Ocado to build robotic fulfilment centre in Japan in new deal with retail chain Aeon

By Graeme Burton | News | 29 November 2019
Aeon will get a warehouse just like this, off-the-shelf from Ocado, to fuel its online expansion in Japan

Ocado has signed another technology deal - this time taking its advanced warehouses and robotics technology to Aeon in Japan

Ocado has signed a deal with Japan's largest retailer Aeon to build advanced warehouses and supply ecommerce technology for the ¥1 trillion (£7bn) turnover chain.

The company will build a series of highly automated customer fulfilment centres to facilitate Chiba, Japan-based Aeon's belated drive towards home delivery services. Analysts at investment bank Morgan Stanley suggested that the deal would be of a similar size to Ocado's agreement with Kroger in the US.

The deal - as with all of Ocado's overseas deals - will be exclusive to Aeon, in this case, in Japan. However, the retailer also has operations across Asia in China, Hong Kong, Indonesia, Malaysia and Thailand, which could provide further opportunities in the future for Ocado.

While Japanese retail networks have been known, in the past, for being somewhat sclerotic and inefficient, they are belatedly embracing automation as a means of overcoming acute labour shortages, partly due to the country's ageing population profile. In recent years, too, the sector has been shaken up by the removal of trade barriers.

Japan's online shopping market is the fourth largest in the world, according to analysts, behind the US, China and UK. Aeon, in particular, has struggled to replicate in online retail its dominance of Japanese shopping malls and high streets.

"Aeon is the leading mass merchandiser not only in Japan but in Asia-Pacific as a whole. However, the company is struggling to establish itself in internet retailing," notes analyst group Euromonitor.

Aeon operates more than 21,000 stores, including supermarkets, convenience outlets, fashion chains and general retailers. It operates in 14 countries in total, and has recently been expanding into Vietnam.

Ocado now has deals in five countries across the world, including the US, with Kroger; Canada, with Sobeys; Australia, with Coles; and France, with Groupe Casino - as well as Ocado in the UK, of course. In a conference call today, according to Bloomberg, chief financial officer Duncan Tatton-Brown suggested that Ocado could conceivably strike a deal in China - but not any time soon.

"There will come a day when entering China is sensible, but not yet," said Tatton-Brown.

The deal will further support Ocado's strategic move of selling a 50 per cent stake in the UK home delivery grocery business to Marks & Spencer earlier this year, which provided a further £750 million that can be ploughed into technology development.

Oyster card accounts locked with users asked to reset passwords

By Graeme Burton | News | 29 November 2019
Oyster cards were introduced almost 20 years ago

TfL acts for a second time following August security breach - again blaming the risk of credential stuffing

Oyster card users with online accounts have had their passwords reset by Transport for London - an indication that the August admission of a data breach might be far larger than originally suggested.

TfL chief technology officer Shashi Verma described it as a "precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL website. This is a routine step to enhance the security of our online accounts."

Password resets are typically forced on users to mitigate the risks of a credential stuffing attack. Oyster card users with accounts will need to reset their passwords, with the password being sent to the user's registered email address.

TfL admitted a security breach in August but has only forced a wider password reset this week, which raises questions over what has happened in the interim to persuade the organisation to act now.

The August data breach entailed the compromise of around 1,200 customer accounts - not large by the standards of data breaches today.

At the time, the breach only came to light after the online service enabling users to check their balance or top-up their cards was taken down. TfL said that was due to "performance affecting issues", but only later admitted that a compromise had occurred.

It then provided the bare minimum of public information about the breach.

"We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites," a TfL spokesperson said in a statement at the time.

"No customer payment details have been accessed, but as a precautionary measure and to protect our customers' data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place."

'Magnetic domain wall' circuit design could enable magnetic wave-based computing - little or no electricity required

By Dev Kundaliya | News | 29 November 2019
Researchers at MIT have created a novel circuit design to enable practical magnetic waves-based computing. Image credit: MIT.

Creating a practical magnetic-waves-based device requires efficient modulation of spin-wave propagation

Researchers at MIT claim to have created a novel circuit design that, they believe, could enable practical magnetic waves-based computing, requiring little to no electricity.

According to researchers, this circuit can modulate the magnitude and phase of a spin wave with the help of a nanometre-wide "magnetic domain wall."

For the past several years, researchers have been working on magnetic-based "spintronic" devices, which are said to require relatively little power to run. In addition, they generate nearly zero heat as a result of their operation.

Such "spintronic" devices work by leveraging the "spin waves" in magnetic materials with a lattice structure.

Spin waves are propagating disturbances in the ordering of magnetic materials. These collective excitations happen in magnetic lattices with continuous symmetry.

Creating a practical spintronic device requires efficient modulation of spin-wave propagation. This modulation results in a measurable output that can be used to carry out some sort of computation.

In the current study, the research team used a pattern of nickel/cobalt nanofilms and layered it with some specific magnetic properties to enable it to handle a large volume of spin waves.

The team then placed a customised "magnetic domain wall" in the middle of the magnetic material. The "wall" served as a nanometre-sized barrier between the two neighbouring magnetic structures. The entire system was then incorporated into a circuit.

In the next phase of their experiment, the researchers excited constant spin waves in the magnetic material on one side of the circuit. The waves passed through the "wall", which eventually caused its magnons (a collective excitation of the electrons' spin structure) to spin in the opposite direction.

As a result of this spinning of magnons, a dramatic shift was observed in the wave's angle (phase), along with a small drop in its magnitude (power).

The team was able to detect the output using an antenna on the other side of the circuit.

The researchers believe such innovative circuit designs could allow the creation of practical spin wave-based computing devices for certain tasks, such as signal processing. The team is now planning to build a functional wave circuit that would be able to perform basic computations.

The detailed findings of the study are published in the journal Science.

This is, however, not the first study attempting to exploit magnetic properties of materials to design low-power computing devices.

Last year, researchers at MIT and Brookhaven National Laboratory said that they had devised a new approach to control magnetism in thin-film materials, which could eventually enable CPUs with much lower power demands.

Earlier in 2016, Durham University landed a £7m grant to conduct research into 'nanosize magnetic whirlpools' or 'magnetic skyrmions', a branch of quantum mechanics that could drastically improve data storage capacities and processing speeds.

Magento Marketplace suffers data breach exposing confidential details of users

By Dev Kundaliya | News | 29 November 2019
Adobe has disclosed a security breach affecting Magento Marketplace users

Magento's platform has been targeted in the past by Magecart scammers, but it claims its core products and services were not exposed in this latest incident

Adobe has disclosed a security breach that exposed confidential information of a number of Magento Marketplace users.

In an email to customers, the company admitted that unknown hackers had exploited a security flaw on the Magento website to access the account details of registered users - buyers as well as sellers (developers).

Magento provides widely used ecommerce software on both an open source and commercial basis. However, it has been repeatedly targeted by scammers following a string of security alerts in recent years - the latest coming only in November.

The information compromised included usernames, phone numbers, email addresses, MageID (store usernames), billing addresses, shipping addresses, and limited commercial information. However, Magento's core products and services were not exposed in the incident, the company assured.

While the company didn't reveal when the Magento marketplace website was compromised, it did confirm that the breach was discovered by its security team on 21st November.

"On November 21, we became aware of a vulnerability related to Magento Marketplace," said Jason Woosley, VP of Commerce Product and Platform at Adobe, in a statement.

"We temporarily took down the Magento Marketplace in order to address the issue. The Marketplace is back online. This issue did not affect the operation of any Magento core products or services," he added.

The company didn't share the total number of affected accounts. It just stated that it had notified all affected account holders directly.

Magento, which was bought by Adobe last year, is one of the most popular e-commerce platforms in the world. Its Marketplace portal is used by thousands of people to buy, sell, and download themes and plugins for Magento-based online stores.

The popularity of Magento has also led to it being persistently targeted by cyber criminals of late.

In May, the cyber security firm RiskIQ said that e-commerce stores running Magento were the prime target for hacking groups running web skimming attacks. Such attacks are typically carried out by installing malicious scripts in web pages to steal payment card details of the customers.

Earlier this month, Magento advised its users to apply the latest security update to protect their ecommerce sites from potential attacks exploiting a remote code execution (RCE) security flaw.

The company said that the vulnerability, indexed as CVE-2019-8144, could allow attackers to inject a malicious payload into a merchant's website through PageBuilder template methods and then execute the payload.

Earlier in March, researchers at security firm Sucuri found a critical vulnerability in Magento, which left nearly 300,000 online retailers at risk of card-skimming attacks. The researchers said this PRODSECBUG-2198 SQL injection vulnerability could allow cyber-crooks to launch devastating attacks and hijack accounts without authentication.

Jony Ive finally out at Apple

By Computing News | News | 29 November 2019
Jony Ive back in 2015, following promotion to chief design officer at Apple

Apple's (former) chief design officer becomes unperson as his name is removed from corporate pages

Jony Ive has finally left Apple with his name, picture and bio expunged from the company's corporate pages. 

The company's iconic (former) chief design officer had revealed plans to leave the company in the summer, with the aim of setting up shop on his own. Now, it appears that he's served his notice period and is out the door.

That almost certainly means that Ive's new business isn't far from officially opening its doors. Called LoveForm, Ive's new business - predictably enough - will focus on design.

Unlike most people starting their own business, Ive won't have to hustle for new clients right away. Client number one will be Apple, according to the press release that announced Ive's exit in June.

For Ive, it will reportedly be something of a relief. While Ive and Steve Jobs's design philosophies appeared to be in sync, his relationship with Jobs's successor Tim Cook had become strained.

Not long after he handed in his notice in the summer, reports emerged that he was "dispirited" by life at Apple as accountant-turned-CEO Tim Cook "showed little interest in the product development process".

Not that you'd know that from the corporate quote he gave the Apple newsroom at the time, where he described the company as "stronger, more vibrant and more talented than at any point in Apple's history". 

Ive's design capabilities have been mythologised over his 27 years at the company, so we'll now see just how influential he really was. However, the company is increasingly focusing on services over hardware, with initiatives like Apple Arcade gaming and the Apple TV+ streaming video service. 

Ocado to open mini customer fulfilment centre in Bristol

By Graeme Burton | News | 28 November 2019
A standard Ocado warehouse

Ocado's mini-CFC is expected to achieve productivity similar to the company's full-size warehouses

Ocado is planning to build a mini-customer fulfilment centre in Bristol in a facility offering less than half the capacity of its standard warehouses.

The automated warehouse will have the capacity for just over 30,000 orders per week compared to around 85,000 orders per week that the company's Purfleet customer fulfilment centre will be able to serve.

"This facility is being built in an existing warehouse and is expected to go live at the end of 2020 or early 2021, so bringing new capacity into operation significantly faster than for purpose-built standard-sized CFCs. Despite its smaller size, we expect the Bristol mini-CFC to achieve productivity close to that in our standard facilities," the company claimed in a statement.

It will be Ocado's first mini-CFC. In addition to serving the area around Bristol, it will also serve as a demonstration for the company's technology arm, which sells complete ecommerce solutions - both the automated warehouses and the supply-chain software - to supermarkets around the world.

The warehouse will be able to provide same-day delivery for customers in the area. "It will also mean saving the cost of spoke sites, offsetting most of the additional costs of the supply chain," the company added.

Underscoring its value as a show-case of the company's technology prowess, CEO Tim Steiner said: "The Ocado Smart Platform is constantly evolving as we innovate to adapt to changing customer needs.

"We can now deliver the best customer experience across a whole range of customer missions, through CFCs, mini-CFCs, and micro fulfilment centres. Ocado's technology is dynamic and constantly improving, delivered through tried and tested solutions with proven and attractive economics."

That shift towards technology was reflected by the sale of a 50 per cent share of Ocado.com, the customer facing online supermarket element of the company, to Marks & Spencer. Since it was founded, Ocado has sought to use technology to cut costs, and increasingly to sell its technology to other supermarket retailers around the world.

It currently has deals with US grocer Kroger, Canadian supermarket chain Sobeys, Australia's Coles, and France's Groupe Casino. Its deals in each territory are exclusive to the supermarket chains involved, meaning that Ocado will not sign deals with their rivals.

Splunk warning over Y2K-style bug set to hit all versions on 1st January 2020

By Dev Kundaliya | News | 28 November 2019
A bug in Splunk platform would keep users from getting correct results when they query threat data for crucial information

Splunk users urged to patch immediately

Splunk has disclosed a flaw in its platform that would cause timestamp recognition of dates with two-digit years to fail - starting on New Year's Day.

The issue affects all unpatched Splunk instances, including Splunk Light, Enterprise, and Cloud, on all operating systems. According to Splunk, it would keep users from getting correct results when they query threat data for crucial information.

"Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognise timestamps from events where the date contains a two-digit year," the company warned in an advisory released this week.

"This means data that meets this criteria will be indexed with incorrect timestamps," the advisory added.

The bug disclosed by Splunk resembles the infamous Year 2000 (Y2K) issue, which was associated with the rollover of the year in computer systems from 1999 to 2000. At that time, it was widely believed that the bug would result in the collapse of computer systems infrastructure around the world.

According to Splunk, the bug in its platform will mark the change in system date to 1st January 2020 as invalid. It will then either default back to a 2019 date or add some incorrect "misinterpreted date".

The issue stems from a flawed file called datetime.xml, which is used to determine correct timestamps based on incoming data.

There is no technique to correct the timestamps after the Splunk platform ingests the data. If an unpatched platform instance ingests the data, the user will need to first patch the instance and then ingest the data again for timestamps to be correct.

According to Splunk, the bug for all operating systems can be patched in three ways:

Splunk also revealed that starting 13th September 2020 at 12:26:39 PM UTC, all unpatched Splunk instances will stop recognising timestamps for events with dates based on Unix time.
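The two cut-over points above can be turned into a pre-ingestion check. The following is an added example, not Splunk's code and not the logic of datetime.xml: it flags events whose own timestamp falls on or after either cut-over, which is an assumption about how the advisory's dates apply. The log formats, regular expressions and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Cut-over points quoted in the article (UTC).
TWO_DIGIT_YEAR_CUTOVER = datetime(2020, 1, 1, tzinfo=timezone.utc)
UNIX_TIME_CUTOVER = datetime(2020, 9, 13, 12, 26, 39, tzinfo=timezone.utc)

# Assumed formats (hypothetical, not taken from datetime.xml):
#   DD/MM/YY HH:MM:SS anywhere in the line, and a 10-digit epoch
#   (optionally with a fractional part) at the start of the line.
TWO_DIGIT_RE = re.compile(r"(?<!\d)(\d{2}/\d{2}/\d{2})(?!\d) (\d{2}:\d{2}:\d{2})")
EPOCH_RE = re.compile(r"^\s*(\d{10})(?:\.\d+)?\b")


def classify(line):
    """Return (kind, event_time) where kind is unix_time, two_digit_year or other."""
    m = EPOCH_RE.match(line)
    if m:
        return "unix_time", datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    m = TWO_DIGIT_RE.search(line)
    if m:
        try:
            ts = datetime.strptime(" ".join(m.groups()), "%d/%m/%y %H:%M:%S")
        except ValueError:  # e.g. 99/99/99: looks like a date but is not one
            return "other", None
        return "two_digit_year", ts.replace(tzinfo=timezone.utc)
    return "other", None


def at_risk(line):
    """True if an unpatched instance would be expected to mis-stamp this event."""
    kind, ts = classify(line)
    if kind == "two_digit_year":
        return ts >= TWO_DIGIT_YEAR_CUTOVER
    if kind == "unix_time":
        return ts >= UNIX_TIME_CUTOVER
    return False


def audit(lines):
    """Return ([(line_number, kind), ...], Counter of kinds) for at-risk events."""
    flagged = [(n, classify(l)[0]) for n, l in enumerate(lines, 1) if at_risk(l)]
    return flagged, Counter(kind for _, kind in flagged)


# Constructed sample events (not real log data).
SAMPLE = [
    "31/12/19 23:59:58 host=web01 action=login status=ok",
    "01/01/20 00:00:03 host=web01 action=login status=fail",
    "1599999998 host=fw02 action=drop src=192.0.2.10",
    "1599999999 host=fw02 action=drop src=192.0.2.11",
    "1600000042.250 host=fw02 action=allow src=192.0.2.12",
    "2020-01-01T00:00:03Z host=api03 action=token status=ok",
    "no timestamp here",
]

if __name__ == "__main__":
    flagged, counts = audit(SAMPLE)
    for lineno, kind in flagged:
        print(f"line {lineno}: {kind}")
    print(dict(counts))
```

Sources that produce flagged events are the ones that would need re-ingesting after patching, since the timestamps cannot be corrected once indexed.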

Splunk is a data analytics platform provider based in San Francisco. The company focuses on business analytics and software monitoring services and has a customer base of nearly 19,000 users worldwide.

Women in IT Excellence Awards 2019 - here are your winners

By Tom Allen | News | 28 November 2019
More than 600 people attended this year's Women in IT Excellence Awards

Another night celebrating the amazing women smashing biases - and the glass ceiling - in tech

The technology industry has a problem with gender. That fact is, finally, starting to be widely acknowledged - although not by the Steve-Daves of the world: a term that Holly Brockwell, who hosted last night's incredible Women in IT Excellence Awards, uses to describe all the men who tell her that sexism is over.

Now in its third year, the Women in IT Excellence Awards aim to raise the profile of all women working in the technology industry, whether they are personally shortlisted for the event or not. Only by speaking up and showing that women are perfectly capable of coding, innovating and leading can we dispel some of the archaic notions that still waft around the industry.

Our charity partner PEAS builds self-sustaining schools in Uganda and Zambia

With an inspiring message shared by our charity partner, PEAS (Promoting Equality in African Schools), and uplifting comedy from Suzi Ruffell - who got her start from misreading the word "organism" out loud - the night was a great success.

So, who were the winners?

Women in IT Excellence Awards 2019 winners

Digital Leader of the Year
Winner: Sarika Soni, HSBC

Diversity and Inclusion Initiative of the Year
Winner: Joanne Miklo, Leeds City Council
Highly Commended: Anna Somaiya - KPMG

Diversity Employer of the Year
Winner: Microgaming

Diversity Project of The Year
Winner: Faye Pressly - Vanti/DiD Fest
Highly Commended: Code First: Girls

Entrepreneur of the Year
Winner: Kim Aviv, Pathfinder Software Ltd

Graduate of the Year
Winner: Mary Kirby, Atos
Runner up: Smruthi Chandrasekar, Just Eat

Hero of the Year - (ENT)
Winner: Holly Steele, Sweaty Betty Ltd

Hero of the Year - (SME)
Winner: Laura Turner - Mudano

Innovator of the Year
Winner: Patty Kostkova, University College London
Highly Commended: Jasmina Mularska, BT

IT Leader of the Year
Winner: Tamara Castelli, UNiDAYS

Outstanding Returner Award
Winner: Holly Steele, Sweaty Betty
Highly Commended: Lyndsey Parry - Keoghs

Outstanding Transformation
Winner: Jo Steel, Vodafone UK

Rising Star of the Year - (ENT)
Winner: Krittika D'Silva, Cambridge University

Rising Star of the Year - (SME)
Winner: Alice Little - CENTURY Tech

Rising Star of the Year (ENT) - Financial Services
Winner: Siobhan Stevenson, First Derivatives
Highly Commended: Donna Wayman, Zurich Insurance

Rising Star of the Year (ENT) - Tech Industry
Winner: Priya Kanda - Atos

Role Model of the Year - (ENT)
Winner: Juliet Parab, Deutsche Bank

Role Model of the Year - (SME)
Winner: Rebecca Harrop, University of Bedfordshire and Open University

Role Model of the Year (ENT) - Tech Industry
Winner: Gemma Emmett, Ladies Be Architects & The Architech Club

Role Model of the Year (SME) - Tech Industry
Winner: Gaia Caruso - Sparta Global

Security Leader of the Year
Winner: Katy Hinchcliff, Littlefish

Software Engineer of the Year
Winner: Yuliya Maksimchyk, Godel Technologies

Team Leader of the Year - (ENT)
Winner: Sarah Cockrill, Coventry University

Team Leader of the Year - (SME)
Winner: Kathy Bloomfield, Salford Royal NHS Foundation Trust

Transformation Leader - (ENT)
Winner: Lesley Bunting, Pearson Plc

Transformation Leader - (SME)
Winner: Naseem Golamgouse - Westminster City Council

Woman of the Year - (ENT)
Winner: Sue Lees, Agilisys

Woman of the Year (SME)
Winner: Jacqueline de Rojas CBE, techUK
Highly Commended: Sabrina Castiglione, Tessian

CIO of the Year
Winner: Nimisha Patel, RSA

Sustainability Leader of the Year (Special Award)
Winner: Mattie Yeta, DEFRA

Apple caves in to demands to show Crimea as part of Russia

By Dev Kundaliya | News | 28 November 2019
Apple meets Russian demands to show Crimea as part of Russia in its apps - at least in Russia

Apple's concession to Russian government demands follows on from its cave-in to China over apps used by Hong Kong pro-democracy protesters

Apple has caved in to Russian demands to show Crimea as part of Russia on its Maps and Weather apps. 

"Today, with Apple, the situation is closed - we have received everything we wanted," said Vasily Piskarev, the head of the State Duma (lower house of the Russian parliament) Committee on Security and Corruption Control, according to BBC News.

"Crimea and Sevastopol now appear on Apple devices as Russian territory," he added.

Ukraine has criticised Apple's decision, saying it did not "give a damn" about its pain. "Let me explain in your terms, Apple," Ukraine's foreign minister, Vadym Prystaiko, wrote on Twitter.

"Imagine you're crying out that your design and ideas, years of work and piece of your heart are stolen by your worst enemy, but then somebody ignorant doesn't give a damn about your pain.

"That's how it feels when you call Crimea a Russian land."

Crimea lies on the north side of the Black Sea and has a largely Russian-speaking population. In 2014, Russia annexed the peninsula from Ukraine and brought it under its own control following a confirmatory referendum. 

The international community claims that Russia instigated the unrest in Crimea by arming separatists and sending in special forces under cover, in order to provide justification for invasion and annexation.

Following the annexation of Crimea, a separate conflict started in Luhansk and Donetsk, where Russian separatists demanded separation from the Ukrainian state. Again, the international community claims that the separatists have been materially supported by Russia.

These conflicts have led to the deaths of more than 13,000 people in the region in recent years. 

Apple was discussing the issue with Russia for several months, and was hoping to fudge it by leaving Crimea as an undefined territory. However, Russia insisted that Apple showing Crimea as part of Ukraine would amount to a criminal offence under Russian law. 

Apple's decision to label Crimea as a Russian territory is the latest example of the tech giant kneeling down to foreign governments' demands to keep doing business in those countries.

Last month, Apple faced intense criticism for conceding to China's demands and removing the Taiwanese flag emoji from the iOS keyboard in the semiautonomous city.

The company also blocked two apps that helped pro-democracy protesters in Hong Kong. Both moves were seen as an effort to appease the government in China, where Apple sells products worth billions of dollars.

Tracking the threat actors: NCSC's Eleanor Fairford on the evolving threats to the UK's critical infrastructure

By John Leonard | News | 28 November 2019
Eleanor Fairford speaking at Cybersecurity Live

'We're seeing ransomware increasingly deployed against utility providers, law enforcement and emergency response units'

For a few days 18 months ago, the UK and many other countries appeared to be in danger of grinding to a halt. This was during the early stages of the WannaCry crisis which forced a number of NHS trusts to close facilities and crippled large infrastructure, transport and shipping companies like Maersk. Had WannaCry continued on its trail of destruction, we would have soon been in a "category one" (C1) situation, according to NCSC head of cyber assessment Eleanor Fairford, speaking at Computing's Cybersecurity Live event last week.

A C1 event is defined by NCSC as "a cyberattack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life," which could mean an A&E department being severely disrupted or, as a worst-case scenario, a hybrid assault combining a cyber incident with multiple terrorist attacks or similar, Fairford explained.

Fortunately, the destructive WannaCry and NotPetya attacks of 2017 did not attain C1 status and so far have not been repeated, but that certainly doesn't mean that we can rest easy. In fact, the number of ransomware attacks has doubled since 2017.

However, unlike the uncontrolled scatterguns of WannaCry, which NCSC attributes to North Korea's Lazarus Group, and NotPetya, for which Russia is the prime suspect, more recent attacks have been much more targeted, using strains like Ryuk, SamSam and RobbinHood whose infections can be harder to prevent as they propagate via multiple vectors but which don't tend to spread uncontrollably. The motive is generally financial (or disguised as such), and to maximise returns perpetrators calibrate the level of the ransom demand to the perceived ability of the victim to pay. They spend time beforehand researching and identifying targets least likely to have adequate defences and most likely to pay up, such as providers of vital services for whom any downtime is unacceptable. The tools may be more precise, but the targets are still big.

"We're seeing ransomware increasingly deployed against critical infrastructure entities like utility providers, law enforcement and emergency response units, as well as private citizens, educational institutions and other targets," said Fairford.

The ideal target is an organisation providing important services whose extensive supply chains and complex internal structures make it vulnerable. In the US, victims this year have included healthcare providers and local authorities. In August, organisations connected to local government in the US state of Texas were hit by ransomware. This attack on the authorities' managed service providers using Sodinokibi ransomware took out online payment systems and email among other services in 22 municipalities; in November, Louisiana was hit by Ryuk.

In a globalised economy, the impact of cyberattacks is not confined by national boundaries. When the Brussels-based scientific materials supplier Eurofins was hit by ransomware in June, it turned out that this company was responsible for 60 per cent of forensics supplies to the UK police forces.

"An attack not targeting specifically the UK, but on a company that happened to support services in the UK, had potentially a major impact on court cases and police cases going through the system," said Fairford. "So for us, this was a really important shift, where the sorts of targets may not necessarily represent a direct attack on a UK interest, but where the UK nonetheless can be massively impacted."

Another shift, as cybersecurity has become a geopolitical rather than merely a technical concern, is a blurring of organised crime and state actors with each borrowing the methods, and quite possibly the personnel, of the other. This, together with the ready availability of exploits online, makes attribution of attacks, one of NCSC's functions, more difficult. Currently, attribution requires an average of three weeks of evidence gathering.

NCSC mainly tracks the high-level threat actors based in Russia, China, Iran and North Korea.

Publishing attribution for serious attacks is a fairly recent tactic adopted by the UK, in concert mainly with the US. Previously, this sort of information would have been restricted to diplomatic channels, but state-sponsored threat actors like China's APT10 group, Russia's Cozy Bear and Iran's APT39 are now publicly named and, if not shamed, at least identified when the weight of evidence permits.

"This has really been designed to shift the public debate. It is about not just tolerating or sleepwalking into increasingly bad behaviour by states," Fairford said.

While it's debatable whether public naming lessens the incidence or severity of such attacks, attribution at least forces state actors to factor potentially adverse publicity into their thinking. It also reduces the silo effect that can sometimes impede defensive response, said Fairford.

"It enables my technical colleagues on the other side of NCSC to put out material that enables network defenders to bolster their defences alongside the political activities we're doing. You can do the two together in a way that we may not have been able to do if we hadn't gone public."