With Donald #Trump's return to the White House, dependence on #US #Cloud services is becoming a growing problem.
Because the #CloudAct forces US companies to comply with instructions from US authorities, no matter where the #Server is located.
Not only states and companies but also private individuals are affected.
That starts with data storage (#Datenspeichern) and #Online #Office applications and extends to fundamental Internet services such as #DNS or certificate authorities.
It even affects smart devices like #WLAN smart plugs when their central services run on a #Hyperscaler such as #Amazon #AWS or #Microsoft #Azure.
But there are ways to minimize the outflow of data (#Datenabfluss) and to use alternatives (#Alternativen).
c't editor Peter Siering explains which ones. The options range from search engines (#Suchmaschinen) through European cloud storage and open-source projects to decentralized, more secure messengers (#Messengern).
Reliance on #AWS is our doom.
Not robot apocalypse or 'AGI'; a simple cost-cutting measure.
(Currently working to prevent doom, we're partially succeeding.)
Digital biomedical infrastructure all around the country is built on #AWS. However, simply getting data in/out of AWS, and managing access can be difficult to navigate. This friction motivated us to build sixtyfour, an AWS interface that will feel familiar to #rstats folks. Let us (+ @sean) know what you think!
- Blog post: https://recology.info/2025/04/sixtyfour/
- Repo: https://github.com/getwilds/sixtyfour
- Docs: https://getwilds.org/sixtyfour/
Yes, I know that Amazon/AWS are not popular here. Yes, it is annoying that we have a 5-day RTO expectation. Yes, it is annoying that we are only hiring in a handful of cities (NYC, Seattle, DC).
Having said all that, if you'd like to come work with me and my colleagues securing customers who use #AWS, this job is on my team (I'm not a people manager, so I'm not the hiring manager). It's kinda cool #security stuff at global scale. It's at the intersection of building/deploying systems in the cloud, but with policy/governance and security telemetry in mind. If anyone wants me to refer them in I can.
A good candidate will have 2-5 years experience in security, demonstrated ability to write some python, JavaScript, or other modern language to get stuff done. It's not an SDE role, so there won't be a live-coding exercise, but you need to have a track record of at least sysadmin-level scripting/coding. Willing to learn isn't good enough. Experience in AWS is always good. AWS certifications (especially the security certification) are very desirable. This is not risk management/GRC. It's security.
My particular team is really good at DEI. Yes, I'm an old white man, but I'm very much in the minority on both my immediate team (10% white men) and the wider VP-level team. My immediate team is about 50/50 men/women, 2/3 people of colour, with one openly gay person at a very senior level. We're very serious about supporting people and treating people with respect. There are pockets of goodness, even in the belly of the beast.
https://www.amazon.jobs/en/jobs/2925499/security-engineer-global-services-security
Personally, I'm thrilled to get back to work supporting these builders and their critical projects. Our doors are always open if you need #AWS support, or if you have ideas about how we can do more.
Until next time — build on, friends! and be excellent to each other
Today, #AWS announced an extended $3 million annual commitment to #Kubernetes, reaffirming our commitment to supporting open source projects with the vital infrastructure they need to operate at global scale. For free.
https://aws.amazon.com/blogs/opensource/aws-cloud-credits-for-open-source-projects-affirming-our-commitment/
Quebec under American surveillance: our data in the hands of the Americans
« Edward Snowden's revelations in 2013 informed us about the methods the American government uses to spy, through companies, on citizens and organizations, even in allied countries. »
https://www.lapresse.ca/actualites/souverainete-numerique/nos-donnees-entre-les-mains-des-americains/2025-04-01/le-risque-est-maintenant-reel.php
#USA #Québec #espionnage #infonuagique #CAQ #AWS #Dell #Microsoft #IBM #Oracle #Amazon
Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.
I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.
I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.
This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.
I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling
howdy, #hachyderm!
over the last week or so, we've been preparing to move hachy's #DNS zones from #AWS route 53 to bunny DNS.
since this could be a pretty scary thing -- going from one geo-DNS provider to another -- we want to make sure *before* we move that records are resolving in a reasonable way across the globe.
to help us to do this, we've started a small, lightweight tool that we can deploy to a provider like bunny's magic containers to quickly get DNS resolution info from multiple geographic regions quickly. we then write this data to a backend S3 bucket, at which point we can use a tool like #duckdb to analyze the results and find records we need to tweak to improve performance. all *before* we make the change.
then, after we've flipped the switch and while DNS is propagating -- -- we can watch in real-time as different servers begin flipping over to the new provider.
we named the tool hachyboop and it's available publicly --> https://github.com/hachyderm/hachyboop
please keep in mind that it's early in the booper's life, and there's a lot we can do, including cleaning up my hacky code.
attached is an example of a quick run across 17 regions for a few minutes. the data is spread across multiple files but duckdb makes it quite easy for us to query everything like it's one table.
If anybody out there is working on using #LLMs or #AI to analyze #security events in AWS, I wonder if you're considering bullshit attacks via event injection. Let me explain. I'm openly musing about something I don't know much about.
You might be tempted to pipe a lot of EventBridge events into some kind of AI that analyzes them looking for suspicious events. Or you might hook up to CloudWatch log streams and read log entries from, say, your lambda functions looking for suspicious errors and output.
LLMs are going to be terrible at validating message authenticity. If you have a lambda that is doing something totally innocuous, but you make it print() some JSON that looks just like a GuardDuty finding, that JSON will end up in the lambda function's CloudWatch log stream. Then if you're piping CloudWatch Logs into an LLM, I don't think it will be smart enough to say "wait a minute, why is JSON that looks like a GuardDuty finding being emitted by this lambda function on its stdout?"
You and I would say "that's really weird. That JSON shouldn't be here in this log stream. Let's go look at what that lambda function is doing and why it's doing that." (Oh, it's Paco and he's just fucking with me) I think an LLM is far more likely to react "Holy shit! there's a really terrible GuardDuty finding! Light up the pagers! Red Alert!"
Having said this, I'm not doing this myself. I don't have any of my #AWS logging streaming into any kind of #AI. So maybe it's better than I think it is. But LLMs are notoriously bad at ignoring anything in their input stream. They tend to take it all at face value and treat it all as legit.
You might even try this with your #SIEM. Is it smart enough to ignore things that show up in the wrong context? Could you emit the JSON of an AWS security event in, say, a Windows Server Event Log that goes to your SIEM? Would it react as if that was a legit event? If you don't even use AWS, wouldn't it be funny if your SIEM responds to this JSON as if it was a big deal?
I'm just pondering this, and I'll credit the source: I'm evaluating an internal bedrock-based threat modelling tool and it spit out the phrase "EventBridge Event Injection." I thought "oh shit that's a whole class of issues I haven't thought about."
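The point of the post is that trust has to come from where a record arrived, not from what it looks like. The following Python is an added example, not code from the post or from any AWS tool; it models two constructed inputs (findings delivered via EventBridge from an AWS service source, and CloudWatch Logs lines from a Lambda function) and labels each record by its delivery path before anything downstream sees it. Finding-shaped JSON printed to a function's stdout is tagged as an anomaly about that function rather than promoted to a finding. The set of trusted sources and the envelope format are assumptions; the same classify-by-transport logic applies equally to the SIEM case of AWS JSON turning up in a Windows event log.

```python
"""Added example (not code from the post): derive trust from the delivery path,
not from what a log line looks like, before security records reach an analyser.
"""
import json

# Assumption: only EventBridge records from these sources count as findings.
TRUSTED_FINDING_SOURCES = {"aws.guardduty", "aws.securityhub"}

# Constructed sample records (not real findings or real log output).
SAMPLE_RECORDS = [
    {
        "transport": "eventbridge",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"severity": 8, "type": "Example:Constructed/FindingType"},
    },
    {
        "transport": "cloudwatch-logs",
        "log_group": "/aws/lambda/innocuous-function",
        "message": "INFO processed 12 records in 31 ms",
    },
    {
        # The case from the post: a Lambda print()s JSON shaped like a finding.
        "transport": "cloudwatch-logs",
        "log_group": "/aws/lambda/innocuous-function",
        "message": json.dumps({
            "detail-type": "GuardDuty Finding",
            "source": "aws.guardduty",
            "detail": {"severity": 8, "type": "Example:Constructed/FindingType"},
        }),
    },
]


def looks_like_finding(text):
    """Content-only heuristic: does this text parse as finding-shaped JSON?"""
    try:
        obj = json.loads(text)
    except (TypeError, ValueError):
        return False
    if not isinstance(obj, dict):
        return False
    return (
        obj.get("source") in TRUSTED_FINDING_SOURCES
        or "Finding" in str(obj.get("detail-type", ""))
        or ("severity" in obj and "type" in obj)
    )


def classify(record):
    """Label a record by how it arrived, not by what it says."""
    transport = record.get("transport")
    if transport == "eventbridge" and record.get("source") in TRUSTED_FINDING_SOURCES:
        return "finding"
    if transport == "cloudwatch-logs":
        if looks_like_finding(record.get("message")):
            # Finding-shaped JSON on a function's stdout is an anomaly about
            # that function, not evidence of the threat the JSON describes.
            return "embedded-finding-in-app-log"
        return "application-log"
    return "unknown"


def prepare_for_analyzer(records):
    """Wrap each record in an envelope whose trust flag the analyser must honour.

    Untrusted text sits under a 'data' key so it can never be mistaken for the
    envelope's own metadata; suspicious lines get a review hint attached.
    """
    envelopes = []
    for record in records:
        kind = classify(record)
        envelope = {"kind": kind, "trusted_finding": kind == "finding", "data": record}
        if kind == "embedded-finding-in-app-log":
            envelope["review_hint"] = (
                f"{record['log_group']} emitted finding-shaped JSON on stdout; "
                "inspect that function, do not treat the JSON as a finding"
            )
        envelopes.append(envelope)
    return envelopes


if __name__ == "__main__":
    for env in prepare_for_analyzer(SAMPLE_RECORDS):
        print(env["kind"], "trusted:", env["trusted_finding"])
```

The analyser (LLM, SIEM rule, or human) then only has to honour the `trusted_finding` flag; the decision it is bad at making has already been made from metadata it cannot be talked out of.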
After the agreement with #Google now @bsi signs the same with #AWS
Goodbye #digitalsouvereignty #digitalesouveränität
Some years ago, this would have been a good deal. Nowadays the threat has changed.
#LaravelCloud just charged me $5 for an app with zero traffic and no hibernation. That’s it, I’m outtie.
There are many other competitors with a mature platform for PHP projects and better specs. Plus, their “Free” tier does well hiding the “+ usage” that is charged. If that’s how they play ball I’m not going back.
Our "DeepSeek & Llama powered All-in-One LLM Suite" VM gets you running fast:
Quick Deploy: Launch on AWS with pre-configured settings.
Secure Access: Connect via RDP/SSH with SSL.
Easy Model Pull: Start using models with simple ollama pull commands.
More details: https://tinyurl.com/ydes6c57
For free course: https://tinyurl.com/2k7frdas
#AWS #LLM #AI #DeepSeek #MachineLearning #CloudComputing
MongoDB is hiring Engineering Manager
#golang #java #python #aws #azure #docker #gcp #kubernetes #mongodb #engineeringmanager
Gurugram, India
Full-time
MongoDB
Job details https://jobsfordevelopers.com/jobs/engineering-manager-at-mongodb-com-feb-24-2025-5020c5?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
Funny way to evade a lot of #AWS #SAST checkers that try to check your terraform or CDK or CloudFormation. They often look for open security groups (i.e., 0.0.0.0/0). Sadly, most of these tools are looking for THAT string. They don't evaluate it as a CIDR. You might really want a rule that says "anything bigger than /16 is suspicious". But that's not how they work.
So a couple rules like 0.0.0.0/1 and 128.0.0.0/1 will pretty much get you the whole Internet, but probably slip right past most of the "open-to-the-internet" checkers. Likewise they will catch ::/0 but will not catch ::/1 or 1000::/1.
One thing I did notice is that security groups normalize their CIDR ranges. So you could get a string like 8.8.8.8/0 through a static code analyzer (because it's not the string 0.0.0.0/0) but EC2 will normalize that to 0.0.0.0/0 when it stores it. So if you do a dynamic check by asking for the security group's ingress rules, it will report back 0.0.0.0/0 even though you had sent 8.8.8.8/0 originally.
I can't wait to see how AI will handle this.
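A checker that evaluates rules as CIDRs rather than matching the string 0.0.0.0/0 catches every case in the post. The Python below is an added example, not code from the post or from any scanner; it uses only the standard library's ipaddress module. It clears host bits the same way EC2 normalises stored rules (so 8.8.8.8/0 and 1000::/1 are seen as 0.0.0.0/0 and ::/1), compares prefix length against a threshold, and additionally collapses all IPv4 rules to detect a pair like 0.0.0.0/1 plus 128.0.0.0/1 whose union is the whole Internet. The sample rules and the /16 and /32 thresholds are constructed assumptions.

```python
"""Added example (not code from the post): a CIDR-aware ingress-rule checker."""
import ipaddress

# Assumption: prefixes shorter than these are treated as "too broad" for ingress.
MIN_PREFIX = {4: 16, 6: 32}

# Constructed sample ingress rules: the cases from the post plus two ordinary
# rules that should pass.
SAMPLE_RULES = [
    {"cidr": "0.0.0.0/0", "port": 22},
    {"cidr": "0.0.0.0/1", "port": 22},
    {"cidr": "128.0.0.0/1", "port": 22},
    {"cidr": "8.8.8.8/0", "port": 443},
    {"cidr": "::/1", "port": 22},
    {"cidr": "1000::/1", "port": 22},
    {"cidr": "10.20.0.0/16", "port": 5432},
    {"cidr": "203.0.113.0/24", "port": 443},
]


def check_rule(cidr, min_prefix=MIN_PREFIX):
    """Parse one CIDR; report its normalised form and whether it is too broad.

    strict=False clears host bits, so "8.8.8.8/0" parses as 0.0.0.0/0 and
    "1000::/1" parses as ::/1, matching what EC2 stores.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return {"cidr": cidr, "normalized": None, "too_broad": False, "invalid": True}
    return {
        "cidr": cidr,
        "normalized": str(net),
        "too_broad": net.prefixlen < min_prefix[net.version],
        "invalid": False,
    }


def audit(rules, min_prefix=MIN_PREFIX):
    """Return (original_cidr, normalized_cidr, port) for every rule that is too broad."""
    findings = []
    for rule in rules:
        result = check_rule(rule["cidr"], min_prefix)
        if result["too_broad"]:
            findings.append((rule["cidr"], result["normalized"], rule["port"]))
    return findings


def covers_all_ipv4(rules):
    """True when the union of the IPv4 rules is the entire address space.

    collapse_addresses merges adjacent networks into their supernet, so
    0.0.0.0/1 plus 128.0.0.0/1 collapses to 0.0.0.0/0 even though neither
    rule contains that string.
    """
    v4 = []
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule["cidr"], strict=False)
        except ValueError:
            continue
        if net.version == 4:
            v4.append(net)
    return any(net.prefixlen == 0 for net in ipaddress.collapse_addresses(v4))


if __name__ == "__main__":
    for original, normalized, port in audit(SAMPLE_RULES):
        print(f"too broad: {original} (stored as {normalized}) on port {port}")
    print("IPv4 rules cover the whole Internet:", covers_all_ipv4(SAMPLE_RULES))
```

Running the same check against the live ingress rules returned by the EC2 API gives the dynamic view the post describes, with the normalised values already in place.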
Europe’s digital sovereignty is at risk.
Governments say they want sovereignty, yet they keep buying from #Microsoft #Google and #AWS.
If Europe wants control over its digital future, it must act now. The choice is clear:
Invest in open-source technologies
Reduce dependency on foreign providers
Read the full article https://xwiki.com/en/Blog/European-digital-sovereignty/
https://xcware.com is revolutionizing the cloud with Sky Computing! Unify AWS, Azure & on-prem into a seamless platform. Say goodbye to vendor lock-in & hello to flexibility.
Which #Messenger To Replace the #DataKraken #WhatsApp with?
(7/n)
... our international discussion:
https://pleroma.iselfhost.com/objects/ea0bf992-d6f0-41c8-b71a-3129fa725f72
In conclusion, as all services using #US servers like signal have been compromised since the #CloudAct went into force,
"Since #Signal's entire traffic runs over the clouds of #Amazon [#AWS,] #Google, #Microsoft & #Cloudflare.
All US services...