Post Syndicated from Patrick Kennedy original https://www.servethehome.com/marvell-silicon-photonics-light-engine-for-ai-marvell-analyst-day-2023/
Marvell just showed off its next-generation silicon photonics light engine for future pluggable modules and co-packaged optics
The post Marvell Silicon Photonics Light Engine for AI appeared first on ServeTheHome.
Post Syndicated from jake original https://lwn.net/Articles/953738/
The Common Vulnerabilities and Exploits
(CVE) system is the main mechanism for tracking various security
flaws,
using the omnipresent CVE number—even vulnerabilities with fancy names and
web sites
have CVE numbers. But the CVE system is not without its critics and, in
truth, the incentives between the reporting side and those responsible for
handling the bugs have always been misaligned, which leads to abuse of
various kinds. There have been efforts to
combat some of those abuses along the way; a newly announced
“!CVE” project is meant to track vulnerabilities “that are not
“.
acknowledged by vendors but
still are serious security issues
Post Syndicated from Harman Singh Dhodi original https://aws.amazon.com/blogs/big-data/how-hra-uses-amazon-redshift-spatial-analytics-on-amazon-redshift-serverless-to-measure-digital-equity-in-states-across-the-us/
In our increasingly digital world, affordable access to high-speed broadband is a necessity to fully participate in our society, yet there are still millions of American households without internet access. HR&A Advisors—a multi-disciplinary consultancy with extensive work in the broadband and digital equity space is helping its state, county, and municipal clients deliver affordable internet access by analyzing locally specific digital inclusion needs and building tailored digital equity plans.
The first step in this process is mapping the digital divide. Which households don’t have access to the internet at home? Where do they live? What are their specific needs?
Public data sources aren’t sufficient for building a true understanding of digital inclusion needs. To fill in the gaps in existing data, HR&A creates digital equity surveys to build a more complete picture before developing digital equity plans. HR&A has used Amazon Redshift Serverless and CARTO to process survey findings more efficiently and create custom interactive dashboards to facilitate understanding of the results. HR&A’s collaboration with Amazon Redshift and CARTO has resulted in a 75% reduction in overall deployment and dashboard management time and helped the team achieve the following technical goals:
In this post, we unpack how HR&A uses Amazon Redshift spatial analytics and CARTO for cost-effective geo-spatial measurement of digital inclusion and internet access across multiple US states.
Before we get to the architecture details, here is what HR&A and its client, Colorado’s Office of the Future of Work, has to say about the solution.
“Working with the team at HR&A Advisors, Colorado’s Digital Equity Team created a custom dashboard that allowed us to very effectively evaluate our reach while surveying historically marginalized populations across Colorado. This dynamic tool, powered by AWS and CARTO, provided robust visualizations of which regions and populations were interacting with our survey, enabling us to zoom in quickly and address gaps in coverage. Ensuring we were able to seek out data from those who are most impacted by the digital divide in Colorado has been vital to addressing digital inequities in our state.”
— Melanie Colletti, Digital Equity Manager at Colorado’s Office of the Future of Work
“AWS allows us to securely house all of our survey data in one place, quickly scrub and analyze it on Amazon Redshift, and mirror the results through integration with data visualization tools such as CARTO without the data ever leaving AWS. This frees up our local computer space, greatly automates the survey cleaning and analysis step, and allows our clients to easily access the data results. Following the proof of concept and development of first prototype, almost all of our state clients showed interest in using the same solution for their states.”
— Harman Singh Dhodi, Analyst at HR&A Advisors, Inc.
Storing and analyzing large survey datasets
HR&A used Redshift Serverless to store large amounts of digital inclusion data in one place and quickly transform and analyze it using CARTO’s analytical toolkit to extend the spatial capabilities of Amazon Redshift and integrate with CARTO’s data visualization tools—all without the data ever leaving the AWS environment. This cut down significantly on analytical turnaround times.
The CARTO Analytics Toolbox for Redshift is composed of a set of user-defined functions and procedures organized in a set of modules based on the functionality they offer.
The following figure shows the solution and workflow steps developed during the proof of concept with a virtual private cloud (VPC) on Amazon Redshift.
Figure 1: Workflow illustrating data ingesting, transformation, and visualization using Redshift and CARTO.
In the following sections, we discuss each phase in the workflow in more detail.
HR&A receives survey data as wide CSV files with hundreds of columns in each file and related spatial data in hexadecimal Extended Well-Known Binary (EWKB) in the form of shape files. These files are stored in Amazon Simple Storage Service (Amazon S3).
The Redshift COPY command is used to ingest the spatial data from shape files into the native GEOMETRY data type supported in Amazon Redshift. A combination of Amazon Redshift Spectrum and COPY commands are used to ingest the survey data stored as CSV files. For the files with unknown structures, AWS Glue crawlers are used to extract metadata and create table definitions in the Data Catalog. These table definitions are used as the metadata repository for external tables in Amazon Redshift.
For files with known structures, a Redshift stored procedure is used, which takes the file location and table name as parameters and runs a COPY command to load the raw data into corresponding Redshift tables.
Multiple stored procedures are used to split the raw table data and load it into corresponding target tables while applying the user-defined transformations.
These transformation rules include transformation of GEOMETRY data using native Redshift geo-spatial functions, like ST_Area and ST_length, and CARTO’s advanced spatial functions, which are readily available in Amazon Redshift as part of the CARTO Analytics Toolbox for Redshift installation. Furthermore, all the data ingestion and transformation steps are automated using an AWS Lambda function to run the Redshift query when any dataset in Amazon S3 gets updated.
The HR&A team used CARTO’s Redshift connector to connect to the Redshift Serverless endpoint and built dashboards using CARTO’s SQL interface and widgets to assist mapping while performing dynamic calculations of the map data as per client needs.
The following are sample screenshots of the dashboards that show survey responses by zip code. The counties that are in lighter shades represent limited survey responses and need to be included in the targeted data collection strategy.
The first image shows the dashboard without any active filters. The second image shows filtered map and chats by respondents who took the survey in Spanish. The user can select and toggle between features by clicking on the respective category in any of the bar charts.
Figure 2: Illustrative Digital Equity Survey Dashboard for the State of Colorado. (© HR&A Advisors)
Figure 3: Illustrative Digital Equity Survey Dashboard for the State of Colorado, filtered for respondents who took the survey in Spanish language. (© HR&A Advisors)
After developing the first interactive dashboard prototype with this methodology, five of HR&A’s state clients (CA, TX, NV, CO, and MA) showed interest in the solution. HR&A was able to implement it for each of them within 2 months—an incredibly quick turnaround for a custom, interactive digital inclusion dashboard.
HR&A also realized about a 75% reduction in overall deployment and dashboard management time, which meant the consulting team could redirect their focus from manually analyzing data to helping clients interpret and strategically plan around the results. Finally, the dashboard’s user-friendly interface made survey data more accessible to a wider range of stakeholders. This helped build a shared understanding when assessing gaps in each state’s digital inclusion landscape and allowed for a targeted data collection strategy from areas with limited survey responses, thereby supporting more productive collaboration overall.
In this post, we showed how HR&A was able to analyze geo-spatial data in large volumes using Amazon Redshift Serverless and CARTO.
With HR&A’s successful implementation, it’s evident that Redshift Serverless, with its flexibility and scalability, can be used as a catalyst for positive social change. As HR&A continues to pave the way for digital equity, their story stands as a testament to how AWS services and its partners can be used in addressing real-world challenges.
We encourage you to explore Redshift Serverless with CARTO for analyzing spatial data and let us know your experience in the comments.
Harman Singh Dhodi is an Analyst at HR&A Advisors, Harman combines his passion for data analytics with sustainable infrastructure practices, social inclusion, economic viability, climate resiliency, and building stakeholder capacity. Harman’s work often focuses on translating complex datasets into visual stories and accessible tools that help empower communities to understand the challenges they’re facing and create solutions for a brighter future.
Kiran Kumar Tati is an Analytics Specialist Solutions Architect based out of Omaha, NE. He specializes in building end-to-end analytic solutions. He has more than 13 years of experience with designing and implementing large scale Big Data and Analytics solutions. In his spare time, he enjoys playing cricket and watching sports.
Sapna Maheshwari is a Sr. Solutions Architect at Amazon Web Services. She helps customers architect data analytics solutions at scale on AWS. Outside of work she enjoys traveling and trying new cuisines.
Washim Nawaz is an Analytics Specialist Solutions Architect at AWS. He has worked on building and tuning data warehouse and data lake solutions for over 15 years. He is passionate about helping customers modernize their data platforms with efficient, performant, and scalable analytic solutions. Outside of work, he enjoys watching games and traveling.
Post Syndicated from Talks at Google original https://www.youtube.com/watch?v=3Ykm0MMtjRY
Post Syndicated from BeardedTinker original https://www.youtube.com/watch?v=V1tcSl1D4lc
Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/05/a-trusted-voice-in-a-crowded-market-meet-joanne-guariglia-senior-channel-account-manager-at-rapid7/
When you’re a seller, it’s important to represent a reputable brand and products you can stand behind. For many companies, their partners act as an extension of the sales team to help identify and engage new customers. As a Senior Channel Account Manager, Joanne Guariglia shares what she loves most about her role, Rapid7, and why now is a great time to join the team.
In my previous role, I was with a company that had an integration with Rapid7 so I had been working in tandem with some of the leadership team. They were always down to earth, very genuine,open and honest about the great things happening, and what some of the challenges were. My partners also enjoyed working with the Rapid7 team and I could see they were making waves in the partner community.
Aside from that, Rapid7 is not just a single solution. Our products can meet customers where they are in their security journey, and grow and scale with them. So having that ability to grow alongside customers was something that I was really interested in.
I wouldn’t necessarily say a cyber background is a must have before joining Rapid7. We have a comprehensive onboarding program that can help give you a strong foundation in cyber security knowledge as well as our products and services. What’s most important is your ability to grow relationships with our partners and to bring the best technology and solutions to the customer. This is a role where you have to be an effective communicator and a bridge between cross functional teams including Sales, Marketing, Customer Success, Sales Operations, Finance, and the Renewals team to make sure we are aligned on business decisions moving forward. Having that collaboration between teams and knowing we are all working towards the same goal has been really rewarding.
When it comes to the landscape, cyber criminals are always evolving their tactics and continue to increase efforts against businesses of all sizes. Security is not a ‘nice to have’; It’s a priority for all businesses and industries, so it’s a field that’s very stable and always growing.
Cybersecurity can also be challenging because it is a crowded market but where Rapid7 has a competitive advantage is in consolidation. Our customers don’t have to work with multiple vendors to satisfy all aspects of their security needs, we can consolidate multiple products and offerings into one cost with one vendor. We’ve come a long way in growing our portfolio and responding to the customers needs, and we are well positioned to continue that growth into 2024 and beyond.
What I enjoy most is being able to build lasting relationships with our partners. Partners want to work with trusted brands that are leaders in the space and we have that here at Rapid7. Being that trusted voice and growing the relationship, while educating them about our offerings, enables me to have a positive impact.
Another thing I find rewarding is the ability to create change and outcomes that our partners find valuable. We are a large company, but we are still agile enough to pivot when needed and our culture is one that is supportive of asking questions and sharing new ideas that we can bring to fruition.
2024 is exciting because our channel team is at the forefront of impacting growth across the organization. We are investing heavily in our partnerships and partner programs, and are making strides with the channel community more than ever. Our company strategy and goals are really clear, and we’re all excited to execute and drive positive impact for the business.
With incredible product offerings and an opportunity to foster and grow partner relationships, there is no better time to be a part of this journey. 2024 is going to be a huge year for us!
Interested in learning more about working for Rapid7? Click here for our careers page, or view all open sales opportunities.
Post Syndicated from John Lee original https://www.servethehome.com/intel-xeon-ee-with-vran-boost-sku-list/
We get into the Intel Xeon EE with vRAN Boost SKUs and see how these 5G infrastructure products use different dies
The post Intel Xeon EE with vRAN Boost SKU List appeared first on ServeTheHome.
Post Syndicated from jake original https://lwn.net/Articles/953783/
Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4).
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=4xWiqZkP6_0
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/12/ai-and-mass-spying.html
Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.
Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.
Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.
AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.
The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.
Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).
Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.
There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.
This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.
Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.
Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.
In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.
We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?
This essay originally appeared in Slate.
Post Syndicated from Claire Johnson original https://www.raspberrypi.org/blog/culturally-relevant-pedagogy-areas-opportunity-adapting-lessons/
Underrepresentation in computing is a widely known issue, in industry and in education. To cite some statistics from the UK: a Black British Voices report from August 2023 noted that 95% of respondents believe the UK curriculum neglects black lives and experiences; fewer students from working class backgrounds study GCSE Computer Science; when they leave formal education, fewer female, BAME, and white working class people are employed in the field of computer science (Kemp 2021); only 21% of GCSE Computer Science students, 15% at A level, and 22% at undergraduate level are female (JCQ 2020, Ofqual 2020, UCAS 2020); students with additional needs are also underrepresented.
Such statistics have been the status quo for too long. Many Computing teachers already endeavour to bring about positive change where they can and engage learners by including their interests in the lessons they deliver, so how can we support them to do this more effectively? Extending the reach of computing so that it is accessible to all also means that we need to consider what formal and informal values predominate in the field of computing. What is the ‘hidden’ curriculum in computing that might be excluding some learners? Who is and who isn’t represented?
In a recent research seminar, Katharine Childs from our team outlined a research project we conducted, which included a professional development workshop to increase primary teachers’ awareness of and confidence in culturally relevant pedagogy. In the workshop, teachers considered how to effectively adapt curriculum materials to make them culturally relevant and engaging for the learners in their classrooms. Katharine described the practical steps teachers took to adapt two graphics-related units, and invited seminar participants to apply their learning to a graphics activity themselves.
Culturally relevant pedagogy is a teaching framework which values students’ identities, backgrounds, knowledge, and ways of learning. By drawing on students’ own interests, experiences and cultural knowledge educators can increase the likelihood that the curriculum they deliver is more relevant, engaging and accessible to all.
The idea of culturally relevant pedagogy was first introduced in the US in the 1990s by African-American academic Gloria Ladson-Billings (Ladson-Billings 1995). Its aim was threefold: to raise students’ academic achievement, to develop students’ cultural competence and to promote students’ critical consciousness. The idea of culturally responsive teaching was later advanced by Geneva Gay (2000) and more recently brought into focus in US computer science education by Kimberly Scott and colleagues (2015). The approach has been localised for England by Hayley Leonard and Sue Sentance (2021) in work they undertook here at the Foundation.
Katharine began her presentation by explaining that the professional development workshop in the Primary culturally adapted resources for computing project built on two of our previous research projects to develop guidelines for culturally relevant and responsive computing and understand how teachers used them in practice. This third project ran as a pilot study funded by Cognizant, starting in Autumn 2022 with a one-day, in-person workshop for 13 primary computing teachers
Katharine then introduced us to the 10 areas of opportunity (AO) our research at the Raspberry Pi Computing Education Research Centre had identified for culturally relevant pedagogy. These 10 areas were used as practical prompts to frame the workshop discussions:
At first glance it is easy to think that you do most of those things already, or to disregard some items as irrelevant to the computing curriculum. What would your own cultural identity (see AO2) have to do with computing, you might wonder. But taking a less complacent perspective might lead you to consider all the different facets that make up your identity and then to think about the same for the students you teach. You may discover that there are many areas which you have left untapped in your lesson planning.
Katharine explained how this is where the professional development workshop showed itself as beneficial for the participants. It gave teachers the opportunity to reflect on how their cultural identity impacted on their teaching practices — as a starting point to learning more about other aspects of the culturally relevant pedagogy approach.
Our researchers were interested in how they could work alongside teachers to adapt two computing units to make them more culturally relevant for teachers’ specific contexts. They used the Computing Curriculum units on Photo Editing (Year 4) and Vector Graphics (Year 5).
Katharine illustrated some of the adaptations teachers and researchers working together had made to the emoji activity above, and which areas of opportunity (AO) had been addressed; this aspect of the research will be reported in later publications.
Although the numbers of participants in this pilot study was small, the findings show that the professional development workshop significantly increased teachers’ awareness of culturally relevant pedagogy and their confidence in adapting resources to take account of local contexts:
These quantitative shifts in perspective indicate a positive effect of the professional development pilot.
Katharine described that in our qualitative interviews with the participating teachers, they expressed feeling that their understanding of culturally relevant pedagogy had increased and they recognized the many benefits to learners of the approach. They valued the opportunity to discuss their contexts and to adapt materials they currently used with other teachers, because it made it a more ‘authentic’ and practical professional development experience.
The seminar ended with breakout sessions inviting viewers to consider possible adaptations that could be made to the graphics activities which had been the focus of the workshop.
In the breakout sessions, attendees also discussed specific examples of culturally relevant teaching practices that had been successful in their own classrooms, and they considered how schools and computing educational initiatives could support teachers in their efforts to integrate culturally relevant pedagogy into their practice. Some attendees observed that it was not always possible to change schemes of work without a ‘whole-school’ approach, senior leadership team support, and commitment to a research-based professional development programme.
The seminar reminds us that the education system is not culture neutral and that teachers generally transmit the dominant culture (which may be very different from their students’) in their settings (Vrieler et al, 2022). Culturally relevant pedagogy is an attempt to address the inequities and biases that exist, which result in many students feeling marginalised, disenfranchised, or underachieving. It urges us to incorporate learners’ cultures and experiences in our endeavours to create a more inclusive computing curriculum; to adopt an intersectional lens so that all can thrive.
As a pilot study, the workshop was offered to a small cohort of 13, yet the findings show that the intervention significantly increased participants’ awareness of culturally relevant pedagogy and their confidence in adapting resources to take account of local contexts.
Of course there are many ways in which teachers already adapt resources to make them interesting and accessible to their pupils. Further examples of the sort of adaptations you might make using these areas of opportunity include:
Can you see an opportunity for integrating culturally relevant pedagogy in your classroom? We would love to hear about examples of culturally relevant teaching practices that you have found successful. Let us know your thoughts or questions in the comments below.
You can watch Katharine’s seminar here:
You can download her presentation slides on our ‘previous seminars’ page, and you can read her research paper.
To get a practical overview of culturally relevant pedagogy, read our 2-page Quick Read on the topic and download the guidelines we created with a group of teachers and academic specialists.
Tomorrow we’ll be sharing a blog about how the learners who engaged with the culturally adapted units found the experience, and how it affected their views of computing. Follow us on social media to not miss it!
On 12 December we’ll host the last seminar session in our series on primary (K-5) computing. Anaclara Gerosa will share her work on how to design and structure early computing activities that promote and scaffold students’ conceptual understanding. As always, the seminar is free and takes place online at 17:00–18:30 GMT / 12:00–13:30 ET / 9:00–10:30 PT / 18:00–19:30 CET. Sign up and we’ll send you the link to join on the day.
In 2024, our new seminar series will be about teaching and learning programming, with and without AI tools. If you’re signed up to our seminars, you’ll receive the link to join every monthly seminar.
The post Engaging primary Computing teachers in culturally relevant pedagogy through professional development appeared first on Raspberry Pi Foundation.
Post Syndicated from Matthew Garrett original https://mjg59.dreamwidth.org/68537.html
There’s a decent number of laptops with fingerprint readers that are supported by Linux, and Gnome has some nice integration to make use of that for authentication purposes. But if you log in with a fingerprint, the moment you start any app that wants to access stored passwords you’ll get a prompt asking you to type in your password, which feels like it somewhat defeats the point. Mac users don’t have this problem – authenticate with TouchID and all your passwords are available after login. Why the difference?
Fingerprint detection can be done in two primary ways. The first is that a fingerprint reader is effectively just a scanner – it passes a graphical representation of the fingerprint back to the OS and the OS decides whether or not it matches an enrolled finger. The second is for the fingerprint reader to make that determination itself, either storing a set of trusted fingerprints in its own storage or supporting being passed a set of encrypted images to compare against. Fprint supports both of these, but note that in both cases all that we get at the end of the day is a statement of “The fingerprint matched” or “The fingerprint didn’t match” – we can’t associate anything else with that.
Apple’s solution involves wiring the fingerprint reader to a secure enclave, an independently running security chip that can store encrypted secrets or keys and only release them under pre-defined circumstances. Rather than the fingerprint reader providing information directly to the OS, it provides it to the secure enclave. If the fingerprint matches, the secure enclave can then provide some otherwise secret material to the OS. Critically, if the fingerprint doesn’t match, the enclave will never release this material.
And that’s the difference. When you perform TouchID authentication, the secure enclave can decide to release a secret that can be used to decrypt your keyring. We can’t easily do this under Linux because we don’t have an interface to store those secrets. The secret material can’t just be stored on disk – that would allow anyone who had access to the disk to use that material to decrypt the keyring and get access to the passwords, defeating the object. We can’t use the TPM because there’s no secure communications channel between the fingerprint reader and the TPM, so we can’t configure the TPM to release secrets only if an associated fingerprint is provided.
So the simple answer is that fingerprint unlock doesn’t unlock the keyring because there’s currently no secure way to do that. It’s not intransigence on the part of the developers or a conspiracy to make life more annoying. It’d be great to fix it, but I don’t see an easy way to do so at the moment.
comments
Post Syndicated from original https://www.toest.bg/za-festivalite-skandalite-i-shablonite-v-literaturata-razgovor-s-amelia-licheva/
Днес започва Софийският международен литературен фестивал, на който сте програмен директор. Какво да очакваме от тазгодишното му издание, какви смели хоризонти си поставя той?
Най-смелата амбиция на програмния ни екип, в който тази година сме с Дария Карапеткова, е привличането на истински звезди. България е малък пазар с лош имидж и е доста трудно, но не се отказваме лесно – и тази година имаме резултат. Българската публика ще може да слуша на живо Франко Морети, Лейла Слимани, Дача Мараини, Стефан Хертманс, Ия Йенберг, Агустина Бастерика. И още нещо. Надяваме се да култивираме вкус у публиката към една световна проблематика и да накараме повече хора да дойдат на тези срещи. Ако успеем, това ще е успех не просто за фестивала, а за ролята на литературата в съвремието ни.
Съгласна ли сте, че в българския контекст обаче значимо литературно събитие може да бъде създадено само и единствено отвън навътре и че това в някаква степен говори за провинциализъм, за несигурност и нужда от припознаване?
Нормално е големият успех навън да генерира събитие вътре, така че, ако вземем успехите на Георги Господинов в чужбина например, намирам за съвсем редно това, че в България най-после много хора разбраха за „Времеубежище“, че се редяха на опашки, че младите се припознават в Господинов и в успеха му и виждат модел за подражание. Още повече че в случая става дума за реален успех, а не е просто хвалбата, която разтръбява всеки, оказал се с две-три стихотворения или един разказ, преведени и публикувани някъде.
Това, разбира се, не отменя факта, че събития според мен се произвеждат и на родна почва, при автори, които събират големи групи читатели и за чиито книги се говори много – като Милен Русков, Захари Карабашлиев, Здравка Евтимова…
Честно да Ви кажа, мен ме притеснява друг наш провинциализъм – че не успяваме да видим събитията около преводите на съвременни чужди автори, които казват много за днешното. Маргарет Атууд не е звезда у нас. И Салман Рушди не е. Или поне са звезди за малцина. И не отиваме да слушаме големите, когато са тук – не се редим на опашка за Марио Варгас Льоса или за Иън Макюън. Знаете ли, че когато Ерве льо Телие гостува във Френския институт, имаше не повече от трима български писатели в публиката?!
В тази връзка ще обърна смисъла на това, което казвате, и ще Ви задам един от въпросите, подготвени за по-късно. Кой тип родна литература и автори бихте искала да видите повече представени пред света? Имаме ли и други готови за световната сцена имена, за които и родната ни публика (понякога), и чуждата не подозират?
На първо място, да се върна отново към това – българските писатели трябва да са по-малко провинциални и повече световни. Но не да вземат популярни сюжети и истории, които изглеждат като кръпки и в които липсва автентичност, а да се опитват да създават глобални сюжети на добър език, които да успяват да пречупят през родното.
Ще дам пример с един роман, около който не се вдигна шум – „Симулацията“ на Паулина Георгиева. Той задава добър път за излизане от регионалното и прицелване в по-широка публика. Силна книга – в жанра на философско-авантюрното писане, малко тип роман на израстването, пък е „Хагабула“ на Тодор П. Тодоров, която е великолепна и като език. Не искам да кажа, че българските писатели трябва да спрат да разказват български истории, но нека не е само това. Така че очаквам с интерес следващите книги на Момчил Миланов, Йоанна Елми, Радослав Бимбалов, Тодор П. Тодоров, Валентин Калинов, Вашите…
Вземам повод от един Ваш стих, за да попитам: устои на властта ли са клишетата? Има ли – и в споменатите горе имена ли я виждате – реална съпротива срещу клишетата в днешната ни литература?
Да, устои са, доколкото мисленето в клишета, писането през клишета, утвърждава модели, които подхранват баналното, лесното, държат обществото в ступора на апатията и примирението. Не казвам, че литературата трябва да представя настоящето по един публицистичен начин, за да генерира бунт срещу безобразията, на които сме ежедневни свидетели. Не е идеята Пеевски да се превърне в литературен герой, за да осъзнаят читателите, че нещо с морала не е наред. Ролята на литературата е да бъде територия на съпротива срещу моделите, за да помогне на всички ония, които се задъхват от настоящето ни. От появилите се наскоро романи виждам такава съпротива в новия роман на Теодора Димова „Не ви познавам“. Може би и затова той се посреща с едно странно мълчание от страна на критиката.
А способен ли е изобщо литературният истаблишмънт у нас днес да открои различното, задаващото нови, неусвоени, неподозирани дори посоки? Не става ли така, че всяка година (напомням тук, че самата Вие участвате в литературни журита) се препотвърждава утъпканото, сигурното, „отличниците“, изявили се в утвърдените модели?
Не мога да отговоря еднозначно. Понякога само някой от членовете на журито отличава или номинира автори, които не са толкова известни. Лаская се да мисля, че аз не се ограничавам до утвърдените имена, когато журирам, а съм склонна да отлича доброто писане. Опитвала съм в такива конкурси да отлича и Вас, и Йоанна Елми… Понякога и цели журита отличават книги, които са нестандартни, но нови като нагласи, език, теми – както беше с „Хагабула“. Като цяло смятам, че опираме до личния вкус и личната съвест на всеки един от хората, поели ангажимента за публичността на българската литература.
Особено големи литературни скандали като че ли не са типични за нашето поколение (може би за разлика от определени настроения и нагласи в социалните мрежи, които са крайно поляризирани), но напоследък нашумя историята около финансирането на преводи на български книги от НФК. Чуха се противоречиви, но като че ли еднакво легитимни мнения. Къде според Вас се крие зародишът на проблема и кой е правилният подход за разрешаването му?
Да, скандалът всъщност беше голям и имаше идея преводачите да бойкотират изцяло кандидатстването, защото не може да ограничиш езиците, които да подпомагаш, още повече когато голям процент от преводите на българска литература излизат в региона на Балканите. Така че идеята за подпомагане на преводите само в държавите в Европейския съюз не е коректна, а и не е разумна. Не говоря за техническите параметри на кандидатстването, които ни правят смешни. И разбира се, стои големият проблем с малката сума, която се отпуска за подпомагане на преводи на българска литература.
Ако няма масирана политика от страна на държавата, няма как да очакваме да ни четат. Докато не се промени това, появата на български заглавия ще продължи да зависи от личните усилия на преводачите, които трябва да преодоляват всички бариери с непознаването ни. България не е страна с добър публичен образ по света, тъкмо напротив, и през литературата ние бихме могли да го променим, ако държавата го проумее и ако писателите ни започнат да пишат и по теми, които вълнуват хората по принцип, а не засягат единствено нас.
Предвид обвързаността Ви с магистърската програма за преводачи/редактори в СУ „Св. Климент Охридски“ – оформя ли се изцяло ново поколение качествени преводачи и какво е характерно за подхода и работата му?
Магистърската програма „Преводач-редактор“ всяка година събира много интересни млади хора с хъс и желание за работа. Те учат при някои от най-добрите практици в полето на филологическото и неслучайно част от най-добрите нови преводачи са възпитаници на програмата – Майре Буюклиева, Стефан Русинов, Мая Ненчева, Радостин Желев, Радослав Папазов…
На скорошна среща дискусия между издатели беше отбелязана въпиещата нужда от качествени редактори на съвременна българска и преводна литература. Споделяте ли мнението, че това е слабо място в книгоиздаването ни? И тъй като има различни подходи към редактирането – в какво се състои и докъде трябва да се простира то според вас?
Да, смятам, че дефицитите в тази посока са огромни. Редакторите на преводни книги трябва да владеят езика, на който е оригиналът, за да не редактират българския в посока изглаждане или украсяване. Много често обаче те просто шлифоват българския, а това не е професионално. Що се отнася до редакторите на българска литература, те трябва да имат авторитет, за да бъдат чувани. Много книги биха спечелили, ако значително намалят бъбривостта си. Но трябва всички пишещи да се научим да слушаме.
Като декан на Факултета по славянски филологии какви са за Вас перспективите пред хуманитарните дисциплини у нас?
Знаете ли, в кампанията на кандидат-ректорите трайно се чу идеята за нуждата от интердисциплинарност. Смятам, че вече всички узряхме за това. А интердисциплинарността е първата крачка към връщане на авторитета на хуманитаристиката. Защото ще стане ясно, че без нея няма как да си обясним ставащото нито в генетиката, нито с изкуствения интелект. Защото тя говори за смисъла на човешкото, без който никоя наука няма да ни помогне да вървим напред.
В заключение, многополюсен или еднополюсен ви се струва българският литературен модел, ако използваме геополитическото клише?
По-скоро ми стои еднополюсен. Няма да се уморя да говоря за това, че големите теми на днешното не присъстват в съвременното българско писане – политически и екологични катаклизми, бежански вълни, сблъсък на цивилизации, съдбата на Европа… Ние още дълбаем Прехода, мутрите, социалистическото живеене. Е, не че последните не са важни, но нека малко се надскочим, за да усетят читателите, че и нещо небългарско вълнува българската литература. Докога тезата, че сме граждани на света, ще бъде куха?
Post Syndicated from Patrick Nemeroff original http://blog.cloudflare.com/latest-copyright-decision-in-germany-rejects-blocking-through-global-dns-resolvers/
A recent decision from the Higher Regional Court of Cologne in Germany marked important progress for Cloudflare and the Internet in pushing back against misguided attempts to address online copyright infringement through the DNS system. In early November, the Court in Universal v. Cloudflare issued its decision rejecting a request to require public DNS resolvers like Cloudflare’s 1.1.1.1. to block websites based on allegations of online copyright infringement. That’s a position we’ve long advocated, because blocking through public resolvers is ineffective and disproportionate, and it does not allow for much-needed transparency as to what is blocked and why.
To see why the Universal decision matters, it’s important to understand what a public DNS resolver is, and why it’s not a good place to try to moderate content on the Internet.
The DNS system translates website names to IP addresses, so that Internet requests can be routed to the correct location. At a high-level, the DNS system consists of two parts. On one side sit a series of nameservers (Root, TLD, and Authoritative) that together store information mapping domain names to IP addresses; on the other side sit DNS resolvers (also called recursive resolvers), which query the nameservers to answer where a particular website is located. The nameservers are like the telephone book listing names and phone numbers, while recursive resolvers are like the phone operator looking up a number.
While authoritative nameservers are managed and used directly by website operators, recursive resolvers are selected and used by those browsing the Internet. If you’re reading this at work, you may have navigated to this webpage using a DNS resolver chosen by your employer. If you’re reading it on a personal device at home, it’s possible you used your ISP’s default resolver. Alternatively, with a little technical know-how, you might have built your own DNS resolver and run it yourself or you might have chosen to use one of many public DNS resolvers available on the Internet.
Cloudflare launched its public DNS resolver, 1.1.1.1 in April 2018, because we wanted to provide a fast and private way to navigate the Internet. While Cloudflare’s resolver regularly scores as the fastest around, it is one of a number of options. Other well known public resolvers include Google’s 8.8.8.8, Cisco’s OpenDNS, and Quad9. Users might choose a public DNS resolver for privacy reasons, for added safety or security, or simply because they want the best performing option available. Whatever their reason, individuals can switch their DNS resolver at any time.
Like other links in the Internet connection chain, DNS resolvers have sometimes been used as a way to try to prevent access to content. Blocking at the resolver level is like removing a listing from a phone book. By refusing to return an IP address in response to requests for a particular website, a DNS resolver can make it appear like an entire website has effectively disappeared from the Internet to an individual using that resolver. Unlike removing the content at the hosting provider, however, the content is still accessible online, just a bit harder to find. Much as having an unlisted phone number didn’t prevent a phone number from being found through other channels and called, a block in a resolver doesn’t preclude an Internet user from navigating to a website in a myriad of other ways. A user can use an alternative resolver, build their own resolver, or simply type in the website’s IP address.
Because DNS returns IP addresses for entire domains, blocking through DNS resolvers can only be done at a domain-wide level; it is not possible to block specific pieces of content, individual webpages, or even subdomains without blocking the entire website. So a blocking order seeking to remove a copyrighted image through DNS blocking — especially for a website with many contributors or user-generated content — would result in blocking all content on the entire domain. That means that unless the entire website is a problem, applying a block through DNS is likely to block access to content that has not been identified by a court as infringing or otherwise problematic.
The way DNS blocking works — declining to return an IP address — also means there is no explanation provided to an individual as to why they were unable to access the website at issue. There is no notice or transparency. Although there have been proposals for protocols that would allow an error code to be returned in such cases, nothing has yet been implemented.
Internet Service Providers (ISPs) located in particular jurisdictions have sometimes instituted blocks through their DNS resolvers as one way to try to comply with orders that apply in that jurisdiction directing them to make certain websites inaccessible to their users. For example, a German ISP that serves only German users might have its DNS resolver refuse to return an IP address for a website when provided an order by a German court to block that entire site.
Rightsholders have recently sought to extend such blocking to public DNS resolvers. But public DNS resolvers aren’t the same as DNS resolvers operated by a local ISP. Public DNS resolvers typically operate the same way around the globe. That means that if a public resolver applied the block the way an ISP does, it would apply everywhere. So the German court ordering the block would be dictating what information is available to the resolver’s users in India, the United States, Argentina and every other country the resolver is used. Attempting to apply blocks in a more geographically targeted way based on the location of individual resolver users raises serious technical hurdles not faced by local ISPs, and it also raises privacy issues worth taking seriously.
Cloudflare built 1.1.1.1 to allow Internet users an option for DNS resolution that would be fast and wouldn’t collect their personal information. Many DNS operators have historically sold information about users based on the websites they have queried – 1.1.1.1 is designed to prevent such information from ever being collected. Blocking orders directed at public resolvers would require the collection of information about where the requests are coming from in order to limit these negative impacts while demonstrating compliance. That would be bad for personal privacy and bad for the Internet.
These core features of public resolvers present fundamental obstacles to using such resolvers to block content.
Consider what you would expect if a website you were trying to visit had been blocked due to legal order. First, you would expect that the blocked content is genuinely prohibited by law. You would not expect an entire website to be unavailable merely because some portion of the website violated copyright, and you also would not expect a website to be blocked to a visitor in one country by virtue of an order issued in an entirely different country on the other side of the world.
Second, you would expect to be told why the website is unavailable. Rather than a blank screen or no response, you would want a message explaining that the website has been ordered blocked, and identifying the legal authority for that action.
Finally, you would expect that whatever blocking mechanism was instituted is actually effective. We should not be changing fundamental ways about how the Internet operates if it will not even have the intended effect.
Blocking through public resolvers fails all of these requirements. As discussed above, it cannot be applied narrowly to particular content or particular geographies. Unlike ISP blocking that is necessarily limited to the geographic region in which the ISP operates, blocking through global public resolvers can only be implemented in a way that extends across borders to jurisdictions that might never have sought to block the same content. That is, unless we collect more personal information than we need to about the user.
It’s also not transparent. A user does not know that they have been blocked from seeing content by a court order. They only know that they cannot access the website.That makes it hard for the public to hold government officials accountable for errors or overblocking.
And it’s not even effective. Traditionally, website operators or hosting providers are ordered to remove infringing or illegal content, which is an effective way to make sure that information is no longer available. A DNS block works only as long as the individual continues to use the resolver, and the content remains available and will become accessible again as soon as they switch to another resolver, or build their own.
Despite these problems, some rightsholders have insisted that public resolvers can be ordered to block websites based on online infringement. Cloudflare, along with others like Quad9 and Google, have pushed back. While there have been a limited number of preliminary rulings on this issue, the Higher Regional Court’s decision in Universal marks the first time that an appellate court in Europe has ruled on public resolver blocking in the main proceedings.
Originally filed in 2019, the Universal case was one of the first attempts by a rightsholder to obtain an order requiring blocking through a public DNS resolver. The case concerns an allegedly copyright infringing music album posted on a website that, at the time the case was filed, was using Cloudflare’s pass-through security and CDN services. The Cologne Regional Court issued a preliminary ruling directing Cloudflare to block the website through both our CDN service and our public resolver. Cloudflare has no mechanism for blocking websites through 1.1.1.1., and we have never blocked a website through our public resolver. But Cloudflare did take steps to block access to the website in Germany through our CDN and pass-through security service. The website subsequently went offline and is no longer available on the Internet. Recognizing the importance of the underlying legal principles at stake, we nonetheless continued to litigate the case.
The Higher Regional Court’s recent decision makes clear that public DNS resolvers are not an appropriate tool for seeking to address online infringement, or moderate content more generally. The court explained that “with the DNS resolver, the defendant provides a tool that is accessible to everyone free of charge, is in the public interest and is approved, and which participates purely passively, automatically and neutrally in the connection of Internet domains.” It further noted that blocking through a public resolver is not effective, because individuals can easily change resolvers.
Importantly, the court held that DNS services are protected by the EU’s Digital Services Act (DSA), which was enacted last year. Like the e-Commerce Directive before it, the DSA recognizes that different types of services have different abilities to address content issues, and it distinguishes “mere conduit” and “caching” services from “hosting” services in their roles in addressing infringing content. Helpfully, the DSA expressly lists DNS and CDN services as non-hosting services subject to different obligations than hosting services. The Higher Regional Court recognized that DNS resolvers are entitled to the same protections from liability as other “mere conduits,” and it rejected the plaintiff’s request for DNS blocking in this case.
While the Higher Regional Court’s decision represents important progress on the DNS issue, the fight over how best to address online infringement continues. Rightsholders have filed lawsuits against other DNS providers and in other jurisdictions seeking similar blocking orders. We will continue to advocate against that outcome, because we think it is bad for the Internet. We hope that the Higher Regional Court’s reasoning on the DNS issue will help persuade other courts.
At the same time, while the Universal decision on DNS is the headline, there were other parts of the opinion that raise concerns. The court affirmed the lower court judgment requiring Cloudflare to block access to the website at issue through our CDN and pass-through security service. That decision has no immediate practical effect, because the website at issue is no longer available online and Cloudflare was already in compliance with the judgment. But to the extent the decision can be read to imply a broader obligation by pass-through security and CDN services to address online content, that is inconsistent with the nature of our services and with the DSA, which expressly identifies CDN services as among the caching services entitled to a liability privilege. Cloudflare therefore plans to appeal that aspect of the decision.
We appreciate the efforts of thoughtful judges to learn about how the Internet works and make sure their decisions are consistent with the larger public benefits of a well-functioning Internet, including security, reliability, and privacy. This decision marks further progress in Cloudflare’s fight to ensure that efforts to address online infringement are compatible with the technical nature of various Internet services, and with important legal and human rights principles around due process, transparency, and proportionality. We will continue that battle both through public advocacy and, as necessary, through litigation, as one more part of helping build a better Internet.
Post Syndicated from Patrick Nemeroff original http://blog.cloudflare.com/latest-copyright-decision-in-germany-rejects-blocking-through-global-dns-resolvers-fr-fr/
Une récente décision rendue par la Haute Cour régionale de Cologne, en Allemagne, représente un progrès important pour Cloudflare et l’Internet dans la lutte contre les tentatives malavisées d’utiliser le système DNS pour remédier aux violations de droits d’auteur en ligne. Au début du mois de novembre, le tribunal a rendu sa décision dans l’affaire Universal contre Cloudflare, rejetant une demande exigeant que les résolveurs DNS publics, tels que le service 1.1.1.1 de Cloudflare, bloquent des sites web sur le fondement d’allégations de violation du droit d’auteur en ligne. C’est une position que nous défendons depuis longtemps ; en effet, le blocage par les résolveurs publics est une mesure inefficace et disproportionnée, et n’offre pas la transparence indispensable concernant la nature des contenus bloqués et les raisons du blocage.
Pour comprendre l’importance de la décision dans l’affaire Universal, il est important de comprendre ce qu’est un résolveur DNS public et pourquoi ce service se prête difficilement aux tentatives de modération des contenus sur Internet.
Le système DNS traduit les noms de sites web en adresses IP, afin que les requêtes Internet puissent être acheminées vers le bon endroit. À un niveau élevé, le système DNS est composé de deux parties. D’un côté, on trouve une série de serveurs de noms (racine, TLD et de référence) qui, ensemble, stockent les informations qui établissent une correspondance entre les noms de domaine et les adresses IP. De l’autre, on trouve les résolveurs DNS (également appelés résolveurs récursifs), qui interrogent les serveurs de noms afin de déterminer où se trouve un site web particulier. Les serveurs de noms s’apparentent à un annuaire téléphonique qui répertorie les noms et les numéros de téléphone, tandis que les résolveurs récursifs s’apparentent à l’opérateur téléphonique qui recherche un numéro.
Tandis que les serveurs de noms de référence sont gérés et utilisés directement par les exploitants de sites web, les résolveurs récursifs sont sélectionnés et utilisés par les internautes. Si vous lisez cet article sur votre lieu de travail, peut-être avez-vous accédé à cette page web en utilisant un résolveur DNS choisi par votre employeur. Si vous le lisez sur un appareil personnel à votre domicile, il est possible que vous ayez utilisé le résolveur par défaut de votre fournisseur d’accès. Vous pouvez également, avec un peu de savoir-faire technique, avoir développé votre propre résolveur DNS et le gérer vous-même ou avoir choisi d’utiliser l’un des nombreux résolveurs DNS publics disponibles sur Internet.
Cloudflare a inauguré 1.1.1.1, son résolveur DNS public, en avril 2018 ; son objectif était d’offrir un moyen rapide et privé de naviguer sur Internet. Bien que le résolveur de Cloudflare soit régulièrement https://www.dnsperf.com/ – !dns-resolversévalué comme étant le plus rapide, il s’agit d’une option parmi d’autres. Parmi les autres résolveurs publics reconnus figurent le service 8.8.8.8 de Google, OpenDNS par Cisco et Quad9. Les utilisateurs peuvent choisir un résolveur DNS public pour des raisons de confidentialité, pour plus de sécurité, ou simplement parce qu’ils recherchent l’option la plus performante qui soit. Les utilisateurs particuliers peuvent changer de résolveur DNS à tout moment, quelle que soit la raison de leur choix.
À l’instar d’autres maillons de la chaîne de connexion Internet, les résolveurs DNS ont parfois été utilisés pour tenter d’interdire l’accès à des contenus. La mise en œuvre d’un blocage au niveau du résolveur est comparable à la suppression d’une entrée dans un annuaire téléphonique. En refusant de renvoyer une adresse IP en réponse à des requêtes concernant un site web particulier, un résolveur DNS peut donner l’impression à un internaute utilisant ses services qu’un site web entier a effectivement disparu d’Internet. Contrairement à la suppression d’un contenu au niveau du fournisseur d’hébergement, le contenu reste accessible en ligne ; toutefois, il devient un peu plus difficile à trouver. De même que l’absence d’un numéro de téléphone dans l’annuaire n’empêchait pas une personne de trouver ce numéro par d’autres moyens et même de l’appeler, le blocage d’un résolveur n’empêche pas un internaute d’accéder à un site web par une myriade d’autres moyens. L’utilisateur peut opter pour un autre résolveur, développer son propre résolveur ou simplement saisir l’adresse IP du site web.
Étant donné que le DNS renvoie des adresses IP correspondant à des domaines entiers, le blocage par le biais de résolveurs DNS peut uniquement être mis en œuvre à l’échelle d’un domaine. Il est impossible de bloquer des contenus spécifiques, des pages web individuelles ou même des sous-domaines sans bloquer l’ensemble d’un site web. Par conséquent, une ordonnance de blocage demandant la suppression d’une image protégée par le droit d’auteur par le biais du blocage DNS (en particulier dans le cas d’un site web réunissant de nombreux contributeurs ou contenus générés par l’utilisateur) entraînerait le blocage de la totalité des contenus sur l’ensemble du domaine. Cela signifie que sauf dans la mesure où un site web pose problème dans son ensemble, l’application d’un blocage par le biais du résolveur DNS est susceptible d’interdire l’accès à des contenus n’ayant pas été identifiés comme contrefaisants ou autrement problématiques par un tribunal.
Le mode de fonctionnement du blocage DNS (c’est-à-dire le refus de renvoyer une adresse IP) signifie également que l’internaute ne reçoit aucune explication concernant la raison pour laquelle il n’a pas pu accéder au site web en question. Cette approche n’offre aucune notification, ni aucune transparence. Bien que des propositions aient été formulées concernant des protocoles qui, dans de tels cas de figure, permettraient de renvoyer un code d’erreur, rien n’a encore été mis en œuvre.
Les fournisseurs d’accès Internet (FAI) situés dans des juridictions particulières ont parfois mis en œuvre des blocages par le biais de leurs résolveurs DNS afin d’essayer de se conformer à des ordonnances applicables dans cette juridiction, qui leur enjoignaient de rendre certains sites web inaccessibles à leurs utilisateurs. Par exemple, un fournisseur d’accès allemand servant uniquement des utilisateurs allemands pourrait, suite à l’ordonnance d’un tribunal ordonnant un blocage de l’intégralité d’un site web, configurer son résolveur DNS afin qu’il refuse de renvoyer l’adresse IP de ce site.
Des détenteurs de droits ont récemment cherché à étendre ce blocage aux résolveurs DNS publics. Toutefois, les résolveurs DNS publics ne sont pas comparables aux résolveurs DNS gérés par un fournisseur d’accès Internet local. Les résolveurs DNS publics fonctionnent généralement de la même manière dans le monde entier ; par conséquent, si un résolveur public appliquait ce blocage de la même manière qu’un FAI, ce blocage s’appliquerait partout. Un tribunal allemand ordonnant le blocage dicterait donc quelles informations sont accessibles aux utilisateurs du résolveur situés en Inde, aux États-Unis, en Argentine et dans tous les autres pays où est utilisé ce résolveur. Tenter d’appliquer des blocages de manière plus ciblée sur le plan géographique, en fonction de la localisation des utilisateurs de résolveurs individuels, pose de sérieux problèmes techniques auxquels ne sont pas confrontés les FAI locaux ; cette approche comporte également, au regard de la confidentialité, des problématiques qu’il convient de prendre au sérieux.
Cloudflare a créé 1.1.1.1 avec l’objectif de fournir aux internautes un service de résolution DNS rapide, qui ne collecte pas leurs informations personnelles. Historiquement, de nombreux opérateurs de DNS ont revendu des informations concernant leurs utilisateurs, sur la base des sites web qu’ils interrogeaient ; or, 1.1.1.1 est conçu pour empêcher la collecte de telles informations. Les ordonnances de blocage visant les résolveurs publics nécessiteraient la collecte d’informations concernant l’origine des requêtes, afin de limiter ces effets délétères, tout en démontrant la conformité aux ordonnances. Cette situation serait préjudiciable à la fois à la confidentialité et à l’Internet.
Ces fonctionnalités essentielles des résolveurs publics constituent des obstacles fondamentaux à leur utilisation aux fins du blocage de contenus.
Réfléchissons aux implications du blocage, suite à une décision de justice, d’un site web que vous essayez de consulter. D’abord, vous supposeriez que les contenus bloqués soient réellement interdits par la loi. Vous ne supposeriez pas que l’intégralité d’un site web puisse être indisponible simplement parce qu’une partie du site web enfreint le droit d’auteur. Vous ne supposeriez pas non plus qu’un site web puisse être bloqué pour un visiteur situé dans un pays en vertu d’une ordonnance émise dans un tout autre pays, à l’autre bout du monde.
Ensuite, vous supposeriez que l’on vous informerait des raisons pour lesquelles le site est indisponible. Plutôt qu’un écran vide ou l’absence de réponse, vous souhaiteriez recevoir un message expliquant que le site web a été bloqué, et que ce message identifie l’autorité légale à l’origine de cette action.
Enfin, vous vous attendriez à ce que le mécanisme de blocage mis en place soit réellement efficace. Nous devrions nous abstenir de modifier des aspects fondamentaux du fonctionnement d’Internet si cette approche n’a même pas l’effet escompté.
Or, le blocage par le biais de résolveurs publics ne satisfait pas à toutes ces exigences. Comme nous l’avons expliqué plus haut, il ne peut pas être appliqué de manière restreinte à des contenus ou des secteurs géographiques particuliers. Contrairement au blocage par les FAI, qui se limite nécessairement à la région géographique dans laquelle le FAI opère, le blocage par l’intermédiaire des résolveurs publics mondiaux peut uniquement être mis en œuvre d’une manière qui s’étend au-delà des frontières, à des juridictions qui n’auraient peut-être jamais cherché à bloquer ce même contenu – sauf si nous recueillons plus d’informations personnelles que nécessaire sur l’utilisateur.
Par ailleurs, cette approche n’est pas non plus transparente ; un utilisateur ne saurait pas qu’il lui est interdit de consulter un contenu en raison d’une décision de justice. Il saurait uniquement qu’il ne peut pas accéder au site web. Il serait donc difficile pour le public de tenir les autorités gouvernementales responsables d’erreurs ou de blocages excessifs.
Enfin, cette approche n’est même pas efficace. Traditionnellement, les exploitants de sites web ou les hébergeurs reçoivent l’ordre de supprimer des contenus illicites ou illégaux, ce qui constitue un moyen efficace d’assurer que les informations concernées ne sont plus disponibles. Un blocage DNS ne fonctionne que tant que l’internaute continue à utiliser le résolveur ; le contenu reste disponible et redevient accessible dès qu’il utilise un autre résolveur ou développe son propre résolveur.
Malgré ces problèmes, certains détenteurs de droits ont insisté sur le fait que les résolveurs publics peuvent être contraints, par le biais d’ordonnances, de bloquer des sites web à la suite d’une violation en ligne. Cloudflare, ainsi que d’autres opérateurs tels que Quad9 et Google, a contesté cette déclaration. Un nombre limité de décisions préliminaires ont été rendues au regard de cette problématique ; cependant, la décision rendue par la Haute Cour régionale dans l’affaire Universal représente la première fois qu’une cour d’appel en Europe se prononce, dans le cadre de la procédure principale, sur la pratique du blocage par le biais des résolveurs publics.
L’affaire Universal, qui a débuté en 2019, est l’une des premières tentatives, par un détenteur de droits, d’obtenir une ordonnance exigeant le blocage par le biais d’un résolveur DNS public. L’affaire concerne un album de musique qui aurait prétendument enfreint le droit d’auteur et aurait été mis à disposition sur un site web qui, au moment où l’affaire a été portée devant les tribunaux, utilisait les services de sécurité intermédiaire et de réseau CDN de Cloudflare. La Haute Cour régionale de Cologne a rendu une décision préliminaire ordonnant à Cloudflare de bloquer le site web par l’intermédiaire de son service de réseau CDN et de son résolveur public. Cloudflare ne dispose d’aucun mécanisme permettant de bloquer les sites web via 1.1.1.1, et n’a jamais bloqué aucun site web par le biais de son résolveur public. Cependant, Cloudflare a pris des dispositions afin de bloquer l’accès au site web en Allemagne par le biais de son réseau CDN et de son service de sécurité intermédiaire. Le site a ensuite été mis hors ligne, et n’est désormais plus accessible sur Internet. Reconnaissant l’importance des principes juridiques sous-jacents en jeu, nous avons néanmoins continué à plaider l’affaire.
La récente décision rendue par la Haute Cour régionale indique clairement que les résolveurs DNS publics n’incarnent pas un outil approprié pour lutter contre les violations du droit d’auteur en ligne ou, plus généralement, modérer des contenus. Le tribunal a expliqué « qu’avec le résolveur DNS, le défendeur fournit un outil accessible à tous gratuitement, d’intérêt public et agréé, qui participe de manière purement passive, automatique et neutre à la connexion des domaines Internet ». Il a également noté que le blocage par le biais d’un résolveur public ne constitue pas une mesure efficace, car les individus peuvent facilement changer de résolveur.
Il est important de noter que le tribunal a estimé que les services DNS sont protégés par le règlement européen sur les services numériques (DSA, Digital Services Act), qui a été adopté l’année dernière. À l’instar de la directive européenne sur le commerce électronique qui le précède, le règlement DSA reconnaît que les différents types de services présentent différentes capacités pour traiter les problèmes relatifs aux contenus, et distingue les services de « simple transport » et de « mise en cache » des services « d’hébergement » au regard de leur rôle dans le traitement des contenus illicites. Une caractéristique du règlement DSA est qu’il stipule expressément que les services DNS et de réseau CDN ne sont pas des services d’hébergement, et sont donc soumis à des obligations différentes de ces derniers. La Haute Cour régionale a reconnu que les résolveurs DNS ont droit aux mêmes protections contre la responsabilité que d’autres services de « simple transport », et a rejeté la demande concernant le blocage DNS formulée par le plaignant dans cette affaire.
Bien que la décision de la Haute Cour régionale représente un progrès important au regard de la problématique des DNS, le conflit relatif à la meilleure façon de remédier aux violations en ligne se poursuit. Des détenteurs de droits ont intenté des actions en justice contre d’autres fournisseurs de DNS, dans d’autres juridictions, afin d’obtenir des ordonnances de blocage similaires. Nous continuerons à nous opposer à ce résultat, car nous considérons qu’il est préjudiciable pour l’Internet. Nous espérons que le raisonnement de la Haute Cour régionale concernant la problématique des DNS contribuera à convaincre d’autres tribunaux.
Dans le même temps, bien que la décision concernant les DNS dans l’affaire Universal fasse la une, d’autres aspects de l’avis rendu par le tribunal suscitent des inquiétudes. La Haute Cour régionale a confirmé le jugement du tribunal de première instance exigeant que Cloudflare bloque l’accès au site web concerné par l’intermédiaire de notre réseau CDN et de notre service de sécurité intermédiaire. Cette décision n’a guère d’effet concret immédiat, car le site web concerné n’est plus disponible en ligne, et Cloudflare s’était déjà conformée à l’arrêt. Cependant, cette décision peut être interprétée comme entraînant une obligation plus étendue pour les services de sécurité intermédiaire et de réseau CDN de traiter les problèmes liés aux contenus en ligne ; elle est, par conséquent, incompatible avec la nature de nos services et avec le règlement DSA, qui identifie expressément les services de réseau CDN comme faisant partie des services de mise en cache bénéficiant d’une clause de non-responsabilité. Cloudflare a donc l’intention d’interjeter appel concernant cet aspect de la décision.
Nous sommes reconnaissants aux magistrats réfléchis pour les efforts qu’ils font afin de s’informer sur le fonctionnement d’Internet et de s’assurer que leurs décisions sont cohérentes avec les avantages étendus qu’offre au public un Internet fonctionnel, notamment au regard de la sécurité, de la fiabilité et de la confidentialité. Cette décision marque un nouveau progrès dans le combat mené par Cloudflare afin d’assurer que les efforts mis en œuvre pour lutter contre les violations en ligne sont compatibles avec la nature technique des différents services Internet, ainsi qu’avec les importants principes juridiques et relatifs aux droits de l’homme que constituent l’équité procédurale, la transparence et la proportionnalité. Nous continuerons à mener ce combat à la fois par la sensibilisation du public et, le cas échéant, par la voie judiciaire, afin de contribuer à bâtir un Internet meilleur.
Post Syndicated from Explosm.net original https://explosm.net/comics/31628
New Cyanide and Happiness Comic
Post Syndicated from Eric Smith original https://www.servethehome.com/kioxia-cm7-pcie-gen5-nvme-ssd-review/
In our Kioxia CM7 review, we see how this PCIe Gen5 NVMe SSD performs as we test the drive on 20 different PCIe Gen4/ Gen5 server platforms
The post Kioxia CM7 PCIe Gen5 NVMe SSD Review appeared first on ServeTheHome.
Post Syndicated from Achraf Moussadek-Kabdani original https://aws.amazon.com/blogs/security/iam-access-analyzer-simplifies-inspection-of-unused-access-in-your-organization/
AWS Identity and Access Management (IAM) Access Analyzer offers tools that help you set, verify, and refine permissions. You can use IAM Access Analyzer external access findings to continuously monitor your AWS Organizations organization and Amazon Web Services (AWS) accounts for public and cross-account access to your resources, and verify that only intended external access is granted. Now, you can use IAM Access Analyzer unused access findings to identify unused access granted to IAM roles and users in your organization.
If you lead a security team, your goal is to manage security for your organization at scale and make sure that your team follows best practices, such as the principle of least privilege. When your developers build on AWS, they create IAM roles for applications and team members to interact with AWS services and resources. They might start with broad permissions while they explore AWS services for their use cases. To identify unused access, you can review the IAM last accessed information for a given IAM role or user and refine permissions gradually. If your company has a multi-account strategy, your roles and policies are created in multiple accounts. You then need visibility across your organization to make sure that teams are working with just the required access.
Now, IAM Access Analyzer simplifies inspection of unused access by reporting unused access findings across your IAM roles and users. IAM Access Analyzer continuously analyzes the accounts in your organization to identify unused access and creates a centralized dashboard with findings. From a delegated administrator account for IAM Access Analyzer, you can use the dashboard to review unused access findings across your organization and prioritize the accounts to inspect based on the volume and type of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM users and roles, the findings provide visibility into unused services and actions. With the IAM Access Analyzer integration with Amazon EventBridge and AWS Security Hub, you can automate and scale rightsizing of permissions by using event-driven workflows.
In this post, we’ll show you how to set up and use IAM Access Analyzer to identify and review unused access in your organization.
To generate unused access findings, you need to create an analyzer. An analyzer is an IAM Access Analyzer resource that continuously monitors your accounts or organization for a given finding type. You can create an analyzer for the following findings:
An analyzer for unused access findings is a new analyzer that continuously monitors roles and users, looking for permissions that are granted but not actually used. This analyzer is different from an analyzer for external access findings; you need to create a new analyzer for unused access findings even if you already have an analyzer for external access findings.
You can centrally view unused access findings across your accounts by creating an analyzer at the organization level. If you operate a standalone account, you can get unused access findings by creating an analyzer at the account level. This post focuses on the organization-level analyzer setup and management by a central team.
IAM Access Analyzer charges for unused access findings based on the number of IAM roles and users analyzed per analyzer per month. You can still use IAM Access Analyzer external access findings at no additional cost. For more details on pricing, see IAM Access Analyzer pricing.
To enable unused access findings for your organization, you need to create your analyzer by using the IAM Access Analyzer console or APIs in your management account or a delegated administrator account. A delegated administrator is a member account of the organization that you can delegate with administrator access for IAM Access Analyzer. A best practice is to use your management account only for tasks that require the management account and use a delegated administrator for other tasks. For steps on how to add a delegated administrator for IAM Access Analyzer, see Delegated administrator for IAM Access Analyzer.
Figure 1: Create analyzer page
Now that you’ve created the analyzer, IAM Access Analyzer starts reporting findings for unused access across the IAM users and roles in your organization. IAM Access Analyzer will periodically scan your IAM roles and users to update unused access findings. Additionally, if one of your roles, users or policies is updated or deleted, IAM Access Analyzer automatically updates existing findings or creates new ones. IAM Access Analyzer uses a service-linked role to review last accessed information for all roles, user access keys, and user passwords in your organization. For active IAM roles and users, IAM Access Analyzer uses IAM service and action last accessed information to identify unused permissions.
Note: Although IAM Access Analyzer is a regional service (that is, you enable it for a specific AWS Region), unused access findings are linked to IAM resources that are global (that is, not tied to a Region). To avoid duplicate findings and costs, enable your analyzer for unused access in the single Region where you want to review and operate findings.
Your analyzer aggregates findings from across your organization and presents them on a dashboard. The dashboard aggregates, in the selected Region, findings for both external access and unused access—although this post focuses on unused access findings only. You can use the dashboard for unused access findings to centrally review the breakdown of findings by account or finding types to identify areas to prioritize for your inspection (for example, sensitive accounts, type of findings, type of environment, or confidence in refinement).
Review the findings overview to identify the total findings for your organization and the breakdown by finding type. Figure 2 shows an example of an organization with 100 active findings. The finding type Unused access keys is present in each of the accounts, with the most findings for unused access. To move toward least privilege and to avoid long-term credentials, the security team should clean up the unused access keys.
Figure 2: Unused access finding dashboard
Review the dashboard to identify the accounts with the highest number of findings and the distribution per finding type. In Figure 2, the Audit account has the highest number of findings and might need attention. The account has five unused access keys and six roles with unused permissions. The security team should prioritize this account based on volume of findings and review the findings associated with the account.
In this section, we’ll show you how to review findings. We’ll share two examples of unused access findings, including unused access key findings and unused permissions findings.
As shown previously in Figure 2, the IAM Access Analyzer dashboard showed that accounts with the most findings were primarily associated with unused access keys. Let’s review a finding linked to unused access keys.
Figure 3: List of unused access findings
Figure 4: Finding example – Unused IAM user access keys
From here, you can investigate further with the development teams to identify whether the access keys are still needed. If they aren’t needed, you should delete the access keys.
Another goal that your security team might have is to make sure that the IAM roles and users across your organization are following the principle of least privilege. Let’s walk through an example with findings associated with unused permissions.
Figure 5: Finding example – Unused permissions
The security team now has a view of the unused actions for this role and can investigate with the development teams to check if those permissions are still required.
The development team can then refine the permissions granted to the role to remove the unused permissions.
Unused access findings notify you about unused permissions for all service-level permissions and for 200 services at the action-level. For the list of supported actions, see IAM action last accessed information services and actions.
IAM Access Analyzer categorizes findings as active, resolved, and archived. In this section, we’ll show you how you can act on your findings.
You can resolve unused access findings by deleting unused IAM roles, IAM users, IAM user credentials, or permissions. After you’ve completed this, IAM Access Analyzer automatically resolves the findings on your behalf.
To speed up the process of removing unused permissions, you can use IAM Access Analyzer policy generation to generate a fine-grained IAM policy based on your access analysis. For more information, see the blog post Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail.
You can suppress a finding by archiving it, which moves the finding from the Active tab to the Archived tab in the IAM Access Analyzer console. To archive a finding, open the IAM Access Analyzer console, select a Finding ID, and in the Next steps section, select Archive, as shown in Figure 6.
Figure 6: Archive finding in the AWS management console
You can automate this process by creating archive rules that archive findings based on their attributes. An archive rule is linked to an analyzer, which means that you can have archive rules exclusively for unused access findings.
To illustrate this point, imagine that you have a subset of IAM roles that you don’t expect to use in your tracking period. For example, you might have an IAM role that is used exclusively for break glass access during your disaster recovery processes—you shouldn’t need to use this role frequently, so you can expect some unused access findings. For this example, let’s call the role DisasterRecoveryRole. You can create an archive rule to automatically archive unused access findings associated with roles named DisasterRecoveryRole, as shown in Figure 7.
Figure 7: Example of an archive rule
IAM Access Analyzer exports findings to both Amazon EventBridge and AWS Security Hub. Security Hub also forwards events to EventBridge.
Using an EventBridge rule, you can match the incoming events associated with IAM Access Analyzer unused access findings and send them to targets for processing. For example, you can notify the account owners so that they can investigate and remediate unused IAM roles, user credentials, or permissions.
For more information, see Monitoring AWS Identity and Access Management Access Analyzer with Amazon EventBridge.
With IAM Access Analyzer, you can centrally identify, review, and refine unused access across your organization. As summarized in Figure 8, you can use the dashboard to review findings and prioritize which accounts to review based on the volume of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions. By reviewing and refining unused access, you can improve your security posture and get closer to the principle of least privilege at scale.
Figure 8: Process to address unused access findings
The new IAM Access Analyzer unused access findings and dashboard are available in AWS Regions, excluding the AWS GovCloud (US) Regions and AWS China Regions. To learn more about how to use IAM Access Analyzer to detect unused accesses, see the IAM Access Analyzer documentation.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security news? Follow us on Twitter.
Post Syndicated from Tristan Nguyen original https://aws.amazon.com/blogs/messaging-and-targeting/build-better-engagement-using-the-aws-community-engagement-flywheel-part-2-of-3/
Businesses are constantly looking for better ways to engage with customer communities, but it’s hard to do when profile data is limited to user-completed form input or messaging campaign interaction metrics. Neither of these data sources tell a business much about their customer’s interests or preferences when they’re engaging with that community.
To bridge this gap for their community of customers, AWS Game Tech created the Cohort Modeler: a deployable solution for developers to map out and classify player relationships and identify like behavior within a player base. Additionally, the Cohort Modeler allows customers to aggregate and categorize player metrics by leveraging behavioral science and customer data. In our first blog post, we talked about how to extend Cohort Modeler’s functionality.
In this post, you’ll learn how to:
For this example, we’re going to retrieve a cohort of individuals from our Cohort Modeler who we’ve identified as at risk:
Either way, we want to make sure they understand the risks of what they’re doing and who they’re dealing with.
Pinpoint provides various robust methods to import user contact and personalization data in specific formats, and once Pinpoint has ingested that data, you can use Campaigns or Journeys to send customized and personalized messaging to your cohort members – either via automation, or manually via the Pinpoint Console.
In this architecture, you’ll create a simple Amazon DynamoDB table that mimics a game studio’s database of record for its customers. You’ll then create a Trigger for Amazon Simple Storage Service (Amazon S3) bucket that will ingest the Cohort Modeler extract (created in the prior blog post) and convert it into a CSV file that Pinpoint can ingest. Lastly, once generated, the AWS Lambda function will prompt Pinpoint to automatically ingest the CSV as a static segment.
Once the automation is complete, you’ll use Pinpoint’s console to quickly and easily create a Campaign, including an HTML mail template, to the imported segment of players you identified as at risk via the Cohort Modeler.
At this point, you should have completed the steps in the prior blog post, Extending the Cohort Modeler. This is all you’ll need to proceed.
Now that we’ve extended the Cohort Modeler and built a way to extract cohort data into an S3 bucket, we’ll transform that data into a Segment in Pinpoint, and use the Pinpoint Console to send a message to the members of the Cohort via a Pinpoint Campaign. In this walkthrough, you’ll:
You’ll need a Pinpoint Project (sometimes referred to as an “App”) to send messaging to your cohort members, so navigate to the Pinpoint console and click Create a Project.
For this step, you’re emulating a game studio’s database of record for its players, and therefore the Lambda function that you’re creating, (to merge Cohort Modeler data with the database of record) is also an emulation.
In a real-world situation, you would use the same ingestion method as the S3TriggerCohortIngest.py example that will be created further below. However, instead of using placeholder data, you would use the ‘playerId’ information extracted from the Cohort Modeler. This would allow you to formulate a specific query against your main database, whether it requires an SQL statement, or some other type of database query.
Navigate to the DynamoDB Console. You’re going to create a table with ‘playerId’ as the Primary key, and four additional attributes: email, favorite role, first name, and last name.
You’ll need some synthetic data in the database, so that your Cohort Modeler-Pinpoint integration can query the database, retrieve contact information, and then import that contact information into Pinpoint as a Segment.
| A | B | C | D | E | |
| 1 | playerId | favoriteRole | firstName | lastName | |
| 2 | xortiz | [email protected] | Healer | Tristan | Nguyen |
| 3 | msmith | [email protected] | DPS | Brett | Ezell |
Now that the table’s populated, you can build the integration between Cohort Modeler and your new “database of record,” allowing you to use the cohort data to send messages to your players.
Pinpoint requires a CSV or JSON file stored on S3 to run an Import Segment job, so we’ll need a bucket (separate from our Cohort Modeler Export bucket) to facilitate this.
Before creating the Lambda function, we need to create a role that allows the Cohort Modeler data to be imported into Amazon Pinpoint in the form of a segment.
For more details on how to create an IAM role to allow Amazon Pinpoint to import endpoints from the S3 Bucket, refer to this documentation. Otherwise, you can follow the instructions below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "pinpoint.amazonaws.com"
},
"Condition": {
"StringEquals": {
"aws:SourceAccount": "accountId"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:mobiletargeting:region:accountId:apps/application-id"
}
}
}
]
}You’ll need to create a Lambda function for S3 to trigger when Cohort Modeler drops its export files into the export bucket, as well as the connection to the Cohort Modeler export bucket to set up the trigger. The steps below will take you through the process.
Head to the Lambda service menu, and from Functions page, choose Create function. From there:
import json
import os
import uuid
import urllib
import boto3
from botocore.exceptions import ClientError
### S3TriggerCohortIngest
# We get activated once we're triggered by an S3 file getting Put.
# We then:
# - grab the file from S3 and ingest it.
# - negotiate with a DB of record (Dynamo in our test case) to pull the corresponding player data.
# - transform that record data into a format Pinpoint will interpret.
# - Save that CSV into a different S3 bucket, and
# - Instruct Pinpoint to ingest it as a Segment.
# save the CSV file to a random unique filename in S3
def save_s3_file(content):
# generate a random uuid csv filename.
fname = str(uuid.uuid4()) + ".csv"
print("Saving data to file: " + fname)
try:
# grab the S3 bucket name
s3_bucket_name = os.environ['S3BucketName']
# Set up the S3 boto client
s3 = boto3.resource('s3')
# Lob the body into the object.
object = s3.Object(s3_bucket_name, fname)
object.put(Body=content)
return fname
# If we fail, say why and exit.
except ClientError as error:
print("Couldn't store file in S3: %s", json.dumps(error.response))
return {
'statuscode': 500,
'body': json.dumps('Failed access to storage.')
}
# Given a list of users, query the user dynamo db for their account info.
def query_dynamo(userlist):
# set up the dynamo client.
ddb_client = boto3.resource('dynamodb')
# Set up the RequestIems object for our query.
batch_keys = {
'userdata': {
'Keys': [{'playerId': user} for user in userlist]
}
}
# query for the keys. note: currently no explicit error-checking for <= 100 items.
try:
db_response = ddb_client.batch_get_item(RequestItems=batch_keys)
return db_response
# If we fail, say why and exit.
except ClientError as error:
print("Couldn't access data in DynamoDB: %s", json.dumps(error.response))
return {
'statuscode': 500,
'body': json.dumps('Failed access to db.')
}
def ingest_pinpoint(filename):
s3url = "s3://" + os.environ.get('S3BucketName') + "/" + filename
try:
pinClient = boto3.client('pinpoint')
response = pinClient.create_import_job(
ApplicationId=os.environ.get('PinpointApplicationID'),
ImportJobRequest={
'DefineSegment': True,
'Format': 'CSV',
'RegisterEndpoints': True,
'RoleArn': 'arn:aws:iam::744969268958:role/PinpointSegmentImport',
'S3Url': s3url,
'SegmentName': filename
}
)
return {
'ImportId': response['ImportJobResponse']['Id'],
'SegmentId': response['ImportJobResponse']['Definition']['SegmentId'],
'ExternalId': response['ImportJobResponse']['Definition']['ExternalId'],
}
# If we fail, say why and exit.
except ClientError as error:
print("Couldn't create Import job for Pinpoint: %s", json.dumps(error.response))
return {
'statuscode': 500,
'body': json.dumps('Failed segment import to Pinpoint.')
}
# Lambda entry point GO
def lambda_handler(event, context):
# Get the bucket + obj name from the incoming event
incoming_bucket = event['Records'][0]['s3']['bucket']['name']
filename = urllib.parse.unquote_plus(event['Records'][0]['s3']['object']['key'], encoding='utf-8')
# light up the S3 client
s3 = boto3.resource('s3')
# grab the file that triggered us
try:
content_object = s3.Object(incoming_bucket, filename)
file_content = content_object.get()['Body'].read().decode('utf-8')
# and turn it into JSON.
json_content = json.loads(file_content)
except Exception as e:
print(e)
print('Error getting object {} from bucket {}. Make sure they exist and your bucket is in the same region as this function.'.format(filename, incoming_bucket))
raise e
# Munge the file we got into something we can actually use
record_content = json.dumps(json_content)
# load it into json
record_json = json.loads(record_content)
# Initialize an empty list for names
namelist = []
# Iterate through the records in the list
for record in record_json:
# Check if "playerId" key exists in the record
if "playerId" in record:
# Append the first element of "playerId" list to namelist
namelist.append(record["playerId"][0])
# use the name list and grab the corresponding users from the dynamo table
userdatalist = query_dynamo(namelist)
# grab just what we need to create our import file
userdata_responses = userdatalist["Responses"]["userdata"]
csvlist = "ChannelType,Address,User.UserId,User.UserAttributes.FirstName,User.UserAttributes.LastName\n"
for user in userdata_responses:
newString = "EMAIL," + user["email"] + "," + user["playerId"] + "," + user["firstName"] + "," + user["lastName"] + "\n"
csvlist += newString
# Dump it to S3 with a unique filename.
csvFile = save_s3_file(csvlist)
# and tell Pinpoint to import it as a Segment.
pinResponse = ingest_pinpoint(csvFile)
return {
'statusCode': 200,
'body': json.dumps(pinResponse)
}Firstly, you’ll need to raise the function timeout, because sometimes it will take time to import large Pinpoint segments. To do so, navigate to the Configuration tab, then General configuration and change the Timeout value to the maximum of 15 minutes.
Next, select Environment variables beneath General configuration in the navigation pane. Choose Edit, followed by Add environment variable, for each Key and Value below.
In a production build, you could have this information stored in System Manager Parameter Store, in order to ensure portability and resilience.
While still in the Configuration tab, from the navigation pane, choose the Permissions menu option.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR-PINPOINT-BUCKET-NAME-HERE/*",
"arn:aws:s3:::YOUR-PINPOINT-BUCKET-NAME-HERE",
"arn:aws:s3:::YOUR-CM-BUCKET-NAME-HERE/*",
"arn:aws:s3:::YOUR-CM-BUCKET-NAME-HERE"
]
},
{
"Effect": "Allow",
"Action": "dynamodb:BatchGetItem",
"Resource": "arn:aws:dynamodb:region:accountId:table/userdata"
},
{
"Effect": "Allow",
"Action": "mobiletargeting:CreateImportJob",
"Resource": "arn:aws:mobiletargeting:region:accountId:apps/application-id"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::accountId:role/PinpointSegmentImport"
}
]
}The goal is for the Lambda to be triggered when Cohort Modeler drops the extract file into its designated S3 delivery bucket. Fortunately, setting this up is a simple process:
The best way to test the end to end process is to simply connect to the endpoint you created in the first step of the process and send it a valid query. I personally use Postman, but you can use curl or any other HTTP tool to send the request.
Again, refer back to your prior work to determine the HTTP API endpoint for your Cohort Modeler’s cohort extract endpoint, and then send it the following query:
https://YOUR-ENDPOINT.execute-api.YOUR-REGION.amazonaws.com/Prod/data/cohort/ea_atrisk?threshold=2
You should receive back a response that looks something like this:
{'statusCode': 200, 'body': 'export/ea_atrisk_2_2023-09-12_13-57-06.json'}The Status code confirms that the request was successful, and the body provides the name of the export file which was created.
If these three steps are complete, then the outbound arm of the Community Engagement Flywheel is functional. All that’s left now is to test the Segment by using it in a Campaign.
In order to send your message recipients a message, you’ll need a message template. In this section, we’ll walk you through this process. The Pinpoint Template Editor is a simple HTML editor, but other third-party services like visual designers, can integrate directly with Pinpoint to provide a seamless integration between the design tool and Pinpoint.
For the final step, you will create and send a campaign to the endpoints included in the Segment that the Community Engagement Flywheel created. Earlier, you mapped three email addresses to the identities that Cohort Modeler generated for your query: your email, and two test emails from the SES Email Simulator. As a result, you should receive one email to the email address you selected when you’ve completed this process, as well as events which indicate the status of all campaign activities.
Check your inbox! You will shortly receive the email, and this confirms the Campaign has been successfully sent.
So far you’ve extended the Cohort Modeler to report on the cohorts it’s built for you, you’ve operated on that extract and built an ETL machine to turn that cohort into relevant contact and personalization data, you’ve imported the contact data into Pinpoint as a static Segment, and you’ve created a Pinpoint Campaign witih that Segment to send messaging to that Cohort.
In the next and final blog post, we’ll show how to respond to events that result from your cohort members interacting with the messaging they’ve been sent, and how to enrich the cohort data with those events so you can understand in deeper detail how your messaging works – or doesn’t work – with your cohort members.
Tristan (Tri) Nguyen is an Amazon Pinpoint and Amazon Simple Email Service Specialist Solutions Architect at AWS. At work, he specializes in technical implementation of communications services in enterprise systems and architecture/solutions design. In his spare time, he enjoys chess, rock climbing, hiking and triathlon.
Brett Ezell is an Amazon Pinpoint and Amazon Simple Email Service Specialist Solutions Architect at AWS. As a Navy veteran, he joined AWS in 2020 through an AWS technical military apprenticeship program. When he isn’t deep diving into solutions for customer challenges, Brett spends his time collecting vinyl, attending live music, and training at the gym. An admitted comic book nerd, he feeds his addiction every Wednesday by combing through his local shop for new books.
Post Syndicated from Tristan Nguyen original https://aws.amazon.com/blogs/messaging-and-targeting/build-better-engagement-using-the-aws-community-engagement-flywheel-part-1-of-3/
Businesses are constantly looking for better ways to engage with customer communities, but it’s hard to do when profile data is limited to user-completed form input or messaging campaign interaction metrics. Neither of these data sources tell a business much about their customer’s interests or preferences when they’re engaging with that community.
To bridge this gap for their community of customers, AWS Game Tech created the Cohort Modeler: a deployable solution for developers to map out and classify player relationships and identify like behavior within a player base. Additionally, the Cohort Modeler allows customers to aggregate and categorize player metrics by leveraging behavioral science and customer data.
In this series of three blog posts, you’ll learn how to:
In this blog post, we’ll show how to extend Cohort Modeler’s functionality to include and provide cohort reporting and extraction.
For this example, we’re going to retrieve a cohort of individuals from our Cohort Modeler who we’ve identified as at risk:
Either way, we want to make sure they understand the risks of what they’re doing and who they’re dealing with.
Because the Cohort Modeler’s API automatically translates the data it’s provided into the graph data format, the request we’re making is an easy one: we’re simply asking CM to retrieve all of the player IDs where the player’s ea_atrisk attribute value is greater than 2.
In our case, that either means
These are currently the only two activities which generate at-risk data in our example model.
In this example, you’ll extend Cohort Modeler’s functionality by creating a new API resource and method, and test that functional extension to verify it’s working. This supports our use case by providing a studio with a mechanism to identify the cohort of users who have engaged in activities that may put them at risk for fraud or malicious targeting.
This blog post series integrates two tech stacks: the Cohort Modeler and the Digital User Engagement Events Database, both of which you’ll need to install. In addition to setting up your environment, you’ll need to clone the Community Engagement Flywheel repository, which contains the scripts you’ll need to use to integrate Cohort Modeler and Pinpoint.
You should have the following prerequisites:
In order to meet our functional requirements, we’ll need to extend the Cohort Modeler API. This first part will walk you through the mechanisms to do so. In this walkthrough, you’ll:
Normally it’d be enough to just create the S3 Bucket, but because our Cohort Modeler operates inside an Amazon Virtual Private Cloud (VPC), we need to both create the bucket and create an interface endpoint.
The size of a Cohort Modeler extract could be considerable depending on the size of a cohort, so it’s a best practice to deliver the extract to an S3 bucket. All you need to do in this step is create a new S3 bucket for Cohort Modeler exports.
When accessing “global” services, like S3 (as opposed to VPC services, like EC2) from inside a private VPC, you need to create an Endpoint for that service inside the VPC. For more information on how Gateway Endpoints for Amazon S3 work, refer to this documentation.
When accessing “global” services, like S3 (as opposed to VPC services, like EC2) from inside a private VPC, you need to create an Endpoint for that service inside the VPC. One of the things the Endpoint needs to know is what network interfaces to accept connections from – so we’ll need to create a Security Group to establish that trust.
You can use the code as provided in a Lambda, but the gremlin libraries required for it to run are another story: gremlin_python doesn’t come as part of the default Lambda libraries. There are two ways to address this:
The Layer is a best practice, so that’s what we’re going to do here.
In Python, you’ll need to upload a .zip file to the Layer, and all of your libraries need to be included in paths within the /python directory (inside the zip file) to be accessible. Use pip to install the libraries you need into a blank directory so you can zip up only what you need, and no more.
pip install --target=./python gremlinpythonEnsure that you’re zipping the python folder, the resultant file should be named python.zip and extracts to a python folder.
Head to the Lambda console, and select the Layers menu option from the AWS Lambda navigation pane. From there:
Assuming all steps have been followed, you’ll receive a message that the layer has been successfully created.
You’ll be extending the Cohort Modeler with new functionality, and the way CM manages its functionality is via microservice-based Lambdas. You’ll be building a new API: to query the CM and extract Cohort information to S3.
Head back to the Lambda service menu, in the Resources for (your region) section, choose Create Function. From there:
import os
import json
import boto3
from datetime import datetime
from gremlin_python import statics
from gremlin_python.driver.driver_remote_connection import DriverRemoteConnection
from gremlin_python.driver.protocol import GremlinServerError
from gremlin_python.driver import serializer
from gremlin_python.process.anonymous_traversal import traversal
from gremlin_python.process.graph_traversal import __
from gremlin_python.process.strategies import *
from gremlin_python.process.traversal import T, P
from aiohttp.client_exceptions import ClientConnectorError
import logging
logger = logging.getLogger()
logger.setLevel(logging.INFO)
s3 = boto3.client('s3')
def query(g, cohort, thresh):
return (g.V().hasLabel('player')
.has(cohort, P.gt(thresh))
.valueMap("playerId", cohort)
.toList())
def doQuery(g, cohort, thresh):
return query(g, cohort, thresh)
# Lambda handler
def lambda_handler(event, context):
# Connection instantiation
conn = create_remote_connection()
g = create_graph_traversal_source(conn)
try:
# Validate the cohort info here if needed.
# Grab the event resource, method, and parameters.
resource = event["resource"]
method = event["httpMethod"]
pathParameters = event["pathParameters"]
# Grab query parameters. We should have two: cohort and threshold
queryParameters = event.get("queryStringParameters", {})
cohort_val = pathParameters.get("cohort")
thresh_val = int(queryParameters.get("threshold", 0))
result = doQuery(g, cohort_val, thresh_val)
# Convert result to JSON
result_json = json.dumps(result)
# Generate the current timestamp in the format YYYY-MM-DD_HH-MM-SS
current_timestamp = datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
# Create the S3 key with the timestamp
s3_key = f"export/{cohort_val}_{thresh_val}_{current_timestamp}.json"
# Upload to S3
s3_result = s3.put_object(
Bucket=os.environ['S3ExportBucket'],
Key=s3_key,
Body=result_json,
ContentType="application/json"
)
response = {
'statusCode': 200,
'body': s3_key
}
return response
except Exception as e:
logger.error(f"Error occurred: {e}")
return {
'statusCode': 500,
'body': str(e)
}
finally:
conn.close()
# Connection management
def create_graph_traversal_source(conn):
return traversal().withRemote(conn)
def create_remote_connection():
database_url = 'wss://{}:{}/gremlin'.format(os.environ['NeptuneEndpoint'], 8182)
return DriverRemoteConnection(
database_url,
'g',
pool_size=1,
message_serializer=serializer.GraphSONSerializersV2d0()
)Head back to the Lambda service page, and fom the navigation pane, select Functions. In the Functions section select ApiCohortGet from the list.
Now, underneath the Function overview, navigate to the Configuration tab and choose Environment variables from the navigation pane.
While still in the Configuration tab, under the navigation pane choose Permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-S3-BUCKET-NAME-HERE",
"arn:aws:s3:::YOUR-S3-BUCKET-NAME-HERE /*"
]
}
]
}Now you’ll need to establish the API Gateway that the Cohort Modeler created with the new Lambda functions that you just created. If you’re on the old console User Interface, we strongly recommend switching over to the new console UI. This is due to the previous UI being deprecated by the 30th of October 2023. Consequently, the following instructions will apply to the new console UI.
We’re not quite finished. We want to be able to ask the Cohort Modeler to give us a cohort based on a path parameter – so that way when we go to /data/cohort/COHORT-NAME/ we receive back information about the cohort name that we provided. Therefore…
Now we’ll create the GET Method we’ll use to request cohort data from Cohort Modeler.
You’ll want to access your API securely, so at a minimum you should create an API Key and require it as part of your access model.
Now that you’ve made your changes, you’ll want to deploy the API with the new endpoint enabled.
When the API has deployed, the system will display your API’s URL. You should now be able to test your new Cohort Modeler API:
{'statusCode': 200, 'body': 'export/ea_atrisk_2_2023-09-12_13-57-06.json'}The status code indicates a successful query, and the body indicates the name of the json file in your extract S3 bucket which contains the cohort information. The name comprises of the attribute, the threshold level and the time the export was made. Go ahead and navigate to the S3 bucket, find the file, and download it to see what Cohort Modeler has found for you.
import requests
import json
url = 'https://<NeptuneEndpointURL>:8182/loader'
headers = {
'Content-Type': 'application/json'
}
data = {
"source": "<S3FileURI>",
"format": "csv",
"iamRoleArn": "NeptuneIAMRoleARN",
"region": "us-east-1",
"failOnError": "FALSE",
"parallelism": "MEDIUM",
"updateSingleCardinalityProperties": "FALSE",
"queueRequest": "TRUE"
}
response = requests.post(url, headers=headers, data=json.dumps(data))
print(response.text)In this post, you’ve extended the Cohort Modeler to respond to requests for cohort data, by both querying the cohort database and providing an extract in an S3 bucket for future use. In the next post, we’ll demonstrate how creating this file triggers an automated process. This process will identify the players from the cohort in the studio’s database, extract their contact and other personalization data, compiling the data into a CSV file from that request, and import that file into Pinpoint for targeted messaging.
Tristan (Tri) Nguyen is an Amazon Pinpoint and Amazon Simple Email Service Specialist Solutions Architect at AWS. At work, he specializes in technical implementation of communications services in enterprise systems and architecture/solutions design. In his spare time, he enjoys chess, rock climbing, hiking and triathlon.
Brett Ezell is an Amazon Pinpoint and Amazon Simple Email Service Specialist Solutions Architect at AWS. As a Navy veteran, he joined AWS in 2020 through an AWS technical military apprenticeship program. When he isn’t deep diving into solutions for customer challenges, Brett spends his time collecting vinyl, attending live music, and training at the gym. An admitted comic book nerd, he feeds his addiction every Wednesday by combing through his local shop for new books.