone or something was “wrong.” Instead, they run experiments.

“When you run an experiment, you learn something one way or the other and you move on to the next one,” Hill said. “But if you do a pilot and it doesn’t work, then usually there are politics around that. People often ignore the feedback they’re getting or somebody pays the price because it ‘failed.’”

Creating a culture that makes people feel comfortable running experiments and putting themselves out there without fear of retribution is crucial.

“So many people report feeling that they are, in fact, punished when they speak out, fail or have a misstep,” Hill said. “If that is the case, there is not enough psychological safety in that environment for you to unleash the kinds of conversations necessary to hone your ideas.”

Creative resolution

The ability to make integrative decisions.

Most innovations are really a combination of ideas; very rarely is the innovation all new, Hill said. It could be a new idea and an old idea combined to solve an old problem, or two old ideas that together solve a new problem, or some other amalgam of new and old.

“Unless you do decision-making in a way that you can actually combine ideas, you rarely get the innovative solution,” Hill said.

As a result, what Hill sees in these innovation-forward organizations is they’re very clear about who has decision-making rights, but they still do it in a more “inclusive and patient” way. By that she means they won’t allow one group to dominate. They won’t let the experts dominate — something she notes Steve Jobs was particularly worried about because he often felt that this group was the least likely to want to see change because then their expertise wouldn’t be as valuable as it was before. And these organizations don’t let the bosses dominate either.

“They will also not compromise, which is what we often do in these situations — go along to get along,” Hill said. “Instead, they will have, if you will, a fight. They will actually go through the creative abrasion process again and they will design the next experiment to get more data in order to move forward.”

Microsoft making progress on quantum computer ‘every day’

Microsoft is “all-in” on building a quantum computer and is making advancements “every day”, according to one of the company’s top experts on the technology.

Julie Love, Director of Quantum Computing, called the firm’s push to build the next generation of computer technology “one of the biggest disruptive bets we have made as a company”.

Quantum computing has the potential to help humans tackle some of the world’s biggest problems in areas such as materials science, chemistry, genetics, medicine and the environment. It uses the physics of qubits to create a way of computing that can work on specific kinds of problems that are impossible with today’s computers. In theory, a problem that would take today’s machines billions of years to solve could be completed by a quantum computer in minutes, hours or days.

While Microsoft has noted that no one has yet built a working quantum computer, Love said the company has the right team in place to make progress and eventually create a system and software that can tackle real-world issues. Over the past decade, Microsoft has built a team comprised of some of the greatest minds in quantum physics, mathematics, computer science and engineering. It is also working with some of the leading experts in universities across the world.

“Quantum computers could solve a set of problems that are completely intractable to humans at this time, and it could do so in 100 seconds,” she said during a speech at London Tech Week. “Microsoft’s enterprise customers are interested in changing their businesses using this technology, and we have set our sights beyond the hype cycle. We have a good understanding of what’s needed.

“Microsoft is working on the only scalable solution, one that will run seamlessly on the Azure cloud, and be much more immune to errors. The truth is that not all qubits are equal; most are inherently unstable and susceptible to error-creating noise from the environment. Our approach uses topological qubits specifically for their higher accuracy, lower cost and ability to perform long enough to solve complex real-world problems.”

Microsoft is the only major company attempting to build topological qubits, which aim to significantly reduce any interference at a subatomic level that might affect the machine. With this approach, the computational qubits will be “corrected” by the other qubits.

“When we run systems, there are trade-offs in power, because they have to be very cold. However, we get higher compute capabilities,” said Love, who started studying quantum computing in the late 1990s.

Last year, Microsoft released a Quantum Development Kit, which includes its Q# programming language for people who want to start writing applications for a quantum computer. These can be tested in Microsoft’s online simulator. Q# is designed for developers who are keen to learn how to program on these machines whether or not they are experts in the field of quantum physics.

“We have released the Quantum Development Kit so developers can learn to program a quantum computer and join us on this journey,” Love added.
