CodeIsGo.com

This is the second part of a mini-series centered around cloud computing; a high-level overview of vendor lock-in and mitigation strategies. By Piotr.

Vendor lock-in happens when a customer is dependent on a vendor’s products or services and is unable to switch to another vendor without incurring substantial costs and/or organizational changes. This generic definition applies also to cloud vendor lock-in where cloud vendor is any public cloud provider like Azure, AWS, GCP, Hetzner, Linode, etc.

The article content covers:

• What is vendor lock-in?
• The Good - why single vendor strategy is attractive
• The Bad - putting all your eggs in one basket

Here are two most common pitfalls in avoiding cloud vendor lock-in:

• Using common lowest denominator
• Building your own integration layer

One of the most important benefits of using a public cloud provider are advanced services which can significantly improve developer productivity and lower complexity of IT governance.

In reality, things are very dynamic and every organization must be ready to react to the ever changing environment and requirements of the market they operate in. Good read!

Quantum computing remains a nascent technology, but its potential is already being felt across many sectors. From healthcare to finance to artificial intelligence, we look at the industries poised to be reshaped by quantum computers. By cbinsights.com.

One area the company is looking at is quantum annealing for digital modeling and materials sciences. For instance, a decent quantum computer could quickly filter through countless variables to help determine the most efficient wing design for an airplane. Other companies, including Daimler and Samsung, are already using quantum computers to help research new materials for building better batteries.

In this article authors look at 9 spaces where quantum computing is already making waves:

• Healthcare
• Finance
• Cybersecurity
• Blockchain and cryptocurrencies
• Artificial intelligence
• Logistics
• Manufacturing and industrial design
• Agriculture
• National security

Governments around the world are investing heavily in quantum computing research initiatives, partly in an attempt to bolster national security. Last year, the US government announced an almost $625M investment in quantum technology research institutes run by the Department of Energy — companies including Microsoft, IBM, and Lockheed Martin also contributed a combined $340M to the initiative. Similarly, China’s government has poured billions of dollars into numerous quantum technology projects and a team based in the country recently claimed to have achieved a quantum computing breakthrough. Good read!

We’re all rooting for a happy medium with WFH and RTO, but to succeed, take note of these takeaways from 2020. By Jon Arnold.

All the vendors are talking about it now, and while we have the technology to make the hybrid model work, it’s complicated. This isn’t like re-tooling the shop floor of an auto plant — not every workplace task can be automated, and not all productivity inputs can be measured. The great thing about automation is having continuous workflows that need little attention once up and running, but workers have lives to live, and each is coping with the pandemic in their own way.

On paper, the hybrid model sounds like — and is — the best way to balance many needs for what we call work in the current environment. Throughout 2020, the pendulum swung far to normalize WFH, and now we know that experiment has worked well for some, and not so well for others.

The article then deals with:

• Be careful what you wish for
• Otter.ai study — Takeaway #1: WFH is a mixed bag
• Otter.ai study — Takeaway #2: More meetings doesn’t mean more productivity
• Microsoft study — Takeaway #1: High productivity comes with a high price
• Microsoft study — Takeaway #2: The ties that bind … until they don’t

business leaders need to recognize that the hybrid work model is more than a matter of deploying the right UC platform. There are many lessons to be learned from these studies and the 2020 baseline data, and while hybrid checks a lot of boxes for both workers and employers, again, it’s complicated. Nice one!

Have you ever tried running a Java application on AWS Lambda? Well, even the simplest Java application takes significant time to start up at first. The reason behind is simple. AWS has to prepare a runtime environment for your application when it executes the first time. This is called cold-start. By Arnold Galovics.

When the environment is already prepared, the JVM is ready to go and only your application code needs to be invoked. This is called warm-start. Although after some time, a warm Lambda environment will be killed by AWS in case theres no invocation, and the same cold-start will occur.

I was always wondering what GraalVM is capable of. Ive read several articles how great it is, and how unbeliavable it speeds up Java applications. Ive tried it myself with a simple Spring Boot app, and well. The startup time was really impressive. But I didnt really get why startup time is so crucial for a normal Spring Boot application. Then it hit me, how great it would be if GraalVM is used in the serverless world with AWS Lambda.

The article then covers:

• The idea
• Custom Lambda runtimes
• Putting the puzzle together
• Complicating it with DynamoDB

Running native images in the Lambda environment is impressive. However it definitely brings in some complexity if you deal with libraries that are using reflection. The good thing is, GraalVM provides a special agent that can be attached to your application to record what classes/resources/etc are being used during runtime and generate an initial version of the configuration files. You can find the full code here on GitHub. See the charts comparing cold starts for default Java runtime and native code versus Node.js implementation. Excellent read!

Most of us are no strangers to phishing attempts, and over the years we’ve kept you informed about the latest tricks used by attackers in the epidemic of phishing and spear-phishing campaigns that plague, in particular, email users. This is an older but useful article by Phil Stokes.

In some kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember that PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat. Most browsers contain a built-in PDF reader engine that can also be targeted. In other cases, attackers might leverage AcroForms or XFA Forms, scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document. “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.” (Adobe)

Like other files that can come as attachments or links in an email, PDF files have received their fair share of attention from threat actors, too. In this post, we’ll take you on a tour of the technical aspects behind malicious PDF files: what they are, how they work, and how we can protect ourselves from them.

The content of the article:

• How Do PDF Files Execute Code?
• Cleaning Up the Code
• More Malicious JavaScript
• Stealing Credentials with an SMB Attack
• Another Day, Another Callback
• Protecting Against PDF Attacks

It’s impossible to tell whether a PDF file contains a credential stealing-callback or malicious JavaScript before opening it, unless you actually inspect it in the ways we’ve shown here. Of course, for most users and most use cases, that’s not a practical solution.

There are, however, a couple of things you can do on the user-side. Most readers and browsers will have some form of JavaScript control. In Adobe’s Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the Preferences and manage access to URLs. Similarly, with a bit of effort, users can also customize how Windows handles NTLM. To learn more follow the link to the full article. Good read!

At long last, programming code’s application programming interfaces are protected from Oracle’s over-reaching claims. Ten years ago, Oracle argued that Google had infringed Oracle’s copyright, by copying the “structure, sequence, and organization” of 37 Java application programming interfaces (APIs) into Android. By Steven J. Vaughan-Nichols.

They’re the fundamental elements used to create programs. Now, at long last, the Supreme Court of the United States (SCOTUS) has concluded what programmers had known all along: APIs can’t be strictly copyrighted. Fair use must play its part.

Ironically, in the 90s, both Oracle and Sun, Java’s original owner, argued that software APIs shouldn’t be covered by copyright. That was then. This is now. For the last decade Oracle has been desperately trying to monetize its failed Sun purchase by attempting to squeeze $9-billion dollars out of Google’s use of Java APIs in Android.

Specifically, Oracle had claimed that Google had illegally copied about 11,500 lines of Java code, which set out 37 separate APIs. According to Oracle, Google’s APIs had violated Oracle Java copyright because they had duplicated Java APIs’ “structure, sequence, and organization.”

Now, Google is free to use these Java APIs in Android. Interesting news!

This blog post is an in-depth dive into the security features of the Intel/Windows platform boot process. In this post I’ll explain the startup process through security focused lenses, next post we’ll dive into several known attacks and how they were handled by Intel and Microsoft. By Igor Bogdanov.

The article explains why Microsoft’s SecureCore is so important and necessary:

• Introduction and System Architecture
• Overview
• Early power on
• Bring-Up (BUP)
• CPU initialization
• UEFI initialization
• Windows Boot
• Other OSs
• More protections

The Intel platform is based on one or two chips. Small systems have one, the desktop and server ones are separated to a CPU complex and a PCH complex (PCH = Platform Controller Hub).

Source: https://igor-blue.github.io/2021/02/04/secure-boot.html

This is an excellent article with plenty of links to other resources and schemas explaining the main concepts. Well done!

Couchbase has surveyed IT decision makers annually to find out the challenges they face in executing their digital transformation strategies. Perhaps unsurprisingly, 2020 was different from previous years. However, it may come as a surprise to find out how attuned CIOs are to the plight of developers. By Christina Knittel.

In 2020, we surveyed 450 Senior IT decision makers from US, UK, France and Germany. We asked them to describe their digital transformation challenges and how developers are being affected.

Developers are a vital part of enterprises’ digital transformation strategies. However, like any other part of the business at present, they are also under pressure. Asked what complaints their development teams have, 49 percent of organizations reported that developers were being asked to do too much in too little time – a situation that could easily end in stress, fatigue and burn-out.

_Source: https://blog.couchbase.com/2020-tech-lead-developer-heros-hints-into-2021/?preview_id=10582_

Ultimately, having to do too much in too little time leads to delays – especially if the organization’s goals are already ambitious. In a year where rapid reaction to unforeseen events was the norm, it is perhaps inevitable that 40 percent of respondents said their development teams were behind schedule with their current projects. Yet this may be an issue of management as much as capability. After all, 46 percent of respondents couldn’t give a precise answer.

86 percent of respondents experienced challenges with their development teams. 40 percent struggle to set clear, measurable goals for development teams, and the same number find it hard to ensure teams always have the right technology. The key to solving many issues is first giving teams the communication, guidance, and technology they need to succeed. For instance, teams shouldn’t be struggling to create innovative services with legacy technology that isn’t suited to the task. Follow the link to the full article for more details. Good read!

The 12 Factor App methodology is an influential pattern to designing scalable application architecture. Here is what that means for application architects and their architecture. By Bob Reselman.

Making applications that run at web-scale is hard work. Risks are everywhere—everything from having an application stop dead in its tracks due to network overload to having a competitor take your market share because it’s getting more code to demanding users faster than you can. Any advantage you can muster to create working code better and faster at web-scale is to your benefit.

The article then deals in depth with the following:

• Codebase
• Dependencies
• Config
• Backing Services
• Build, Release, Run
• Processes
• Port Binding
• Concurrency
• Disposability
• Dev/Prod Parity
• Logs
• Admin Processes

The 12 Factor App principles are designed to allow developers to create applications intended to run at web-scale. They can seem overwhelming at first, and in many ways, they are. Having to rethink the very nature of how you make software can be a daunting task. Nice one!

Ceph is our go-to choice for storage clustering (creating a single storage system by linking multiple servers over a network). Ceph offers a robust feature set of native tools that constantly come in handy with routine tasks or specialized challenges you may run into. By Joe Milburn.

Ceph is a unified, distributed storage system designed for excellent performance, reliability and scalability. Ceph is a well-established, production-ready, and open-source clustering solution.

The article then describes:

• What lead us to create Ceph Geo Replication?
• What is Ceph Geo Replication? How does it work?
• Geo-Replication Performance Testing
• How to install Ceph Geo Replication?

Ceph has some unique stats that no other filesystems give you. To build Ceph Geo Replication, we leveraged one of these directory attributes: rctime. rctime is the highest modification time of all files below the given directory. By using this attribute, Ceph Geo Replication can check the directory tree through checking rctime against the last known modification time of the previous backup, saving the time that would otherwise be wasted checking unmodified files.

If you wish to install cephgeorep, check out tehir GitHub page for instructions. Good read!