Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=TA9hXAkjTMw
Is the Canon R5II Worth The Upgrade for Photographers?
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=SIlfDi0mIVQ
Samsung PM9E1 M.2 SSD Hits 4TB of Capacity and Full PCIe Gen5 Speeds
Post Syndicated from Cliff Robinson original https://www.servethehome.com/samsung-pm9e1-m-2-ssd-hits-4tb-of-capacity-and-full-pcie-gen5-speeds/
The Samsung PM9E1 can hit 14.5GB/s as a PCIe Gen5 M.2 drive. We hope the new SSD helps drive down pricing of 4TB SSDs.
The post Samsung PM9E1 M.2 SSD Hits 4TB of Capacity and Full PCIe Gen5 Speeds appeared first on ServeTheHome.
2View: The Self-Erasing VHS tape hacked with a paperclip
Post Syndicated from Techmoan original https://www.youtube.com/watch?v=iH4UFUdlmSo
Real estate market data and transactions at tax valuation
Post Syndicated from Bozho original https://blog.bozho.net/blog/4385
In response to a request I submitted, the Registry Agency provided me with extremely interesting data on real estate transactions in the country. Here are a few figures for Sofia and Varna, as cities with an active market:
Only 30% of real estate transactions in Sofia involve a mortgage, i.e. the remaining 70% are paid with available funds. In Varna, 18% involve a mortgage and 72% do not.
Among transactions with a mortgage, 11% are "at tax valuation", i.e. the tax valuation and the declared value coincide or differ by up to 5 thousand BGN.
Among transactions without a mortgage, 33% are "at tax valuation".
In Varna the gap in these figures is even wider: 5% are at tax valuation when there is a mortgage, and 40% when there is none.
In other words, when the transaction does not go through a bank, it is 3 times more likely that someone hands over money without declaring it to the agency. In theory this money could still be transferred through a bank, the goal being "simply" to save on tax, but it is probably also often just cash, of unclear origin (which is why the banking system is avoided).
Quite naturally, the average difference between the transaction value and the tax valuation is 105,000 for transactions without a mortgage and 226,000 for transactions with a mortgage. So these roughly 120 thousand per transaction on average are the hidden money. In Varna the figures are 123,000 versus 350,000.
It would also be interesting to see which banks allow transactions at tax valuation, because I suspect there will be a concentration.
It is evident from this data that tax evasion and possibly money laundering are far more likely when the banks' checks are bypassed.
Precisely because of the need to detect money laundering, in 2022 we added the additional fields to the Property Register so that the report above would be possible and potential money laundering could be identified accordingly. Not every instance of tax evasion in real estate transactions is money laundering, and not every cash payment "at tax valuation" is a violation of the law, but it is an indication of the risk of one.
These phenomena also affect the real estate market: if, for example, leva are being laundered before the euro is introduced, this inflates property prices.
Measures against this should be discussed thoroughly in the next parliament, in order to decide who should perform the additional checks on the origin of funds and money laundering risk when banks do not take part in the transaction (which appears to be the more common case): whether this should be the registry judges, the notaries, the National Revenue Agency, or each of them doing part of the work within their own competence.
The article "Real estate market data and transactions at tax valuation" was first published on БЛОГодаря.
The Week (30 September – 5 October)
Post Syndicated from Надежда Радулова original https://www.toest.bg/sedmitsata-30-septemvri-5-oktomvri-2/

Last Saturday the Israeli army killed Hezbollah leader Hassan Nasrallah. A day later, the far right won the elections in Austria with almost 30% of the vote. And although forming a government is far from a done deal for them, the very thought that they will have the most deputies in parliament is chilling. Meanwhile, Israel bombed a port in Yemen controlled by the Houthis and began a ground operation in Lebanon aimed at Hezbollah. In response, on Tuesday evening Iran launched over 100 ballistic missiles at military targets in the Tel Aviv area.
Against the backdrop of the grim international news and yet another escalation of tension in the Middle East, at home the heirs of the DPS are tearing each other bloody ahead of the approaching elections, while state institutions stage spectacular matches for them. And nothing remains for us but to pray that on 27 October someone goes to vote at all, because with the expected low turnout "Vazrazhdane" will come second... And that means more and more undemocratic, discriminatory and downright idiotic laws and legal amendments at our expense and at the expense of our poor children.
In the midst of this heavy military (and not only military) action, which is running on ever more fronts and taking over both our screens and our minds, we celebrated International Translation Day and World Music and Poetry Day. How does that sound after everything listed above?! Like an untimely, even somewhat cynical club party of oddballs?
But no, these are not different worlds. They never have been... Without Anne Frank, Primo Levi, Paul Celan, Solzhenitsyn, Shalamov, Alexievich, Herta Müller and many others, the atrocities of the demonic regimes of the 20th century would have remained behind the cold museum glass, safely separated from us. They would not have become a story. A sharpened blade that tears the membrane of our comfort every time we try to forget. An unlearned lesson that can, however, easily be recalled once the bell tolls.
According to the project "Недописанi" (Unfinished), 195 Ukrainian writers, poets and people of letters in general have died since the start of the war with Russia. And their number keeps growing... That is why on days like 30 September and 1 October we do not merely congratulate ourselves on what we have achieved and hand out awards, but celebrate the long memory of words, which outlives our bodies and cannot be cut short by any war, anyone's war.
And since lately the word "war" pops up from every corner of the map, in this issue we resume our Ukrainian series with news from the front and the rear, thanks to Nikoleta Atanasova. She tells us about her latest trip to "Unbreakable Ukraine" and again brings us together with Alla and Volodymyr, whom we already know and who continue to believe in a good outcome.
On the home front, Emilia Milcheva asks "Who is poking around in the liver" and turns the spotlight on the political ring, where Peevski keeps shouting "Stop thief!" and beating up his until-recently mentor Dogan, not without the help of his serf institutions.
Svetla Encheva, for her part, introduces us to a brand-new concept related to civil registration: the "official address". Thanks to its introduction into the law, citizens without a permanent address and therefore without identity documents finally get the right to such documents. This concerns a great many people: Roma, the homeless, Bulgarians living abroad, and even foreigners residing in Bulgaria. "Official address. How parliament restored the civil rights of tens of thousands of people": read this article, and if you have relatives or acquaintances in such a situation, let them know about the change.
How often does your confidence in your own literacy waver at the sight of a strange spelling decision or a grammatical usage that irritates your linguistic sensibility? In "Does the team have a soul?" Pavlina Varbanova serves us another chewy "portion of language", generously garnished with the masculine pronouns "кой"/"кого" (who/whom) and sprinkled with rules for their use that contradict our intuition.
In the "On Second Reading" column, Stefan Ivanov presents the book "The Buddha's Return" by the Russian émigré writer Gaito Gazdanov, in which a student wanders Paris as a flâneur and discovers the many bottoms of reality. As in fact each of us does every day...
We wish you pleasant reading, sunny weather and steady nerves, so that we can face what is coming, whatever it may be! We part with poetry and music: six songs by Michael Nyman to poems by the above-mentioned Paul Celan, performed by Ute Lemper. The fourth song is Corona:
Autumn eats its leaf out of my hand: we are friends.
We shell time from the nuts and teach it to walk:
time returns to the shell.
P.S. And while you stride through the soft autumn, don't forget that we exist only thanks to your support.
There’s Sad News Here
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=3s_rYN51--Y
Comic for 2024.10.05 – Leg Day
Post Syndicated from Explosm.net original https://explosm.net/comics/leg-day
New Cyanide and Happiness Comic
How to identify inactive users of Amazon Q Developer
Post Syndicated from Brian Beach original https://aws.amazon.com/blogs/devops/how-to-identify-inactive-users-of-amazon-q-developer/
Generative AI is leading to many new features and capabilities. As a result, your employees may not know about all the new tools you are deploying. I was recently working with a customer that had deployed Amazon Q Developer for all their software developers. However, many developers didn’t know they had access to the productivity companion. In this post, I will show you how to retrieve the list of users that have not yet activated their subscription, so you can reach out to them individually and remind them of the value using a tool like Q can bring to their daily work.
Amazon Q recently launched a feature that provides administrators more details about user subscriptions and usage. This capability provides insight into which users are adopting the service, their subscription status (e.g., active, pending, under free trial, canceled), and their corresponding associations. To get started, I will navigate to the Amazon Q console.
Note: I am navigating to the Amazon Q console, rather than Amazon Q Developer console. The Amazon Q console is used to manage subscriptions for both Amazon Q Business and Amazon Q Developer. The Amazon Q Developer console is used to configure features unique to Q Developer, such as customizations.
Once in the Amazon Q console, I select Subscriptions from the navigation options on the left. Then I select the Users tab. This view lists all the users that have access to Amazon Q. In the following example, I am viewing the organization instance. Therefore, the report includes users from all the accounts in my organization. Notice that the subscription status column tells me if a user is active, pending, or canceled. A pending user is one that has been invited, but has not yet activated a subscription. A user is active if they have configured the Amazon Q Developer extension or plugin in their integrated development environment (IDE).

While I could filter the view using the search box, I prefer to click the Download the total users report button. This creates a comma-separated value (CSV) file that I will use in a mail merge. With the CSV file downloaded, I next create an email template used to send an email to all the pending users. Of course, I’ll use Generative AI to write the email. Amazon Q Business helped me create the following template that articulates the value proposition and includes a link to the Amazon Q Developer documentation to help the developer get started. You might prefer to include links to your internal wiki rather than the public documentation.
Subject: Activate Your Amazon Q Developer Subscription Today!
Dear Developer,
We hope this email finds you well. We noticed that you have an Amazon Q Developer subscription that hasn’t been activated yet. We wanted to remind you about this powerful tool and encourage you to start using it today!
Why Use Amazon Q Developer? Amazon Q Developer offers numerous benefits to streamline your development process:
- AI-Powered Coding Assistance: Get real-time code suggestions and completions.
- Intelligent Code Reviews: Receive automated feedback on your code quality and security.
- Natural Language Query: Ask questions about your codebase in plain English.
- Seamless Integration: Works with popular IDEs and the command line.
To get started, check out Installing the Amazon Q Developer extension. You will need the following AWS IAM Identity Center start URL and region.
- Start URL: <insert start URL>.
- Region: <insert region>.
Don’t miss out on the opportunity to enhance your development workflow and increase your productivity. Activate your Amazon Q Developer subscription today and experience the future of AI-assisted coding!
If you have any questions or need assistance, please don’t hesitate to reach out to our support team at <insert email address>.
Happy coding!
Best regards, The Cloud Center of Excellence Team
Now, I can run a simple mail merge to inform users that they have access to an Amazon Q Developer subscription. Before I close, I want to note that this post only briefly describes the reporting available in Amazon Q Developer. If you would like to learn more, you can read about the developer dashboard, Amazon CloudWatch Metrics and AWS CloudTrail telemetry events provided by Amazon Q Developer.
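As an added example (not code from the original post), this script performs the filtering and mail-merge steps described above on the downloaded report: it keeps only users whose subscription status is pending and renders the reminder email for each. The CSV column names ("User", "Email", "Subscription status") and the sample report are assumptions constructed for the example; check the header row of your own download and adjust `COLUMNS`.

```python
"""Filter the Amazon Q subscriptions user report for pending users and
render the reminder email for each one.

Added example, not code from the original post. The column names in
COLUMNS are assumptions for this example; the sample CSV is constructed."""
import csv
import io
from string import Template

# Constructed sample of a downloaded "total users" report.
SAMPLE_REPORT = """User,Email,Subscription status
alice,alice@example.com,Active
bob,bob@example.com,Pending
carol,carol@example.com,Canceled
dave,dave@example.com,pending
"""

# Assumed column names (adjust to the real header row of your export).
COLUMNS = {"user": "User", "email": "Email", "status": "Subscription status"}

# Condensed version of the template from the post, with merge fields.
EMAIL_TEMPLATE = Template("""Subject: Activate Your Amazon Q Developer Subscription Today!
Dear $user,
We noticed that you have an Amazon Q Developer subscription that hasn't been activated yet.
To get started, install the Amazon Q Developer extension and sign in with:
- Start URL: $start_url
- Region: $region
If you need assistance, reach out to $support_email.
""")


def pending_users(report_csv: str) -> list:
    """Return the rows whose status is "pending" (invited, not yet activated).
    The comparison is case-insensitive because the casing of the exported
    status value is not something this script should depend on."""
    reader = csv.DictReader(io.StringIO(report_csv))
    missing = [c for c in COLUMNS.values() if c not in (reader.fieldnames or [])]
    if missing:
        # Fail loudly rather than silently mailing nobody.
        raise ValueError(f"report is missing expected columns: {missing}")
    return [
        row for row in reader
        if row[COLUMNS["status"]].strip().lower() == "pending"
    ]


def render_emails(report_csv: str, start_url: str, region: str,
                  support_email: str) -> dict:
    """Map each pending user's email address to the rendered reminder text."""
    return {
        row[COLUMNS["email"]]: EMAIL_TEMPLATE.substitute(
            user=row[COLUMNS["user"]],
            start_url=start_url,
            region=region,
            support_email=support_email,
        )
        for row in pending_users(report_csv)
    }


if __name__ == "__main__":
    merged = render_emails(SAMPLE_REPORT, "https://d-example.awsapps.com/start",
                           "us-east-1", "cloud-coe@example.com")
    for addr, body in merged.items():
        print(f"--- to {addr}\n{body}")
```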
Conclusion
Your employees may not know about all the new tools you are deploying. Amazon Q gives you the power to discover which users have activated their subscription. In this post, I showed you how to download the list of users who are not actively using the productivity tool, so you can contact them to increase subscription activation. To learn how to activate Amazon Q Developer for your developers, read managing subscriptions in the user guide.
Friday Squid Blogging: Map of All Colossal Squid Sightings
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/10/friday-squid-blogging-map-of-all-colossal-squid-sightings.html
Interesting map, from this paper.
Use the latest AWS innovations with the new AWS Cloud Control provider for Pulumi
Post Syndicated from Marina Novikova original https://aws.amazon.com/blogs/devops/use-the-latest-aws-innovations-with-the-new-aws-cloud-control-provider-for-pulumi/
We are pleased to announce the general availability of the AWS Cloud Control provider for Pulumi, a modern infrastructure management platform, which allows our customers to adopt AWS innovations faster than ever before. AWS has consistently expanded its range of services to support any cloud workload, supporting over 200 fully featured services and introducing more than 3,400 significant new features in 2024. This growth meant that Pulumi customers needed to wait for the community to add support for a new service or feature in the Classic provider. The AWS Cloud Control provider offers Day 1 support for new AWS capabilities, allowing customers to accelerate time-to-market by building cloud infrastructure with the latest AWS innovations using Pulumi. Customers can now use the AWS Cloud Control provider in Pulumi to adopt best practices to provision and manage new AWS capabilities at scale.
The AWS Cloud Control provider leverages the AWS Cloud Control API to automatically generate support for hundreds of AWS resource types, such as Amazon EC2 instances and Amazon S3 buckets. Since this provider is automatically generated, new features and services on AWS can be supported as soon as they are available in the AWS Cloud Control API, complementing capabilities that might not be immediately available in the standard Pulumi AWS Provider. Today, the AWS Cloud Control provider supports 1,000+ AWS resources and data sources, with more support being added as AWS continues to adopt the Cloud Control API standard. At launch, the AWS Cloud Control provider supports 550+ AWS capabilities which are not available in Pulumi's standard AWS provider, such as Amazon Q Business and Amazon Keyspaces (for Apache Cassandra).
The AWS Cloud Control provider is now generally available and can be used by customers to access newly launched AWS features and services using Pulumi. We plan to continue to add support for more resources and improve our user guide. You can start using this new provider alongside your existing AWS Classic provider. To learn more about the AWS Cloud Control provider, please check the provider documentation. For more examples, or if you run into any issues with the new provider, please don’t hesitate to submit your issue in the Pulumi AWS CC provider GitHub repository.
Comic for 2024.10.04 – Gun To Your Head 4
Post Syndicated from Explosm.net original https://explosm.net/comics/gun-to-your-head-4
New Cyanide and Happiness Comic
Metasploit Weekly Wrap-Up 10/04/2024
Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2024/10/04/metasploit-weekly-wrap-up-10-04-2024/
New module content (3)
cups-browsed Information Disclosure

Authors: bcoles and evilsocket
Type: Auxiliary
Pull request: #19510 contributed by bcoles
Path: scanner/misc/cups_browsed_info_disclosure
Description: Adds scanner module to retrieve CUPS version and kernel version information from cups-browsed services.
Acronis Cyber Infrastructure default password remote code execution
Authors: Acronis International GmbH and h00die-gr3y
Type: Exploit
Pull request: #19463 contributed by h00die-gr3y
Path: linux/http/acronis_cyber_infra_cve_2023_45249
AttackerKB reference: CVE-2023-45249
Description: This module exploits a default password vulnerability in Acronis Cyber Infrastructure (ACI) which allows an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal. This allows for the attacker to upload ssh keys that enables root access to the appliance/server. This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world.
VICIdial Authenticated Remote Code Execution
Authors: Jaggar Henry of KoreLogic, Inc. and Valentin Lobstein
Type: Exploit
Pull request: #19456 contributed by Chocapikk
Path: unix/webapp/vicidial_agent_authenticated_rce
AttackerKB reference: CVE-2024-8504
Description: This adds a module to exploit CVE-2024-8504, an authenticated RCE in VICIdial.
Enhancements and features (3)
- #19466 from jvoisin
- #19471 from zeroSteiner – This adds a plugin that offers the fzuse command to offer a different UI for the selection of modules. It requires fzf to be present.
- #19480 from jvoisin – This updates exploits/linux/local/service_persistence.rb to work on systems that are running OpenRC. This module will create a service on the box, and mark it for auto-restart.
Bugs fixed (2)
- #19523 from adfoster-r7
- #19526 from sjanusz-r7 – Reverts the Readline to Reline library upgrade, to fix an issue where users could not input Chinese characters correctly.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
Summer 2024 SOC 1 report now available in Japanese, Korean, and Spanish
Post Syndicated from Brownell Combs original https://aws.amazon.com/blogs/security/summer-2024-soc-1-report-now-available-in-japanese-korean-and-spanish/
At Amazon Web Services (AWS), we continue to listen to our customers, regulators, and stakeholders to understand their needs regarding audit, assurance, certification, and attestation programs. We are pleased to announce that the AWS System and Organization Controls (SOC) 1 report is now available in Japanese, Korean, and Spanish. This translated report will help drive greater engagement and alignment with customer and regulatory requirements across Japan, Korea, Latin America, and Spain.
The Japanese, Korean, and Spanish language versions of the report do not contain the independent opinion issued by the auditors, but you can find this information in the English language version. Stakeholders should use the English version as a complement to the Japanese, Korean, or Spanish versions.
Going forward, the following reports in each quarter will be translated. Spring and Fall SOC 1 controls are included in the Spring and Fall SOC 2 reports, so this translation schedule will provide year-round coverage of the English versions.
| Report | Period covered |
|---|---|
| Spring SOC 2 | April 1–March 31 |
| Summer SOC 1 | July 1–June 30 |
| Fall SOC 2 | October 1–September 30 |
| Winter SOC 1 | January 1–December 31 |
Customers can download the translated Summer 2024 SOC 1 reports in Japanese, Korean, and Spanish through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
The Summer 2024 SOC 1 report includes a total of 177 services in scope. For up-to-date information, including when additional services are added, see the AWS Services in Scope by Compliance Program webpage and choose SOC.
AWS strives to continuously bring services into scope of its compliance programs to help you meet your architectural and regulatory needs. Please reach out to your AWS account team if you have questions or feedback about SOC compliance.
To learn more about our compliance and security programs, see AWS Compliance Programs. As always, we value your feedback and questions; reach out to the AWS Compliance team through the Contact Us page.
Japanese version
Summer 2024 SOC 1 report now available in Japanese, Korean, and Spanish
We continuously listen to our customers, regulators, and stakeholders and strive to understand their needs regarding audit, assurance, certification, and attestation programs at Amazon Web Services (AWS). The AWS System and Organization Controls (SOC) 1 report is now available in Japanese, Korean, and Spanish. These translated reports are intended to strengthen alignment and cooperation with customer and regulatory requirements in Japan, Korea, Latin America, and Spain.
The Japanese, Korean, and Spanish versions of this report do not contain the independent third-party opinion issued by the auditors, but the English version does. Stakeholders should refer to the English version as a supplement to the Japanese, Korean, or Spanish versions.
Going forward, translated versions of the following quarterly reports will be provided. Because the SOC 1 controls are included in the Spring and Fall SOC 2 reports, this schedule, together with the English versions, covers translated reports for the whole year.
| Report | Period covered |
|---|---|
| Spring SOC 2 | April 1–March 31 |
| Summer SOC 1 | July 1–June 30 |
| Fall SOC 2 | October 1–September 30 |
| Winter SOC 1 | January 1–December 31 |
The Japanese, Korean, and Spanish versions of the Summer 2024 SOC 1 report can be downloaded through AWS Artifact (a self-service portal for on-demand access to AWS compliance reports). Sign in to AWS Artifact in the AWS Management Console, or see the Getting Started with AWS Artifact page for details.
The Summer 2024 SOC 1 report covers a total of 177 services. For the latest information, including when additional services are added, see AWS Services in Scope by Compliance Program and select [SOC].
AWS strives to continuously add services to the scope of its compliance programs to support customers' architectural and regulatory needs. For questions or feedback about SOC compliance, please contact your AWS account team.
For details on our compliance and security programs, see AWS Compliance Programs. We value your feedback and questions; please contact the AWS Compliance team through the Contact Us page.
Korean version
The Summer 2024 SOC 1 report is now available in Korean, Japanese, and Spanish.
Amazon continuously listens to the opinions of customers, regulators, and stakeholders to understand their requirements regarding audit, assurance, certification, and attestation programs at Amazon Web Services (AWS). We are pleased to announce that the AWS System and Organization Controls (SOC) 1 report is now available in Korean, Japanese, and Spanish. These translated reports will help increase customer engagement and support regulatory compliance across Japan, Korea, Latin America, and Spain.
The Japanese, Korean, and Spanish versions of the report do not contain the auditors' independent opinion, but this information is available in the English version. Stakeholders should use the English version to complement the Japanese, Korean, or Spanish versions.
Going forward, the following reports will be provided in translation every quarter. Since the SOC 1 controls are included in the Spring and Fall SOC 2 reports, this schedule provides year-round coverage in all translated languages together with the English versions.
| Report | Period covered |
|---|---|
| Spring SOC 2 | April 1–March 31 |
| Summer SOC 1 | July 1–June 30 |
| Fall SOC 2 | October 1–September 30 |
| Winter SOC 1 | January 1–December 31 |
Customers can download the Summer 2024 SOC 1 report translated into Japanese, Korean, and Spanish through AWS Artifact, a self-service portal that provides on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
The Summer 2024 SOC 1 report includes a total of 177 services. For the latest information, including when additional services are added, select SOC under AWS Services in Scope by Compliance Program.
AWS strives to continuously bring services into the scope of its compliance programs so that customers can meet their architectural and regulatory requirements. If you have questions or feedback about SOC compliance, please contact your AWS account team.
For details on compliance and security programs, see AWS Compliance Programs. As always, AWS values your feedback and questions. Please contact the AWS Compliance team through the Contact Us page.
Spanish version
The Summer 2024 SOC 1 report is now available in Japanese, Korean, and Spanish
We continue to listen to our customers, regulators, and stakeholders to understand their needs regarding audit, assurance, certification, and attestation programs at Amazon Web Services (AWS). We are proud to announce that the AWS System and Organization Controls (SOC) 1 report is available in Japanese, Korean, and Spanish. These translated reports will help drive greater engagement and alignment with regulatory and customer requirements in Japan, Korea, Latin America, and Spain.
These Japanese, Korean, and Spanish versions of the report do not contain the independent opinion issued by the auditors, but this information is available in the English version of the document. Stakeholders should use the English version as a complement to the Japanese, Korean, and Spanish versions.
Going forward, the following quarterly reports will be translated. Since the SOC 1 controls are included in the Spring and Fall SOC 2 reports, this schedule provides year-round coverage for all translated languages when combined with the English versions.
| Report | Period covered |
|---|---|
| Spring SOC 2 | April 1–March 31 |
| Summer SOC 1 | July 1–June 30 |
| Fall SOC 2 | October 1–September 30 |
| Winter SOC 1 | January 1–December 31 |
Customers can download the Summer 2024 SOC 1 reports translated into Japanese, Korean, and Spanish through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact through the AWS Management Console or learn more at Getting Started with AWS Artifact.
The Summer 2024 SOC 1 report includes a total of 177 services in scope. For up-to-date information, including news about when new services are added, see AWS Services in Scope by Compliance Program and select SOC.
AWS continually strives to add services to the scope of its compliance programs to help you meet your architectural and regulatory needs. If you have any questions or suggestions about SOC compliance, do not hesitate to contact your AWS account team.
For more information about our compliance and security programs, see AWS Compliance Programs. As always, we value your comments and questions; do not hesitate to contact the AWS Compliance team through the Contact Us page.
REAL Macro Lenses VS ‘Close Up’ VS Extension Tubes
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=5ECBj1t9BoU
MikroTik CRS304-4XG-IN 4-port 10Gbase-T Switch Launched
Post Syndicated from Rohit Kumar original https://www.servethehome.com/mikrotik-crs304-4xg-in-4-port-10gbase-t-switch-launched/
The MikroTik CRS304-4XG-IN is the company's 4-port 10Gbase-T switch for fanless, low-power 10GbE networking with a hint of funkiness.
The post MikroTik CRS304-4XG-IN 4-port 10Gbase-T Switch Launched appeared first on ServeTheHome.
[$] Smart pointers for the kernel
Post Syndicated from daroc original https://lwn.net/Articles/992055/
Rust has a plethora of smart-pointer types, including reference-counted pointers, which have special support in the compiler to make them easier to use. The Rust-for-Linux project would like to reap those same benefits for its smart pointers, which need to be written by hand to conform to the Linux kernel memory model. Xiangfei Ding presented at Kangrejos about the work to enable custom smart pointers to function the same as built-in smart pointers.
The Main Components of an Attack Surface Management (ASM) Strategy
Post Syndicated from Jon Schipp original https://blog.rapid7.com/2024/10/04/the-main-components-of-an-attack-surface-management-asm-strategy/

In part one of this blog series, we looked at some of the core challenges that are driving the demand for a new approach to Attack Surface Management. In this second blog I explore some of the key technology approaches to ASM and also some of the core asset types we need to understand. We can break the attack surface down into two key perspectives (or generalized network locations), each of which covers hybrid environments (Cloud, On-Premise):
- External (EASM) – Public facing, internet exposed cyber assets
- Internal – Private network accessible cyber assets
External (EASM)
Today, most available ASM solutions are focused on External Attack Surface Management (EASM) which provides an attacker’s perspective of an organization, an outside-in view. In fact, it’s common for organizations, and some analyst firms, to refer to EASM as ASM. However, while this is important, it is only a small, and partial view of the attack surface in most organizations.
EASM seeks to understand an organization's external attack surface by collecting telemetry about an organization's internet-exposed, public-facing assets. This telemetry is derived from different data sources such as vulnerability and port scans, system fingerprinting, domain name searches, TLS certificate analysis and more. It provides valuable insights into the low-hanging fruit that attackers will target. Core EASM capability is the equivalent of pointing a vulnerability scanner at your known external IP address range. However, unless your external environment is most of your business, this visibility alone is not enough and leaves organizations with a limited, partial view of their attack surface.
Internal
The internal attack surface is often the largest portion of an organization's digital footprint. Attackers frequently gain footholds in organizations through identity, ransomware, and supply-chain attacks, among many other attack vectors. Organizations need visibility into their internal attack surface to gain real insight into their digital estate and to be able to reduce their risk by understanding how their most vulnerable and business-critical systems are connected, monitored, and protected.
Today, most organizations that have adopted an ASM approach are manually correlating asset information in spreadsheets from various sources to combine business context with the security controls deployed on those assets, so they can answer basic questions about their security tool coverage and deployment gaps, and measure their compliance adherence.
The data sources in these spreadsheets typically include their directory services, such as Active Directory, combined with outputs from common security controls such as EDR or vulnerability scanning. Not only is this manual process time-consuming, but the information is often out of date by the next morning.
Organizations need a more scalable solution to this problem, which has led to the development of CAASM solutions to address this challenge.
Introducing CAASM, a new approach to attack surface and exposure management
Over the last few years an approach has emerged to address the attack surface discovery & visibility problem in a scalable, holistic way. It’s a long acronym that stands for Cyber Asset Attack Surface Management (CAASM).
CAASM is the security team’s take on asset management, but it’s much more than that. It addresses the internal visibility problem by aggregating and correlating asset information across an organization’s security and IT tools, providing a clearer, more accurate picture of an organization’s attack surface. Foundational to CAASM is a correlation engine and data model that builds relationships across different types of assets, controls, exposures and more. This technology is able to provide the best representation of an asset with full context from IT and security tools. It enables IT, SecOps, DevOps, and CloudOps teams to operate with the same information by breaking tool sprawl and data silos, enabling better visibility, communication, prioritization, and remediation of risk.
CAASM solutions work by ingesting data from IT, business applications, and security tools through simple API integrations that pull in asset data from each respective tool on a continuous basis, identifying unique assets through aggregation, de-duplication and correlation. This provides the best picture of your digital estate by breaking down the data silos and tool deployment gaps. The more data you ingest from your environment the more accurate the picture of your attack surface becomes.
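The aggregation, de-duplication and correlation step described above, as an added example that is not from the original post or any CAASM product: three constructed tool exports (a directory, an EDR console and a vulnerability scanner) are normalized onto one key per asset, and the unified view answers the coverage-gap question from earlier in the post. All hostnames and values are made up.

```python
# Added example, not from the original post; all records below are constructed.
DIRECTORY = [  # e.g. an Active Directory computer export
    {"name": "WS-0142.corp.example", "os": "Windows 11", "ou": "Finance"},
    {"name": "srv-db01.corp.example", "os": "Windows Server 2022", "ou": "Servers"},
    {"name": "srv-web03.corp.example", "os": "Ubuntu 22.04", "ou": "Servers"},
]
EDR = [  # e.g. an endpoint agent console export (note the differing name casing)
    {"hostname": "ws-0142", "agent": "7.2.1"},
    {"hostname": "SRV-DB01", "agent": "7.2.1"},
]
SCANNER = [  # e.g. a vulnerability scanner host list
    {"host": "srv-web03", "critical_vulns": 3},
    {"host": "srv-db01", "critical_vulns": 0},
    {"host": "lab-kiosk7", "critical_vulns": 5},  # known only to the scanner
]
REQUIRED_SOURCES = ("directory", "edr", "scanner")

def normalize(name: str) -> str:
    """Map 'WS-0142.corp.example' and 'ws-0142' onto the same correlation key."""
    return name.strip().lower().split(".")[0]

def correlate(directory, edr, scanner) -> dict:
    """Merge per-tool records into one asset per key, recording which tools saw it."""
    assets = {}

    def merge(key, source, attrs):
        asset = assets.setdefault(key, {"key": key, "sources": set()})
        asset["sources"].add(source)
        asset.update(attrs)

    for r in directory:
        merge(normalize(r["name"]), "directory", {"os": r["os"], "ou": r["ou"]})
    for r in edr:
        merge(normalize(r["hostname"]), "edr", {"edr_agent": r["agent"]})
    for r in scanner:
        merge(normalize(r["host"]), "scanner", {"critical_vulns": r["critical_vulns"]})
    return assets

def coverage_gaps(assets, required=REQUIRED_SOURCES) -> dict:
    """Which assets are missing which control? Fully covered assets are omitted."""
    gaps = {}
    for key, asset in assets.items():
        missing = sorted(set(required) - asset["sources"])
        if missing:
            gaps[key] = missing
    return gaps
```

With the constructed data, 8 raw records collapse to 4 unique assets, and the gap report shows one server without an EDR agent and one scanner-only host the directory does not know about.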
These solutions are continuing to evolve today to treat identities as assets, create software inventories, and map SaaS applications as part of the attack surface. When seeking a holistic attack surface solution, you should ensure it includes the following key features for optimal visibility:
- External Attack Surface Management
- Internal Attack Surface Management
- Unified data correlation engine
- Cloud resource aware
- Identities
- Software Inventory
Key Asset Types to Drive Attack Surface Visibility
NIST has a definition of asset that is very broad but will suffice for this article:
“An item of value to stakeholders… the value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns.”
Based on this definition, we will further narrow down the scope to focus on types of cyber assets that add the most value in understanding the Attack Surface. Let’s start with the most basic: machines.
Traditional Assets (Machines)
Often referred to simply as “assets,” these primarily include your employee and business application compute devices, such as workstations and servers. Due to the fast-paced evolution of digital infrastructure, this definition is quickly expanding to include infrastructure like virtual machines, containers, and object stores, or new asset categories are being created in Attack Surface Management solutions. The important thing is to make sure you have visibility into the cyber assets in your organization, however they’re defined.
Identities
Identities are the new perimeter, as some say, and are valuable assets to the business because they grant access to the business’s resources. Identity data suffers from the same data silo problems as other assets. Your company email address, for example, is typically used to authenticate and access many different business services and applications. If we can correlate data from sources like Active Directory, Okta, Google Suite, Office 365, KnowBe4 security training, we can provide security and IAM teams with visibility into not just the identities within the organization, but also key challenges in the identity attack surface, such as identities that have MFA disabled but also have Administrator access to key services.
A common challenge with identity discovery and attack surface management is that security teams attempt to map it using threat data. There is a significant difference in accuracy between detection rules and the identity source. For example, a service account that is actively enabled may be missed by a SIEM/XDR solution due to a lack of recent log activity, therefore excluding it from reports. By inventorying identities as assets, we can gather the status of the service account directly from the data source’s API. Both the identity telemetry data from the source (e.g. Okta, AD) and threat data (e.g. SIEM/XDR) can be leveraged to give a more accurate picture of the state of the environment.
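The identity correlation described in the two paragraphs above, as an added example that is not from the original post: constructed exports from an identity provider, a directory and a SaaS admin-role list are merged per email address, then queried for privileged identities without MFA and for active accounts that a log-driven inventory would miss. The group names treated as privileged and the SaaS application are assumptions for the example.

```python
# Added example, not from the original post; all records below are constructed.
IDP_USERS = [  # e.g. an Okta user export
    {"email": "Ana.Lopez@example.com", "status": "ACTIVE", "mfa_enrolled": True},
    {"email": "bob.chen@example.com", "status": "ACTIVE", "mfa_enrolled": False},
    {"email": "svc-backup@example.com", "status": "ACTIVE", "mfa_enrolled": False},
]
DIRECTORY_GROUPS = [  # e.g. Active Directory group membership
    {"mail": "ana.lopez@example.com", "groups": ["Finance", "Domain Admins"]},
    {"mail": "bob.chen@example.com", "groups": ["Finance"]},
    {"mail": "svc-backup@example.com", "groups": ["Backup Operators"]},
]
SAAS_ADMINS = {"hr-platform": ["bob.chen@example.com"]}  # e.g. a SaaS admin-role export
SIEM_SEEN_30D = {"ana.lopez@example.com", "bob.chen@example.com"}  # identities with recent logs
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}  # assumed set

def _blank(email):
    return {"email": email, "status": None, "mfa": None, "admin_of": set(), "sources": set()}

def correlate_identities(idp, groups, saas_admins) -> dict:
    """One record per lowercased email, merging status, MFA and admin roles from each source."""
    ids = {}
    for u in idp:
        rec = ids.setdefault(u["email"].lower(), _blank(u["email"].lower()))
        rec.update(status=u["status"], mfa=u["mfa_enrolled"])
        rec["sources"].add("idp")
    for g in groups:
        rec = ids.setdefault(g["mail"].lower(), _blank(g["mail"].lower()))
        rec["admin_of"].update(grp for grp in g["groups"] if grp in PRIVILEGED_GROUPS)
        rec["sources"].add("directory")
    for app, admins in saas_admins.items():
        for a in admins:
            rec = ids.setdefault(a.lower(), _blank(a.lower()))
            rec["admin_of"].add(f"saas:{app}")
            rec["sources"].add("saas")
    return ids

def admins_without_mfa(ids) -> list:
    """Active identities holding a privileged role anywhere but not enrolled in MFA."""
    return sorted(k for k, r in ids.items()
                  if r["status"] == "ACTIVE" and r["mfa"] is False and r["admin_of"])

def missed_by_log_based_inventory(ids, seen=SIEM_SEEN_30D) -> list:
    """Active identities a SIEM-derived inventory would omit for lack of recent activity."""
    return sorted(k for k, r in ids.items() if r["status"] == "ACTIVE" and k not in seen)
```

The service account is the point of the example: it is enabled at the source and holds a privileged group, yet it never appears in the SIEM's recent activity, so only the source-of-truth inventory surfaces it.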
Software Inventory
With the rise of supply-chain attacks and the increased presence of unapproved or outdated software, visibility into software has become a key part of understanding your attack surface. Inventorying all software installed and running on an asset, combined with security context around that software from vulnerability scanners, NGAV and Threat Intelligence, gives teams the best visibility into understanding and measuring the risks posed by unapproved or unauthorized code. A software inventory helps answer questions like:
- Which of my machines are running software that has a new, high-risk vulnerability?
- Which machines are running legacy or outdated software?
- What is the most vulnerable software in my environment that we should prioritize for remediation?
- Am I over-utilizing an application license?
Other types of ‘software adjacent’ assets include SaaS applications and web applications.
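Three of the questions above answered over a constructed software inventory joined to constructed advisory data, as an added example that is not from the original post. Product names, versions and the advisory ids are placeholders, not real software or CVEs, and the allow-list is an assumption.

```python
# Added example, not from the original post; inventories and advisories are constructed.
from collections import defaultdict

INSTALLED = [  # per-machine software inventory, e.g. exported from an endpoint agent
    {"host": "ws-0142", "product": "acme-pdf-reader", "version": "9.1"},
    {"host": "ws-0142", "product": "widgetsync", "version": "2.0"},
    {"host": "srv-db01", "product": "acme-pdf-reader", "version": "9.1"},
    {"host": "srv-web03", "product": "acme-pdf-reader", "version": "10.0"},
    {"host": "srv-web03", "product": "widgetsync", "version": "1.4"},
    {"host": "srv-web03", "product": "oldftpd", "version": "0.9"},
]
ADVISORIES = [  # constructed vulnerability records; ids are placeholders, not real CVEs
    {"id": "ADV-PLACEHOLDER-1", "product": "acme-pdf-reader", "affected": {"9.0", "9.1"}, "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "product": "widgetsync", "affected": {"1.4"}, "severity": "critical"},
]
APPROVED = {"acme-pdf-reader", "widgetsync"}  # hypothetical software allow-list
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

def exposed_hosts(installed, advisories, min_severity="high") -> dict:
    """Which machines run software with a vulnerability at or above min_severity?"""
    threshold = SEVERITY_RANK[min_severity]
    hits = defaultdict(set)
    for adv in advisories:
        if SEVERITY_RANK[adv["severity"]] < threshold:
            continue
        for row in installed:
            if row["product"] == adv["product"] and row["version"] in adv["affected"]:
                hits[adv["id"]].add(row["host"])
    return {k: sorted(v) for k, v in hits.items()}

def remediation_order(installed, advisories) -> list:
    """Advisory ids ordered by severity, then by how many hosts are exposed."""
    by_id = {a["id"]: a for a in advisories}
    hosts = exposed_hosts(installed, advisories, min_severity="low")
    return sorted(hosts, key=lambda i: (SEVERITY_RANK[by_id[i]["severity"]], len(hosts[i])),
                  reverse=True)

def unapproved_software(installed, approved=APPROVED) -> dict:
    """Hosts running software outside the allow-list (unapproved or legacy code)."""
    out = defaultdict(set)
    for row in installed:
        if row["product"] not in approved:
            out[row["product"]].add(row["host"])
    return {k: sorted(v) for k, v in out.items()}
```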
Now that we have identified the three major types of business assets to monitor in your attack surface, in the next blog we will explore how ASM solutions discover the assets in your environment and what to watch out for to ensure you have the best discovery capabilities so that you’re not missing large portions of your attack surface.
Three Friday kernel updates
Post Syndicated from daroc original https://lwn.net/Articles/992977/
The 6.11.2, 6.10.13, and 6.6.54 stable kernels have been released.
They contain important fixes, and upgrading is, as always, recommended.
oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)
Post Syndicated from jzb original https://lwn.net/Articles/992948/
The SUSE Security Team Blog has a detailed report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication.
Fellow SUSE engineer Fabian Vogt approached our Security Team about the project’s PAM module. A couple of years ago, the module gained a feature which allows placing the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users’ home directories. Since PAM stacks typically run as root, this can easily cause security issues.
