
OS X and iOS Unauthorized Cross Application Resource Access (XARA)

This is about rogue apps that set up, in advance, the resources that other widely used apps will need once activated. Because the rogue app initiated the creation of the placeholder for those resources, it can later hook into them and gain unauthorized access.

The iOS sandbox protection mechanism can’t yet block this vulnerability.

This becomes very unsettling when you consider that your iOS and OS X keychain password store can be exposed as well…

Read more on how this works and how to mitigate the risk. Basically avoid installing apps from

https://isc.sans.edu/diary/OS+X+and+iOS+Unauthorized+Cross+Application+Resource+Access+%28XARA%29/19815

Why Best Firms develop their Digital IQ, and how You can start doing it Right Now

Crazy Idea: Duolc, StretchOS and what Gazzilion Apps Really want [!OpenStack]

Yes, I am a DevOps, Big Data, Security kind of guy and I use Amazon AWS, Microsoft Azure and OpenStack, as well as other smaller players. But I like to take a new, diverse, contrarian look at things the Cloud community seems to have reached a kind of pre-determined agreement on.

I am sitting at the OpenStack conference and learning about the cool new ways it can give you an edge. I believe that Open Source and OpenStack are at the heart of getting an edge. You need mature, fully supported vendor-based platforms. But at some points you also need to move fast, faster, fastest. At that edge point Open Source and OpenStack are the tools you want to use. Those “free” toys do have a cost, spent in learning curves, education, cultural change and efforts to work around cases of immaturity. When they mature, they join your base tool set as other new, rough-edged opportunities arise.

However, looking at Cloud platforms, it is clear that what they ask for are applications that can be spread across many computing nodes. Most of the applications enterprises use today are not built for the cloud.

While everyone in the Cloud Community is expecting the Enterprise to re-write or convert their applications to the cloud, Enterprises naturally just want the job done.

What the “Legacy” applications want is “Duolc” (“Cloud” spelled in reverse) deployed on “StretchOS”.

So “StretchOS”, a term I just made up, should be able to group a bunch of resources and make them behave as a unified single operating system running on a single computer. The CPU, memory, disk and network resources would be highly available, and processes could be served on any of the computing resources.

I am not aware of anyone developing something such as “StretchOS”, but the vast number of applications that could immediately and effortlessly benefit from such a solution should attract a close look from entrepreneurs. This could be a gap-bridging solution until most apps become cloud-enabled.

Now that I have dumped this crazy concept on your desk, I can go back to my Cloud deployments.

IBM, Facebook and others unlock Threat data for the sake of humanity…

Check this out…

http://www.owler.com/iaApp/article/553003cfe4b0d169951431b0.htm

IBM and Facebook as well as others are starting to contribute to a massive big data based repository of threat related information.

I had an internal startup for some time that targeted security as well as general operational data, to point at trends that need attention, such as disk series that are reaching failure points, apps that suddenly morph, and such.

Another topic was cleansing the data from any personal or internal information by tokenizing it.

I stopped this startup after I met someone who was doing the same and who pointed out that, on one hand, there is already enough data (and now, per this post, we have much more of it), and on the other hand companies would agree to share cleansed data but would not be able to do so because of regulations that take time to defuse.

In any case, you now have lots of data to sift through if you are a hungry Data scientist…

Deep AWS CLI stuff…

If you are an AWS DevOps girl or guy, you want to check this video out soon.

Highlights I liked:

  1. Using JMESPath to exercise AWS CLI Queries
  2. The new AWS CLI wait option (wait for successful completion of a command)
  3. AWS CLI Generate Skeleton to create a JSON file you can customise later on and feed to another command
  4. Using the new “Assume Role” authentication option

And more…
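The four highlights above, wired together in one small script. This is an added example and not code from the page or from the video it refers to. It assumes a working AWS CLI (the `--query`, `aws ec2 wait`, `--generate-cli-skeleton`, `--cli-input-json` and `aws sts assume-role` features it calls are real CLI features); the account id, role ARN, instance id and credential strings are constructed placeholders. The parts that talk to AWS only run when the script is invoked with `run`; the JMESPath expression and the assume-role output parser are plain shell and work offline.

```shell
#!/bin/sh
# Added example (not from the page or the video): the four AWS CLI features
# chained into one workflow. Account id, role ARN, instance id and all
# credential values below are constructed placeholders.
set -eu

# 1. JMESPath --query: keep only running instances and project each one to
#    [InstanceId, State.Name]. Stored in a variable so it can be reviewed/reused.
RUNNING_QUERY='Reservations[].Instances[?State.Name==`running`].[InstanceId,State.Name]'

# 3. --generate-cli-skeleton: write the full JSON input shape of a command to a
#    file; after editing, that file is fed back with --cli-input-json file://...
make_skeleton() {            # usage: make_skeleton ec2 run-instances run.json
  aws "$1" "$2" --generate-cli-skeleton > "$3"
}

# 2. wait: block until the instance is in the running state, then run the
#    query from (1) instead of polling describe-instances in a loop.
wait_and_describe() {        # usage: wait_and_describe i-0123456789abcdef0
  aws ec2 wait instance-running --instance-ids "$1"
  aws ec2 describe-instances --instance-ids "$1" \
      --query "$RUNNING_QUERY" --output text
}

# Extract the string value of a "Key": "value" line from JSON that the CLI
# printed with its default json output (one key per line).
_field() {                   # usage: _field "$json" KeyName
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# 4. Assume Role: parse the output of `aws sts assume-role` and export the
#    three variables the CLI reads. All three must be present together: a key
#    pair without the session token (or the reverse) is rejected by AWS.
export_assumed_role() {      # usage: export_assumed_role < sts_output.json
  _json=$(cat)
  AWS_ACCESS_KEY_ID=$(_field "$_json" AccessKeyId)
  AWS_SECRET_ACCESS_KEY=$(_field "$_json" SecretAccessKey)
  AWS_SESSION_TOKEN=$(_field "$_json" SessionToken)
  # Expiration is exported so wrapper scripts can tell when to re-assume the role.
  AWS_CREDENTIAL_EXPIRATION=$(_field "$_json" Expiration)
  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ] || [ -z "$AWS_SESSION_TOKEN" ]; then
    echo "incomplete assume-role output, refusing to export partial credentials" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDENTIAL_EXPIRATION
}

# Constructed sample of assume-role output (placeholder values, not real keys).
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "example/placeholder/secret",
        "SessionToken": "example-session-token",
        "Expiration": "2015-06-01T12:00:00Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:audit-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/AuditReadOnly/audit-session"
    }
}'

# Full run against a real account, only when invoked as: sh aws-cli-demo.sh run
if [ "${1:-}" = run ] && command -v aws >/dev/null 2>&1; then
  # Short-lived (15 min) read-only session instead of long-lived user keys.
  export_assumed_role <<EOF
$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/AuditReadOnly \
                      --role-session-name audit-session --duration-seconds 900)
EOF
  make_skeleton ec2 run-instances run-instances.json
  wait_and_describe i-0123456789abcdef0
fi
```

The assume-role step is the one worth copying: every later `aws` call in the session then runs with temporary credentials scoped to the role rather than with a user's permanent keys, and `--duration-seconds 900` keeps the exposure window short. The parser deliberately refuses to export anything when one of the three values is missing, since a half-exported credential set fails in confusing ways several commands later.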