People are leaking their RDS database backups

Researchers discovered incompetence when handling AWS RDS database backups, exposing them on the public network for anyone to take

File this under “Disheartening that we are still seeing this”. AWS has a feature where you can make your RDS snapshots public, making it easy to share them with other AWS accounts to spin up new database instances. Doesn’t mean you should though.

The research team over at MITIGA has published a very exhaustive analysis of how they discovered not only a huge number of publicly available database backups but, among those, an alarmingly large number that contained Personally Identifiable Information (PII).

We wouldn’t even call this hacking. Incompetent cloud engineers have packaged up the complete database and left it out on the doorstep for anyone passing by who is interested in it. No need to worry about breaching firewalls, network layers, or even guessing at username/password combinations.

The article’s statistics are demoralizing to anyone in the cloud and security space.

  • The total number of snapshots seen in this month (Oct 22) was 2,783
  • Of those 2,783 snapshots, 810 snapshots were exposed during the analyzed timeframe
  • Additionally, 1,859 snapshots of the 2,783 were exposed for just 1-to-2 days

There simply is no excuse for this sloppy and incompetent practice. It demonstrates a complete lack of respect for security: instead of going down the path of securing with IAM roles, they just thought it easier to make it public. Ease of use, I am sure, they said to themselves, convinced that no one would know.
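The “public” switch the post is talking about is just the wildcard value `all` on a snapshot’s `restore` attribute. The script below is an added example (not code from MITIGA or AWS) that audits the snapshots in your own account for that value and shows how to remove it; it uses boto3, which is imported lazily so the pure `is_public` check runs offline against the constructed sample responses.

```python
"""Audit an AWS account's own manual RDS snapshots for the 'public' setting."""
from typing import Any, Dict, List


def is_public(attrs_response: Dict[str, Any]) -> bool:
    """True when the 'restore' attribute contains the wildcard 'all', which is
    exactly what 'Make snapshot public' sets under the hood."""
    result = attrs_response.get("DBSnapshotAttributesResult", {})
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def audit_account(region: str = "us-east-1") -> List[str]:
    """Return the identifiers of manual snapshots in this account that are public."""
    import boto3  # lazy import: credentials are only needed when this actually runs
    rds = boto3.client("rds", region_name=region)
    public: List[str] = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            ident = snap["DBSnapshotIdentifier"]
            attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=ident)
            if is_public(attrs):
                public.append(ident)
    return public


def make_private(snapshot_id: str, region: str = "us-east-1") -> None:
    """Remove only the 'all' permission; shares with specific account IDs are kept."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id, AttributeName="restore", ValuesToRemove=["all"]
    )


# Constructed sample responses in the shape DescribeDBSnapshotAttributes returns.
SAMPLE_PUBLIC = {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-backup-2022-10",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}}
SAMPLE_SHARED = {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-backup-shared",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]}}

if __name__ == "__main__":
    for ident in audit_account():
        print("PUBLIC snapshot:", ident)  # follow up with make_private(ident)
```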

As the old saying goes, with great power comes great responsibility. Learn the tools. We need more naming and shaming so people start taking this more seriously. Don’t just name the company, but the head of security or cloud who allowed this to happen under their watch.

To read the full report, head on over to MITIGA.

What makes a great product manager by James Hamilton

What makes a great product by AWS guru James Hamilton

James Hamilton is a true computing legend who has architected many revolutionary things over at AWS that us mere mortals can only dream of and be in awe of. I have followed him for many years, and have always taken the attitude: when James talks, you listen.

I have come across many product managers in our portfolios over the years, some good, some poor, and some that shouldn’t be anywhere near the product. This is a hard role to get right or even define properly, but you know it when you see it done right.

James has a great take on what it takes to be a great product manager, especially inside of AWS. I would caution, though, that I am going to assume he is referring to the great managers who design the core AWS products, and not the ones in charge of the AWS Console (it is getting better, but it still feels like an afterthought, a reluctant layer put on top of what is already a great API).

If you ever find yourself with some time on your hands and would like to get a peek under the covers at AWS, then do a YouTube search for the sessions that James has given at re:Invent over the years. Some of the things they have done to get the performance, scale and uptime out of AWS that we all rely on are mind-blowing.

Read his take on Product Managers here.

Isolation – things I have discovered

Now on my 6th week of isolation (self after a trip to Scotland, then forced isolation), I have discovered a few things about myself.

  1. I was under the impression I was not a people person, but I miss people (hopefully a temporary side effect)
  2. Being continually with one’s loved one has not been anywhere near as bad as some have it; we purposely keep apart during the day and make a point of pretending to come home from work around 6ish to keep some normality
  3. Doing laundry way more often than I probably need to
  4. Reduced monthly credit-card spend dramatically by getting rid of a lot of unnecessary subscriptions
  5. Netflix, Amazon Prime and YouTubeTV are great online services, but it is very easy to get fatigued by each, so the variety of rotating around them all is required
  6. On that, Star Trek TNG is as old to me now, as the original series was when TNG came out; (play the spot the Picard memes game)
  7. Deleting and not listening to downloaded podcasts does not make you a bad person
  8. Not watching as many movies as I would have hoped; can’t seem to concentrate on them as well as I used to
  9. BBC is one of the few news sources that does not sensationalize the news
  10. Find myself doing a lot more DIY jobs around the house (cleaned the gutters the other day)
  11. Nibbling from the kitchen has to stop, but not found an effective way to curtail that activity (Cadbury’s chocolate supply is perilously close to zero)
  12. Finally using all those soaps/shampoos collected from hotels over the years (don’t need to worry about that running low anytime soon)
  13. Video calls are way quicker and easier than writing an email
  14. Speaking of that, double chins are a fact of life (thank you video calls)
  15. Enjoying listening to the good old fashioned radio again (bandwidth free), reminds me there still is a world outside
  16. Saving a small fortune by not eating out for lunch
  17. Reading books again; dusted off my old kindle and enjoying the ideas being sparked
  18. Now that I am home, find myself talking to the dog while she spends the morning with me. (she then goes and spends afternoon with my loved one, so maybe I am talking too much. Noted).
  19. Invest in a good headset; makes said video calls way easier
  20. Amazon Chime really does blow chunks; yet another half-a-release from Amazon, I am sure it will be good in 18 months like most of their AWS offerings
  21. Google Meet continually impresses; it just works, no software required
  22. Jackbox.tv has been a surprise amusement for remote family time
  23. While video calls are great, it is way harder to multi-task like you used to on conference calls
  24. Everyone wants to be your connection on LinkedIn (clearly a lot of random ‘connect’ clicking going on as people are either bored or desperate for leads)
  25. Tiger King on Netflix (no more than that needs to be said – only in America eh?)
  26. “Hello, I am your man Steve Harvey” – we seem to be addicted to our lunchtime show (YouTubeTV archives have a lot to answer for)

Let us see how this looks at the 12th week mark.

3 simple guidelines to protect our ever connected ‘smart’ device universe

As we become more beholden to companies to keep our smart devices functioning long after purchase date, I propose 3 guidelines to address this imbalance and risk.

Smart devices. They are everywhere. Even if you don’t read a single online article, on a walk around your local BestBuy, Target or Walmart you can’t help but see the growing aisles of devices promising to make your life that little bit easier.

From thermostats, garage doors, security (?) cameras, door locks, bulbs, wall outlets, dimmer switches and drip-monitors to even smoke-alarms, they are all vying for our attention in our Internet-connected world. This is before we get to the countless consumer devices, like the swarm of voice-activated plastic towers (yes, I am looking at you Amazon and Google), baby-monitors and pet-monitors (and one where you can play laser tag with your kitty while you are away). I could go on, but I think you get my point — everything is getting the Internet-of-Things treatment.

Back in the day, we bought a device, plugged it in, and it performed the duty it said on the box. No fuss no nonsense. No apps to install, no Wi-Fi to configure, no 3rd party service to sign-up to and blindly agree to the terms’n’conditions. No matter what happened to that company or to the network, the device would still do what it was meant to do. I still have the same music deck that I went to university with over 28 years ago. However, as I look around at the various devices I have been seduced into buying, I wonder if they will make it past the year, let alone generational.

We are increasingly relying on a whole ecosystem to stay alive for our devices to be useful. Alexa becomes an ornament when the Internet or Amazon is down. Nest is just a wall-light when Google has a problem. It is not limited to the company staying in profit; we also have to be nice to the company, just in case they lock us out as a punishment (see the story of the Garadget smart opener locking out a poor reviewer from their own home).

What if a company changes direction? Your investment in all these gadgets is now at risk (Logitech has decided that Harmony Hub is no longer viable, bricking a whole bunch of universal remotes).

I have my own personal story — I was locked out of my own home because Tesla put out a software upgrade and broke the garage opener functionality that I was relying on. Two weeks later it was all back to normal after a fix to fix the fix.

Every morning I wake up and if things are still working then it is a good morning — it could all change in a second as each device relies on power, network, service and reliable software. Way too many factors — it is amazing the bloody thing works at all.

We need far more redundancy and stability in this ecosystem. We need confidence in the devices we are buying.

With that, I am proposing the following three guidelines for a consumer charter:

  1. Initial cost $0
    Hardware that relies on a back-end to function should be free ($0) to purchase. Charge a small monthly subscription to cover all costs.
  2. Minimum 5 year life from date of purchase
    Full refund if the device stops performing its duty within 5 years due to a company changing direction. This should be backed by an insurance policy that the company takes out to cover in case of insolvency.
  3. Open Platform
    Let devices be controlled by a 3rd party solution. Open up your APIs to allow alternatives to take over should you fail to do your job. Allow me to manage everything from one portal.

We need to get a handle on this. We are investing huge sums of money into an industry that is predicated on obsolescence, and we’re being held hostage to the whims of a corporate entity whose only goal is to squeeze as much profit from us as possible.

Next time you are about to buy that smart device, read the small print, see what relationship you are entering into, the risk you are taking on and ask yourself if the brand you see before you will still be around in 2, 5, 10 years time.

Otherwise, you just might be buying a pretty piece of plastic art.

Update 5th Dec: Google have disabled YouTube on Amazon’s Alexa Show product. YouTube on Alexa was a heavily marketed reason to purchase the voice-activated assistant. Another area where the consumer has little to no recourse on the functionality disappearing from their product. Imagine your microwave suddenly refusing to reheat your pizza because of a legal dispute. This is our new world.

The browser war is over; guess who won?

There is no more browser war. We’ve already traded our data and privacy, which leaves us unable to fight in the war. Like our music, movies and photos, our browsing has fallen; the powerful internet corporations have quietly taken another scalp.

Tomorrow, 14th November 2017, Firefox releases their new browser version, Quantum. Among other great additions, it has a huge reduction in memory usage compared to its old rival Chrome. A great achievement for sure, but who cares?

The browser race has all but gone. Fizzled out. They all do basically the same thing. No one browser has any huge must-have feature that would entice us to switch. From the feature point of view, the incentives to change are becoming increasingly harder to justify.

That isn’t the reason though why the browser race has lost interest.

User lock-in is the reason.

Our online lives are viewed through our browser. URLs are steadily becoming the telephone numbers of the modern era – no one bothers remembering them; instead we are increasingly reliant on our bookmarks to keep the link. I think I would be completely off-the-grid if my contacts were ever lost; my bookmarks are starting to get to that state too. What of the passwords to access the sites behind the bookmarks? Yup, most of us rely on the browser to manage and store those for us too.

In addition to our bookmarks, we have our collection of extensions that we’ve added to our browser toolbar. From notification apps (GMail, LinkedIn, Innoreader) to can’t-live-without apps (password managers), this rich ecosystem enhances the browsing experience.

Then we have to throw multiple devices in there. I don’t want to have to manually sync bookmarks/apps/history across my desktop, tablet, phone and Chromebook. I expect them all to just work together in a beautiful symphony of digital harmony.

And this is why the browser war is now null’n’void – profiles.

Chrome, Opera, Firefox, Safari, and Edge all have their version of the profile. Login from multiple devices to sync up your world. Just sit down at anyone’s browser, login and your world comes with you. This is the dream the Internet sold to us.

Chrome does this particularly well, bringing everything with it and then allowing me to remove it just as quickly. I can sit down at any Chrome browser or Chromebook, login, have my world come up (and then, when I am done, delete it again if I am on a shared or friend’s device). Firefox does this pretty well too, but not as well, in my opinion, as Google.

When new versions of other browsers drop, I don’t care anymore. My life is invested too much in Google to be bothered to migrate on the off-chance I may like the new browser. Most users will be in the same boat, with their loyalty lying with the browser ecosystem they have invested the most in.

It is the same reason we can’t move away from most of the services we invest in. Whether it is music (Amazon, Google, iTunes etc.), photos (Google, Amazon, Flickr etc.), movies or documents, it is increasingly harder to migrate our data. Particularly data that has only been licensed to us; you can’t export your iTunes movies to .mp4 and use them how you see fit, for example.

The browsers are now in the same place. Google/Apple/Microsoft/Firefox have us by the short and cURLies. We can’t interchange our browser profiles. We’re locked in.

We’ve once again traded ownership for convenience.

We’re each living our own online version of the classic Peter Cook and Dudley Moore movie, Bedazzled. Except we’re not trading our souls to the devil, but our privacy and personal data, and the devil here is the corporations that wield more power than governments.

Maybe it is not all progress eh?