Researchers discovered incompetence when handling AWS RDS database backups, exposing them on the public network for anyone to take
File this under “Disheartening that we are still seeing this“. AWS has this feature where you can make your RDS backups public, making it easy to share them with other AWS accounts to spin up new database instances. Doesn’t mean you should though.
Research team over at MITIGA have published a very exhaustive look at their analysis on how they discovered not only a huge amount of publicly available data backups, but of those, an alarmingly large amount of them that had Personally Identifiable Information (PII) data.
We wouldn’t even call this hacking. Incompetent cloud engineers have packaged up the complete database, and left it out on the doorstep for anyone, passing by, who is interested in it. No need to worry about breaching firewalls, network layers, or even guessing at username/password combinations.
The article’s statistics are demoralizing to anyone in the cloud and security space.
The total number of snapshots seen in this month (Oct 22) was 2,783
Of those 2,783 snapshots, 810 snapshots were exposed during the analyzed timeframe
Additionally, 1,859 snapshots of the 2,783 were exposed for just 1-to-2 days
There simply is no excuse for this sloppy and incompetent practice. It demonstrates a complete lack of respect for security and instead of going down the path of securing with IAM roles, they just thought it easier to make it public. Ease of use I am sure, they said to themselves, convincing themselves no one will know.
As the old saying, with great power comes great responsibility. Learn the tools. We need more name and shaming so people start taking this more serious. Don’t just name the company, but the head of security or cloud that allowed this to happen under their watch.
What makes a great product by AWS guru James Hamilton
James Hamilton, a true computing legend who has architected many revolutionary things over at AWS that us mere mortals can only dream and be in awe of. I have followed him for many years, and have always taken the attitude – when James talks, you listen.
I have come across many product managers in our portfolios over the years, some good, some poor, and some that shouldn’t be anywhere near the product. This is a hard role to get right or even define properly, but you know it, when you see it done right.
James has a great take on what it takes to be a great product manager especially inside of AWS. I would caution though, that I am going to assume he is referring to the great managers that design their core AWS products, and not the ones in charge of the AWS Console (it is getting better, but it still feels like an after thought, a reluctant layer put on top of what is already a great API).
If you ever find yourself with some time on your hands, and would like to get a peak under the covers at AWS, then do a YouTube search for the sessions that James has given at re:Invent over the years. Mind blowing some of the things they have done to get the performance, scale and uptime out of AWS that we all rely on.
Amazon has closed the gap between Lambda and processing events directly from SQS, opening up a world of possibilities.
This week Amazon announced that they finally closed the gap between it’s oldest service, Simple Queue Service (SQS) and their push into serverless computing, Lambda. In other words, you can now write Lambda functions (Java, JavaScript, Go, Python, C#), point them at an SQS queue and have them processing events off the queue all without worrying about supporting a complex server environment.
Anyone in the cloud architecture or microservices business will be excited at this long overdue evolution of the Lambda ecosystem. When Lambda was first introduced, the idea of having functions hanging out there in the cloud, just waiting to be executing based on some sort of condition was very exciting.
An aside
As any seasoned architect will tell you, one of the secret tools of a good scalable architecture is liberal but strategic use of queues.
A queue allows you to decouple components from one another to the point of where downstream execution can be many magnitudes later, making the overall resilience of the platform much stronger at the same time as far more scalable. For the sake of a quick illustration, imagine two components that are tied together. One has to process an order, and the other is responsible for emailing out the confirmation. You may split these up into two different services and when the order has been completed, you could make a RESTlet call to the service to send out the email. But what happens if that email service is no longer there, or returns an error? Now you have to start developing retry logic and figure out what state you want to leave that order with respect to the customer.
Instead of a strong coupling like this, the better solution would be a queue between both components, where the ordering service would place a message on the queue that the email service would pick up at a later date to process, resulting in an email going out. If the email service is down, then no problems, the queue can still accept events and will store them until such times the email service can process them.
dreaming
When I first started dreaming of using Lambda it was for queue processing. There was many times that the amount of business logic required to process queue’s would have fitted wonderfully well within the Lambda environment, all without having to worry about standing up containers or EC2 instances. However, I had to keep dreaming because this was not available at the time of Lambda launch – one of the most obvious use-cases of Lambda and Amazon made us wait nearly 4 years for it.
The wait is over and now we can start using Lambda for some serious queue related applications. Yes, you can put some quite meaty processing behind each event on a queue and that will make architectures much easier to manage and scale, but the real power behind this development is actually in making some quite sophisticated event routing applications.
Imagine taking a source event from a given queue and then deciding, based on its contents, which additional queues it should be placed on for parallel processing. Take the example of the order system in the sidebar; the email service is not the only service that should know about an order being complete, there could many others in the enterprise that could benefit from that information, for example fulfillment, accounting, warehouse to name a few. A Lambda function could take that order from the queue, and decide quickly which other queues should have a copy of that event.
Such routing design patterns are common and historically you’ve either had to use some non-cloud technology to perform these, or grown your own. This Lambda tie-up simply reduces the amount of infrastructure required to support such a design.
but wait
While the wait is over, Amazon has not made it as clean as I would have hoped. There is a little sting in the tail and it gives a little clue as to how they are providing this service under the covers.
One of the shortcomings (though I understand why) of SQS is that it requires the client to do a long-poll to determine if there is events on the queue to be processed. In other words, you had to keep making an HTTPS call “do you have any events for me?” and while the call would wait for a period of time before returning back, you had to do this all the time. Each call to SQS, yes, you were getting charged for it.
For large systems that have a constant stream of messages coming through, this cost is negligible, but for systems with sporadic bursts, this overhead could be costly and above else, in-efficient. Traditional messaging systems, would keep a constant connection to the messaging service and events would be delivered down the wire instantly.
To minimize this overhead, it is not uncommon to have one consumer of a queue who would do the polling and then pass out the work to a battery of internal threads. This is an environment where you would have a server handling queue event processing that was capable of executing multiple threads at once.
The Lambda world however, is serverless, so you have to forget about the underlying platform of real servers that Amazon manages for you to give you this illusion of serverless computing. Since they charge only for the function execution, as far as you are concerned you are allowed to forget the underlying server.
SQS has not changed its behavior. You still have to poll to retrieve messages and this is what Lambda is doing under the covers for you. However this time, you have no real control over the amount of consumers that will be running up that SQS bill for you, particularly if you have come off of a very large volume of events that Lambda scaled out to execute in parallel all those events.
No doubt Amazon have thought of this and will be monitoring the situation and taking the necessary steps to reduce this overhead. In an ideal world, they would figure out a way for the Lambda service to have a continuous direct connection (think websocket for queues) to the SQS service so when an event came in, they could instantaneously hand it over to a Lambda function for execution.
in the meantime
Until that time, this is a huge step forward and makes the use of serverless computing even more attractive as design out the next generation of cloud solutions.
Amazon have launched a waterproof Kindle. Speaking as someone that has lost many a device to the aqua gods I should welcome this. But I am going back to the printed page.
I have been trending away from the digital book world of late. My biggest criticism is the lack of a second hand market. Many books I read, are a one-time hit, then I am done with them. I either want to give the book away to a friend, or resell it. I am disappointed at how much money I have spent on my Kindle library to have it locked away in a digital universe where they could all be taken away at the whine of a corporate license policy change.
The last book I read (a technical book on microservices), I bought second hand from Amazon, spent 2 weeks reading it, then resold it back on Amazon for the same price I paid. The whole thing only cost me a few dollars (the sellers fee that Amazon charges), effectively renting the book.
Though, I will confess to buying the Kindle version of Dan Brown’s latest book Origin. While it was only $3 cheaper than the hardback version, it was impatience that drove that purchase. I do regret it now though, as I would have liked to have gifted it to others after my reading of it.
Did you see that Amazon have launched a waterproof Kindle? Speaking as someone that has lost many a device to the aqua gods I should welcome this.
Their top end e-reader, Oasis, which is launching at the end of this month (31st Oct) comes with a number of goodies, including Bluetooth connectivity and a larger battery (which makes it weigh 30% heavier than previous models). But the main feature is that it is waterproof – you can submerge this bad boy for up to an hour.
This all comes at a very hefty price – $249! That is a lot coin. Too much coin for an e-reader in my opinion.
Given my newfound love of the printed page, my poor Kindle reader is getting further away from my device orbit. If I do find myself in the Kindle world, I use the app on my phone and tablet which are always with me.
So while I applaud this move, which should have been there from the start, I for one will not be investing any more in the Kindle hardware universe.
Amazon’s Alexa ecosystem is far more than just novelty voice activated devices. Do not underestimate the vision to which Amazon is painting for us.
You have to hand it to Amazon, for a company whose net worth is over $450B, they sure as hell do not act like a big slow bureaucratic corporate; but have a speed that leaves most startups with their heads spinning. Amazon this week done it again, outflanked the industry, and announced a brand new device to its hardware lineup; Echo Show – Alexa now has a face.
The device had only been leaked literally 48hrs before Amazon officially started taking orders – a level of secrecy the likes of Samsung or Apple can only dream of. Why is this? Because Amazon is a company we all underestimate. Many write them off too quickly as simply an online retailer. They are not scared to fail. They fail fast, which is a fancy way of saying, they don’t dwell on their mistakes, and simply dust off the experience and move on.
Echo is the hardware ecosystem around the Alexa AI intelligent voice-activated service. It gives a body to Alexa.
Yet the Echo range is part of a much longer game that most people have not yet realized.
First came the voice activated 2001 esq cylindrical monolith that would sit in your room listening for commands to serve you. Things like the weather status, daily news briefings and then of course controlling your music collection. You could of course have Alexa add things to your Amazon shopping cart – after all, Amazon is your consummate retailer and it needs to see those tills ring.
Though Alexa Echo had it’s shortcomings, something I detailed back in January of this year, it still found a place in my life, namely the bathroom where it provides me with my acoustic diet each morning in the shower.
But Amazon have bigger plans for Alexa than just being my shower buddy – this week they introduced a touchscreen with it, to make things a little bit easier. Many assume that the screen is there to help with some of the issues that voice-activated devices pose. Oh you are so wrong. Amazon is already ahead of you.
Amazon is well on it’s way to integrating into all of our daily lives. Alexa is already starting to pop up on cars and other devices, all linked back to your Amazon account. She can follow you around, like the Ship’s Computer in Star Trek, ever present to help you out.
But why the screen? Well, as part of the experience is the video calling. Amazon wants to make it as simple as possible to make hands-free video calling a real thing, and this goes a long way to make that happen. A couple of days after announcing this new device, they announced that anyone with the Echo device or even just the app, can enjoy voice calling for free to another Echo user.
Now this is where it is getting interesting. Amazon is now going to be making it real easy for us to connect to each other, not just Amazon. Instead of fumbling for our phone in our pocket, looking up contacts, we can easily say “Call mom”, up to my arms in either the kitchen, bathing a child, and get a helpful voice (or video call) all without detracting from what we are doing.
For the record; many a time, I have been knee deep in a project, hands busy with other stuff, loving to be able to call in help for some assistance, on the task at hand.
Think about that for a minute … what seems a simple movie-like feature is actually a very powerful game changer.
It isn’t a huge leap to think Amazon will connect this voice network to the public PSTN network and be able to dial up anyone in the world. Amazon AWS recently started offering build-your-own call center technology as part of its cloud offering. So you know they have the ingredients to easily and quickly add to the Alexa universe.
The Sony Dash – epilogue
For those of you that feel there is something a little familiar with the Amazon Echo Show, then allow me to help you there. Sony, in 2010, tried building an Internet helper device to sit somewhere in your house many years ago; the Sony Dash. I had one of these devices, and as soon as the novelty wore off (which took all of 2 weeks) it was relegated to the cupboard and never used again.
Sony creates and sells good devices, and outside of the Playstation, sucks at creating communities. The Dash suffered from a drought of updates, widgets and general features. It was also horribly slow and often locked up.
Sony is officially killing off all support and updates this July 2017.
Amazon, I believe will succeed where Sony failed, because it is more about just the physical device, but the overall story and vision. You are not buying a voice activated device when you jump into the Alexa/Echo world, but a fast paced evolving world of experimentation as we figure out just exactly what it is we want from such a device in our normal daily mundane lives.
Second week of December and we see Yahoo in more security problems, malware that tests our morality, Cisco bails on their cloud, Verizon puts out the Samsung fire, Slack gains video calling, virtual assistant gets a hologram to keep us company and Henry Heimlich dies.
Second week of December and we see Yahoo in more security problems, malware that tests our morality, Cisco bails on their cloud, Verizon puts out the Samsung fire, Slack gains video calling, virtual assistant gets a hologram to keep us company and Henry Heimlich dies.
New ransomware tests the morality of those infected This is a new twist in the cyber extortion world. We all know about how malware can target a machine and start deleting files if they do not pay a given amount of money to the hackers. Well there is a way to sidestep this payment – that is to infect 2 other people and if they succumb you will get an unlock key and you are off the hook.
This will be an interesting test of people’s honesty and faith. Would you pass?
Verizon will disable Samsung’s Note 7 this month Verizon who previously said they wouldn’t get involved in the deactivation of Samsung’s infamous flame bursting phone have reversed their decision and in an upcoming software update they will disable people from charging the phone. This will effectively render them useless.
Only 7% of handsets are still out there after the vast majority exchanged them. This will hopefully push the last few over the line and stop the airlines from having to issue warnings on each flight.
This is another big casualty in the cloud war, and while I am a huge AWS supporter, I don’t want it to be the only player in town. We need competition in this space.
Slack has added video calling to its app Slack, the very popular corporate chat system, has finally added video calling to its suite. This brings it inline with pretty much every other chat system. You can do one-2-one video calling, or group calling.
Once they add desktop sharing, then this will be one of the best tools for teams and really take a huge chunk away from the likes of GoTo Meeting.
Yahoo admits to another earlier attack; 1 billion accounts at risk The oldest property on the Internet block is just not having a good time of it. They have released details of an earlier attack, circa 2013, where over 1 billion accounts were compromised. This is in addition to the 2014 hack where 500 million accounts were abused.
As you know Verizon are trying to close a deal to purchase Yahoo, and while this probably won’t make Verizon to step away, it gives them yet another excuse to drive down the asking price from the $4.7B.
Tech titans, minus one, met with Trump this week
The country’s new President-elect met with all the tech titans this week in a summit to discuss various things. The big players were there, Google, Facebook, Microsoft, Tesla, etc. However one player was noticeably absent from this group – namely Jack Dorsey from Twitter.
The very company that arguably won him the election, was left out because Trump felt they were too small a player. What do you even say to that?!?
Girl in a box is the face of a virtual assistant We are all starting to get use to the faceless helpers such as Amazon’s Echo, or Apple’s Siri. Well GateBox have upped the ante here and offered up a hologram to respond to your every move. While this may first appear creepy, it does make a lot of sense, to have something more contextual to react to instead of just a voice. The avatar can feedback using actions which will speed up the interactions.
This I believe is the future of this style AI functions and I can see us all having our own customized avatar that will be with us for life. Watch this space – more to come here I am sure.
Henry Heimlich, yes that one, has sadly died The man that invented one of the most famous anti-choking moves in the world, has sadly passed away at the age of 96. Henry invented the technique in 1974 when he discovered an alarming number of people died while eating out. He died of natural causes, as opposed to choking himself – the irony would have been too much.
In honor of the man that saved many, I give you an excellent clip from Eddie Izzard as he performs a stand-up routine around on the technique.
.. the countdown to Christmas day is in full swing and I discovered this seasonal tune from ColdPlay. I am a big Chris Martin fan, so surprised this one slipped by me a couple of years ago.