Daily Tech Digest - April 20, 2018

Google disables “domain fronting” capability used to evade censors

Domain fronting uses a manipulation of the secure HTTP Web protocol (HTTPS) and the Transport Layer Security (TLS) standard to help fool deep packet inspection systems and firewall rules about the intended destination of a Web request and to exploit the functionality of content delivery networks (CDNs). Domain names show up three times during a Web request—as part of a DNS query for the IP address of the site, in the Server Name Indication (SNI) extension of TLS (which tells a server with multiple sites which domain the traffic is for), and in the HTTP "host" header of the Web request. For HTTP traffic, all three of those instances of the domain name are visible to a censor's network gear; when surfing an HTTPS site, the HTTP header is encrypted. In a domain fronting scheme, the DNS request and SNI extension use the domain name of an unblocked host, but the HTTPS header contains the actual destination—which the request is then forwarded to, as long as it's part of the same CDN. That destination is usually a proxy server, VPN gateway, or a Tor bridge.

Software Design Principles DRY and KISS

DRY stand for "Don't Repeat Yourself," a basic principle of software development aimed at reducing repetition of information. The DRY principle is stated as, "Every piece of knowledge or logic must have a single, unambiguous representation within a system." "We enjoy typing" (or, "Wasting everyone's time."): "We enjoy typing," means writing the same code or logic again and again. It will be difficult to manage the code and if the logic changes, then we have to make changes in all the places where we have written the code, thereby wasting everyone's time.To avoid violating the DRY principle, divide your system into pieces. Divide your code and logic into smaller reusable units and use that code by calling it where you want. Don't write lengthy methods, but divide logic and try to use the existing piece in your method. ... The KISS principle is descriptive to keep the code simple and clear, making it easy to understand. After all, programming languages are for humans to understand — computers can only understand 0 and 1 — so keep coding simple and straightforward. Keep your methods small. Each method should never be more than 40-50 lines.

Nine Things That Are Poised To Impact Cybersecurity

The next wave of cybersecurity attacks will come from the internet-of-things (IoT) devices like appliances, lights and cameras. These types of devices are cheap, easy to hack, can be found in large numbers and are geographically distributed, making them ideal targets for a hacker to commandeer and launch a distributed-denial-of-service (DDoS) attack on an unsuspecting enterprise. ... Utilize multi-factor authentication and SSO technologies to get a handle on authentication. Integrating this with Hashicorp Vault or an HSM solution can bring about encryption key management, encryption key rotation and administration of all your data. For sensitive information within databases, consider field-level encryption so that even with the breach, any data that is leaked is encrypted. ... Decentralizing data used for authentication is here and doing it for more PII is next. Firms are abandoning storage of biometrics, PINs, and passwords and now secure them on endpoints like mobile devices. Users authenticate on-device and swap public keys with their service provider.

Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others

The data was found in a human-readable, newline-delimited JSON file. The data collected includes names and physical addresses, and employment information and job histories data, and more, scraped from Facebook, LinkedIn, and Twitter profiles. UpGuard's own report, published Wednesday, contained search queries that Localblox would use to cycle through email addresses that it had collected through Facebook's search engine to retrieve users' photos, current job title and employer information, and additional family information. Facebook locked down its search feature earlier this month after scammers were running automated searches to harvest people's data. It's also believed that the company supplements its collected data from non-public sources, like purchased marketing data. The data is then compiled, organized and blended into existing individual profiles. The report described the collection operation as an effort to "build a three-dimensional picture on every individual affected" to use for advertising or political campaigning.

DevOps is key to low-code BPM, digital process automation

Created to reduce manual intervention in business process implementations across organizations, business process management (BPM) software did automate manual tasks. Until recently, however, the development of that software wasn't an automated affair. During a business process software development project a decade ago, Scrum master Reshma Nagrani relied on tools that were hardcoded and that had fragile code. It was hard to modify the existing software, so the project needed to be customized, and it wasn't easy to find the talent to do the customization work. Today, older BPM suites (BPMS) are more robust than ever in that they are customizable and customer-centric. New low-code BPM tools are so simple that non-IT business people can develop enterprise apps, although they're not so simple that companies don't need business process developers and managers. Indeed, their roles in DevOps teams and emerging digital process automation (DPA) projects remain critically important.

UK Commonwealth cyber security funding welcomed

The Commonwealth Cyber Declaration sets out, for the first time, a common vision for ensuring the internet remains free and open across the Commonwealth. It will commit members to raising national levels of cyber security and increased cooperation to counter those who seek to undermine nations’ values, security, even the integrity of elections. The new funding will help Commonwealth countries to prevent and respond to cyber security risks affecting governments, businesses and citizens. Some £5.5m of the funding has been earmarked to enable low- and middle-income Commonwealth members to carry out national cyber security capacity reviews before the next CHOGM in 2020. Prime minister Theresa May said cyber security affects all countries because online crime does not respect international borders. “I have called on Commonwealth leaders to take action and to work collectively to tackle this threat,” she said. “Our package of funding will enable members to review their cyber security capability, and deliver the stability and resilience that we all need to stay safe online and grow our digital economies.

What is hybrid cloud really, and what's the best strategy?

cloud computing business services
In an attempt to create clarity, some companies and vendors started using the term multi-cloud instead of hybrid, indicating that the strategy simply involves more than one cloud – public-public or public-private. Others have applied their own definitions to hybrid cloud to include any combination of public and private cloud with consistent platforms and/or services, but those are relatively new, she says.  Indeed, the market itself is shaping the definition of hybrid cloud, and analysts and vendors are beginning to fall in line in agreement on the definition a true hybrid cloud strategy. Increasingly, it’s about moving workloads seamlessly between public and private cloud platforms and creating a consistent architecture across both environments. Some vendors are promising these capabilities soon, while others are already starting to deliver. “Hybrid cloud is a cloud computing environment that uses a mix of private cloud and public cloud services with orchestration between the platforms allowing data and applications to be shared between them,” says Ritu Jyoti, research director on IDC's enterprise storage, server and infrastructure software team.

Understanding fast data and its importance in an IoT-driven world

The first necessity is a streaming system that processes various events as quickly as they arrive. Next, there must be a data store that extracts information just as speedily. When they both work together, businesses are well-equipped to understand why fast data offers such a wealth of information they won’t want to overlook. Investigating what’s available now gives companies a leg up to prepare for the increasing prominence of IIoT technologies. Being proactive also gives business leaders a chance to think about how they can use fast data most effectively to get closer to their goals. There are several ways fast data aligns with business objectives. As the IoT becomes more prominent than ever, the gadgets people use every day increasingly have Wi-Fi-enabled sensors that collect data and give personalized information. Among the likely use cases for the industrial sector are intelligent lights that sense when people leave the room and turn off to save energy, plus water fixtures that measure utility usage over time to let leaders know when and where waste happens.

Data protection is a business issue, says IAPP

Unlike the information security industry, the data privacy industry does not have a gender bias issue, he said. “Our membership is approximately 50/50 and there is roughly equal representation of men and women at all levels of seniority, right from the very top down, with equal salaries for men and women doing the same jobs.” The privacy industry started about 20 years ago, said Tene, when companies started appointing privacy officers and treating privacy as a strategic business issue rather than a compliance issue. The first movers were data-intensive companies such as DoubleClick, IBM, Axiom and Microsoft. As a result, the privacy industry is more mature in the US, but has started to pick up significantly in Europe and in recent years, largely driven by the GDPR, said Tene. “Data privacy is increasingly a business issue, and we are seeing a growing emphasis in business on data management, data governance and data risk,” he said.

The Importance of Validating the Testing Infrastructure

Sometimes when given something to test, some key details may be forgotten—and that’s okay. That’s why, as testers, it’s on us to validate the test infrastructure before diving in. Fortunately, there are several ways to do so. ... Access each node by checking the IPs of the components and that they have the indicated services. Validate the operating systems, and verify their versions, as well as the versions of the components (for example, Java, Apache, etc). In a performance test, looking for optimizations, different configurations are usually tested, trying to improve the results, comparing the performance of different options. So, to validate that what is documented in the results is accurate, it is necessary to review the initial configurations (at least the most relevant ones). For example, the size of each connection pool (in the database or the web server), the maximum and minimum allocated memory (in the case of JVM), etc.

Quote for the day:

"You do not lead by hitting people over the head. That's assault, not leadership." -- Dwight D. Eisenhower