The Week (18–23 March)

Post Syndicated from Надежда Радулова original https://www.toest.bg/sedmitsata-18-23-mart/


"It was Monday, a fine rain was falling. Tuesday slipped away, damp, up the chimney." That is how, as in a children's rhyme, the week after Sirni Zagovezni (Shrovetide) began: with GERB's Sunday stunt, which at times looked like a damp squib but gradually gathered speed and ended in a big bang. Whereupon the long-rickety "assembly" fell apart into rusty screws and nuts, with slim chances of being put back together.

Against the backdrop of this bang and crash came a great deal of plastering over with GERB's well-known trowel. What ritual walks with folders to the Presidency there were, back and forth, come here, go there, and give me back my dolls, they're mine! What sulking and insults: do you respect me, scratch me here, tickle me there, and now apologize, but you really have to apologize, tag, you're it, and so on. A political circus that all of us have been sentenced to watch from the front row for six days now... And meanwhile the rotation becomes an ever greater mirage. Along with all the mirages derived from it.

At such moments nothing is left for us but to say, like Voltaire's Candide: "...but we must cultivate our garden." That is what we continue to do in our new issue... Even though we are fully convinced that we do not live, again per Voltaire, in "the best of all possible worlds."

To this political week, spread out before our eyes and still not dry from the rain and the negotiators' spittle, is devoted the analysis by Емилия Милчева, „Ще се сглобяват ли? Кой е на ход?“ ("Will They Assemble? Whose Move Is It?"). A text that traces the illogical thread connecting the actions of the negotiating political "men" and the peculiar status of the folder-bearing women.

Светла Енчева continues the "migrant topic" from the previous issue with her article „Как думата „мигрант“ стана дехуманизираща“ ("How the Word 'Migrant' Became Dehumanizing"). This time Светла presents not a specific case but rather discusses the legal parameters of concepts such as "migrant", "refugee", "asylum seeker" and so on, including the social and political filler with which we inflate and distort their meanings in Bulgaria. A truly educational text; it is worth reading carefully before we formulate a position on a topic that has been hot in recent weeks.

We stay with the problems of education in the latest interview by Надежда Цекулова, „От промяна в училищната среда към промяна в обществената“ ("From Change in the School Environment to Change in Society"). This time we meet Мария Стайнова and Виолетка Славова from the architecture studio „Лусио“, who design contemporary educational spaces within the context of school buildings. A key process in reforming the whole system, and impossible without the active participation of students and teachers.

After reading the latest dose of "science news" from Михаил Ангелов, as usual, we feel a little smarter and more hopeful about the future. This time that is thanks to the data from Voyager 1, according to which there is a chance that communication with the probe will be restored; to the possibility of producing human insulin from cows; to innovations in the field of solar panels; and to other constructive news from the bright side of human activity.

One more continuation this week: „Малайзия по стените“ ("Malaysia on the Walls") by Петя Кокудева. The journey continues among urban murals, colourful Buddhist temples, night markets, lavish woodcarvings, and local customs and legends. It sparks a spontaneous urge to set off there immediately!

„Госпожо, Вие май сте били затруднена от учтивата форма“ ("Madam, You Seem to Have Been Troubled by the Polite Form") is the new article by Павлина Върбанова, served in her column „Порция език“ ("A Portion of Language"). The capital letter and grammatical agreement sometimes turn out to be a stumbling block even for the most literate, especially in cases where the codifier's decisions are unsystematic and devoid of logic.

„Ще полети ли България в Космоса?“ ("Will Bulgaria Fly into Space?") asks Александър Нуцов, while, as the ironic saying goes, "everything else in the country is already in order." Yet there is reason in his question, given that worldwide the high-tech space industry accounts for an ever-larger share of business. One of the first steps in this direction is the creation of a space agency in Bulgaria; there is a chance this will happen by the end of the year. A master's programme in space research is also planned at at least three universities in the country.

In the end it turns out that studying space often solves entirely earthly problems, connected with that very garden Candide calls on us to cultivate. And who knows, one day the garden may turn out to be part of a completely different landscape: Martian or lunar?

Happy reading!


P.S. At the end of this week spring arrived, and the great writer Алек Попов departed. We will remember him. Our language will remember him. Light on his path, and eternal memory!

Run Trino queries 2.7 times faster with Amazon EMR 6.15.0

Post Syndicated from Bhargavi Sagi original https://aws.amazon.com/blogs/big-data/run-trino-queries-2-7-times-faster-with-amazon-emr-6-15-0/

Trino is an open source distributed SQL query engine designed for interactive analytic workloads. On AWS, you can run Trino on Amazon EMR, where you have the flexibility to run your preferred version of open source Trino on Amazon Elastic Compute Cloud (Amazon EC2) instances that you manage, or on Amazon Athena for a serverless experience. When you use Trino on Amazon EMR or Athena, you get the latest open source community innovations along with proprietary, AWS developed optimizations.

Starting from Amazon EMR 6.8.0 and Athena engine version 2, AWS has been developing query plan and engine behavior optimizations that improve query performance on Trino. In this post, we compare Amazon EMR 6.15.0 with open source Trino 426 and show that TPC-DS queries ran up to 2.7 times faster on Amazon EMR 6.15.0 Trino 426 compared to open source Trino 426. Later, we explain a few of the AWS-developed performance optimizations that contribute to these results.

Benchmark setup

In our testing, we used the 3 TB TPC-DS dataset stored in Amazon S3 in compressed Parquet format, with the metadata for databases and tables stored in the AWS Glue Data Catalog. This benchmark uses the unmodified TPC-DS data schema and table relationships. Fact tables were partitioned on the date column and contained 200-2,100 partitions. Table and column statistics were not present for any of the tables. We used the TPC-DS queries from the open source Trino GitHub repository without modification. Benchmark queries were run sequentially on two different Amazon EMR 6.15.0 clusters: one with Amazon EMR Trino 426 and the other with open source Trino 426. Both clusters used 1 r5.4xlarge coordinator and 20 r5.4xlarge worker instances.

Results observed

Our benchmarks show consistently better performance with Trino on Amazon EMR 6.15.0 compared to open source Trino. The total query runtime of Trino on Amazon EMR was 2.7 times faster compared to open source. The following graph shows performance improvements measured by the total query runtime (in seconds) for the benchmark queries.

Many of the TPC-DS queries ran more than five times faster than on open source Trino. Some queries showed even greater gains, such as query 72, which improved by 160 times. The following graph shows the top 10 TPC-DS queries with the largest improvement in runtime. For a succinct representation and to avoid skewing the graph, we've excluded q72.

Performance enhancements

Now that we understand the performance gains with Trino on Amazon EMR, let’s delve deeper into some of the key innovations developed by AWS engineering that contribute to these improvements.

Choosing a better join order and join type is critical to better query performance because it can affect how much data is read from a particular table, how much data is transferred to the intermediate stages through the network, and how much memory is needed to build up a hash table to facilitate a join. Join order and join algorithm decisions are typically made by cost-based optimizers, which use statistics to improve query plans by deciding how tables and subqueries are joined.

However, table statistics are often not available, out of date, or too expensive to collect on large tables. When statistics aren’t available, Amazon EMR and Athena use S3 file metadata to optimize query plans. S3 file metadata is used to infer small subqueries and tables in the query while determining the join order or join type. For example, consider the following query:

SELECT ss_promo_sk
FROM store_sales ss, store_returns sr, call_center cc
WHERE ss.ss_cdemo_sk = sr.sr_cdemo_sk
  AND ss.ss_customer_sk = cc.cc_call_center_sk
  AND cc_sq_ft > 0

The syntactic join order is store_sales joins store_returns joins call_center. With the Amazon EMR join type and order selection optimization rules, the optimal join order is determined even if these tables don't have statistics. For the preceding query, if call_center is considered a small table after its approximate size is estimated from S3 file metadata, EMR's join optimization rules will join store_sales with call_center first and convert that join to a broadcast join, speeding up the query and reducing memory consumption. Join reordering minimizes the intermediate result size, which further reduces the overall query runtime.
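As an added illustration of the decision described above (this is not AWS's implementation and not code from the post), the following Python sketch stands in for the planner: it sums the sizes of the Parquet objects under each table's S3 prefix in place of the missing statistics, treats any table below an assumed broadcast threshold as the build side of a broadcast join, and joins the smallest tables first so that intermediate results stay small. The threshold, the object sizes, and the plan representation are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed threshold below which a table is small enough to broadcast to every
# worker. The real engine's threshold and rules are not given in the post.
BROADCAST_THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB


@dataclass
class TableMeta:
    """What a planner can learn from listing a table's S3 location."""
    name: str
    object_sizes: List[int]  # byte sizes of the Parquet objects under the prefix

    @property
    def estimated_bytes(self) -> int:
        # Sum of compressed object sizes stands in for the missing row-count statistic.
        return sum(self.object_sizes)


def choose_join_type(build_side: TableMeta) -> str:
    """Broadcast when the build side is small; otherwise hash-partition both sides."""
    if build_side.estimated_bytes <= BROADCAST_THRESHOLD_BYTES:
        return "BROADCAST"
    return "PARTITIONED"


def plan_joins(probe: TableMeta, build_candidates: List[TableMeta]) -> List[Tuple[str, str, str]]:
    """Return (probe, build, join_type) steps with the smallest build side first.

    Joining the smallest table first keeps the intermediate result small, which is
    the effect the post describes for store_sales JOIN call_center.
    """
    ordered = sorted(build_candidates, key=lambda t: t.estimated_bytes)
    return [(probe.name, t.name, choose_join_type(t)) for t in ordered]


def syntactic_plan(probe: TableMeta, build_candidates: List[TableMeta]) -> List[Tuple[str, str, str]]:
    """The order the query text implies when no size information is used: every join partitioned."""
    return [(probe.name, t.name, "PARTITIONED") for t in build_candidates]


# Constructed sample: a large fact table, a mid-sized fact table, and a tiny dimension table.
STORE_SALES = TableMeta("store_sales", [256 * 1024 * 1024] * 1800)     # ~450 GiB
STORE_RETURNS = TableMeta("store_returns", [128 * 1024 * 1024] * 600)  # ~75 GiB
CALL_CENTER = TableMeta("call_center", [48 * 1024])                    # 48 KiB


def example_plan() -> List[Tuple[str, str, str]]:
    """Plan for the post's query: store_sales probed against store_returns and call_center."""
    return plan_joins(STORE_SALES, [STORE_RETURNS, CALL_CENTER])


if __name__ == "__main__":
    print("syntactic:", syntactic_plan(STORE_SALES, [STORE_RETURNS, CALL_CENTER]))
    print("reordered:", example_plan())
```

With these constructed sizes the reordered plan joins store_sales with call_center first as a broadcast join and only then with store_returns as a partitioned join, whereas the syntactic order would partition both joins.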

With Amazon EMR 6.10.0 and later, S3 file metadata-based join optimizations are turned on by default. If you are using Amazon EMR 6.8.0 or 6.9.0, you can turn on these optimizations by setting the session properties from Trino clients or adding the following properties to the trino-config classification when creating your cluster. Refer to Configure applications for details on how to override the default configurations for an application.

Configuration for join type selection:

session property: rule_based_join_type_selection=true
config property: rule-based-join-type-selection=true

Configuration for join reorder:

session property: rule_based_join_reorder=true
config property: rule-based-join-reorder=true

Conclusion

With Amazon EMR 6.8.0 and later, you can run queries on Trino significantly faster than on open source Trino. As shown in this blog post, our TPC-DS benchmark showed a 2.7 times improvement in total query runtime with Trino on Amazon EMR 6.15.0. The optimizations discussed in this post, and many others, are also available when running Trino queries on Athena, where similar performance improvements are observed. To learn more, refer to Run queries 3x faster with up to 70% cost savings on the latest Amazon Athena engine.

In our mission to innovate on behalf of customers, Amazon EMR and Athena frequently release performance and reliability enhancements on their latest versions. Check the Amazon EMR and Amazon Athena release pages to learn about new features and enhancements.


About the Authors

Bhargavi Sagi is a Software Development Engineer on Amazon Athena. She joined AWS in 2020 and has been working on different areas of Amazon EMR and Athena engine V3, including engine upgrade, engine reliability, and engine performance.

Sushil Kumar Shivashankar is the Engineering Manager for EMR Trino and Athena Query Engine team. He has been focusing in the big data analytics space since 2014.

Metasploit Weekly Wrap-Up 03/22/2024

Post Syndicated from Egor Kalinichev original https://blog.rapid7.com/2024/03/22/metasploit-weekly-wrap-up-03-22-2024/

New module content (1)

OpenNMS Horizon Authenticated RCE


Author: Erik Wynter
Type: Exploit
Pull request: #18618 contributed by ErikWynter
Path: linux/http/opennms_horizon_authenticated_rce
AttackerKB reference: CVE-2023-0872

Description: This module exploits built-in functionality in OpenNMS Horizon in order to execute arbitrary commands as the opennms user. For versions 32.0.2 and higher, this module requires valid credentials for a user with ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST. For versions 32.0.1 and lower, credentials are required for a user with ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.

Enhancements and features (5)

  • #18838 from SickMcNugget – This adds support for Debian and includes a number of fixes and improvements for the runc_cwd_priv_esc module. Prior to this fix, the module would incorrectly report some of the versions that the patch had been backported to as vulnerable.
  • #18841 from randomstr1ng – This PR updates the sap_icm_paths.txt wordlist with the newest entries.
  • #18885 from errorxyz – Enhances the sessions command so that both Meterpreter and the top level Metasploit prompt support sessions -i -1.
  • #18978 from dwelch-r7 – This PR updates several login modules to now display some messaging to the end of scans to tell the user how many credentials and/or sessions were successful.
  • #18980 from zgoldman-r7 – Improves the help command wording when interacting with basic shells.

Bugs fixed (2)

  • #18947 from molecula2788 – Fixes an issue with the exploits/windows/local/wmi_persistence module when PowerShell obfuscation was applied.
  • #18974 from zeroSteiner – Fixes a typo in the help menu of the dns command.

Documentation added (1)

  • #18965 from adfoster-r7 – This PR updates our README.md to remove a stale documentation link.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

7 Data Dilemmas + 5 Backup Strategies for World Backup Day 2024

Post Syndicated from Yev original https://backblazeprod.wpenginepowered.com/blog/7-data-dilemmas-5-backup-strategies-for-world-backup-day-2024/


Everyone’s favorite holiday is fast approaching. That’s right: World Backup Day is just around the corner on March 31 (if you’re new to celebrating). Many moons ago, we got together with some like-minded champions of the backup lifestyle to encourage people to protect their data, and World Backup Day was born. In the past we’ve shared internal metrics on backup trends, advice for talking to your family about backups, and learnings from our yearly backup poll (stay tuned in June for more of those!).

This year to mark the occasion, we’re revisiting some tales of bullets dodged and backup victories. You’ll find no scary monsters here—no, these tales end happily. We like to call them ReStories—heartwarming sagas of folks who found a data lifeline. And we’re throwing in some tips and tricks to help you protect your data, too. 

Let’s take a walk down ReStory lane.

Rising From the Ashes of the Marshall Fire Crisis

In 2021, the Marshall Fire left many in despair, but for Christopher G., it was a test of foresight. “A lifetime of memories were kept in my data, and years before this I decided to get a permanent backup solution,” Christopher shared. When disaster struck, Christopher lost his data—including his on-site backup copies—but he remembered he had an off-site backup stored in the cloud with Backblaze. He initiated a restore, and we sent hard drives with everything he needed to get his precious memories back. 

Tip 1: Mitigate Risks With 3-2-1 Backups

Christopher’s story is a powerful testament to being prepared with a 3-2-1 backup strategy, which means keeping three copies of your data on two different media with one stored off-site (and preferably in the cloud). When two copies of his data were wiped out by the Marshall fire, he could rely on his third copy to restore all of the data, including years of photos and important documents.

School District Protects Data for 23,000 Students

Bethel School District had 200 servers and 125TB of data backed up by Rubrik, a backup software provider, to Amazon S3, but high costs were straining their budget—so much so that they had to shorten needed retention periods. They moved their backup copies from Amazon S3 to Backblaze B2, resulting in savings of 75%, which allowed them the budget flexibility to reinstate longer retention times and better protect their data from the threat of ransomware.

It was really a couple clicks, about five minutes worth of work, and we were pointed to Backblaze.

—Patrick Emerick, Senior Systems Engineer, Bethel School District

Tip 2: Plan for a Ransomware Attack Before It Happens

Ransomware attacks specifically targeting school districts and universities are on the rise—79% of institutions reported they were hit with ransomware in the past year. A ransomware attack is not a matter of if, but when, and that’s true whether you’re a school, university, business, or just someone who has data they care about. Take a cue from Bethel School District and take proactive measures to protect your business data from ransomware, like establishing retention periods that allow you to recover adequately in the event of an attack.

Backing Up Years of Research

The Caesar Kleberg Wildlife Research Institute at Texas A&M–Kingsville needed an endpoint backup solution to protect data on researchers’ laptops in the field and on-site, knowing researchers in the field don’t always follow protocols to the letter when it comes to saving their data. The Institute’s IT manager implemented Backblaze Computer Backup which gave him the ability to remotely manage faculty and staff backups. And he knows that, with no added fees, recoveries won’t be cost prohibitive.

Tip 3: Manage Backups Centrally

Whether you’re a remote employee or managing them, it can help to have tools like silent install, fine-grained access permissions, and management controls (at Backblaze, you can access all of these via Enterprise Control for Computer Backup). That way you can stay focused on what matters most instead of updating backup clients and fiddling with settings. Plus, you don’t have to worry about backups being accidentally deleted or tampered with. 

Glenda B.’s Emotional Rescue: 20 Years of Memories Reclaimed

Losing decades of family photos can be devastating, a sentiment echoed by Glenda B.: “Several years ago my photos were all inexplicably deleted from my computer—20 years of family photos gone in an instant!” Some of them were on iCloud, but there were years of older photos that were only stored on her computer. Fortunately, she had very recently installed Backblaze Computer Backup, so all of her photos were safely backed up in the cloud. Glenda initiated a restore with Backblaze, restoring her files and her invaluable memories. 

Tip 4: Sync Is Not Backup

If you’re like Glenda, your digital life is probably scattered across your computer, external hard drives, and multiple sync services from iCloud to Google Drive. Glenda’s story is an important lesson that sync is not backup. Sync services are great for sharing data and accessing it on multiple devices, but that doesn’t help you when you lose data that’s only stored on your computer or when you accidentally delete a file and don’t realize it. One of the drawbacks of using sync services as a backup is that data outside those services is vulnerable. And the fix for that vulnerability is to use a true backup service to protect all of your data. 

What Happens When One-Third of Your Employees’ Machines Crash?

BELAY Solutions is a staffing company that connects organizations with virtual assistants, bookkeepers, website specialists, and social media managers. While performing scheduled system updates across BELAY’s fleet of Macs, nearly a third of the company’s machines crashed. After shipping out replacement laptops, the IT team empowered BELAY employees to use Backblaze Business Backup to recover their own data independently in a matter of minutes.

Our work is very time intensive, so our team can’t be offline for long—you always need reliable technical assets to support virtual assistants in the field.

—Cam Cox, IT Systems Administrator, BELAY Solutions

AJ’s Tech Misadventure: Averting a Digital Disaster

Upgrading your computer’s operating system is routine until it results in an accidental wipeout, as AJ found out. “In summer 2020, I accidentally wiped my external hard drive while downloading a copy of Windows 10,” he recounts. But thanks to Backblaze, AJ could redownload everything, salvaging irreplaceable files. 

Rob D.’s Professional Life: Recovering Years of Work

For Rob D., a graphic designer, losing years of work to a computer crash was catastrophic. He woke up to the “dreaded blue screen of death” and despite efforts, only scattered metadata could be salvaged. But, Backblaze came to the rescue. “As a graphic designer, YEARS of design projects were gone in a flash. Clients…were not too pleased…Enter Backblaze,” Rob said. With a new hard drive filled with his backed up data, he experienced immense relief. “Can’t quite describe the feeling of relief I felt at that moment knowing that I was going to be ok. THANK YOU Backblaze!! I’m a customer for life!”

Tip 5: Reduce Downtime With Self-Serve Backup Solutions

Even tech-savvy folks like AJ, Rob D., and the staff at BELAY Solutions can get flustered when they suddenly lose their data or their ability to work, so an easy restore process that everyone can use themselves, no matter their level of IT knowledge, is essential for those high-stress situations. BELAY initially chose Backblaze for its simplicity and ease of use. “I’ve been able to help someone get their data back within five minutes. I don’t think that ever would have happened using our previous tool,” said Cam Cox, IT Systems Administrator. And, Backblaze user AJ relayed that having Backblaze was “worth every penny for the rapid restore process.”

Take the World Backup Day Pledge This Year

As we celebrate World Backup Day, let’s take a moment to recognize the critical role that data backup plays in safeguarding our digital assets against unforeseen threats. Whether you’re a business owner, an IT director, or an individual user, investing in robust backup solutions is an investment in resilience and peace of mind. By embracing proactive measures and leveraging technology to fortify our defenses, we can navigate the complexities of the digital age with confidence and resilience. We encourage you to take the World Backup Day pledge, feel free to reach out to us on socials, and check back in June to see the newest results of our yearly backup survey.


Migrate your Windows PKI from Microsoft Active Directory Certificate Services to AWS Private CA Connector for Active Directory

Post Syndicated from Axel Larsson original https://aws.amazon.com/blogs/security/migrate-your-windows-pki-from-microsoft-active-directory-certificate-services-to-aws-private-ca-connector-for-active-directory/

When you migrate your Windows environment to Amazon Web Services (AWS), you might need to address certificate management for computers and users in your Active Directory domain. Today, Windows administrators commonly use Active Directory Certificate Services (AD CS) to support this task. In this post, we will show you how to migrate AD CS to AWS Private Certificate Authority by using the AWS Private CA Connector for Active Directory.

AWS Private CA provides a highly available private certificate authority (CA) service without the upfront investment and ongoing maintenance costs of operating your own private CA. Using the APIs that AWS Private CA provides, you can create and deploy private certificates programmatically. You also have the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names. With AWS Private CA, you can create your own CA hierarchy and issue certificates for authenticating internal users, computers, applications, services, servers, and devices and for signing computer code.

Use cases for certificate services that integrate with Active Directory

AD CS is commonly used in enterprise environments because it integrates certificate management with Active Directory authentication, authorization, and policy management. A common use case for AD CS is certificate auto-enrollment. Using AD Group Policies, you can configure certificates to automatically be created for users as they log in to the domain, or you can configure computer certificates, which are associated with each workstation or server that joins the domain. You can then use these certificates for authentication or digital signature purposes. A common use case is for authentication of devices to protected networks, such as wired networks that require 802.1x authentication or wireless networks that are protected by WPA2/3 with EAP-TLS authentication. Auto-enrolled computer and user certificates are also commonly used to authenticate VPN connections.

In addition to certificate auto-enrollment, AD CS also integrates with Active Directory to publish certificate information directly to the user and computer objects in Active Directory. In this way, you can integrate the lifecycle management of the certificates directly into your existing processes for managing the lifecycle of AD users and computers that are joined to the domain.

Options to deploy certificate services that integrate with Active Directory on AWS

To migrate your Windows environment to the cloud, you probably want to retain the capabilities of a CA that integrates with Active Directory. Although you can migrate AD CS directly to AWS and run it on an Amazon Elastic Compute Cloud (Amazon EC2) instance running Windows, we will show you how to use AWS Private CA with the Connector for AD to provide an Active Directory integrated CA that offers the benefits of AD CS without the need to manage AD CS or hardware security modules (HSMs).

Why migrate your on-premises CA to AWS Private CA?

Migrating AD CS to AWS Private CA has several benefits. With AWS Private CA, you get simplified certificate management, eliminating the need for an on-premises CA infrastructure and reducing operational complexity. AWS Private CA provides a managed service, reducing the operational burden and providing high availability and scalability. Additionally, it integrates with other AWS services, so it’s simpler to manage and deploy certificates across your infrastructure. The centralized management, enhanced security features, and simplified workflows in AWS Private CA can streamline certificate issuance and renewal processes, enabling you to more efficiently achieve your security goals.

AWS manages the underlying infrastructure, which can help reduce costs, and automation features help prevent disruptions that expired certificates could cause. AWS Private CA operates as a Regional service with an SLA of 99.9% availability. For environments that require the highest level of availability, you can deploy CAs in multiple AWS Regions by following the guidance on redundancy and disaster recovery in the documentation.

AWS Private CA Connector for AD extends the certificate management of AWS Private CA to AD environments. With the Connector for AD, you can use AWS Private CA to issue certificates for AD users and computers joined to your domain. This includes integration with Windows Group Policy for certificate auto-enrollment.

How do I migrate to the Connector for AD?

Transitioning from an existing AD CS server to the Connector for AD involves several steps.

Assessment and planning

Before you begin, identify the use cases for your existing AD CS server and how certificates are issued. In this post, we focus on certificates that are auto-enrolled by using a Group Policy, but you might have other use cases where you must manually enroll certificates by using the Web Enrollment server or APIs. These might include use cases for signing software packages or web server certificates for intranet applications. Start by creating a certificate inventory from your existing AD CS server.

To create a certificate inventory from your existing AD CS server

  1. In the Microsoft CA console, select Issued Certificates.
  2. From the Action menu, select Export List.

    Figure 1: Export a list of existing certificates

This produces a CSV file of the certificates that the server issued. To determine which certificates were created as part of an auto-enrollment policy and to identify special cases that require manual attention, sort this file by Certificate Template.
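Sorting the export by Certificate Template is the step that separates auto-enrolled certificates from the special cases. As an added example (not code from the post or from AWS), the following Python script does that triage offline on a constructed sample of such an export: it counts issued certificates per template, lists the templates that are not covered by the auto-enrollment templates you name, and flags certificates that will expire before a cutoff date, which tells you how much time the migration has before auto-renewal would have kicked in on the old CA. Only the "Certificate Template" column is named in the post; the other column names, the "(OID)" suffix on template names, and the date format are assumptions for this illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample of an exported "Issued Certificates" list. Column names other
# than "Certificate Template", the OID suffix, and the date format are assumed.
SAMPLE_CSV = """Request ID,Requester Name,Certificate Template,Issued Common Name,Certificate Expiration Date
101,CORP\\WS01$,Computer (1.3.6.1.4.1.311.21.8.1.1.1),WS01.corp.example,2025-01-15 08:00
102,CORP\\WS02$,Computer (1.3.6.1.4.1.311.21.8.1.1.1),WS02.corp.example,2025-02-01 09:30
103,CORP\\alice,User,alice,2024-11-20 10:00
104,CORP\\svc-build,Code Signing,Build Server,2026-06-30 12:00
105,CORP\\SRV01$,Web Server,intranet.corp.example,2024-09-01 00:00
"""

DATE_FORMAT = "%Y-%m-%d %H:%M"  # assumed format of the exported dates


def load_inventory(text: str) -> List[Dict[str, str]]:
    """Parse the exported list into one dict per issued certificate."""
    return list(csv.DictReader(io.StringIO(text)))


def template_name(raw: str) -> str:
    """Strip the '(OID)' suffix that the console appends to some template names."""
    return raw.split(" (", 1)[0].strip()


def summarize_by_template(rows: List[Dict[str, str]]) -> Counter:
    """Count issued certificates per template: the view you get by sorting the export."""
    return Counter(template_name(r["Certificate Template"]) for r in rows)


def manual_templates(rows: List[Dict[str, str]], auto_enrolled: Set[str]) -> Set[str]:
    """Templates in active use that are not auto-enrolled; these need manual attention."""
    return set(summarize_by_template(rows)) - auto_enrolled


def expiring_before(rows: List[Dict[str, str]], cutoff: str) -> List[str]:
    """Request IDs of certificates that expire before the cutoff, soonest first.

    The cutoff uses DATE_FORMAT. Anything listed here would have been renewed by the
    old CA if the migration is not finished by then, so plan those first.
    """
    limit = datetime.strptime(cutoff, DATE_FORMAT)
    due = [(datetime.strptime(r["Certificate Expiration Date"], DATE_FORMAT), r["Request ID"])
           for r in rows]
    return [request_id for when, request_id in sorted(due) if when < limit]


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CSV)
    print("per template:", dict(summarize_by_template(inventory)))
    print("manual cases:", manual_templates(inventory, {"Computer", "User"}))
    print("expiring before 2024-12-31:", expiring_before(inventory, "2024-12-31 00:00"))
```

Point load_inventory at the real export and replace the auto-enrolled set with the template names your Group Policy actually enrolls; the remaining templates are the ones to review individually before switching enrollment to the new CA.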

Set up AWS Private CA and the Connector for AD

To complete the initial setup of the Connector for AD, see Getting started with AWS Private CA Connector for Active Directory. When you complete the setup, you can start transitioning enrollment to the new CA.

Configure trust for the new CA

Depending on where you put the new private CA in your organization’s public key infrastructure (PKI) hierarchy, you might want to make sure that its certificate is imported into all of the client trust stores before you issue new certificates using the CA. For Windows devices, creation of the Connector for AD imports the CA certificate into Active Directory, and automatically distributes it to the trust stores of domain-joined computers.

For non-Windows devices, you need to evaluate other use cases for issued certificates on the network and follow vendor instructions for updating trust stores. For example, if you use client certificates for wired 802.1x and Wi-Fi Protected Access (WPA) enterprise authentication, you need to import the new root CA certificate into the trust stores of the RADIUS servers that you use for authentication.

Export the CA certificate

The next step is to export the certificate by using the AWS Management Console.

To export the certificate

  1. Open the AWS Private CA console.
  2. Navigate to your private CA.
  3. Choose the CA certificate tab.
  4. Select Export certificate body to a file.

    For import into an Active Directory Group Policy Object (GPO), name the exported file with a .cer file extension.

    Figure 2: Export the CA certificate

Transition certificate enrollment to the new CA

After you configure AWS Private CA and the Connector for AD and update your trust stores as necessary, you can begin to transition certificate enrollment to the new CA. In Active Directory domains, certificates are typically created automatically by using an auto-enrollment Group Policy. To migrate enrollment to your new CA, you need to configure certificate templates with the appropriate properties to match your requirements, assign permissions to the templates, and configure the Group Policy to point the enrollment client on Windows devices to the new CA.

Configure certificate templates

Certificate templates define the enrollment policy on a CA. An Active Directory CA only issues certificates that conform to the templates that you have configured. Using the certificate inventory that you collected from your existing AD CS server, you should have a list of certificate templates that are in active use in your environment and that you need to replicate in the Connector for AD.

Start by noting the properties of these certificate templates on your existing AD CS server.

To note the properties of the certificate templates

  1. Open the Certificate Authority console on your AD CS server.
  2. Navigate to the Certificate Templates folder.
  3. From the Action menu, select Manage. This opens the Certificate Templates console, which shows a list of the certificate templates available in Active Directory.

    Figure 3: Identify certificate templates

  4. For each certificate template that is in active use, open it and take note of its settings, particularly the following:
    • Template name, validity period, and renewal period from the General tab.
    • Certificate recipient compatibility from the Compatibility tab.
    • Certificate purpose and associated checkboxes in addition to whether a private key is allowed to be exported from the Request Handling tab.
    • Cryptography settings from the Cryptography tab.
    • The extensions configured from the Extensions tab.
    • Settings for the certificate subject and subject alternative name (SAN) from the Subject Name tab.
    • Review the Security tab for the list of Active Directory users and groups that have Enroll or AutoEnroll permissions. The other permission settings, which control which AD principals have the ability to modify or view the template itself, don’t apply to AWS Private CA because IAM authorization is used for these purposes.
       
      Figure 4: Certificate template properties

After you gather the configuration details for the certificate templates that are in active use, you need to configure equivalent templates within the Connector for AD.

To configure templates in the Connector for AD

  1. Open the AWS Private CA console.
  2. Navigate to Private CA Connector for AD.
  3. Select your connector.
  4. In the Templates section, choose Create template.
     
    Figure 5: Certificate template configuration in the Connector for AD

  5. You can then begin configuring your certificate template by using the settings that you obtained from your existing AD CS server. For a complete description of the settings that are available in the certificate template, see Creating a connector template.
     
    Figure 6: Certificate template settings

  6. Assign permissions to the template.

    You must manually enter the Active Directory Security Identifier (SID) of the user or group that you are assigning the Enroll or Auto-enroll permission to. For instructions on how to use PowerShell to obtain the SID of an Active Directory object, see Managing AD groups and permissions for templates.

    We recommend that you initially assign your certificate templates to a small test group that contains a set of Active Directory computers or users that will be used to test the new CA. When you are confident that the new CA issues certificates correctly, you can modify the permissions to include the full set of Active Directory user and computer groups that were assigned to the template on your original AD CS server.
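Step 6 expects the SID in its textual S-1-… form. If you pull the objectSid attribute over LDAP rather than with the PowerShell cmdlets the post links to, you get the binary form instead. The following added example (not code from the post or from AWS) decodes that binary SID, re-encodes it for LDAP filters, and sanity-checks that what you are about to paste into the template permissions is a domain principal (S-1-5-21-…) rather than a BUILTIN or well-known SID. The sample objectSid bytes, the domain identifier and the group RID 1105 are constructed.

```python
"""Decode and validate Active Directory SIDs for Connector for AD template permissions.
Added example, not from the post. The objectSid bytes and the group below are
constructed; use them only to exercise the code."""
import struct

# Well-known relative IDs you typically see when assigning Enroll / AutoEnroll.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   515: "Domain Computers", 516: "Domain Controllers"}

# Constructed objectSid for the group S-1-5-21-1234567890-987654321-1122334455-1105.
SAMPLE_OBJECTSID = bytes.fromhex(
    "0105" "000000000005" "15000000" "d2029649" "b168de3a" "f776e542" "51040000")


def sid_to_string(raw):
    """Convert the binary objectSid attribute (as LDAP returns it) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])        # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text):
    """Inverse of sid_to_string, for writing a SID back into an LDAP filter."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("malformed SID")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_domain_principal(text):
    """True only for S-1-5-21-<three domain sub-authorities>-<RID>, i.e. a user,
    group or computer defined in the domain. BUILTIN (S-1-5-32-...) and other
    well-known SIDs fail this check, which is the sanity test to run before
    pasting a SID into the template's Enroll / AutoEnroll permission."""
    parts = text.split("-")
    return (len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]
            and all(p.isdigit() for p in parts[1:]))


def describe(text):
    """Label the RID of a domain SID when it belongs to a well-known group."""
    if not is_domain_principal(text):
        raise ValueError("not a domain principal SID")
    rid = int(text.rsplit("-", 1)[1])
    return WELL_KNOWN_RIDS.get(rid, "RID %d (custom user, group or computer)" % rid)


if __name__ == "__main__":
    sid = sid_to_string(SAMPLE_OBJECTSID)
    print(sid, "->", describe(sid))
```

The binary layout is revision (1 byte), sub-authority count (1 byte), a 48-bit big-endian identifier authority, then the sub-authorities as 32-bit little-endian integers; the mixed endianness is the usual source of wrong SIDs when people hand-roll this.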

Configure Group Policy for automatic certificate enrollment

With the Connector for AD configured with the required certificate templates, you are ready to configure the AD Group Policy to enable automatic enrollment of user and computer certificates. We suggest that you start with a test organizational unit (OU) in Active Directory, where you can put user and computer objects to make sure that enrollment is working properly. The existing AD CS server and the Connector for AD can continue to coexist until you are ready to replace the certificates.

In this example, you configure a new Group Policy object that is linked to an OU called Test OU, where you will place computer objects for testing.

To configure a new Group Policy object

  1. Within the Group Policy object, locate the settings for controlling enrollment under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
     
    Figure 7: Active Directory Group Policy Editor

  2. Configure the Certificate Services Client – Certificate Enrollment Policy to point clients at the URL of the Connector for AD:
    1. Set the Configuration Model to Enabled.
    2. Add a new item to the Certificate enrollment policy list.
       
      Figure 8: Certificate Services Client Group Policy settings

  3. Enter the URL of your connector and leave the Authentication mode set to Windows Integrated. Then choose Validate.

    Note: You can find the URL of your connector in the AWS Private CA Connector for AD console under Certificate enrollment policy server endpoint.

    Figure 9: Connector details

  4. After you save your configuration, remove the Active Directory Enrollment Policy from the list so that the Group Policy only references the Connector for AD. A completed configuration will look similar to the following:
     
    Figure 10: Certificate services client settings with Active Directory enrollment policy removed

  5. From within the Group Policy editor, open the Certificate Services Client – Auto-enrollment policy to configure auto-enrollment of computer certificates. Set Configuration Model to Enabled, and select the following:
    • Renew expired certificates, update pending certificates, and remove revoked certificates
    • Update certificates that use certificate templates
       
      Figure 11: Certificate Services client auto-enrollment policy settings

After you configure the Group Policy, computers in OUs that the Group Policy is linked to will start automatically enrolling certificates by using AWS Private CA, subject to the permissions defined on the certificate templates. To review the progress of certificate enrollment, use private CA audit reports.

When you complete testing and gain confidence in your certificate roll-out, extend the scope of the GPO and Active Directory permissions on the certificate templates to cover additional users and computers.

Revocation and decommissioning

You can continue to review the Private CA audit reports to confirm progress with auto-enrollment of certificates from the new CA. If you have computers that infrequently connect to the network, this can take some time. As part of this process, address your use cases that aren’t covered by auto-enrollment, which you identified from your initial certificate inventory. These might include web server certificates for internal applications or code-signing certificates for distributing software packages. You can issue replacement certificates for these use cases by using the AWS Private CA APIs or CLI without depending on the Active Directory integration. For more information, see Issuing private end-entity certificates.
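Reviewing the audit report by eye stops scaling once a few hundred computers are involved. The following added example (not part of the post) reconciles a Private CA audit report with the certificate inventory you built at the start of the migration: it lists which expected hosts hold an active certificate, which still have to enroll (the infrequently connecting machines mentioned above), which subjects were not in the inventory at all, and which certificates are already revoked. The records and the expected host list are constructed; the field names (subject, templateArn, issuedAt, revokedAt, notAfter) follow the audit report JSON format and the template ARN values are placeholders, so check both against a report exported from your own CA.

```python
"""Reconcile an AWS Private CA audit report with the certificate inventory.
Added example, not part of the post. The records and the expected host list
are constructed; the field names follow the audit report JSON format and the
template ARN values are placeholders. Verify both against your own report."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

WORKSTATION, WEBSERVER = "template/Workstation", "template/WebServer"   # placeholder ARNs


def _record(serial, cn, template, issued_at, revoked_at=""):
    """One constructed audit report entry; validity is one year from issuance."""
    return {"awsAccountId": "123456789012",
            "certificateArn": "arn:aws:acm-pca:us-east-1:123456789012:"
                              "certificate-authority/ca-1/certificate/" + serial,
            "serial": serial,
            "subject": "CN=%s,OU=Devices,DC=corp,DC=example,DC=com" % cn,
            "notBefore": issued_at, "notAfter": issued_at.replace("2024", "2025"),
            "issuedAt": issued_at, "revokedAt": revoked_at,
            "revocationReason": "KEY_COMPROMISE" if revoked_at else "",
            "templateArn": template}


SAMPLE_REPORT = json.dumps([
    _record("01", "ws01.corp.example.com", WORKSTATION, "2024-03-18T10:00:00Z"),
    _record("02", "ws02.corp.example.com", WORKSTATION, "2024-03-18T11:30:00Z",
            revoked_at="2024-03-20T09:00:00Z"),
    _record("03", "srv01.corp.example.com", WEBSERVER, "2024-03-19T08:15:00Z"),
])
EXPECTED_HOSTS = ["ws01.corp.example.com", "ws02.corp.example.com",
                  "ws03.corp.example.com", "srv01.corp.example.com"]


def parse_report(text):
    """The report is a JSON array of records (CSV is the other export format)."""
    return json.loads(text)


def common_name(subject):
    """Extract the CN from a distinguished name such as CN=host,OU=...,DC=..."""
    match = re.search(r"(?:^|,\s*)CN=([^,]+)", subject)
    return match.group(1).strip() if match else subject


def active(records, now=None):
    """Certificates neither revoked nor expired at `now` (ISO 8601 UTC ending in Z,
    so plain string comparison orders the timestamps correctly)."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [r for r in records if not r.get("revokedAt") and r["notAfter"] > now]


def enrollment_status(records, expected_hosts, now=None):
    """Return (enrolled, missing, unexpected) host lists by comparing the CNs of
    active certificates with the inventory; `missing` is what still has to enroll."""
    enrolled = {common_name(r["subject"]).lower() for r in active(records, now)}
    expected = {h.lower() for h in expected_hosts}
    return sorted(expected & enrolled), sorted(expected - enrolled), sorted(enrolled - expected)


def active_by_template(records, now=None):
    """Active certificate count per template, to compare with the AD CS inventory."""
    return Counter(r["templateArn"] for r in active(records, now))


def revoked(records):
    """Subjects already revoked, with the reason, for the decommissioning checklist."""
    return [(common_name(r["subject"]), r["revocationReason"])
            for r in records if r.get("revokedAt")]


if __name__ == "__main__":
    done, todo, extra = enrollment_status(parse_report(SAMPLE_REPORT), EXPECTED_HOSTS)
    print("enrolled:", done, "\nstill missing:", todo, "\nnot in inventory:", extra)
```

Run it against the JSON file that the audit report writes to your S3 bucket; the `missing` list is the set of machines to chase before you revoke anything on the old CA, and `unexpected` catches subjects that enrolled against a template whose permissions are wider than intended.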

After the required certificates have been enrolled and you have confirmed that the services that depend upon those certificates are functioning correctly, it’s time to revoke issued certificates and decommission your existing AD CS server. Microsoft provides detailed documentation for properly revoking certificates and decommissioning an Enterprise CA, including clean-up of related AD objects.

Conclusion

In this post, we covered some use cases for Active Directory integrated certificate management in Windows environments and introduced the new AWS Private CA Connector for Active Directory. AWS Private CA and the Connector for AD can help you reduce operational overhead, enabling you to simplify the process of provisioning certificates while maintaining the Active Directory integration that you are accustomed to in a Microsoft AD CS environment. You learned how to evaluate your existing Microsoft CA and migrate to AWS Private CA with the Connector for AD, with a specific focus on auto-enrollment of certificates, which is commonly used in enterprise environments for device and end-user authentication.

To learn more about the services described in the post, see the documentation for Connector for AD, AWS Private CA, CA best practices and AWS Directory Services. You can get started creating CAs in AWS Private CA by using the console.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Certificate Manager re:Post or contact AWS Support.

Author

Axel Larsson

Axel is a Principal Solutions Architect at AWS based in the greater New York City area. He supports FinTech customers and is passionate about helping them to establish a secure and compliant foundation on AWS to accelerate their business outcomes. Outside of work, he is an avid tinkerer and enjoys experimenting with home automation.

Jean-Pierre Roux


Jean-Pierre is a Senior Security Consultant who has earned recognition as an ACM subject matter expert. With a specialized focus on the financial services industry, JP helps clients globally to securely use AWS services while aligning with regulatory standards. Outside of work, he enjoys activities such as surfing and gaming, and quality time with family and friends.

De’Shedric Boler


De’Shedric is a Senior Solutions Architect at AWS. He is part of the account team that supports enterprise customers in their cloud transformation journeys. Passionate about technology, he enjoys helping customers use technology to solve their business challenges.

Bubonke Matandela


Bubonke is a Professional Services Consultant at AWS based in South Africa, with an interest in security, risk, and governance to assist customers with their AWS Security journeys in the cloud. Outside of work, he enjoys spending time in the kitchen creating hearty dishes.

Will they reassemble? Whose move is it?

Post Syndicated from Емилия Милчева original https://www.toest.bg/shte-se-sglobyavat-li-koy-e-na-hod/

PP–DB and GERB–SDS are looking for a way back to each other; the question is at what price, now that the politicians have run out of insults and the analysts out of metaphors. Both coalitions are signalling that they are ready to continue negotiating with each other despite the "broken trust" noted by outgoing Prime Minister Nikolay Denkov (PP) in Brussels, where he is attending the European Council.

From Brussels also came public encouragement for the authorities in Sofia to keep working on forming a cabinet. For the first time, Bulgaria was mentioned in a statement adopted at a summit of the euro area countries.

We welcome the progress made by Bulgaria on its path towards adopting the euro and encourage it to continue its efforts until all convergence criteria are met.

"Translated", this means that a regular cabinet will continue those efforts so that Bulgaria adopts the euro on 1 January 2025. The warning that political instability will get in the way can be read between the lines.

Over the past week, relations between the two political forces, which governed for nine months through a joint cabinet, deteriorated sharply. Despite the rotation agreed in May last year, PP–DB no longer accept Gabriel as prime minister after she unilaterally submitted to the president a fulfilled first mandate with a list of ministers that had not been agreed with them. GERB, for its part, insists on replacing Finance Minister Asen Vassilev, who declared that by going over their heads Gabriel had squandered the chance of a cabinet with the first mandate. He also called her "the newest and prettiest face of the mafia in Bulgaria" (without specifying whom he means by "mafia").

Who will blink first

The rotation of the prime minister's post between Denkov (PP) and Mariya Gabriel (GERB) stalled over disputes about specific ministries, the mechanism for appointments to regulators and oversight bodies, the timelines for reforming the security services, the amendments to the Judiciary Act and the dropping of investigative secrecy. And over the place of the DPS in the whole scheme. Whereas until now the joint government rested on a short declaration with six main priorities and an 18-month programme, the challenges are now far greater and are laid out in an agreement that was never signed. Ahead lie changes to more than 110 senior positions and ambitions to carry out judicial reform. If PP–DB and GERB do not agree on a governing alliance, the dominance of GERB and the DPS remains, for who knows how long.

After this week's exchanges at a distance, via television and press conferences, accompanied by ultimatums with deadlines and calls for apologies, it was the turn of the declarations. "It is your move," PP–DB told Boyko Borissov's party in a declaration, "take responsibility for your actions and propose a concrete plan adequate to the crisis you have created."

We remain responsible to the fate of the country and ready to share the responsibility of joint governance. This can only happen if the formula of trust is restored and the real implementation of the reforms is guaranteed. This can only happen with a shared team…

"It is your move," GERB replied, again by declaration.

Take responsibility for the actions of Asen Vassilev, distance yourselves from him, and let us together work out a plan adequate to the crisis that you are deliberately creating to this day.

"Why don't you reeespect each other?"

Within PP–DB there are already voices saying that the first mandate has been wasted but that the negotiations will continue and there will once again be a government in the 49th parliament. They seem to believe they can again form a cabinet with their own second mandate, despite the categorical statement by GERB leader Boyko Borissov that GERB will not support such an option. PP co-chair Asen Vassilev announced that the first mandate is exhausted and that he is looking to the second.

President Rumen Radev has already issued the decree proposing that the 49th National Assembly elect as prime minister the candidate put forward by the largest parliamentary group, GERB–SDS, together with the government she proposes. When that item will enter the agenda, however, depends on the Speaker of Parliament, Rosen Zhelyazkov (GERB). And he is in no hurry. As long as the item is not on the agenda, the candidate for prime minister can make changes to the composition of the government announced before the president; she can even replace it wholesale. In practice the mandate can sit submitted indefinitely, since the Constitution sets no deadline.

The GERB leader can hardly have believed that PP–DB would meekly submit to and accept his unilateral decision on the composition of the cabinet presented by Gabriel. The scandal was inevitable, and therefore predetermined. Borissov probably calculated that a fresh escalation of tension would let him achieve his goals for specific appointments more easily, even at the cost of the reputation of his party's European face. The sparse information let slip by both sides shows that they were close to agreement on many of the appointments. For example, even if Energy Minister Rumen Radev were removed and replaced by Zhecho Stankov, Radev was to head the Bulgarian Energy Holding (BEH).

Now the target is once again Asen Vassilev, whom PP–DB will not agree to see leave the Ministry of Finance. Consequently GERB and the DPS, which has joined the attack, may demand something else in exchange. There is no shame in politics when power is being divided up. To increase the pressure, GERB and the DPS united all the political forces in parliament (except PP–DB, of course) against Vassilev, voting that by 31 March the outgoing finance minister must cover a BGN 1 billion deficit in the energy sector.

The item was introduced as urgent business with the votes of GERB and the DPS, so Asen Vassilev has fewer than ten days to resolve the liquidity problems of the Electricity System Security Fund. (The fund was created in July 2015 to cover the costs of the public supplier NEK arising from its obligation to buy electricity at preferential prices.) The parliamentary decision is also a warning sign from the mafia to Vassilev and PP–DB, something like a dead fish wrapped in newspaper or a bullet in an envelope.

Morality: directions for use

The Bulgarian political elite's use of morality is loathsome. Boyko Borissov, who has parted with political allies at the slightest sign of damage to his image, humiliated Mariya Gabriel. There is no doubt that she would not have ventured to present the folder with the ministers' names had she not been ordered to. Now the same Borissov demands an apology from Vassilev for insulting Gabriel, even though the public humiliation to which her own party subjected her is far greater. Asen Vassilev apologised to Mariya Gabriel in her capacity as a woman, which was yet another insult to her because of the blatant sexism of the message. Does Vassilev himself not govern with the very same mafia he claims stands behind Gabriel?

The long silence of GERB and PP–DB after the published declarations means that some communication is flowing behind the scenes and away from the cameras, and that a decision will be announced by the weekend at the latest. In the event of yet another snap parliamentary election, the campaign would not be easy for PP–DB: they can hardly fire up voters with "scraping out" GERB or pushing out the DPS when there is nobody else they can rely on for a partnership. For GERB the situation would not be so complicated.

Friday's parliamentary sitting passed without GERB's candidate for prime minister, Mariya Gabriel, submitting a withdrawal. Outgoing Prime Minister Denkov, for his part, warned his governing partners from Brussels not to put only the prime minister to a vote without the composition of the government. They appear to have listened. Under Decision No 20 of the Constitutional Court from 1992, parliament first elects the prime minister and then, by a subsequent decision, the composition of the government. But whatever the order of the votes, PP–DB and GERB–SDS must first have reached an understanding on assembly 2.0. A coalition is unlikely, and the intentions for a full term expressed by both political forces in the initial documents will not materialise either. Most likely they will try to get through this year in order to choose the permanent power.

Then, early elections, and this time a coalition might actually come about. Hardly one like Germany's, with its more than 800 pages of publicly known coalition agreement, but not a Balkan-style assemblage either.

Automating chaos experiments with AWS Fault Injection Service and AWS Lambda

Post Syndicated from James Beswick original https://aws.amazon.com/blogs/compute/automating-chaos-experiments-with-aws-fault-injection-service-and-aws-lambda/

This post is written by André Stoll, Solution Architect.

Chaos engineering is a popular practice for building confidence in system resilience. However, many existing tools assume the ability to alter infrastructure configurations, and cannot be easily applied to the serverless application paradigm. Due to the stateless, ephemeral, and distributed nature of serverless architectures, you must evolve the traditional technique when running chaos experiments on these systems.

This blog post explains a technique for running chaos engineering experiments on AWS Lambda functions. The approach uses Lambda extensions to induce failures in a runtime-agnostic way requiring no function code changes. It shows how you can use the AWS Fault Injection Service (FIS) to automate and manage chaos experiments across different Lambda functions to provide a reusable testing method.

Overview

Chaos experiments are commonly applied to cloud applications to uncover latent issues and prevent service disruptions. IT teams use chaos experiments to build confidence in the robustness of their systems. However, the traditional methods used in server-based chaos engineering do not easily translate to the serverless world since many existing tools are based on altering the underlying infrastructure configurations, such as cluster nodes or server instances of your applications.

In serverless applications, AWS handles the undifferentiated heavy lifting of managing infrastructure, so you can focus on delivering business value. But this also means that engineering teams have limited control over the infrastructure, and must rely on application-level tooling to run chaos experiments. Two techniques commonly used in the serverless community for conducting chaos experiments on Lambda functions are modifying the function configuration or using runtime-specific libraries.

Changing the configuration of a Lambda function allows you to induce rudimentary failures. For example, you can set the reserved concurrency of a Lambda function to simulate invocation throttling. Alternatively, you might change the function execution role permissions or the function policy to simulate IAM access denial. These types of failures are easy to implement, but the range of possible fault injection types is limited.

The other technique—injecting chaos into Lambda functions through purpose-built, runtime-specific libraries—is more flexible. There are various open-source libraries that allow you to inject failures, such as added latency, exceptions, or disk exhaustion. Examples of such libraries are Python’s chaos_lambda and failure-lambda for Node.js. The downside is that you must change the function code for every function you want to run chaos experiments on. In addition, those libraries are runtime-specific and each library comes with a set of different capabilities and configurations. This reduces the reusability of your chaos experiments across Lambda functions implemented in different languages.

Injecting chaos using Lambda extensions

Implementing chaos experiments using Lambda extensions allows you to address all of the previous concerns. Lambda extensions augment your functions by adding functionality, such as capturing diagnostic information or automatically instrumenting your code. You can integrate your preferred monitoring, observability, or security tooling deeply into the Lambda environment without complex installation or configuration management. Lambda extensions are generally packaged as Lambda layers and run as a separate process in the Lambda execution environment. You may use extensions from AWS, AWS Lambda partners, or build your own custom functionality.

With Lambda extensions, you can implement a chaos extension to inject the desired failures into your Lambda environments. This chaos extension uses the Runtime API proxy pattern that enables you to hook into the function invocation request and response lifecycle. Lambda runtimes use the Lambda Runtime API to retrieve the next incoming event to be processed by the function handler and return the handler response to the Lambda service.

The Runtime API HTTP endpoint is available within the Lambda execution environment. Runtimes get the API endpoint from the environment variable AWS_LAMBDA_RUNTIME_API. During the initialization of the execution environment, you can modify the runtime startup behavior. This lets you change the value of AWS_LAMBDA_RUNTIME_API to the port the chaos extension process is listening on. Now, all requests to the Runtime API go through the chaos extension proxy. You can use this workflow for blocking malicious events, auditing payloads, or injecting failures.

Injecting chaos using Lambda extensions

  1. The chaos extension intercepts incoming events and outbound responses, and injects failures according to the chaos experiment configuration.
  2. The extension accesses environment variables to read the chaos experiment configuration.
  3. A wrapper script configures the runtime to proxy requests through the chaos extension.

When intercepting incoming events and outbound responses to the Lambda Runtime API, you can simulate failures such as introducing artificial delay or generate an error response to return to the Lambda service. This workflow adds latency to your function calls:

Workflow

All Lambda runtimes support extensions. Since extensions run as a separate process, you can implement them in a language other than the function code. AWS recommends that you implement extensions in a language that compiles to a binary executable, such as Go or Rust, so that the same extension works with any Lambda runtime.

Some of the open source projects following this technique are the chaos-lambda-extension, implemented in Rust, or the serverless-chaos-extension, implemented in Python.

Extensions provide you with a flexible and reusable method to run your chaos experiments on Lambda functions. You can reuse the chaos extension for all runtimes without having to change function code. Add the extension to any Lambda function where you want to run chaos experiments.
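To make the proxy pattern concrete, here is an added example of a chaos extension written against the Runtime API and Extensions API. It is not code from this post and not the code of chaos-lambda-extension or serverless-chaos-extension; it uses only the Python standard library so that the flow is readable, whereas a production extension would be shipped as a static binary as recommended above. The CHAOS_FAULT, CHAOS_LATENCY_MS, CHAOS_RATE and CHAOS_PORT variable names and the extension name "chaos-proxy" are this example's own assumptions. It also shows the detail that is easy to get wrong: latency has to be added after the event has come back from the upstream /next call, because sleeping before that call only delays idle time between invocations and never shows up in the function's duration.

```python
"""Chaos extension built on the Runtime API proxy pattern (stdlib only).
Added example for this post, not code from chaos-lambda-extension or
serverless-chaos-extension. Assumed names: the CHAOS_FAULT, CHAOS_LATENCY_MS,
CHAOS_RATE and CHAOS_PORT variables and the extension name "chaos-proxy",
which must match the executable's file name under /opt/extensions."""
import json, os, random, threading, time, urllib.error, urllib.request
from collections import namedtuple
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# fault: "none" | "latency" | "error"; latency_ms: added delay; rate: share of invocations hit
FaultConfig = namedtuple("FaultConfig", "fault latency_ms rate")

def load_config(env):
    """Parse the experiment settings the automation put into the environment."""
    fault = env.get("CHAOS_FAULT", "none").lower()
    if fault not in ("none", "latency", "error"):
        raise ValueError("unknown fault type: " + fault)
    rate = float(env.get("CHAOS_RATE", "1.0"))
    if not 0.0 <= rate <= 1.0:
        raise ValueError("CHAOS_RATE must be between 0 and 1")
    return FaultConfig(fault, int(env.get("CHAOS_LATENCY_MS", "0")), rate)

def decide(config, rng=random):
    """Return (fault, delay_seconds) for one invocation; the rate is applied per call."""
    if config.fault == "none" or rng.random() >= config.rate:
        return "none", 0.0
    if config.fault == "latency":
        return "latency", config.latency_ms / 1000.0
    return "error", 0.0

def error_path(path):
    """Map /runtime/invocation/<id>/response to the matching /error endpoint."""
    if not path.endswith("/response"):
        raise ValueError("not an invocation response path")
    return path[: -len("/response")] + "/error"

def error_payload(message):
    """Error document in the shape the Runtime API /error endpoint accepts."""
    return json.dumps({"errorMessage": message, "errorType": "ChaosInjectedError"}).encode()

class ProxyHandler(BaseHTTPRequestHandler):
    upstream = None   # host:port of the real Runtime API
    config = None

    def _forward(self, method, path, body, delay=0.0):
        # Relay upstream; sleep *after* the reply so the delay lands inside the
        # invocation instead of in the idle time before the next event arrives.
        req = urllib.request.Request("http://%s%s" % (self.upstream, path), data=body, method=method)
        for name in ("Content-Type", "Lambda-Runtime-Function-Error-Type"):
            if name in self.headers:
                req.add_header(name, self.headers[name])
        try:
            resp = urllib.request.urlopen(req)
        except urllib.error.HTTPError as err:   # relay 4xx/5xx unchanged
            resp = err
        data = resp.read()
        if delay:
            time.sleep(delay)
        self.send_response(resp.getcode())
        for name, value in resp.headers.items():
            if name.lower() not in ("transfer-encoding", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):    # /runtime/invocation/next: fetch the event, optionally delayed
        self._forward("GET", self.path, None, decide(self.config)[1])

    def do_POST(self):   # handler result: optionally replaced by an error report
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        path = self.path
        if path.endswith("/response") and decide(self.config)[0] == "error":
            path, body = error_path(path), error_payload("fault injected by chaos-proxy")
        self._forward("POST", path, body)

def register(api, name):
    """Register with the Extensions API; the returned id is required on /event/next."""
    req = urllib.request.Request("http://%s/2020-01-01/extension/register" % api, method="POST",
                                 data=json.dumps({"events": ["SHUTDOWN"]}).encode(),
                                 headers={"Lambda-Extension-Name": name, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Lambda-Extension-Identifier"]

def run():
    api = os.environ["AWS_LAMBDA_RUNTIME_API"]   # real endpoint; the wrapper script repoints only the runtime
    ext_id = register(api, "chaos-proxy")
    ProxyHandler.upstream, ProxyHandler.config = api, load_config(os.environ)
    server = ThreadingHTTPServer(("127.0.0.1", int(os.environ.get("CHAOS_PORT", "9009"))), ProxyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    nxt = urllib.request.Request("http://%s/2020-01-01/extension/event/next" % api,
                                 headers={"Lambda-Extension-Identifier": ext_id})
    while True:   # block on the Extensions API until SHUTDOWN
        with urllib.request.urlopen(nxt) as resp:
            if json.load(resp).get("eventType") == "SHUTDOWN":
                return

if __name__ == "__main__":
    run()
```

The wrapper script that AWS_LAMBDA_EXEC_WRAPPER points to only has to export AWS_LAMBDA_RUNTIME_API=127.0.0.1:9009 (or whatever CHAOS_PORT is) and then exec the runtime with its original arguments; the extension process is started by the Lambda service separately and keeps the real endpoint, which is why run() reads it before anything else. Because the proxy sits on every invocation, keep the error branch to the /response path only: rewriting a runtime's own /error report into another error would hide real failures from the experiment.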

Automating with AWS FIS experiment templates

According to the Principles of Chaos Engineering, you should “automate your experiments to run continuously”. To achieve this, you can use the AWS Fault Injection Service (FIS).

This service allows you to generate reusable experiment templates. The template specifies the targets and the actions to run on them during the experiment, and an optional stop condition that prevents the experiment from going out of bounds. You can also execute AWS Systems Manager Automation runbooks which support custom fault types. You can write your own custom Systems Manager documents to define the individual steps involved in the automation. To carry out the actions of the experiment, you define scripts in the document to manage your Lambda function and set it up for the chaos experiment.

To use the chaos extension for your serverless chaos experiments:

  1. Set up the Lambda function for the experiment. Add the chaos extension as a layer and configure the experiment, for example, by adding environment variables specifying the fault type and its corresponding value.
  2. Pause the automation and conduct the experiment. To do this, use the aws:sleep automation action. During this period, you conduct the experiment, measure and observe the outcome.
  3. Clean up the experiment. The script removes the layer again and also resets the environment variables.
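The three steps above, as an SSM Automation runbook and the FIS experiment template that runs it, generated as Python dictionaries so they can be validated before anything is created. This is an added example, not the sample repository's code. It assumes that the chaos extension reads CHAOS_FAULT and CHAOS_LATENCY_MS, that its wrapper script lives at /opt/chaos-wrapper inside the layer, and the step and parameter names are this example's own. Two details matter in practice: UpdateFunctionConfiguration replaces the whole layer list and environment map, so the script reads the current configuration and merges rather than overwriting, and the clean-up step is wired in as the onCancel target so that it still runs if the execution is cancelled, for example because the alarm in the stop condition ended the experiment while the runbook was sleeping.

```python
"""SSM Automation runbook and FIS experiment template for the three-step
Lambda chaos automation. Added example for this post, not the sample
repository's code. Assumptions: the chaos extension reads CHAOS_FAULT and
CHAOS_LATENCY_MS, its wrapper script is at /opt/chaos-wrapper inside the
layer, and the step and parameter names are this example's own."""
import json

# Inline script for both aws:executeScript steps ("add" attaches, "remove" reverts).
EXTENSION_SCRIPT = '''
import boto3

def main(events, context):
    client = boto3.client("lambda")
    name, layer, mode = events["FunctionName"], events["LayerArn"], events["Mode"]
    cfg = client.get_function_configuration(FunctionName=name)
    layers = [item["Arn"] for item in cfg.get("Layers", [])]   # keep existing layers
    env = dict(cfg.get("Environment", {}).get("Variables", {}))
    chaos_env = {"CHAOS_FAULT": events["FaultType"],
                 "CHAOS_LATENCY_MS": events["LatencyMs"],
                 "AWS_LAMBDA_EXEC_WRAPPER": "/opt/chaos-wrapper"}
    if mode == "add":
        if layer not in layers:
            layers.append(layer)
        env.update(chaos_env)
    else:
        layers = [arn for arn in layers if arn != layer]
        for key in chaos_env:
            env.pop(key, None)
    client.update_function_configuration(
        FunctionName=name, Layers=layers, Environment={"Variables": env})
    client.get_waiter("function_updated_v2").wait(FunctionName=name)
    return {"Layers": layers}
'''


def _script_step(name, mode, **flow):
    """One aws:executeScript step; `flow` carries the onFailure/onCancel routing."""
    payload = {"FunctionName": "{{ FunctionName }}", "LayerArn": "{{ ExtensionLayerArn }}",
               "FaultType": "{{ FaultType }}", "LatencyMs": "{{ LatencyMs }}", "Mode": mode}
    return {"name": name, "action": "aws:executeScript", **flow,
            "inputs": {"Runtime": "python3.8", "Handler": "main",
                       "Script": EXTENSION_SCRIPT, "InputPayload": payload}}


def build_runbook(assume_role_arn):
    """Attach the extension, hold for observation, then revert the function."""
    revert = "step:RemoveChaosExtension"   # also reached when the execution is cancelled
    return {
        "schemaVersion": "0.3",
        "description": "Lambda chaos experiment: add extension, observe, clean up",
        "assumeRole": assume_role_arn,
        "parameters": {
            "FunctionName": {"type": "String"},
            "ExtensionLayerArn": {"type": "String"},
            "FaultType": {"type": "String", "default": "latency",
                          "allowedValues": ["latency", "error"]},
            "LatencyMs": {"type": "String", "default": "1000"},
            "ExperimentDuration": {"type": "String", "default": "PT5M"}},
        "mainSteps": [
            _script_step("AddChaosExtension", "add", onFailure=revert, onCancel=revert),
            {"name": "HoldForObservation", "action": "aws:sleep", "onCancel": revert,
             "inputs": {"Duration": "{{ ExperimentDuration }}"}},
            _script_step("RemoveChaosExtension", "remove")]}


def build_experiment_template(document_arn, role_arn, alarm_arn, function_name, layer_arn):
    """FIS template that runs the runbook and stops when the CloudWatch alarm fires."""
    doc_params = {"FunctionName": function_name, "ExtensionLayerArn": layer_arn,
                  "FaultType": "latency", "LatencyMs": "1000"}
    return {
        "description": "Inject latency into a Lambda function via the chaos extension",
        "roleArn": role_arn,
        "stopConditions": [{"source": "aws:cloudwatch:alarm", "value": alarm_arn}],
        "targets": {},
        "actions": {"runChaosRunbook": {
            "actionId": "aws:ssm:start-automation-execution",
            "parameters": {"documentArn": document_arn,
                           "documentParameters": json.dumps(doc_params),
                           "maxDuration": "PT15M"}}},   # must exceed ExperimentDuration
        "tags": {"Name": "lambda-chaos-latency"}}


def validate_runbook(doc):
    """Compile each inline script so a syntax error surfaces before create_document."""
    for step in doc["mainSteps"]:
        if step["action"] == "aws:executeScript":
            compile(step["inputs"]["Script"], step["name"], "exec")
    return [step["name"] for step in doc["mainSteps"]]


def deploy(runbook, template, document_name="LambdaChaosRunbook"):
    """Create the document and the template (needs boto3 and AWS credentials)."""
    import boto3
    boto3.client("ssm").create_document(Content=json.dumps(runbook), Name=document_name,
                                        DocumentType="Automation", DocumentFormat="JSON")
    return boto3.client("fis").create_experiment_template(**template)["experimentTemplate"]["id"]
```

The role in assumeRole needs lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration and lambda:GetLayerVersion on the function and layer, and nothing more; the FIS role only needs to start and stop that automation. Keep maxDuration longer than ExperimentDuration plus the two configuration updates, otherwise FIS times the action out in the middle of the sleep.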

Running your first serverless chaos experiment

This sample repository provides you with the necessary code to run your first serverless chaos experiment in AWS. The experiment uses the chaos-lambda-extension extension to inject chaos.

The sample deploys the AWS FIS experiment template and the necessary SSM Automation runbooks, including the IAM role the runbook uses to configure the Lambda functions. The sample also provisions a Lambda function for testing and an Amazon CloudWatch alarm used to roll back the experiment.

Prerequisites

Running the experiment

Follow the steps outlined in the repository to conduct your first experiment. Starting the experiment triggers the automation execution.

Actions summary

This automation includes adding the extension and configuring the experiment, pausing the execution and observing the system and reverting all changes to the initial state.

Executed steps

If you invoke the targeted Lambda function during the second step, failures (in this case, artificial latency) are simulated.

Output result

Security best practices

Extensions run within the same execution environment as the function, so they have the same level of access to resources such as file system, networking, and environment variables. IAM permissions assigned to the function are shared with extensions. AWS recommends you assign the least required privileges to your functions.

Always install extensions from a trusted source only. Use Infrastructure as Code (IaC) and automation tools, such as CloudFormation or AWS Systems Manager, to simplify attaching the same extension configuration, including AWS Identity and Access Management (IAM) permissions, to multiple functions. IaC and automation tools allow you to have an audit record of extensions and versions used previously.

When building extensions, do not log sensitive data. Sanitize payloads and metadata before logging or persisting them for audit purposes.

Conclusion

This blog post details how to run chaos experiments for serverless applications built using Lambda. The described approach uses a Lambda extension to inject faults into the execution environment, so the same method applies regardless of the runtime or configuration of the Lambda function.

To automate and successfully conduct the experiment, you can use the AWS Fault Injection Service. By creating an experiment template, you can specify the actions to run on the defined targets, such as adding the extension during the experiment. Since the extension can be used for any runtime, you can reuse the experiment template to inject failures into different Lambda functions.

Visit this repository to deploy your first serverless chaos experiment, or watch this video guide for learning more about building extensions. Explore the AWS FIS documentation to learn how to create your own experiments.

For more serverless learning resources, visit Serverless Land.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/966415/

Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).

Google Pays $10M in Bug Bounties in 2023

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/03/google-pays-10m-in-bug-bounties-in-2023.html

BleepingComputer has the details. It’s $2M less than in 2022, but it’s still a lot.

The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.

For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.

Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports.

During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.

Google’s other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.

Slashdot thread.
