Things hard and not so hard....
# Wednesday, January 15, 2014

My take and some answers on it: http://www.cloudsecurityalliance.org/topthreats/

Welcome back, folks, to a beautiful 2014. I had an interesting one while going through a Cloud Solution Design:
I came across the document The Notorious Nine Cloud Computing Top Threats in 2013, and I thought I’d talk through these concerns one by one.

  1. Data Breaches -  this issue can occur on many levels and I don’t think it’s just limited to ‘Cloud’ per se – it could be your insurance company down the road,
    the doctor, dentist etc. and we’ve all seen those TV shows where the ‘hustlers’ go through someone’s trash to pull out key gems of information to unlock the scam.

    Interestingly, in the paper, the University of North Carolina at Chapel Hill came up with a technique to steal data from a VM running as one of many on the same host, with the university’s VM able
    to steal data being transmitted through the other VMs. This was performed by monitoring a combination of known factors of the host,
    such as thread scheduling, L1 cache and power. The paper highlighted that virtualisation technologies currently need to do more about isolation.
  2. Data Loss – Cloud and non-cloud users alike fall foul of this, with Cloud typically being a target for hackers. Geo-replication, backups and Government policies on data and its storage all help here.
    Encryption is something you may want to employ to give some protection to the copies of data now present.
  3. Account Hijacking – gaining unlawful access to account details such as a user/pass combination. Amazon in 2010 fell foul of a cross-site scripting bug that allowed third parties to get access
    to user/pass credentials. With the explosion of the Cloud, keeping your credentials safe becomes that much more important. Changing passwords frequently would also be a good habit
    to get into.

    The other interesting point to note here is that if your account is indeed hijacked, it may be some time until the hackers exploit this.

    Gaining access to someone’s account doesn’t have to be a hi-tech solution either. As in the movie Sneakers, all that was required was a dinner conversation for the voice password:
    “My voice is my passport”
  4. Insecure APIs – Cloud-based APIs form the underpinning of many of the software and services available today. Essentially, ensure these APIs are as secure as you can make them; and
    while they may not be compromised, are they able to withstand DDoS attacks, for example?
  5. Denial of Service – With the advent of the Cloud and cloud services, these attacks could, for example, hit your Cloud-based website, causing it to be unresponsive while you’re still being
    billed for the usage. Also, within Microsoft Azure web site configurations we can now add DDoS settings to indicate when the underlying load balancer should throttle the requests coming
    from a particular rogue client.
  6. Malicious Insiders – the focus here is on internal, hosted and Cloud-based solutions alike. Policies and procedures are more important within the Cloud space – what procedures does your
    provider follow? Who can access the encryption keys? Where are they stored? etc.
  7. Abuse of Cloud Services – The Cloud possesses many servers, elastic scale and dynamic compute power, making it the perfect platform
    for a botnet to spin up in and get to work. Azure limits default subscriptions to 20 cores; more are available upon request.
  8. Insufficient Due Diligence – Don’t jump into the Cloud platform without examining the offer. Many hosting providers have added the word ‘Cloud’ to the front of their names as in ‘Cloud Hosting Providers’ with the underlying process and infrastructure the same, with the same vulnerabilities.

    In this space Azure has many ratified processes that get re-certified each year with some of these processes available to military grade specification.

    Cloud is big business for Microsoft, and getting things like this wrong would be a true Achilles heel.
  9. Shared Technology Issues – Cloud providers share underlying technologies, from CPUs to services, storage and other services. If these are exposed, then so, potentially, is your platform.

Talk to you soon.

Mick.

Wednesday, January 15, 2014 4:07:07 PM (AUS Eastern Daylight Time, UTC+11:00)
Azure | Integration | General | Other | TechTalk
# Tuesday, April 26, 2011

Hi folks, I thought I’d share something that captivated me on this rainy Easter day and that was

Visual Studio Asynchronous Programming - http://msdn.microsoft.com/en-au/vstudio/async
(you’ll need VS2010 + SP1 before you grab the CTP)
There’s a new improved compiler + an extended library for us.

Hands up who’s done async programming in either VB.NET or C#??? It’s a pain! Thread management, Main UI threads can only update certain objects, passing values between main + background threads, determining whether a thread has completed its tasks… and so on…

Basically all these ‘issues’ keep us from delving further into the world of asynchronous programming cause it very rapidly becomes complex just managing the two worlds – sync + async.

Today I was pleasantly surprised!!!

About a year ago I saw a great presentation on F# and I was amazed that if they wanted to run a bit of code async, it was simply an extra character, as in:

set results = …..   <-sync

set results! = ….  <- run this async

(don’t quote me on the above, but it’s something like that – let’s call it pseudo code)

Why are we interested in this? – that’s always the first question to ask when investigating. Too many times we hear ‘this is really cool’ and ‘check this cool software out’ etc… but the real question of WHY we want to go down this road is never answered.

On a ‘developers machine’ looking at 5 items, running a single test client – you’d have to say “works on my machine” and you’d have no need to async anything. True. Let’s move beyond our beloved developer box and think about UAT/PROD environments and what your code is doing.

What happens if 4 concurrent requests come along – how is your code going to perform? (As developers we’d be thinking …’it’s in the hands of IIS, not my issue’ :) )
(I was recently presented with a solution that ran across 20-odd servers; the answer to everything was to get more hardware to make the app more performant, scalable etc – couldn’t be the code.)

So as the requests start to build (don’t know an exact number but let’s say 100/sec), what is happening to your code? How often do we sit down with profiling tools on our code in this space? Must be the disks… slow… and as always we have definitive proof: “works on my machine”, says the developer!

It’s not until we see our code running under load that we get an appreciation for where things could be improved and are causing grief for not only IIS but other systems as well.

Scalability, performance and scalability – single threaded app/service vs multi-threaded. Multi-threaded tend to win all the time.

Let me give you a couple of suggestions where this stuff is great:

  1. As part of a WF/WCF/Class where you want to ‘push’ some processing into the background – critical things can be done upfront, and you can push some of the ‘other stuff’ into the background.
  2. Take advantage of some of the great multi-core/multi-CPU servers out there – single-threaded apps tend to run on the same core on the same CPU (known as thread affinity)

Anyway enough jabbering from me and let’s see some of the hidden gems…

Async Programming Framework

Let me show you a couple of examples (from my set):

1. Fetching a webpage

image

Here I go off to twitter and search for all the BizTalk items.

Couple of things to notice:
- …Async is added to the end of routine names by convention, indicating that these are async-callable routines.
- not a single IAsyncResult to be seen, no StateObject and no Callback routines!
- line 104 the async keyword indicating that this routine itself can be called async if desired (more for the compiler)
- line 108 the await keyword is used in the Async framework to ‘wait for the async task to complete’ then move onto the next line.
- line 108 WebRequest.Create(…).GetResponseAsync – it’s the GetResponseAsync that is the async method, no …Begin or ..OnEnd calls! Just write it as you read it.
- line 109 We get a reference to the response stream (I should check for the existence of data etc – demo code, demo code :))
- line 112 …await stm.ReadAsync(…) – reads the response stream into a buffer on a background thread and we wait there until this completes (await keyword). By all means there are many other ways to program this, as in we don’t need to wait, we could run this guy in the background quite happily and then check on him periodically.

That’s it! Not too tough at all, multi-threaded goodness right there. You can have blocking and non-blocking calls etc.

2. What about a Chunk of CPU based code

NO Async Example – as per normal, doing some cpu things.

image

Written in Async….

image

Points to notice:
- line 63 async Task<int[]> … to the Async framework the async methods are wrapped within a Task class. We must ‘wrap’ anything we return from our routines within a Task<..> – here I’m returning an int[]
- line 66 … = TaskEx.Run(…something to run in a background thread…). As we’re dealing with a block of code, there’s a Task Extension class that allows us to run that bit of code async.
- line 79 await matrix – this line ensures that our async routine has indeed completed (or errored) before we move onto the next line.
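
The two walkthroughs above (fetching a page, then CPU-bound work) describe code that was shown as images. The following is an added example, not the author's original code, showing the same pattern on released .NET; the names AsyncDemo, FetchAsync, SquaresAsync and MaxBytes are assumptions, the size cap is an addition for the unchecked-data case the post mentions, and a local temp file stands in for the remote page so it runs offline.

```csharp
// Added example, not the post's original code. Uses released .NET, where the CTP's
// TaskEx.Run became Task.Run; WebRequest is obsolete in newer .NET but is the API described.
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Threading.Tasks;
static class AsyncDemo   // hypothetical names throughout
{
    const int MaxBytes = 1 << 20; // assumed cap: refuse bodies over 1 MiB
    // The "...Async" suffix follows the naming convention the post mentions.
    static async Task<string> FetchAsync(Uri uri)
    {
        using (WebResponse resp = await WebRequest.Create(uri).GetResponseAsync())
        using (Stream stm = resp.GetResponseStream())
        using (var body = new MemoryStream())
        {
            var buffer = new byte[4096];
            int read;
            // ReadAsync may return fewer bytes than requested; loop until it returns 0.
            while ((read = await stm.ReadAsync(buffer, 0, buffer.Length)) > 0)
            {
                if (body.Length + read > MaxBytes)
                    throw new InvalidDataException("response larger than MaxBytes");
                body.Write(buffer, 0, read);
            }
            return Encoding.UTF8.GetString(body.ToArray());
        }
    }
    // CPU-bound work pushed to the thread pool; the caller awaits the Task<int[]>.
    static Task<int[]> SquaresAsync(int count) => Task.Run(() =>
    {
        var result = new int[count];
        for (int i = 0; i < count; i++) result[i] = i * i;
        return result;
    });

    static async Task Main()
    {
        // Constructed input: a local temp file stands in for the remote page.
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "constructed sample body");
        Task<int[]> matrix = SquaresAsync(5);          // CPU work starts now
        string page = await FetchAsync(new Uri(path)); // I/O overlaps with it
        int[] squares = await matrix;                  // result, or the exception
        Console.WriteLine(page + " | " + string.Join(",", squares));
        File.Delete(path);
    }
}
```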

Too easy if you’ve lived in the other world.

As always, remember this is a CTP, so I wouldn’t go rolling it out into Prod just yet. The perf numbers I get are pretty much identical to rolling all of this by hand with ThreadPool.QueueUserWorkItem(…) and IAsyncResult etc.

Well done MS!

Enjoy and here’s my VS.NET Sample Solutions – I had great fun! Oh – this is also applicable to Silverlight + WP7 apps :)

Tuesday, April 26, 2011 11:33:52 PM (AUS Eastern Standard Time, UTC+10:00)
.NET Developer | Async | Silverlight | TechTalk | Tips
# Wednesday, February 18, 2009

I just came across a great demonstration of a fantastic new piece of kit.

Siftables they're called (shot this month), and they 'interact' and play with each other on a desk, table, whatever.

CubeWorld guys was something I'd had my eye on for a while.....

 

Siftables takes it far beyond the next level, check it out for yourself.

http://www.ted.com/index.php/talks/david_merrill_demos_siftables_the_smart_blocks.html

image

Wednesday, February 18, 2009 11:04:48 AM (AUS Eastern Daylight Time, UTC+11:00)
General | TechTalk | Tips
# Friday, January 18, 2008

Happy 2008 all!

Enter BizTalk HotRod

As we know getting things done in BizTalk requires specific knowledge around specific areas with various tweaks here and there (e.g. creating a flat file schema that removes the field names in the first line).

Some folks at Microsoft have felt the same way and decided to kick off their shoes and embrace an alternative to a mid-life crisis and the temptation of a Harley around the world. Two Microsoft TS's are embarking on the trail.

They have created a BizTalk quarterly magazine filled with some fantastic tips'n tricks (e.g. creating pipelines to handle zip compression using Office OpenXML format) - and the language and format of the magazine suits me down to a 'T'. Very funny reading.

I look down the table of contents and it's got some great tips all in the one spot - to find this stuff elsewhere is going to take a lot of time, assuming it exists.

Check it out and see if it's worthwhile - it's currently free (you may see yours truly post an article there one day :)

BizTalk HotRod Magazine - "Where BizTalk meets the road"

 

Well done guys - well done!!!

Friday, January 18, 2008 1:55:12 AM (AUS Eastern Daylight Time, UTC+11:00)
BizTalk | Insights | TechTalk | Tips
# Thursday, December 20, 2007

Microsoft have rounded up all the serious BizTalk Bloggers (MVPs + keen MS guys + Teams) and the Connected Systems Division (CSD Team) within Microsoft and produced a valuable aggregator with all this in one spot.

Just have a look at the bloggers that are contributing to this - sensational!!! One stop shop for you guys.

From WCF to BizTalk, EDI + Custom Pipelines.

MicrosoftBizTalkBlogs

We all display this logo on our site.

Here's the RSS Feed http://biztalkblogs.com/RssDoc.xml

Merry Christmas!!!!!

Thursday, December 20, 2007 5:25:04 AM (AUS Eastern Daylight Time, UTC+11:00)
BizTalk | Insights | RFID | TechTalk
# Wednesday, November 14, 2007

Move over Thierry Henry (shame he's gone to Barca :), Kylie and U2..... make room for .NET 3.5 up on your wall.

The folks at MS have been super busy, while talking about what will be in .NET 4+ they release the posters.

Stay tuned for more!

Grab the .NET 3.5 Common Types and Classes

net3.5

Wednesday, November 14, 2007 3:03:55 PM (AUS Eastern Daylight Time, UTC+11:00)
.NET Developer | BizTalk | General | MOSS | TechTalk | Tips
# Friday, August 31, 2007

The ever vibrant Andrew Coates pinged me an email yesterday asking for my involvement in becoming a TechTalk Blogger........

I'm currently on this Island called 'Hamilton' at a 'Partner' Conference (yeah right!!! :)) so naturally I said 'yes!' (not too many people are saying 'no' around here)

I've got some great stories around RFID, BizTalk R2 and obvious integration into WSS/MOSS and what that means.

Hope you're going to join me on a great journey together! Gotta dash the scuba diving boat is waiting for me... (erm...the next 'partner activity')

Mick. 

Friday, August 31, 2007 11:57:01 AM (AUS Eastern Standard Time, UTC+10:00)
BizTalk | Events | General | MOSS | TechTalk
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

All Content © 2014, Breeze