New Cyanide and Happiness Comic

Security updates for Friday

2023-02-03

Post Syndicated from original https://lwn.net/Articles/922112/

Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).

Manage and control the use of dedicated egress IPs with Cloudflare Zero Trust

2023-02-03 Ankur Aggarwal

Post Syndicated from Ankur Aggarwal original https://blog.cloudflare.com/gateway-egress-policies/

Manage and control the use of dedicated egress IPs with Cloudflare Zero Trust

Before identity-driven Zero Trust rules, some SaaS applications on the public Internet relied on the IP address of a connecting user as a security model. Users would connect from known office locations, with fixed IP address ranges, and the SaaS application would check their address in addition to their login credentials.

Many systems still offer that second factor method. Customers of Cloudflare One can use a dedicated egress IP for this purpose as part of their journey to a Zero Trust model. Unlike other solutions, customers using this option do not need to deploy any infrastructure of their own. However, not all traffic needs to use those dedicated egress IPs.

Today, we are announcing policies that give administrators control over when Cloudflare uses their dedicated egress IPs. Specifically, administrators can use a rule builder in the Cloudflare dashboard to determine which egress IP is used and when, based on attributes like identity, application, IP address, and geolocation. This capability is available to any enterprise-contracted customer that adds on dedicated egress IPs to their Zero Trust subscription.

Why did we build this?

In today’s hybrid work environment, organizations aspire for more consistent security and IT experiences to manage their employees’ traffic egressing from offices, data centers, and roaming users. To deliver a more streamlined experience, many organizations are adopting modern, cloud-delivered proxy services like secure web gateways (SWGs) and deprecating their complex mix of on-premise appliances.

One traditional convenience of these legacy tools has been the ability to create allowlist policies based on static source IPs. When users were primarily in one place, verifying traffic based on egress location was easy and reliable enough. Many organizations want or are required to maintain this method of traffic validation even as their users have moved beyond being in one place.

So far, Cloudflare has supported these organizations by providing dedicated egress IPs as an add-on to our proxy Zero Trust services. Unlike the default egress IPs, these dedicated egress IPs are not shared amongst any other Gateway accounts and are only used to egress proxied traffic for the designated account.

As discussed in a previous blog post, customers are already using Cloudflare’s dedicated egress IPs to deprecate their VPN use by using them to identify their users proxied traffic or to add these to allow lists on third party providers. These organizations benefit from the simplicity of still using fixed, known IPs, and their traffic avoids the bottlenecks and backhauling of traditional on-premise appliances.

When to use egress policies

The Gateway Egress policy builder empowers administrators with enhanced flexibility and specificity to egress traffic based on the user’s identity, device posture, source/destination IP address, and more.

Traffic egressing from specific geolocations to provide geo-specific experiences (e.g. language format, regional page differences) for select user groups is a common use case. For example, Cloudflare is currently working with the marketing department of a global media conglomerate. Their designers and web experts based in India often need to verify the layout of advertisements and websites that are running in different countries.

However, those websites restrict or change access based on the geolocation of the source IP address of the user. This required the team to use an additional VPN service for just this purpose. With egress policies, administrators can create a rule to match the domain IP address or destination country IP geolocation and marketing employees to egress traffic from a dedicated egress IP geo-located to the country where they need to verify the domain. This allows their security team to rest easy as they no longer have to maintain this hole in their perimeter defense, another VPN service just for marketing, and can enforce all of their other filtering capabilities to this traffic.

Another example use case is allowlisting access to applications or services maintained by a third party. While security administrators can control how their teams access their resources and even apply filtering to their traffic they often can’t change the security controls enforced by third parties. For example, while working with a large credit processor they used a third party service to verify the riskiness of transactions routed through their Zero Trust network. This third party required them to allowlist their source IPs.

To meet this goal, this customer could have just used dedicated egress IPs and called it a day, but this means that all of their traffic is now being routed through the data center with their dedicated egress IPs. So if a user wanted to browse any other sites they would receive a subpar experience since their traffic may not be taking the most efficient path to the upstream. But now with egress policies this customer can now only apply this dedicated egress IP to this third party provider traffic and let all other user traffic egress via the default Gateway egress IPs.

Building egress policies

To demonstrate how easy it is for an administrator to configure a policy let’s walk through the last scenario. My organization uses a third-party service and in addition to a username/password login they require us to use a static source IP or network range to access their domain.

To set this up, I just have to navigate to Egress Policies under Gateway on the Zero Trust dashboard. Once there I can hit ‘Create egress policy’:

For my organization most of my users accessing this third-party service are located in Portugal so I’ll use my dedicated egress IPs that are assigned to Montijo, Portugal. The users will access example.com hosted on 203.0.113.10 so I’ll use the destination IP selector to match all traffic to this site; policy configuration below:

Once my policy is created, I’ll add in one more as a catch-all for my organization to make sure they don’t use any dedicated egress IPs for destinations not associated with this third-party service. This is key to add in because it makes sure my users receive the most performant network experience while still maintaining their privacy by egress via our shared Enterprise pool of IPs; policy configuration below:

Taking a look at the egress policy list we can see both policies are enabled and now when my users try to access example.com they will be using either the primary or secondary dedicated IPv4 or the IPv6 range as the egress IP. And for all other traffic, the default Cloudflare egress IPs will be used.

Next steps

We recognize that as organizations migrate away from on-premise appliances, they want continued simplicity and control as they proxy more traffic through their cloud security stack. With Gateway egress policies administrators will now be able to control traffic flows for their increasingly distributed workforces.

If you are interested in building policies around Cloudflare’s dedicated egress IPs, you can add them onto a Cloudflare Zero Trust Enterprise plan or contact your account manager.

Get notified about the most relevant events with Advanced HTTP Alerts

2023-02-03 Justin Raczak

Post Syndicated from Justin Raczak original https://blog.cloudflare.com/custom-alert-features-anomaly-detection/

Get notified about the most relevant events with Advanced HTTP Alerts

Today we’re excited to be announcing more flexibility to HTTP alerting, enabling customers to customize the types of activity they’re alerted on and how those alerts are organized.

Prior to today, HTTP alerts at Cloudflare have been very generic. You could choose which Internet properties you wanted and what sensitivity you wanted to be alerted on, but you couldn’t choose anything else. You couldn’t, for example, exclude the IP addresses you use to test things. You couldn’t choose to monitor only a specific path. You couldn’t choose which HTTP statuses you wanted to be alerted on. You couldn’t even choose to monitor your entire account instead of specific zones.

Our customers leverage the Cloudflare network for a myriad of use cases ranging from decreasing bandwidth costs and accelerating asset delivery with Cloudflare CDN to protecting their applications against brute force attacks with Cloudflare Bot Management. Whether the reasons for routing traffic through the Cloudflare network are simple or complex, one powerful capability that comes for free is observability.

With traffic flowing through the network, we can monitor and alert customers about anomalous events such as spikes in origin error rates, enabling them to investigate further and mitigate any issues as necessary. But to date, our HTTP alerting capabilities have been too simple, offering only a narrow set of options for filtering alongside predefined service level objective (SLO) targets. By exposing more of the metadata already available with each request as filtering options, customers can create more sophisticated monitoring schemes to answer important questions about their traffic.

Which HTTP errors are crossing my SLO threshold? Is the sudden spike in traffic caused by my own internal testing? These questions and more can be answered with the new advanced HTTP alerts.

Alerts can be filtered and organized based on the values of the following properties: origin response status codes, edge response status codes, alert sensitivity/SLO, client IPv4/IPv6 addresses, and specific zones.

The new notifications are available to all Enterprise customers today and can be created and managed by anyone with account-level privileges.

How to get started

To get started setting up an advanced HTTP alert, navigate to your account’s notification management and select the Advanced HTTP Alert type.

Next, name your new notification and select how you want notifications to be delivered and to whom.

Lastly, select the domains for which this notification should be sent and configure the desired filters, groupings, and SLO.

Monitoring and alerting are critical practices in effectively managing an application or website, and today we’re excited to make it easier to do with Cloudflare.

If you’re not already an Enterprise customer and would like to take advantage of the new advanced HTTP alerts, get in touch.

The Pirate Monk and Robin Hood

2023-02-03 The History Guy: History Deserves to Be Remembered

Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=_fLY9MJWGXQ

What’s Up, Home? – Baby, Don’t Cry

2023-02-03 Janne Pikkarainen

Post Syndicated from Janne Pikkarainen original https://blog.zabbix.com/whats-up-home-baby-dont-cry/25354/

Can you detect a crying baby with Zabbix? Of course, you can! By day, I am a monitoring tech lead in a global cyber security company. By night, I monitor my home with Zabbix & Grafana and do some weird experiments with them. Welcome to my blog about the project.

Time really flies. Our little baby girl at home is already about three and a half months old, and that shows in so many ways. If during her first month or two she cried quite a lot and quite easily due gassy stomach and whatnot, she nowadays mostly is a chill mini-human just observing the world.

Which then raised the question for me — how often she cries? Could I monitor that? Oh yes. And oh no. We’ll get to no part later, but let’s start with the good bits.

Hey Siri, help me

As I pretty much always have my iPhone with or near me, and wear my Apple Watch nearly 24×7, I thought I would give their sound recognition abilities a try.

To start, I opened the Settings on my iPhone and went to Accessibility → Sound recognition → Baby crying and enabled that.

Next, I opened Shortcuts and created a new Personal automation.

Here’s the advanced CRYENGINE in action.

So, every time my iDevice thinks that our baby is crying, it appends to a text file stored on my iCloud account.

Zabbix Time!

How to get that data to Zabbix?

I have a MacBook Pro and a Zabbix agent running on that, so the next natural step was to make it monitor that particular text file. There would be so many ways to detect if this file has been changed; as I’m appending to the text file, I just made Zabbix keep an eye on the file size.

How does that look like on my graphs? Not so surprisingly, the value changes.

I also set up a simple trigger that screams if the file size has changed since the last check.

The result? Well, here’s some alert history.

Sleep Learn Adapt reporting

I also added our baby as a Service to my Zabbix, just because it was too fun to skip as the terminology involves child services, parent services and such.

And here’s a totally inaccurate and unmeaningful SLA report about her.

The wobbly bits

Just like our baby is still clumsy and has a lot to learn, it seems that Siri is like that too when it comes to detecting emotions. Yes, Siri can detect if our baby is crying, but it also easily gets worried whenever our baby makes loud joyful sounds. It reminds me of the golden times when T-800 practiced smiling. It just doesn’t know or understand human feelings. At least, not yet.

Then the other odd part is that about one day after I enabled the cry detection on my iPhone, it’s not doing it anymore. Did the detection process crash? Probably. I have not restarted my iPhone yet, because I just could not bother to do that yet. But, in theory, we can detect a crying baby, or many more usual sounds like a doorbell, a dog barking just by using Siri and Zabbix.

I have been working at Forcepoint since 2014 and I think my human skills still beat the ones Siri has. — Janne Pikkarainen

This post was originally published on the author’s LinkedIn account.

Manipulating Weights in Face-Recognition AI Systems

2023-02-03 Bruce Schneier

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/02/manipulating-weights-in-face-recognition-ai-systems.html

Interesting research: “Facial Misrecognition Systems: Simple Weight Manipulations Force DNNs to Err Only on Specific Persons“:

Abstract: In this paper we describe how to plant novel types of backdoors in any facial recognition model based on the popular architecture of deep Siamese neural networks, by mathematically changing a small fraction of its weights (i.e., without using any additional training or optimization). These backdoors force the system to err only on specific persons which are preselected by the attacker. For example, we show how such a backdoored system can take any two images of a particular person and decide that they represent different persons (an anonymity attack), or take any two images of a particular pair of persons and decide that they represent the same person (a confusion attack), with almost no effect on the correctness of its decisions for other persons. Uniquely, we show that multiple backdoors can be independently installed by multiple attackers who may not be aware of each other’s existence with almost no interference.

We have experimentally verified the attacks on a FaceNet-based facial recognition system, which achieves SOTA accuracy on the standard LFW dataset of 99.35%. When we tried to individually anonymize ten celebrities, the network failed to recognize two of their images as being the same person in 96.97% to 98.29% of the time. When we tried to confuse between the extremely different looking Morgan Freeman and Scarlett Johansson, for example, their images were declared to be the same person in 91.51% of the time. For each type of backdoor, we sequentially installed multiple backdoors with minimal effect on the performance of each one (for example, anonymizing all ten celebrities on the same model reduced the success rate for each celebrity by no more than 0.91%). In all of our experiments, the benign accuracy of the network on other persons was degraded by no more than 0.48% (and in most cases, it remained above 99.30%).

It’s a weird attack. On the one hand, the attacker has access to the internals of the facial recognition system. On the other hand, this is a novel attack in that it manipulates internal weights to achieve a specific outcome. Given that we have no idea how those weights work, it’s an important result.

Имаше такъв парламент. Защо?

2023-02-03 Емилия Милчева

Post Syndicated from Емилия Милчева original https://www.toest.bg/imashe-takyv-parlament-zashto/

Имаше такъв парламент. Защо?

Само след няколко месеца единственото паметно за 48-мото Народно събрание е, че върна хартиената бюлетина в изборната игра и се провали в приемането на механизъм за разследване на главния прокурор. Хартиената бюлетина беше първата му работа, а със съдебната реформа парламентът се зае в условията на предизвестен край – броени дни преди да бъде разпуснат. Изглежда, че са успели „да продадат и мача за еврозоната“ (по израза на вицепремиера Атанас Пеканов), саботирайки промените в Кодекса за застраховането.

За тези незаличими дела в 48-мия парламент мнозинство се намери: фундаментът му бяха ГЕРБ–ДПС–БСП, формиращи при необходимост плаващи мнозинства с „Български възход“ и „Възраждане“. Въпреки наличие на такива… болшинства Народното събрание се провали и в трите опита за съставяне на правителство.

Голата истина

Парадоксално, нали? Само на пръв поглед. По-лесно е да се съберат биячи на реформите, отколкото кандидати да управляват заедно. ГЕРБ може и да се разбере с „Възраждане“ за общи действия в парламента, но не и за нещо повече. Не защото в политиката има срам и свян, а защото войната на Русия срещу Украйна и политическите и човешките избори, които налага, правят немислими коалициите с партии, симпатизиращи на режима на Путин и виждащи евразийският избор като верния път.

Коалициите на ГЕРБ с патриотични формации, каквито имаше при второто и третото правителство на Бойко Борисов, едва ли ще бъдат повторени. Ако БСП продължава да изглежда като мек вариант на „Възраждане“, също може да бъде изключена от кръга на приемливите партньори – независимо от анонсите на Борисов след срещата в парламента, на която се отзова по покана на Корнелия Нинова.

Това напълно устройва „Възраждане“ и драматичния театър на антисистемните българи-юнаци, които не искат да се коалират с никого и декларират, че ще управляват сами. А и техните избиратели не се интересуват дали партията, за която гласуват, е нечий пудел и се заиграва с политическите сили на статуквото, стига да бие „евробабаитите“ – с подписка за референдум, насочен срещу еврото, с юмруците на сина на партийния лидер, с гръмовните речи на Костадин Костадинов.

„Най-лошото от всичко обаче е, че хората, които полагат клетва да се ръководят във всяко свое действие от интересите на народа ни, в голямата си част са напълно лишени от срам и съвест“, каза самият той в първата си реч в парламента. Голата истина – достатъчно е да погледнем колко срамни части лъснаха в пленарната зала.

В евро-атлантизма обаче 48-мият парламент се отсрами. С гласовете на ГЕРБ, „Продължаваме промяната“, ДПС, „Демократична България“ и „Български възход“ беше решено България да предостави безвъзмездна военна помощ на Украйна. Става въпрос за въоръжение, техника и боеприпаси за 20 млн. лв., след като за 2022 г. българската оръжейна индустрия е изнесла стоки с краен получател Полша и Чехия за 5 млрд. лв. – и експортът продължава. Същото „евро-атлантическо мнозинство“, с известна редукция откъм депутати на ПП, одобри и сделка за още 8 американски изтребителя F-16 Block 70. Пак то обяви за геноцид Гладомора в Украйна от 1932–1933 г., предизвикан от съветския режим и погубил над 4 млн. души.

И при трите гласувания БСП и „Възраждане“ бяха против. Не може да се отрече последователността в редиците на БСП – и корнелниновистите, и вътрешнопартийната опозиция са единни, когато въпросът опре до Русия и защитата на нейните интереси. В Европейския парламент петимата евродепутати на БСП начело с доскорошния председател на ПЕС Сергей Станишев изобщо не участваха във вота на резолюцията, осъждаща Гладомора, като се измъкваха, въздържаха или бяха против при гласувания по други „руски въпроси“.

Въпреки това социалистите може отново да се озоват във властта. Не е ясно дали ще ги карат да се отрекат трижди от Путин и Кремъл – или ще е достатъчно просто да покажат прогресивно мислене в духа на интервюто по bTV на Андрей Гюров (ПП):

В ръцете на БСП е да реши зад кои принципи и идеи за управление на страната да застане – зад тези на новата „тройна коалиция“ или на прогресивните реформаторски сили.

Какво мисли останалата част от прогресивните сили – „Демократична България“ – за съюз с БСП, засега е неизвестно. Все пак социалистите подкрепиха законопроекта на ДБ при крайна необходимост държавата да може да поеме оперативен контрол над активите на „Лукойл“ в България, както и на всички други оператори на нефт и нефтопродукти.

Стендбай за еврото

Евро-атлантици в българската версия не значи и европейци. Европейската интеграция например беше опраскана по всички неписани уйдурми на българската парламентарна демокрация. Тези, които се кълняха в пътя към еврото, на практика го отрязаха. Законопроектите, подготвени от Министерството на финансите, които трябваше да бъдат гласувани – за промени в Кодекса за застраховане, за мерките срещу изпирането на пари и промени в Търговския закон – не минаха въпреки предупрежденията на финансовия министър Росица Велкова.

„Проблемът със „Зелена карта“ до такава степен е ескалирал, че е поставен като изискване за приемането ни в еврозоната“, каза Велкова. От 2018 г. на България е наложен мониторинг и виси заплахата да бъде изключена от системата „Зелена карта“, действаща в 48 държави, тъй като не плаща искания по „Гражданска отговорност“ срещу местни застрахователи заради пътни инциденти в чужбина.

Но въпреки че промяната в Кодекса за застраховане задължава бюрото „Зелена карта“ да спазва своя принцип „първо плащай, после оспорвай“, тя не мина. Тихата коалиция между ГЕРБ, ДПС, БСП, „Възраждане“ и „Български възход“ провали заседанието на Комисията по икономическа политика въпреки перманентни уверения на първите две партии, че са радетели за еврото.

Това се прави от хора, които не искат на този пазар да има европейска регулация… заради интересите на Алексей Петров („Лев Инс“, б.а.) и невъзможността на Бойко Борисов да се откъсне от своята биография плащаме данък минало, заяви по bTV съпредседателят на ДБ Христо Иванов.

Промените в Търговския закон, свързани с несъстоятелността – процес, с чиято тромавост и продължителност България се слави в Европа, също не се класираха за окончателно приемане в дневния ред на депутатите. През декември парламентът прие на първо четене законопроекта, който урежда и процедурата за фалит на лицата, които се занимават със стопанска дейност, но не са търговци. До второ не се стигна.

Възпрян за второ четене беше и законопроектът за мерките срещу изпирането на пари, срещу който възразиха някои работодателски организации и застрахователни компании, тъй като въвежда механизъм за идентифициране на лицата, предоставящи услуги по дружествено управление, и процедури за проверката им (адвокати, счетоводители, данъчни съветници и др.), както и допълнителни изисквания към прокуристи, управители, членове на управителни или контролни органи.

През април България трябва да поиска оценка на готовността си за присъединяване към еврозоната от 1 януари 2024 г., тоест да бъде оценено изпълнението на критериите. Но законодателните пропуски няма как да бъдат наваксани дотогава: парламентът се разпуска, изборите са на 2 април, 49-тото Народно събрание ще се конституира след седмица, има и великденски празници. Така че дори твърде високата инфлация в България да се охлади и задържи (критериите за дълга и дефицита са дерогирани), пакета закони, който се изисква, го няма. Влияние ще окаже и липсата на бюджет за 2023 г., с който върви и тригодишната бюджетна прогноза, необходими за конвергентен доклад.

Това е най-големият провал на 48-мия парламент – че направи всичко, за да осуети следващата стъпка за европейска интеграция на България, независимо от декларативните заявки и решение, с което задължи служебното правителство да ускори процеса и да започне информационна кампания (каквато правителството изобщо не начена въпреки подписката за референдум на „Възраждане“, разпалваща страховете от единната европейска валута).

Трохи за избирателите

Няма как да се мине без трохи за избирателите в година на поне два сигурни вота – предсрочни парламентарни, пети поред за две години, и местни избори наесен. Безплатни учебници, но от учебната 2024-та/2025-та, ще има и за по-големите ученици от VIII до ХII клас, а не само за тези от I до VII клас. Пак от догодина минималната работна заплата ще стане 50% от средната брутна работна заплата за предходните 12 месеца.

Парламентът успя да поправи и една несправедливост спрямо хората с увреждания – решенията на ТЕЛК ще важат до явяването на гражданите пред комисия, за да запазят правата си и инвалидната пенсия, която получават до преосвидетелстване. Сега НОИ спираше парите и в продължение на месеци, докато траеше процедурата, хората с увреждания бяха лишени от пенсии.

С огромно закъснение и ДПС предложи принудителният престой в затвори и места за задържане да се признава за трудов и осигурителен стаж при пенсиониране. Така стотици български мюсюлмани, репресирани по време на насилствената смяна на имената, ще получат, макар и незначително, увеличение на пенсиите си.

В последния момент парламентът гласува да има финансова помощ от държавата и за аптеки в отдалечени места, както и за единствените денонощни за даден район, които отпускат лекарства по Здравна каса през нощта. Тази мярка обаче може да се задейства, когато има нов бюджет.

Същото важи и за друга мярка – регулиране на възнагражденията на медиците в болниците, които не трябва да са по-ниски от договореното в колективния трудов договор. Причината е, че съдът отмени КТД от 2022 г., в който бяха заложени минимални заплати от 1500 лв. за медицинска сестра и 2000 лв. за лекар без специалност, и сестрите продължиха да получават мизерни възнаграждения.

В същото време служебното правителство на президента бележеше успех след успех. Пусна в експлоатация интерконектора с Гърция. Осигури количества втечнен газ и запълни газохранилището в Чирен. Получи от Европейската комисия първия транш от 1,2 млрд. евро по Плана за възстановяване и устойчивост – докато парламентът провали втория от 724 млн. евро, тъй като не успя да приеме необходимите закони начело с този за разследването на главния прокурор. Намери над 776 млн. лв., за да плати на пътни фирми за изграждане и поддръжка на пътищата в страната, от които близо 440 милиона са по договори, сключени още при третия кабинет на Бойко Борисов. Удължи енергийните помощи за бизнеса до март.

Президентът Радев и сръбският му колега Вучич поставиха началото на газовата връзка със Сърбия. Служебният кабинет се опитва да постави на енергийната карта нефтопровода Бургас–Александруполис заедно с гръцкото правителство. А същевременно извърши куп назначения на препоръчани неизвестно от кого хора на възлови места и с това бетонира кръга президентски назначения, започнал със смените в спецслужбите. Докато нито 47-мият, нито 48-мият парламент успя да изпълни задълженията си, обновявайки състава на регулатори, комисии и органи на съдебната власт с изтекъл от години мандат.

Същинската вреда от работата на 48-мото Народно събрание е именно в принизяването на парламентарната демокрация и инструментализирането ѝ от президента. Това покушение ще има дългосрочни последици.

Заглавно изображение: Сградата на парламента в деня, в който депутатите от 48-мото Народно събрание положиха клетва. Снимка: parliament.bg

Имаше такъв парламент. Защо?

2023-02-03 Емилия Милчева

Post Syndicated from Емилия Милчева original https://www.toest.bg/imashe-takyv-parlament-zashto/

Имаше такъв парламент. Защо?

Голата истина

В ръцете на БСП е да реши зад кои принципи и идеи за управление на страната да застане – зад тези на новата „тройна коалиция“ или на прогресивните реформаторски сили.

Стендбай за еврото

Това се прави от хора, които не искат на този пазар да има европейска регулация… заради интересите на Алексей Петров („Лев Инс“, б.а.) и невъзможността на Бойко Борисов да се откъсне от своята биография плащаме данък минало, заяви по bTV съпредседателят на ДБ Христо Иванов.

Трохи за избирателите

„Частит“ да бъде този ден

2023-02-03

Post Syndicated from original https://www.toest.bg/chastit-da-bude-tozi-den/

„Частит“ да бъде този ден

Наскоро прочетох някъде, че януари е най-пълният с празници месец и май наистина се оказва така. Започва се от първия ден, още с настъпването на новата година: на 1-ви е Васильовден, следват Йордановден и Ивановден (6-ти и 7-ми), към средата на месеца идват Антоновден и Атанасовден (17-ти и 18-ти), а към края му се падат имените дни на Григор и Живко (25-ти и 26-ти). Справка с календара показва, че буквално всеки втори ден от месеца се отбелязва нечий имен ден. Освен гореспоменатите, празнуващите също включват и много не толкова широко известни именици, като Силвия, Калчо, Евтим, Агнеса, Ксения, Тимотей и много други.

Освен имени дни, през януари се падат и други знайни и незнайни празници: Богоявление, Петльовден (Денят на мъжката рожба), Бабинден (Денят на родилната помощ), Събор на Седемдесетте апостоли, Кръстовден, Средзимие. Като добавим към тях и рождените дни и личните празници, неочаквани щастливи събития и придобивки, успех с някое и друго новогодишно решение, през целия януари пада едно голямо, почти всекидневно честване. Така че може би неслучайно през същия този месец се отбелязват и празниците на двете дейности, които най-често придружават честитенето: на 11-ти януари е Международният ден на думата „благодаря“, а на 21-ви е Денят на прегръдката.

Цялото това честитене и честване ме кара да се замисля за думата „честито“.

Макар на практика самата тя да е почти невидима, тъй като обикновено вниманието ми се концентрира върху празника, който придружава, думата „честито“ сама по себе си се оказва доста любопитна – както с употребата и приложенията си, така и с изненадващия си семантичен произход.

Българският тълковен речник дефинира „честит“ като: „1. Щастлив. Честито семейство. Царю честити! 2. При поздрави и благопожелания – да носи радост, да е на добро. Честита Нова година! Честит рожден ден!“ Това, което може би не става ясно от речниковата дефиниция, е

изключително широката приложимост на думата.

На български я използваме като благопожелание както за всеобщи празници (Честита Нова година! Честита Коледа! Честита Баба Марта! Честит 8 март!) и лични чествания (Честит рожден ден! Честит имен ден!), така и за персонални постижения и придобивки (Честито дипломиране! Честита награда! Честита книга! Честита сватба! Честито бебе! Честита нова кола!), а даже и за събития, за които нямаме никаква заслуга (Честит първи сняг! Честита пролет!), или пък като похвала за разни ежедневни дейности, които не заслужават внимание, а още по-малко поздравления (Честита баня! Честита прическа!). (Онзи ден дори видях във Facebook, че един познат е честитил на друг постижението, че се е сдобил с „евтини“ билети за представлението с Джон Малкович.)

За разлика от голямата разпространеност на думата „честито“ на български, в много други езици честитенето е доста по-нюансирано, така че различните случаи изискват различни думи.

Дори и в не особено софистицирания в това отношение английски се използват поне четири различни фрази за гореизброените случаи (Merry Christmas! Happy birthday! Congratulations! Best wishes!). Ситуацията във френския и немския не е много по-различна: Joyeux Noël ! Bon anniversaire ! Félicitations ! Meilleurs vœux ! / Frohe Weihnachten! Alles Gute zum Geburtstag! Herzlichen Glückwunsch!

На испански освен обичайните Felicidades (и производните им Feliz cumpleaños/Navidad/año nuevo) има и един интересен израз, за който научих неотдавна: Enhorabuena. Имайки предвид, че на испански съществителното обикновено се поставя преди модифициращото го прилагателно, буквалното значение на думата, разделена на отделните си съставки, е „на добър час“. Всъщност обаче тя чисто и просто означава „честито“, както я дефинира и речникът. Или не съвсем чисто и просто – според испаноговорещи приятели изразът се използва като поздравление за нещо, което човек е постигнал и за което има заслуга (нова работа, успешно взет изпит или пък раждането на дете), за разлика от обичайните felicitaciones, които се използват на рождени дни и други подобни, случващи се редовно и от само себе си празници. Проверка в речника показва, че „На добър час!“ на испански се превежда като Buena suerte, което пък обърнато в обратната посока се връща като „Kъсмет!“.

Идеята за късмет е заложена и в думата за „честито“ на македонски и сръбски (съответно „среќно“ и „срећно“), която се използва почти идентично като в българския език¹ и произлиза от думата „среќа“/„срећа“ (‘късмет, щастие’), а от своя страна тя е етимологично свързана със „среща“ (от праславянското *sъręťa, през старобългарското „сърѧща“)².

За съжаление, Институтът за български език при БАН все още не е стигнал до буквата Ч в изготвянето на многотомния „Български етимологичен речник“, но на няколко други места откривам потвърждение на широко разпространеното предположение, че

прилагателното „честито“ е семантично свързано с думата „чест“.

В „Словообразувателен речник на съвременния български книжовен език“ (1999) например думата „честит“ се появява в гнездото с връх „чест“. В това твърдение има някаква логика, ако гледаме на празника като на честване или случай за отдаване на чест – било то към рожденика, към някой светец или към определено събитие. Другатa възможна връзка, която откривам, е с думата „чест“, но като прилагателно, означаващо ‘редовен, повтарящ се през малки интервали’. Тази връзка, имайки предвид редовния характер на много от празниците, които си честитим, също ми се струва логична.

Тези предполагаеми етимологии обаче са отхвърлени от уважавания преподавател и изследовател по обща лингвистика и сравнително славянско и балканско езикознание проф. Людвиг Селимски, който твърди, че

думата „честит“ всъщност произлиза не от „чест“ (която на свой ред произлиза от старобългарското „чьсть“), а от „част“ (от старобългарското „чѧсть“, също означаващо ‘участ, съдба, дял’)³.

Според Селимски „поради претърпени с времето звукови промени основното чест- от състава на честит [като производно от думата честь ‘част; pars’] се е оказало в омонимно отношение спрямо днешното книжовно чест ‘honor’, с което го и смесваме“⁴. Като доказателство за аргумента си той използва, от една страна, разминаването в дефинициите: „… ако интересуващото ни честит е свързано по семантика с чест ‘honor’, неговото значение можеше да бъде дефинирано като „такъв, който има чест, honor“, както напр. именит ‘известен, прочут, с голямо име’.“ А то не е – както показва дефиницията, която цитирам по-горе. От друга страна, връзката с „част“ става ясно видима, когато помислим за „честит“ като синоним на „щастлив“: в своя „Речник на български език с тълкувание на български и руски думи“ (1895–1904) Найден Геров дефинира „честь“ като ‘добър случай, делба, среща, благотба, благополучие, щастие, късмет, бахт’ и – на руски – като ‘счастье, благополучие, судьба’.

Тъй като не съм лингвист, не мога да преценя доколко теорията на Селимски е достоверна, но така или иначе ми звучи убедително и със сигурност ми е интересна заради неочаквания ъгъл, който представя. Най-малкото – както забелязах вчера, докато честитях рождения ден на майка си – ме кара да се замисля върху вградените в думата „честит“ щастливи, а не честолюбиви пожелания, макар и те често да остават засенчени от празника, към който са прикрепени.

А накрая не ми остава друго, освен да пожелая честит рожден ден на „Тоест“ и много поводи за чествания на читателите му. За мен е чест да съм част от това начинание.

¹ Любопитно е, че докато „среќно/среќна/среќен“ се използва за честитене на рождени дни или празници като Нова година, на македонски постиженията или придобивките се честитят с „Честито…!“ или с „Честитки!“.

² Още нещо любопитно: за разлика от българския, сръбският и македонският имат различни думи за случайна среща („сусрек“/„средба“) и нарочна, уговорена среща („састанак“/„состанок“).

³ Освен произхода на думата „честит“, в публикацията си „Словообразуване и етимология“ (В: Ѕѣло, е-списание в областта на хуманитаристиката за българистични изследвания в периода Х–ХХI век, 2016, №7) Людвиг Селимски оспорва и широко приетите етимологии на думите „сцепление“ и „сношение“.

⁴ В умалителната на сръбски и македонски честица ‘частица’ е запазена непроменената гласна е.

В рубриката „От дума на дума“ Екатерина Петрова търси актуални, интересни или новопоявили се думи от нашето ежедневие и проследява често изненадващия им произход, развитието на значенията им във времето и взаимовръзките им с близки и далечни езици.

„Частит“ да бъде този ден

2023-02-03

Post Syndicated from original https://www.toest.bg/chastit-da-bude-tozi-den/

„Частит“ да бъде този ден

Цялото това честитене и честване ме кара да се замисля за думата „честито“.

изключително широката приложимост на думата.

На български я използваме като благопожелание както за всеобщи празници (Честита Нова година! Честита Коледа! Честита Баба Марта! Честит 8 март!) и лични чествания (Честит рожден ден! Честит имен ден!), така и за персонални постижения и придобивки (Честито дипломиране! Честита награда! Честита книга! Честита сватба! Честито бебе! Честита нова кола!), а даже и за събития, за които нямаме никаква заслуга (Честит първи сняг! Честита пролет!), или пък като похвала за разни ежедневни дейности, които не заслужават внимание, а още по-малко поздравления (Честита баня! Честита прическа!). (Онзи ден дори видях във Facebook, че един познат е честитил на друг постижението, че се е сдобил с „евтини“ билети за представлението с Джон Малкович.)

прилагателното „честито“ е семантично свързано с думата „чест“.

думата „честит“ всъщност произлиза не от „чест“ (която на свой ред произлиза от старобългарското „чьсть“), а от „част“ (от старобългарското „чѧсть“, също означаващо ‘участ, съдба, дял’)³.

Според Селимски „поради претърпени с времето звукови промени основното чест- от състава на честит [като производно от думата честь ‘част; pars’] се е оказало в омонимно⁴ отношение спрямо днешното книжовно чест ‘honor’, с което го и смесваме“⁵. Като доказателство за аргумента си той използва, от една страна, разминаването в дефинициите: „… ако интересуващото ни честит е свързано по семантика с чест ‘honor’, неговото значение можеше да бъде дефинирано като „такъв, който има чест, honor“, както напр. именит ‘известен, прочут, с голямо име’.“ А то не е – както показва дефиницията, която цитирам по-горе. От друга страна, връзката с „част“ става ясно видима, когато помислим за „честит“ като синоним на „щастлив“: в своя „Речник на български език с тълкувание на български и руски думи“ (1895–1904) Найден Геров дефинира „честь“ като ‘добър случай, делба, среща, благотба, благополучие, щастие, късмет, бахт’ и – на руски – като ‘счастье, благополучие, судьба’.

⁴ Тоест написано и произнасяно по един и същ начин, но с различно значение.

⁵ В умалителната на сръбски и македонски честица ‘частица’ е запазена непроменената гласна е.

Size Comparisons

2023-02-03

Post Syndicated from original https://xkcd.com/2733/

If you shrank the Solar System to the size of Texas, the Houston metro area would be smaller than a grasshopper in Dallas.

The Document Foundation announces LibreOffice 7.5 Community

2023-02-02

Post Syndicated from original https://lwn.net/Articles/922051/

Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, and lots more.
Check out the release notes for further information.

LibreOffice 7.5 Community’s new features have been developed by 144
contributors: 63% of code commits are from the 47 developers employed by
three companies sitting in TDF’s Advisory Board – Collabora, Red Hat and
allotropia – or other organizations, 12% are from 6 developers at The
Document Foundation, and the remaining 25% are from 91 individual
volunteers.

Other 112 volunteers – representing hundreds of other people providing
translations – have committed localizations in 158 languages. LibreOffice
7.5 Community is released in 120 different language versions, more than any
other free or proprietary software, and as such can be used in the native
language (L1) by over 5.4 billion people worldwide. In addition, over 2.3
billion people speak one of those 120 languages as their second language
(L2).

Analyze Amazon S3 storage costs using AWS Cost and Usage Reports, Amazon S3 Inventory, and Amazon Athena

2023-02-02 Dagar Katyal

Post Syndicated from Dagar Katyal original https://aws.amazon.com/blogs/big-data/analyze-amazon-s3-storage-costs-using-aws-cost-and-usage-reports-amazon-s3-inventory-and-amazon-athena/

Since its launch in 2006, Amazon Simple Storage Service (Amazon S3) has experienced major growth, supporting multiple use cases such as hosting websites, creating data lakes, serving as object storage for consumer applications, storing logs, and archiving data. As the application portfolio grows, customers tend to store data from multiple application and different business functions in a single S3 bucket, which can grow the storage in S3 buckets to hundreds of TBs. The AWS Billing console provides a way to look at the total storage cost of data stored in Amazon S3, but sometimes IT organizations need to understand the breakdown of costs of a particular S3 bucket by various prefixes or objects corresponding to a particular user or application. There are various reasons to analyze the costs of S3 buckets, such as to identify the spend breakdown, do internal chargebacks, understand the cost breakdown by business unit and application, and many more. As of this writing, there is no easy way to do a cost breakdown of S3 buckets by objects and prefixes.

In this post, we discuss a solution using Amazon Athena to query AWS Cost and Usage Reports and Amazon S3 Inventory reports to analyze the cost by prefixes and objects in an S3 bucket.

Overview of solution

The following figure shows the architecture for this solution. First, we enable the AWS Cost and Usage Reports (AWS CUR) and Amazon S3 Inventory features, which save the output into two separate pre-created S3 buckets. We then use Athena to query these S3 buckets for AWS CUR data and S3 object inventory data to correlate and allocate the cost breakdown at the object or prefix level.

architecture diagram

To implement the solution, we complete the following steps:

Create S3 buckets for AWS CUR, S3 object inventory, and Athena results. Alternatively, you can create these respective buckets when enabling the respective individual features, but for the purpose of this post, we create all of them at the beginning.
Enable the Cost and Usage Reports.
Enable Amazon S3 Inventory configuration.
Create AWS Glue Data Catalog tables for the CUR and S3 object inventory to query using Athena.
Run queries in Athena.

Prerequisites

For this walkthrough, you should have the following prerequisites:

An AWS account.
AWS Identity and Access Management (IAM) permissions for the following services:
- Amazon S3 – Create and manage S3 buckets.
- AWS Billing and Cost Management – Create Cost and Usage Reports.
- Athena – Create tables and run queries. AWS Glue Data Catalog permissions are needed to create tables.

Create S3 buckets

Amazon S3 is an object storage service offering industry-leading scalability, data availability, security, and performance. Customers of all sizes and industries can store and protect any amount of data for virtually any use case, such as data lakes, cloud-native applications, and mobile apps. With cost-effective storage classes and easy-to-use management features, you can optimize costs, organize data, and configure fine-tuned access controls to meet specific business, organizational, and compliance requirements.

For this post, we use the S3 bucket s3-object-cost-allocation as the primary bucket for cost allocation. This S3 bucket is conveniently modeled to contain several prefixes and objects of different sizes for which cost allocation needs to be done based on the overall cost of the bucket. In a real-world scenario, you should use a bucket that has data for multiple teams and for which you need to allocate costs by prefix or object. Going forward, we refer to this bucket as the primary object bucket.

The following screenshot shows our S3 bucket and folders.

example Folders created

Now let’s create the three additional operational S3 buckets to store the datasets generated to calculate costs for the objects. You can create the following buckets or any existing buckets as needed:

cur-cost-usage-reports-<account_number> – This bucket is used to save the Cost and Usage Reports for the account.
S3-inventory-configurations-<account_number> – This bucket is used to save the inventory configurations of our primary object bucket.
athena-query-bucket-<account_number> – This bucket is used to save the query results from Athena.

Complete the following steps to create your S3 buckets:

On the Amazon S3 console, choose Buckets in the navigation pane.
Choose Create bucket.
For Bucket name, enter the name of your bucket (cur-cost-usage-reports-<account_number>).
For AWS Region, choose your preferred Region.
Leave all other settings at default (or according to your organization’s standards).
Choose Create bucket.
Repeat these steps to create s3-inventory-configurations-<account_number> and athena-query-bucket-<account_number>.

Enable the Cost and Usage Reports

The AWS Cost and Usage Reports (AWS CUR) contains the most comprehensive set of cost and usage data available. You can use Cost and Usage Reports to publish your AWS billing reports to an S3 bucket that you own. You can receive reports that break down your costs by the hour, day, or month; by product or product resource; or by tags that you define yourself.

Complete the following steps to enable Cost and Usage Reports for your account:

On the AWS Billing console, in the navigation pane, choose Cost & Usage Reports.
Choose Create report.
For Report name, enter a name for your report, such as account-cur-s3.
For Additional report details, select Include resource IDs to include the IDs of each individual resource in the report.Including resource IDs will create individual line items for each of your resources. This can increase the size of your Cost and Usage Reports files significantly, which can affect the S3 storage costs for your CUR, based on your AWS usage. We need this feature enabled for this post.
For Data refresh settings, select whether you want the Cost and Usage Reports to refresh if AWS applies refunds, credits, or support fees to your account after finalizing your bill.When a report refreshes, a new report is uploaded to Amazon S3.
Choose Next.
For S3 bucket, choose Configure.
For Configure S3 Bucket, select an existing bucket created in the previous section (cur-cost-usage-reports-<account_number>) and choose Next.
Review the bucket policy, select I have confirmed that this policy is correct, and choose Save. This default bucket policy provides Cost and Usage Reports access to write data to Amazon S3.
For Report path prefix, enter cur-data/account-cur-daily.
For Time granularity, choose Daily.
For Report versioning, choose Overwrite existing report.
For Enable report data integration for, select Amazon Athena.
Choose Next.
After you have reviewed the settings for your report, choose Review and Complete.

The Cost and Usage reports will be delivered to the S3 buckets within 24 hours.

The following sample CUR in CSV format shows different columns of the Cost and Usage Report, including bill_invoice_id, bill_invoicing_entity, bill_payer_account_id, and line_item_product_code, to name a few.

sample cost and usage report

Enable Amazon S3 Inventory configuration

Amazon S3 Inventory is one of the tools Amazon S3 provides to help manage your storage. You can use it to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs. Amazon S3 Inventory provides comma-separated values (CSV), Apache Optimized Row Columnar (ORC), or Apache Parquet output files that list your objects and their corresponding metadata on a daily or weekly basis for an S3 bucket or a shared prefix (objects that have names that begin with a common string).

Complete the following steps to enable Amazon S3 Inventory on the primary object bucket:

On the Amazon S3 console, choose Buckets in the navigation pane.
Choose the bucket for which you want to configure Amazon S3 Inventory.
This will be the existing bucket in your account that has data that needs to be analyzed. This could be your data lake or application S3 bucket. We created the bucket s3-object-cost-allocation with some sample data and folder structure.
Choose Management.
Under Inventory configurations, choose Create inventory configuration.
For Inventory configuration name, enter s3-object-cost-allocation.
For Inventory scope, leave Prefix blank.
This is to ensure that all objects are covered for the report.
For Object Versions, select Current version only.
For Report details, choose This account.
For Destination, choose the destination bucket we created (s3-inventory-configurations-<account_number>).
For Frequency, choose Daily.
For Output format, choose as Apache Parquet.
For Status, choose Enable.
Keep server-side encryption disabled. To use server-side encryption, choose Enable and specify the encryption key.
For Additional fields, select the following to add to the inventory report:
- Size – The object size in bytes.
- Last modified date – The object creation date or the last modified date, whichever is the latest.
- Multipart upload – Specifies that the object was uploaded as a multipart upload. For more information, see Uploading and copying objects using multipart upload.
- Replication status – The replication status of the object. For more information, see Using the S3 console.
- Encryption status – The server-side encryption used to encrypt the object. For more information, see Protecting data using server-side encryption.
- Bucket key status – Indicates whether a bucket-level key generated by AWS KMS applies to the object.
- Storage class – The storage class used for storing the object.
- Intelligent-Tiering: Access tier – Indicates the access tier of the object if it was stored in Intelligent-Tie
Choose Create.

It may take up to 48 hours to deliver the first report.

Create AWS Glue Data Catalog tables for CUR and Amazon S3 Inventory reports

Wait for up to 48 hours for the previous step to generate the reports. In this section, we use Athena to create and define AWS Glue Data Catalog tables for the data that has been created using Cost and Usage Reports and Amazon S3 Inventory reports.

Athena is a serverless, interactive analytics service built on open-source frameworks, supporting open-table and file formats. Athena provides a simplified, flexible way to analyze petabytes of data where it lives.

Complete the following steps to create the tables using Athena:

Navigate to the Athena console.
If you’re using Athena for the first time, you need to set up a query result location in Amazon S3. If you preconfigured this in Athena , you can skip this step.
- Choose View settings.
- Choose Manage.
- In the section Query result location and encryption, choose Browse S3 and choose the bucket that we created (athena-query-bucket-<account_number>).
- Choose Save.
- Navigate back to the Athena query editor.

Run the following query in Athena to create a table for Cost and Usage Reports. Verify and update the section for <<LOCATION>> at the end of the query and point it to the correct S3 bucket and location. Note that the new table name should be account_cur.

CREATE EXTERNAL TABLE `account_cur`(
`identity_line_item_id` string,
`identity_time_interval` string,
`bill_invoice_id` string,
`bill_billing_entity` string,
`bill_bill_type` string,
`bill_payer_account_id` string,
`bill_billing_period_start_date` timestamp,
`bill_billing_period_end_date` timestamp,
`line_item_usage_account_id` string,
`line_item_line_item_type` string,
`line_item_usage_start_date` timestamp,
`line_item_usage_end_date` timestamp,
`line_item_product_code` string,
`line_item_usage_type` string,
`line_item_operation` string,
`line_item_availability_zone` string,
`line_item_resource_id` string,
`line_item_usage_amount` double,
`line_item_normalization_factor` double,
`line_item_normalized_usage_amount` double,
`line_item_currency_code` string,
`line_item_unblended_rate` string,
`line_item_unblended_cost` double,
`line_item_blended_rate` string,
`line_item_blended_cost` double,
`line_item_line_item_description` string,
`line_item_tax_type` string,
`line_item_legal_entity` string,
`product_product_name` string,
`product_availability` string,
`product_description` string,
`product_durability` string,
`product_event_type` string,
`product_fee_code` string,
`product_fee_description` string,
`product_free_query_types` string,
`product_from_location` string,
`product_from_location_type` string,
`product_from_region_code` string,
`product_group` string,
`product_group_description` string,
`product_location` string,
`product_location_type` string,
`product_message_delivery_frequency` string,
`product_message_delivery_order` string,
`product_operation` string,
`product_platopricingtype` string,
`product_product_family` string,
`product_queue_type` string,
`product_region` string,
`product_region_code` string,
`product_servicecode` string,
`product_servicename` string,
`product_sku` string,
`product_storage_class` string,
`product_storage_media` string,
`product_to_location` string,
`product_to_location_type` string,
`product_to_region_code` string,
`product_transfer_type` string,
`product_usagetype` string,
`product_version` string,
`product_volume_type` string,
`pricing_rate_code` string,
`pricing_rate_id` string,
`pricing_currency` string,
`pricing_public_on_demand_cost` double,
`pricing_public_on_demand_rate` string,
`pricing_term` string,
`pricing_unit` string,
`reservation_amortized_upfront_cost_for_usage` double,
`reservation_amortized_upfront_fee_for_billing_period` double,
`reservation_effective_cost` double,
`reservation_end_time` string,
`reservation_modification_status` string,
`reservation_normalized_units_per_reservation` string,
`reservation_number_of_reservations` string,
`reservation_recurring_fee_for_usage` double,
`reservation_start_time` string,
`reservation_subscription_id` string,
`reservation_total_reserved_normalized_units` string,
`reservation_total_reserved_units` string,
`reservation_units_per_reservation` string,
`reservation_unused_amortized_upfront_fee_for_billing_period` double,
`reservation_unused_normalized_unit_quantity` double,
`reservation_unused_quantity` double,
`reservation_unused_recurring_fee` double,
`reservation_upfront_value` double,
`savings_plan_total_commitment_to_date` double,
`savings_plan_savings_plan_a_r_n` string,
`savings_plan_savings_plan_rate` double,
`savings_plan_used_commitment` double,
`savings_plan_savings_plan_effective_cost` double,
`savings_plan_amortized_upfront_commitment_for_billing_period` double,
`savings_plan_recurring_commitment_for_billing_period` double,
`resource_tags_user_bucket_name` string,
`resource_tags_user_cost_tracking` string)
PARTITIONED BY (
`year` string,
`month` string)
ROW FORMAT SERDE
'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe'
STORED AS INPUTFORMAT
'org.apache.hadoop.mapred.TextInputFormat'
OUTPUTFORMAT
'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION
'<<LOCATION>>'

Run the following query in Athena to create the table for Amazon S3 Inventory. Verify and update the section for <<LOCATION>> at the end of the query and point it to the correct S3 bucket and location.

To get the exact value of the location, navigate to the bucket where inventory configurations are stored and navigate to the folder path Hive . Use the S3 URI to replace <<LOCATION>> in the query. query path location

CREATE EXTERNAL TABLE s3_object_inventory(
         bucket string,
         key string,
         version_id string,
         is_latest boolean,
         is_delete_marker boolean,
         size bigint,
         last_modified_date bigint,
         storage_class string,
         is_multipart_uploaded boolean,
         replication_status string,
         encryption_status string,
         intelligent_tiering_access_tier string,
         bucket_key_status string
) PARTITIONED BY (
        dt string
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe'
  STORED AS INPUTFORMAT 'org.apache.hadoop.hive.ql.io.SymlinkTextInputFormat'
  OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.IgnoreKeyTextOutputFormat'
  LOCATION '<<LOCATION>>';

We need to refresh the partitions and add new inventory lists to the table. Use the following commands to add data to the CUR table and Amazon S3 Inventory table:
```
MSCK REPAIR TABLE `account_cur`;

MSCK REPAIR TABLE s3_object_inventory;
```

Run queries in Athena to allocate the cost of objects in an S3 bucket

Now we can query the data we have available to get a cost allocation breakdown at the prefix level.

We need to provide some information in the following queries:

Update <<YYYY-MM-DD>> with the date for which you want to analyze the data
Update <<prefix>> with the prefix values for your bucket that needs to be analyzed
Update <<bucket_name>> with the name of the bucket that needs to be analyzed

We use the following part of the query to calculate the size of storage being used by the target prefix that we want to calculate the cost for:

select date_parse(dt,'%Y-%m-%d-%H-%i') dt, cast (sum(size) as double) targetPrefixBytes
from s3_object_inventory
where date_parse(dt,'%Y-%m-%d-%H-%i') = cast('<<YYYY-MM-DD>>' as timestamp)
and key like '<<prefix>>/%'
group by dt

Next, we calculate the total size of the bucket on that particular date:

select date_parse(dt,'%Y-%m-%d-%H-%i') dt, cast (sum(size) as double) totalBytes
from s3_object_inventory
where date_parse(dt,'%Y-%m-%d-%H-%i') = cast('<<YYYY-MM-DD>>' as timestamp)
group by dt

We query the CUR table to get the cost of a particular bucket on a particular date:

select line_item_usage_start_date as dt, sum(line_item_blended_cost) as line_item_blended_cost
from "account_cur"
where line_item_product_code = 'AmazonS3'
and product_servicecode = 'AmazonS3'
and line_item_operation = 'StandardStorage'
and line_item_resource_id = '<<bucket_name>>'
and line_item_usage_start_date = cast('<<YYYY-MM-DD>>' as timestamp)
group by line_item_usage_start_date

Putting all of this together, we can calculate the cost of a particular prefix (folder or a file) on a specific date. The complete query is as follows:

with
cost as (select line_item_usage_start_date as dt, sum(line_item_blended_cost) as line_item_blended_cost
from "account_cur"
where line_item_product_code = 'AmazonS3'
and product_servicecode = 'AmazonS3'
and line_item_operation = 'StandardStorage'
and line_item_resource_id = '<<bucket_name>>'
and line_item_usage_start_date = cast('<<YYYY-MM-DD>>' as timestamp)
group by line_item_usage_start_date),
total as (select date_parse(dt,'%Y-%m-%d-%H-%i') dt, cast (sum(size) as double) totalBytes
from s3_object_inventory
where date_parse(dt,'%Y-%m-%d-%H-%i') = cast('<<YYYY-MM-DD>>' as timestamp)
group by dt),
target as (select date_parse(dt,'%Y-%m-%d-%H-%i') dt, cast (sum(size) as double) targetPrefixBytes
from s3_object_inventory
where date_parse(dt,'%Y-%m-%d-%H-%i') = cast('<<YYYY-MM-DD>>' as timestamp)
and key like '<<prefix>>/%'
group by dt)
select target.dt,
(target.targetPrefixBytes/ total.totalBytes * 100) percentUsed,
cost.line_item_blended_cost totalCost,
cost.line_item_blended_cost*(target.targetPrefixBytes/ total.totalBytes) as prefixCost
from target, total, cost
where target.dt = total.dt
and target.dt = cost.dt

The following screenshot shows the results table for the sample data we used in this post. We get the following information:

dt – Date
percentUsed – The percentage of prefix space compared to overall bucket space
totalCost – The total cost of the bucket
prefixCost – The cost of the space used by the prefix

Clean up

To stop incurring costs, be sure to disable Amazon S3 Inventory and Cost and Usage Reports when you’re done.

Delete the S3 buckets created for the Amazon S3 Inventory reports and Cost and Usage Reports to avoid storage charges.

Other methods for Amazon S3 storage analysis

Amazon S3 Storage Lens can provide a single view of object storage usage and activity across your entire Amazon S3 storage. With S3 Storage Lens, you can understand, analyze, and optimize storage with over 29 usage and activity metrics and interactive dashboards to aggregate data for your entire organization, specific accounts, Regions, buckets, or prefixes. All of this data is accessible on the Amazon S3 console or as raw data in an S3 bucket.

S3 Storage Lens doesn’t provide cost analysis based on an object or prefix in a single bucket. If you want visibility of storage usage and trends across the entire storage footprint along with recommendations on cost efficiency and data protection best practices, S3 Storage Lens is the right option. But if you want a cost analysis of specific S3 buckets and looking for ways to get cost allocation of S3 objects at the object or prefix level, the solution in this post would be the best fit.

Conclusion

In this post, we detailed how to create a cost breakdown model at the object or prefix level for S3 buckets that contains data for multiple business units and applications. We used Athena to query the reports and datasets produced by the AWS CUR and Amazon S3 Inventory features that, when correlated, give us the cost allocation at the object and prefix level. This solution gives you an easy way to calculate costs for independent objects and prefixes, which can be used for internal chargebacks or just to know the per-object or per-prefix spending in a shared S3 bucket.

About the Authors

Dagar Katyal is a Senior Solutions Architect at AWS, based in Chicago, Illinois. He works with customers and provides guidance for key strategic initiatives important for their business. Dagar has an MBA and has spent years over 15 years working with customers on projects on analytics strategy, roadmap, and using data as a key differentiator. When not working with customers, Dagar spends time with his family and doing home improvement projects.

Saiteja Pudi is a Solutions Architect at AWS, based in Dallas, Tx. He has been with AWS for more than 3 years now, helping customers derive the true potential of AWS by being their trusted advisor. He comes from an application development background, interested in Data Science and Machine Learning.

Troubleshooting InsightAppSec Authentication Issues

2023-02-02 Shane Queeney

Post Syndicated from Shane Queeney original https://blog.rapid7.com/2023/02/02/troubleshooting-insightappsec-authentication-issues/

Troubleshooting InsightAppSec Authentication Issues

For complete visibility into the vulnerabilities in your environment, proper authentication to web apps in InsightAppSec is essential. In this article, we’ll look at issues you might encounter with macro, traffic, and selenium authentication and how to troubleshoot them. Additionally, you’ll get practical and actionable tips on using InsightAppSec to its full potential.

The first step to troubleshooting InsightAppSec authentication is to look over the scan logs. The scan logs can be located under the scan in the upper left hand corner. The logs can give you useful information such as if the authentication fails, the website is unavailable, or if any other problems arose during the scan.

Event log will give you information about the scan itself.
Platform event log will give you information about the scan engine and if it encountered any issues during the scan.
Download additional logs: If you wanted to dive even deeper into what happened during the scan, you can to to look into the full scan logs.

Troubleshooting InsightAppSec Authentication Issues

Let’s look at some of the specific issues you might encounter with the different types of authentication noted above.

Macro Authentication

When a macro fails, the logs will give you the specific step where the macro had trouble. For example, in the image below, we can see that the macro failed on step 4, where it could not click on the specific object on the page. This could be caused by the page not loading quick enough, the name or ID of the element path changing, or the web app UI being different.

If you determine that the macro failed because the page isn’t loading fast enough, there are two ways you can slow the macro down.

The first way is to manually add a delay between the steps that are running too quickly. You can copy any of the delays that are currently in the macro, paste them into the spot that you want to slow down, and then change the step numbers. This way you can also set the specific duration for any delays you add into your macro.

The second way is to add additional delays throughout the macro, and change the Min Duration so the delays last longer. This is controlled via the export settings menu on the right. The default minimum duration is set to 3,000 milliseconds (3 seconds). Increasing the duration or adding delays will cause the macro to take longer to authenticate, but when running a scan overnight an extra few minutes to ensure the login works is a good tradeoff.

One other potential problem when recording a macro is when you have a password manager autofill the username and password. Anything that is automatically filled in will not be recorded by the macro. It is recommended to either turn off any password managers when recording a macro, or recording in Incognito/private browsing with all other plugins disabled to ensure nothing can modify or mess with the recording.

Lastly, if you have any events on your web app, such as a prompt to join a mailing list, that does not happen every time, you can mark that macro event as optional. If the event is not marked optional, then the macro will fail as it is unable to see the element on the page. Simply change the optional flag in the macro recording from 0 to 1 and you’re all set.

Traffic Authentication

While traffic authentication is usually successful when the login is working, there could still be some problems with playback. When traffic authentication fails, the scan logs don’t give you specific information like with macro authentication. Instead, the traffic authentication fails with the LoggedInRegex did not detect logged in state error. If you can’t get the traffic authentication working in the Rapid7 Appsec Plugin, you can always record the authentication within your browser.

For Chrome:

Click on the hamburger menu in the upper right.
Go to More Tools → Developer Options
Click on Network in the top tab
Make sure the dot in the upper left is red to signify you are recording.
Log in to your web app and when complete, right click on the recorded traffic and click Save all as HAR with content.

This will download the same .HAR file that the Appsec Plugin records, allowing you to use it for scanning.

Depending on how your web app responds, you might need to change the Use agent setting for how InsightAppsec interacts with your app.

Under your scan configuration, if you go to advanced options → HTTP Headers → User agent, you can then change what user agent is used to reach out to your web app. The latest version of Chrome should be fine for most modern web apps, but if you’re scanning a mobile app or an app that hasn’t been updated in a few years it might benefit from being changed.

Additional information can be found here.

Selenium Authentication

The third primary type of authentication is selenium. Selenium is similar to the macro authentication where you record all the actions to log in to your web app. Selenium is similar to traffic authentication where you will usually receive the LoggedInRegex did not detect logged in state error in the scan logs rather than specific information about the failure.

If the Selenium script could not find specific elements on the web page, you could also receive the Could not execute Selenium script error. This means there’s a problem with the script itself, the page didn’t load fast enough, or it couldn’t find the specific element on the web page. If this happens, try re-recording the script or adding a delay.

Using the plugin to record selenium scripts:

Click on the selenium plugin and Record a new test in a new project.
Give the project a name and enter in the base URL where you want recording to start.
In the new window that appears, log in to your web app. Once complete, close out of the window.
Before saving, you can click on the play icon to replay and test your selenium script.
Review the recording and then click on the save button in the upper right. You can then upload the .side file into InsightAppSec.

Just like macro authentication, if your website takes a while to load and the selenium script is running too fast, you can add additional delays to slow it down. There are implicit waits built into the IDE commands but if those don’t work for you, after running the authentication, you can add in wait for element commands to your selenium script.

Right click on the selenium recording and click insert new command
Set the command to wait for element visible
Set the target to the element you want to wait for. In this case, we’re waiting for id=email
By default the value is set to wait for 30,000 milliseconds (30 seconds)

Alternatively, you can use the pause command and set the value to how long you want the script to pause for. However, it is recommended to use the wait for element visible command if the web app responds at different times.

Additional information can be found here.

Logged-In Regex Errors

After ensuring the macro, traffic, and selenium files are working correctly, the next step in the authentication process is the logged-in regex. After the login is complete, InsightAppSec will look at the web page to find a logout button or look at the browser header for a session cookie. This can be modified by clicking into the scan configuration, navigating to the Authentication tab, and clicking on Additional Settings on the left.

Logged-in Regex

By default, the logged-in regex looks for sign out, sign off, log out and log off, with and without spaces between the words, on the web page.

One common problem is logged-in regex not seeing the logout button on the page before ending the authentication recording. If the logout button is on another page, or sometimes under a dropdown menu, the logged-in regex won’t detect it on the page, causing the authentication to fail.

Another common issue is if the logout button is an image or otherwise can’t be detected on the page. As the field is looking for a regular expression, you can use other words on the page to determine that the login was successful. You have to ensure that the word only appears on the page after logging in, such as the username. Otherwise the login might not actually be successful.

Logged-in Header Regex

Depending on how your web app is structured, you might need to use the logged-in header regex instead. For example, if there is no logout button, or if you have a single page web app that calls javascript files, the logged-in regex is more likely to fail. What you can do instead is grab the session ID cookie from the web browser, and if that is detected, then the regex will be successful.

In Chrome:

Click on the three dots in the upper right corner
Then go to more tools and then developer options.
Click on the application tab at the top, then cookies on the left, and finally the web app cookie.
From there you want to find the session information cookie that only appears after logging in to the web app. Grab the name of the cookie and place that in the logged-in header regex.

The logged-in regex and logged-in header regex use AND logic, so if you put information in both fields, it will then need both to be successful in order for the login to work. Alternatively, if you remove the regex from both fields, it won’t run any post authentication checks, assuming the login is successful. It is recommended to do that as a last resort, you won’t be alerted if the login does start failing or if there are any other problems.

Other common issues and tricks

One issue you might encounter is where you start the authentication recording. For example, starting the recording after a page redirect. If your web app redirects to another page or SSO, and you start the authentication recording after the redirect, InsightAppSec won’t have the session information to properly redirect back to the target web app when it gets replayed during the scan. It is recommended to always start your recording on the root web app directory wherever possible.

You can also choose specific directories for scanning versus the entire web app. You want to remove the URL from the app Target URLs, and add it in specifically under the scan config. You can then set the target directory in the crawl and attack configs as literal, and then add a /* wildcard to hit any subdirectories.

Lastly, there is a way to restrict certain elements on a web page from being scanned. Under advanced options → CrawlConfig and AttackerConfig, there’s an option called ScopeConstraintList. This is where you can explicitly include or exclude specific pages from being scanned. You can take it a step further by adding a httpParameterList to explicitly exclude certain elements on the page from being scanned. For example, if you have a contact us page and you don’t want the scanner to hit the submit button, you can add it to the httpParameterList so it won’t be touched.

Below is an example of what the fields look like in the web page source code, and how it can be configured in IAS.

Email field source code: input type="email" name="contact_email"

Submit button source code: <button id="form-submit"

The entire site is in scope, and we are telling IAS not to hit the submit button or the email field.

You can find the Selenium and AppSec plugins below:

Enabling branch deployments through IssueOps with GitHub Actions

2023-02-02 Grant Birkinbine

Post Syndicated from Grant Birkinbine original https://github.blog/2023-02-02-enabling-branch-deployments-through-issueops-with-github-actions/

At GitHub, the branch deploy model is ubiquitous and it is the standard way we ship code to production, and it has been for years. We released details about how we perform branch deployments with ChatOps all the way back in 2015.

We are able to use ChatOps to perform branch deployments for most of our repositories, but there are a few situations where ChatOps simply won’t work for us. What if developers want to leverage branch deployments but don’t have a full ChatOps stack integrated with their repositories? We wanted to set out to find a way for all developers to be able to take advantage of branch deployments with ease, right from their GitHub repository, and so the branch-deploy Action was born!

Gif demonstrating how to us the branch-deploy Action.

How Does GitHub use this Action?

GitHub primarily uses ChatOps with Hubot to facilitate branch deployments where we can. If ChatOps isn’t an option, we use this branch-deploy Action instead. The majority of our use cases include Infrastructure as Code (IaC) repositories where we use Terraform to deploy infrastructure changes. GitHub uses this Action in many internal repositories and so does npm. There are also many other public, open source, and corporate organizations adopting this Action, as well, to help ship their code to production!

Understanding the branch deploy model

Before we dive into the branch-deploy Action, let’s first understand what the branch deploy model is and why it is so useful.

To really understand the branch deploy model, let’s first take a look at a traditional deploy → merge model. It goes like this:

Create a branch.
Add commits to your branch.
Open a pull request.
Gather feedback plus peer reviews.
Merge your branch.
A deployment starts from the main branch.

Diagram outlining the steps of the traditional deploy model, enumerated in the numbered list above.

Now, let’s take a look at the branch deploy model:

Create a branch.
Add commits to your branch.
Open a pull request.
Gather feedback plus peer reviews.
Deploy your change.
Validate.
Merge your branch to the main / master branch.

Diagram outlining the steps of the branch deploy model, enumerated in the list above.

The merge deploy model is inherently riskier because the main branch is never truly a stable branch. If a deployment fails, or we need to roll back, we follow the entire process again to roll back our changes. However, in the branch deploy model, the main branch is always in a “good” state and we can deploy it at any time to revert the deployment from a branch deploy. In the branch deploy model, we only merge our changes into main once the branch has been successfully deployed and validated.

Note: this is sometimes referred to as the GitHub flow.

Key concepts

Key concepts of the branch deploy model:

The main branch is always considered to be a stable and deployable branch.
All changes are deployed to production before they are merged to the main branch.
To roll back a branch deployment, you deploy the main branch.

By now you may be sold on the branch deploy methodology. How do we implement it? Introducing IssueOps with GitHub Actions!

IssueOps

The best way to define IssueOps is to compare it to something similar, ChatOps. You may be familiar with the concept, ChatOps, already; if not, here is a quick definition:

ChatOps is the process of interacting with a chat bot to execute commands directly in a chat platform. For example, with ChatOps you might do something like .ping example.org to check the status of a website.

IssueOps adopts the same mindset but through a different medium. Rather than using a chat service (Discord, Slack, etc.) to invoke the commands we use comments on a GitHub Issue or pull request. GitHub Actions is the runtime that executes our desired logic when an IssueOps command is invoked.

GitHub Actions

How does it work? This section will go into detail about how this Action works and hopefully inspire you to leverage it in your own projects. The full source code and further documentation can be found on GitHub.

Let’s walk through the process using the demo configuration of a branch-deploy Action below.

1. Create this file under `.github/workflows/branch-deploy.yml` in your GitHub repository:

name: "branch deploy demo"

# The workflow will execute on new comments on pull requests - example: ".deploy" as a comment
on:
  issue_comment:
    types: [created]

jobs:
  demo:
    if: ${{ github.event.issue.pull_request }} # only run on pull request comments (no need to run on issue comments)
    runs-on: ubuntu-latest
    steps:
      # Execute IssueOps branch deployment logic, hooray!
      # This will be used to "gate" all future steps below and conditionally trigger steps/deployments
      - uses: github/[email protected] # replace X.X.X with the version you want to use
        id: branch-deploy # it is critical you have an id here so you can reference the outputs of this step
        with:
          trigger: ".deploy" # the trigger phrase to look for in the comment on the pull request

      # Run your deployment logic for your project here - examples seen below

      # Checkout your project repository based on the ref provided by the branch-deploy step
      - uses: actions/[email protected]
        if: ${{ steps.branch-deploy.outputs.continue == 'true' }} # skips if the trigger phrase is not found
        with:
          ref: ${{ steps.branch-deploy.outputs.ref }} # uses the detected branch from the branch-deploy step

      # Do some fake "noop" deployment logic here
      # conditionally run a noop deployment
      - name: fake noop deploy
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop == 'true' }} # only run if the trigger phrase is found and the branch-deploy step detected a noop deployment
        run: echo "I am doing a fake noop deploy"

      # Do some fake "regular" deployment logic here
      # conditionally run a regular deployment
      - name: fake regular deploy
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} # only run if the trigger phrase is found and the branch-deploy step detected a regular deployment
        run: echo "I am doing a fake regular deploy"

2. Trigger a noop deploy by commenting `.deploy noop` on a pull request.

A noop deployment is detected so this action outputs the noop variable to true. If you have the correct permissions to execute the IssueOps command, the action outputs the continue variable to true as well. The step named fake noop deploy runs, while the fake regular deploy step is skipped.

3. After your noop deploy completes, you would typically run `.deploy` to execute the actual deployment, `fake regular deploy`.

Features

The best part about the branch-deploy Action is that it is highly customizable for any deployment targets and use cases. Here are just a few of the features that this Action comes bundled with:

Detects when IssueOps commands are used on a pull request.
Configurable: choose your command syntax, environment, noop trigger, base branch, reaction, and more.
Respects your branch protection settings configured for the repository.
Comments and reacts to your IssueOps commands.
Triggers GitHub deployments for you with simple configuration.
Deploy locks to prevent multiple deployments from clashing.
Configurable environment targets.

The repository also comes with a usage guide, which can be referenced by you and your team to quickly get familiar with available IssueOps commands and how they work.

Examples

The branch-deploy Action is customizable and suited for a wide range of projects. Here are a few examples of how you can use the branch-deploy Action to deploy to different services:

Conclusion

If you are looking to enhance your DevOps experience, have better reliability in your deployments, or ship changes faster, then branch deployments are for you!

Hopefully, you now have a better understanding of why the branch deploy model is a great option for shipping your code to production.

By using GitHub plus Actions plus IssueOps you can leverage the branch deploy model in any repository!

Source code: GitHub

Shooting for the Clouds: How One Photo Storage Service Moved Beyond Physical Devices

2023-02-02 Barry Kaufman

Post Syndicated from Barry Kaufman original https://www.backblaze.com/blog/shooting-for-the-clouds-how-one-photo-storage-service-moved-beyond-physical-devices/

The sheer number of creative and unique ways our customers and partners utilize Backblaze B2 Cloud Storage never ceases to amaze us. Whether it’s pairing our storage with a streaming platform to deliver seamless video or protecting research data that is saving lives, we applaud their ingenuity. From time to time, we like to put the spotlight on one of these inspired customers, which brings us to the company we’re highlighting today: Monument, a photo management service with a strong focus on security and privacy.

The TL;DR

Situation: The Monument story started with a physical device where customers could securely save photos, but they saw the winds shifting to the cloud. They wanted to offer users the flexibility and automation that the cloud provides while maintaining their focus on privacy and security.

Solution: Monument launched their cloud-based offering, Monument Cloud, with Backblaze as its storage backbone. User photos are encrypted and stored in Backblaze B2 Cloud Storage, and are accessible via the Monument Cloud app.

Result: Monument Cloud eliminates the need for users to maintain a physical device at their homes or offices. Users just install the Monument Cloud app on their devices and their photos and videos are automatically backed up, fully encrypted, organized, and shareable.

What Is Monument?

Monument was founded in 2016 by a group of engineers and designers who wanted an easy way to back up and organize their photos without giving up their privacy and security. Since smartphones saturated the market, the average person’s digital photo archive has grown exponentially. The average user has around 2,100 photos on their smartphone at any given time, and that’s not even counting the photos stashed away on various old laptops, hard drives, USBs, and devices.

Photo management services like Google Photos stepped in to help folks corral all of those memories. But, most photo management services are a black box—you don’t know how they’re using your data or your images. Monument wanted to give folks the same functionality as something like iCloud or Google Photos while also keeping their private data private.

“There are plenty of photo storage solutions right now, but they come with limitations and fail to offer transparency about their privacy policies—how photos are being used or processed” said Monument’s co-founder Ercan Erciyes. “At Monument, we reimagined how we store and access our photos and provided a clutter-free experience while keeping users in the center, not their personal data.”

They launched their first generation product in 2017—a physical storage device with advanced AI software that helps users manage photo libraries between devices and organize photos by faces, scenery, and other properties. The hardware side was fueled by two rounds of Kickstarter funding, each helping create new versions of the company’s smart storage device powered by a neural processing unit (NPU) that lived on-device and allowed access from anywhere.

An Eye for Secure Photo Storage

That emphasis on privacy fueled the software side of Monument’s offering, an AI-driven approach that allows easy searchability of photos without processing any of the metadata on Monument’s end. Advanced image recognition couples with slick de-duplication features for an experience that catalogs photos without exposing photographers’ data to algorithms that influence their choices. No ads, no profiling, no creepy trackers, and Monument doesn’t use or sell customers’ personal data.

We were getting a lot of questions along the lines of, “What happens if my house catches fire?” or “What if there is physical damage to the device?” so we could see there was a lot of interest in a cloud solution.”

—Ercan Erciyes, Co-Founder, Monument Labs, Inc.

The Gathering Cloud

With the rise of cloud storage, Monument saw their typical consumer shifting away from on-prem solutions. “We were getting a lot of questions along the lines of, ‘What happens if my house catches fire?’ or ‘What if there is physical damage to the device?’ so we could see there was a lot of interest in a cloud solution,” said Ercan. “Plus there were a lot of users that didn’t want a physical device in their home.”

Their answer: Offer the same privacy-first service through a comprehensive cloud solution.

Using Free Credits Wisely

Launching a cloud-based storage service built around their philosophy of privacy and security was a clear necessity for the company’s future. To kick off their move to the cloud, Monument utilized free startup credits from AWS. But, they knew free credits wouldn’t last forever. Rather than using the credits to build a minimum viable product as fast as humanly possible, they took a very measured approach. “The credits are sweet,” Ercan said, “But you need to pay attention to your long-term vision. You need to have a backup plan, so to speak.” (We think so, too.)

Ercan ran the numbers with success in mind and realized they’d ultimately lose money if they built the infrastructure for Monument Cloud on AWS. He also didn’t want to accumulate tech debt and become locked in to AWS.

They ended up using the credits to develop the AI model, but not to build their infrastructure. For that they turned to specialized cloud providers.

Integrating Backblaze B2 Cloud Storage

Monument created a lean tech stack that incorporated Backblaze B2 for long-term encrypted storage. They run their AI software on Vultr, a Backblaze compute partner that offers free egress fees between the two services. And, they use another specialized cloud provider to store thumbnails that are displayed in the Monument Cloud app. The cloud service has quickly become the company’s flagship offering, drawing 25,000 active users.

Group Photos: Serving New Customers

With infrastructure that will scale without cutting into their margins, Monument is poised to serve an increasing number of customers who care about what happens to their personal data. More and more, customers are seeking out alternatives to big name cloud providers, using services like DuckDuckGo instead of Google Search or WhatsApp instead of garden variety text messaging apps. With a distributed, multi-cloud system, they can serve these types of customers with a cloud option while keeping data privacy front and center. And the customers that gravitate to this value proposition are wide-ranging.

Of course, the first ones you might think of would be prolific photo takers or even amateur photographers, but Ercan pointed out some surprising use cases for their technology. “We are seeing a lot of different use cases coming up from schools, real estate companies, and even elder care systems,” he said. With Monument’s new cloud solution, classrooms are exploring new online frontiers in education, and families scattered around the world are able to share photos with their elderly relatives.

A Monument to Security

Challenging monster brands like Google is no small task as a small team of just five people. Monument does it by keeping a laser focus on their core values and their customers’ needs. “If you keep the user’s needs in the center, building a solution doesn’t require an army of engineers,” Ercan said. Without having to worry about how to use customer data to build algorithms that keep advertisers happy, Monument can focus on serving their customers what they actually need—a photo management solution that just works.

Monument Co-founders Semih Hazar (left) and Ercan Erciyes (right)

Monument and Backblaze

Whether you’re the family photographer, the office party chronicler, or you just have a convoluted system of hard drives stickered and slotted onto a shelf somewhere that you’d like to get rid of, first and foremost: Make sure you’re availing yourself of the very reasonable storage available from Backblaze for archiving or backing up your data.

After you’re done with that: Check out Monument.

The post Shooting for the Clouds: How One Photo Storage Service Moved Beyond Physical Devices appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Automating your workload deployments in AWS Local Zones

2023-02-02 Sheila Busser

Post Syndicated from Sheila Busser original https://aws.amazon.com/blogs/compute/automating-your-workload-deployments-in-aws-local-zones/

This blog post is written by Enrico Liguori, SA – Solutions Builder , WWPS Solution Architecture.

AWS Local Zones are a type of infrastructure deployment that places compute, storage,and other select AWS services close to large population and industry centers.

We now have a total of 32 Local Zones; 15 outside of the US (Bangkok, Buenos Aires, Copenhagen, Delhi, Hamburg, Helsinki, Kolkata, Lagos, Lima, Muscat, Perth, Querétaro, Santiago, Taipei, and Warsaw) and 17 in the US. We will continue to launch Local Zones in 21 metro areas in 18 countries, including Australia, Austria, Belgium, Brazil, Canada, Colombia, Czech Republic, Germany, Greece, India, Kenya, Netherlands, New Zealand, Norway, Philippines, Portugal, South Africa, and Vietnam.

Customers using AWS Local Zones can provision the infrastructure and services needed to host their workloads with the same APIs and tools for automation that they use in the AWS Region, included the AWS Cloud Development Kit (AWS CDK).

The AWS CDK is an open source software development framework to model and provision your cloud application resources using familiar programming languages, including TypeScript, JavaScript, Python, C#, and Java. For the solution in this post, we use Python.

Overview

In this post we demonstrate how to:

Programmatically enable the Local Zone of your interest.
Explore the supported APIs to check the types of Amazon Elastic Compute Cloud (Amazon EC2) instances available in a specific Local Zone and get their associated price per hour;
Deploy a simple WordPress application in the Local Zone through AWS CDK.

Prerequisites

To be able to try the examples provided in this post, you must configure:

Enabling a Local Zone programmatically

To get started with Local Zones, you must first enable the Local Zone that you plan to use in your AWS account. In this tutorial, you can learn how to select the Local Zone that provides the lowest latency to your site and understand how to opt into the Local Zone from the AWS Management Console.

If you prefer to interact with AWS APIs programmatically, then you can enable the Local Zone of your interest by calling the ModifyAvailabilityZoneGroup API through the AWS CLI or one of the supported AWS SDKs.

The following examples show how to opt into the Atlanta Local Zone through the AWS CLI and through the Python SDK:

AWS CLI:

aws ec2 modify-availability-zone-group \
  --region us-east-1 \
  --group-name us-east-1-atl-1 \
  --opt-in-status opted-in

Python SDK:

ec2 = boto3.client('ec2', config=Config(region_name='us-east-1'))
response = ec2.modify_availability_zone_group(
                  GroupName='us-east-1-atl-1',
                  OptInStatus='opted-in'
           )

The opt in process takes approximately five minutes to complete. After this time, you can confirm the opt in status using the DescribeAvailabilityZones API.

From the AWS CLI, you can check the enabled Local Zones with:

aws ec2 describe-availability-zones --region us-east-1

Or, once again, we can use one of the supported SDKs. Here is an example using Phyton:

ec2 = boto3.client('ec2', config=Config(region_name='us-east-1'))
response = ec2.describe_availability_zones()

In both cases, a JSON object similar to the following, will be returned:

{
"State": "available",
"OptInStatus": "opted-in",
"Messages": [],
"RegionName": "us-east-1",
"ZoneName": "us-east-1-atl-1a",
"ZoneId": "use1-atl1-az1",
"GroupName": "us-east-1-atl-1",
"NetworkBorderGroup": "us-east-1-atl-1",
"ZoneType": "local-zone",
"ParentZoneName": "us-east-1d",
"ParentZoneId": "use1-az4"
}

The OptInStatus confirms that we successful enabled the Atlanta Local Zone and that we can now deploy resources in it.

How to check available EC2 instances in Local Zones

The set of instance types available in a Local Zone might change from one Local Zone to another. This means that before starting deploying resources, it’s a good practice to check which instance types are supported in the Local Zone.

After enabling the Local Zone, we can programmatically check the instance types that are available by using DescribeInstanceTypeOfferings. To use the API with Local Zones, we must pass availability-zone as the value of the LocationType parameter and use a Filter object to select the correct Local Zone that we want to check. The resulting AWS CLI command will look like the following example:

aws ec2 describe-instance-type-offerings --location-type "availability-zone" --filters 
Name=location,Values=us-east-1-atl-1a --region us-east-1

Using Python SDK:

ec2 = boto3.client('ec2', config=Config(region_name='us-east-1'))
response = ec2.describe_instance_type_offerings(
      LocationType='availability-zone',
      Filters=[
            {
            'Name': 'location',
            'Values': ['us-east-1-atl-1a']
            }
            ]
      )

How to check prices of EC2 instances in Local Zones

EC2 instances and other AWS resources in Local Zones will have different prices than in the parent Region. Check the pricing page for the complete list of pricing options and associated price-per-hour.

To access the pricing list programmatically, we can use the GetProducts API. The API returns the list of pricing options available for the AWS service specified in the ServiceCode parameter. We also recommend defining Filters to restrict the number of results returned. For example, to retrieve the On-Demand pricing list of a T3 Medium instance in Atlanta from the AWS CLI, we can use the following:

aws pricing get-products --format-version aws_v1 --service-code AmazonEC2 --region us-east-1 \
--filters 'Type=TERM_MATCH,Field=instanceType,Value=t3.medium' \
--filters 'Type=TERM_MATCH,Field=location,Value=US East (Atlanta)'

Similarly, with Python SDK we can use the following:

pricing = boto3.client('pricing',config=Config(region_name="us-east-1")) response = pricing.get_products(
         ServiceCode='AmazonEC2',
         Filters= [
          {
          "Type": "TERM_MATCH",
          "Field": "instanceType",
          "Value": "t3.medium"
          },
          {
          "Type": "TERM_MATCH",
          "Field": "regionCode",
          "Value": "us-east-1-atl-1"
          }
        ],
         FormatVersion='aws_v1',
)

Note that the Region specified in the CLI command and in Boto3, is the location of the AWS Price List service API endpoint. This API is available only in us-east-1 and ap-south-1 Regions.

Deploying WordPress in Local Zones using AWS CDK

In this section, we see how to use the AWS CDK and Python to deploy a simple non-production WordPress installation in a Local Zone.

Architecture overview

The AWS CDK stack will deploy a new standard Amazon Virtual Private Cloud (Amazon VPC) in the parent Region (us-east-1) that will be extended to the Local Zone. This creates two subnets associated with the Atlanta Local Zone: a public subnet to expose resources on the Internet, and a private subnet to host the application and database layers. Review the AWS public documentation for a definition of public and private subnets in a VPC.

The application architecture is made of the following:

A front-end in the private subnet where a WordPress application is installed, through a User Data script, in a type T3 medium EC2 instance.
A back-end in the private subnet where MySQL database is installed, through a User Data script, in a type T3 medium EC2 instance.
An Application Load Balancer (ALB) in the public subnet that will act as the entry point for the application.
A NAT instance to allow resources in the private subnet to initiate traffic to the Internet.

Clone the sample code from the AWS CDK examples repository

We can clone the AWS CDK code hosted on GitHub with:

$ git clone https://github.com/aws-samples/aws-cdk-examples.git

Then navigate to the directory aws-cdk-examples/python/vpc-ec2-local-zones using the following:

$ cd aws-cdk-examples/python/vpc-ec2-local-zones

Before starting the provisioning, let’s look at the code in the following sections.

Networking infrastructure

The networking infrastructure is usually the first building block that we must define. In AWS CDK, this can be done using the VPC construct:

import aws_cdk.aws_ec2 as ec2
vpc = ec2.Vpc(
            self,
            "Vpc",
            cidr=”172.31.100.0/24”,
            subnet_configuration=[
                ec2.SubnetConfiguration(
                    name = 'Public-Subnet',
                    subnet_type = ec2.SubnetType.PUBLIC,
                    cidr_mask = 26,
                ),
                ec2.SubnetConfiguration(
                    name = 'Private-Subnet',
                    subnet_type = ec2.SubnetType.PRIVATE_ISOLATED,
                    cidr_mask = 26,
                ),
            ]      
        )

Together with the VPC CIDR (i.e. 172.31.100.0/24), we define also the subnets configuration through the subnet_configuration parameter.

Note that in the subnet definitions above there is no specification of the Availability Zone or Local Zone that we want to associate them with. We can define this setting at the VPC level, overwriting the availability_zones method as shown here:

@property
def availability_zones(self):
   return [“us-east-1-atl-1a”]

As an alternative, you can use a Local Zone Name as the value of the availability_zones parameter in each Subnet definition. For a complete list of Local Zone Names, check out the Zone Names on the Local Zones Locations page.

Specifying ec2.SubnetType.PUBLIC in the subnet_type parameter, AWS CDK automatically creates an Internet Gateway (IGW) associated with our VPC and a default route in its routing table pointing to the IGW. With this setup, the Internet traffic will go directly to the IGW in the Local Zone without going through the parent AWS Region. For other connectivity options, check the AWS Local Zone User Guide.

The last piece of our networking infrastructure is a self-managed NAT instance. This will allow instances in the private subnet to communicate with services outside of the VPC and simultaneously prevent them from receiving unsolicited connection requests.

We can implement the best practices for NAT instances included in the AWS public documentation using a combination of parameters of the Instance construct, as shown here:

nat = ec2.Instance(self, "NATInstanceInLZ",
                 vpc=vpc,
                 security_group=self.create_nat_SG(vpc),
                 instance_type=ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
                 machine_image=ec2.MachineImage.latest_amazon_linux(),
                 user_data=ec2.UserData.custom(user_data),
                 vpc_subnets=ec2.SubnetSelection(availability_zones=[“us-east-1-atl-1a”], subnet_type=ec2.SubnetType.PUBLIC),
                 source_dest_check=False
                )

In the previous code example, we specify the following as parameters:

vpc – the VPC object created before.
security group – the Security Group containing the rules to allow HTTP and HTTPS traffic. The Security Group is created in create_nat_SG function provided in the code that we copied from the repository.
instance_type – the instance type, in our case a T3 Medium.
user_data – it contains the required OS configuration for the NAT instance that will be performed at instance start up.
vpc_subnets – the public subnet.
source_dest_check – False to disable the source/destination check.

The final required step is to update the route table of the private subnet with the following:

priv_subnet.add_route("DefRouteToNAT",
            router_id=nat_instance.instance_id,
            router_type=ec2.RouterType.INSTANCE,
            destination_cidr_block="0.0.0.0/0",
            enables_internet_connectivity=True)

The application stack

The other resources, including the front-end instance managed by AutoScaling, the back-end instance, and ALB are deployed using the standard AWS CDK constructs. Note that the ALB service is only available in some Local Zones. If you plan to use a Local Zone where ALB isn’t supported, then you must deploy a load balancer on a self-managed EC2 instance, or use a load balancer available in AWS Marketplace.

Stack deployment

Next, let’s go through the AWS CDK bootstrapping process. This is required only for the first time that we use AWS CDK in a specific AWS environment (an AWS environment is a combination of an AWS account and Region).

$ cdk bootstrap

Now we can deploy the stack with the following:

$ cdk deploy

After the deployment is completed, we can connect to the application with a browser using the URL returned in the output of the cdk deploy command:

The WordPress install wizard will be displayed in the browser, thereby confirming that the deployment worked as expected:

Note that in this post we use the Local Zone in Atlanta. Therefore, we must deploy the stack in its parent Region, US East (N. Virginia). To select the Region used by the stack, configure the AWS CLI default profile.

Cleanup

To terminate the resources that we created in this post, you can simply run the following:

$ cdk destroy

Conclusion

In this post, we demonstrated how to interact programmatically with the different AWS APIs available for Local Zones. Furthermore, we deployed a simple WordPress application in the Atlanta Local Zone after analyzing the AWS CDK code used for the deployment.

We encourage you to try the examples provided in this post and get familiar with the programmatic configuration and deployment of resources in a Local Zone.

Ekstrand: Exploring Rust for Vulkan drivers, part 1

2023-02-02

Post Syndicated from original https://lwn.net/Articles/922008/

Faith Ekstrand begins
an exploration of using the Rust language to write Vulkan graphics
drivers.

Whenever a Vulkan object is created or destroyed, the parent object
is passed to both the create and destroy functions. This ensures
that the lifetime of the child object is contained within the
lifetime of the parent object. In Rust terms, this means it’s safe
for the child object to contain a non-mutable reference to the
parent object. Vulkan also defines which entrypoint parameters must
be externally synchronized by the client. Externally synchronized
objects follow the same rules as mutable references in Rust.

Why did we build this?

When to use egress policies

Building egress policies

Next steps

How to get started

Hey Siri, help me

Zabbix Time!

Sleep Learn Adapt reporting

The wobbly bits

Голата истина

Стендбай за еврото

Трохи за избирателите

Заглавно изображение: Сградата на парламента в деня, в който депутатите от 48-мото Народно събрание положиха клетва. Снимка: parliament.bg

Голата истина

Стендбай за еврото

Трохи за избирателите

Цялото това честитене и честване ме кара да се замисля за думата „честито“.

изключително широката приложимост на думата.

прилагателното „честито“ е семантично свързано с думата „чест“.

Цялото това честитене и честване ме кара да се замисля за думата „честито“.

изключително широката приложимост на думата.

прилагателното „честито“ е семантично свързано с думата „чест“.

Overview of solution

Prerequisites

Create S3 buckets

Enable the Cost and Usage Reports

Enable Amazon S3 Inventory configuration

Create AWS Glue Data Catalog tables for CUR and Amazon S3 Inventory reports

Run queries in Athena to allocate the cost of objects in an S3 bucket

Clean up

Other methods for Amazon S3 storage analysis

Conclusion

About the Authors

How Does GitHub use this Action?

Understanding the branch deploy model

Key concepts

IssueOps

GitHub Actions

1. Create this file under .github/workflows/branch-deploy.yml in your GitHub repository:

2. Trigger a noop deploy by commenting .deploy noop on a pull request.

3. After your noop deploy completes, you would typically run .deploy to execute the actual deployment, fake regular deploy.

Features

Examples

Conclusion

The TL;DR

What Is Monument?

An Eye for Secure Photo Storage

The Gathering Cloud

Using Free Credits Wisely

Integrating Backblaze B2 Cloud Storage

Group Photos: Serving New Customers

A Monument to Security

Monument and Backblaze

Overview

Prerequisites

Enabling a Local Zone programmatically

How to check available EC2 instances in Local Zones

How to check prices of EC2 instances in Local Zones

Deploying WordPress in Local Zones using AWS CDK

Architecture overview

The application architecture is made of the following:

Clone the sample code from the AWS CDK examples repository

Networking infrastructure

The application stack

Stack deployment

Cleanup

Conclusion

The collective thoughts of the interwebz

1. Create this file under `.github/workflows/branch-deploy.yml` in your GitHub repository:

2. Trigger a noop deploy by commenting `.deploy noop` on a pull request.

3. After your noop deploy completes, you would typically run `.deploy` to execute the actual deployment, `fake regular deploy`.