Welcome to episode 254 of the Cloud Pod podcast – where the forecast is always cloudy! This week we’re talking about trust issues with some security updates over at Azure, forking drama at Redis, and making all of our probably terrible predictions for Google Next. Going to be in Vegas? Find one of us and get a sticker for your favorite cloud podcast! Follow us on Slack and Twitter to get info on finding your favorite host IRL. (Unless Jonathan is your favorite. We won’t be giving directions to his hot tub.)
Titles we almost went with this week:
- The Cloud Pod Hosts Fail To Do Their Homework
- The Cloud Pod Now Has a Deadline
- This Is Why I Love Curl … EC2 Shop Endpoint is Awesome
- AI & Elasticsearch… AI – But Not Like That
- Preparing for Next Next Week
A big thanks to this week’s sponsor:
We’ve got a new sponsor! Sonrai Security
Check out Sonrai Securities’ new Cloud Permission Firewall. Just for our listeners, enjoy a 14 day trial at www.sonrai.co/cloudpod
Follow Up
02:15 AWS, Google, Oracle back Redis fork “Valkey” under the Linux Foundation
- In no surprise, placeholderKV is now backed by AWS, Google and Oracle and has been rebranded to Valkey under the Linux Foundation.
- Interestingly, Ericsson and Snap Inc. also joined Valkey.
03:19 Redis vs. the trillion-dollar cabals
- Anytime an open source company changes their license, AWS and other cloud providers are blamed for not contributing enough upstream.
- Matt Asay, from Infoworld, weighs in this time.
- The fact that placeholder/Valkey was forked by several employees at AWS who were core contributors of Redis, does seem to imply that they’re doing more than nothing.
- I should point out that Matt Asay also happens to run Developer relations at MongoDB. Pot, meet kettle.
04:14 Ryan – “It’s funny because I always feel like the cloud contribution to these things is managed services around them, right? It’s not necessarily improvements to the core source code. It’s more management of that source code. Now there are definitely areas where they do make enhancements, but I’m not sure the vast majority makes sense to be included in an open source made for everyone product either.”
General News
07:01 What we know about the xz Utils backdoor that almost infected the world
- The Open Source community was a bit shocked when a Microsoft Developer revealed a backdoor had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and Other Unix-Like OS.
- The person – or people – behind this project likely spent years working on it.
- They were very close to seeing the backdoor merged into Debian and Redhat, when a software developer spotted something fishy.
- Xz Utils is nearly ubiquitous in linux, providing lossless data compression on virtually all Unix like operating systems.
- Xz utils provides critical compressing and decompression of data during all kinds of operations.
- Xz Utils also supports the legacy .lzma format, making it even more critical.
- It was found by a MS developer working on Microsoft’s Postgres offerings, and was troubleshooting performance issues with a debian system and SSH.
- Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.
- Malicious code added modified the way the software functions when performing operations related to lzma compression or decompression. When these functions involved SSH, they allowed for malicious code to be executed with root privileges.
- In 2021 the first time a change was made by a user, changing the libarchive project replacing a safe_fprint function with a variant that was less secure. No one noticed.
- The same user submitted a path over the mailing list, and almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of xz Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence before, pressured Collin to bring on an additional developer to maintain the project.
- In Jan 2023, JiaT75 made their first commitment to xz Utils. In the months following, Jia Tan became increasingly involved. For instance, Tan replaced Collin’s contact information with their own oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to xz Utils.
- In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of xz utils. The updates implemented the backdoor, and in the following weeks, they appealed to developers of Ubuntu, Red Hat, and Debit to merge the updates into their OS. Eventually, one of the two updates made it into several releases.
- Fedora Rawhide, Fedora 41, Debian Testing, OpenSuse Tumbleweed and OpenSuse MicroOS and Kali Linux
- The attack was targeted at Debian or Redhat distributions, as the attack only did the final steps of the backdoor when building the library on AMD64 and building a Debian or RPM package.
09:54 Jonathan – Typical Microsoft engineer finding every reason but their own product to blame the latency. No, but that’s awesome though, that kind of attention to detail is amazing…This could have been disastrous. This is a huge save.”
14:49 Microsoft Unbundled Teams—Are Customers Better Off?
- Thanks to the EU, we’re getting some really cool stuff. For instance, in the EU you’ll soon have access to alternative app stores. In other news. And now Slack has made some pretty loud complaints in regards to Office 365 subscriptions.
- If you don’t have an O365 subscription, you can now select to have it with Teams or without – and basically pay for Teams on your own (5.65 per user/month).
- This is supposed to make it more competitive for Slack, Zoom, etc., to compete against big old mean Microsoft.
- I mean, at 15 dollars a month for Zoom and Slack plans starting at 7.25 a month, I think MS still wins.
AI is Going Great – Or How ML Makes Money
22:59 Cohere Embeddings Now Available Through Elastic’s Inference API
- For those of you still trying to make ES your AI play – nope.
- You can now use Cohere Embed v3 models in Elastics Inference API. This allows your business to create embeddings for their data easily, index those embeddings in elastic, and perform vector and hybrid searches across their documents.
- Developers can use Elastic’s ingest pipelines to add Cohere embeddings to their indices for vector search with a single API call, and they can take advantage of Cohere’s native embedding compression to reduce storage costs by 75%.
23:38 Ryan – “To be honest, AI is the only way that you’re going to solve Elasticsearch ingest problem. So I’m kind of for this, because that’s what it would take if you’re trying to use Elasticsearch as, you know, and not being in complete control of the data input.”
24:50 Announcing DBRX: A new standard for efficient open source LLMs
- Databaricks is announcing DBRX their new open source Large Language Model built by their Mosaic research team that outperforms all established open source models on standard benchmarks.
- They have three reasons to be excited about DBRX:
- It handedly beats open source models such as LLaMA2-70B, Mixtral, and Grok-1 on language understanding, programming, math and logic.
- It beat GPT 3.5 on most benchmarks, which is important as they have seen a major behavioral shift in the last quarter among their 12,000 customers. Enterprises and organizations are increasingly replacing proprietary models with oss models for better efficiency and control.
- DBRX is a Mixture of Experts (MOE) model built on the Megablocks research and OSS project, making the model extremely fast in terms of tokens/second.
25:37 Jonathan – “.pretty cool. I just wish I had the hardware to run it. It’s great being open source, but unless you’ve got massive GPUs or tons of RAM to do inference with a regular CPU, you’re kind of out of luck. But now I’m very keen on trying it.”
AWS
26:36 Explore cloud security in the age of generative AI at AWS re:Inforce 2024
- I forgot Re:Inforce was a thing, but apparently it’s coming up in Philadelphia, June 10-12th.
- Some of the highlights from the event promise to be talks on how AWS secures AWS and Steve Schmidt’s “vision for the future.”
- And of course Navigating Security of Generative AI and other Emerging Trends.
- I’m gonna watch the keynote from afar. Probably from a hot tub.
- Want more info or to register? Check out all the info here.
28:02 Amazon GuardDuty EC2 Runtime Monitoring is now generally available
- Amazon GuardDuty EC2 Runtime Monitoring is now GA.
- The release expands the threat detection coverage for EC2 instances at runtime and complement the anomaly detection that GuardDuity already provides by continuously monitoring VPC Flow Logs, DNS Query Logs, and AWS Cloudtrail management events.
- You now have visibility into on-host, OS-level activities and container-level context into detected threats.
- Guard duty EC2 Runtime allows you to identify and respond to threats that might target compute resources.
- These may include remote code executions that lead to the download and execution of malware.
28:36 Matthew – “It’s slowly becoming a anti-malware tool and going to replace some of these other tools that everyone has. It’s one less agent that you need on these boxes consuming more CPU, more memory, more everything. So, you know, it’s nice to see that they’re slowly expanding. But at what point does Amazon get yelled at that AWS is taking over too many markets like Microsoft and teams?”
29:37 Introducing AWS CodeConnections, formerly known as AWS CodeStar Connections
- AWS is renaming AWS Codestar connections to AWS CodeConnections. The name change is effective everywhere.
- We smell something coming for ReInvent…
31:44 Amazon DynamoDB Import from S3 now supports up to 50,000 Amazon S3 objects in a single bulk import
- I don’t know why I want to import 50,000 S3 objects in a single bulk import to Dynamo.
- I’m sure it’s AI or ML-related somehow, and if I can do this vs an ETL, so we’re here for this nonsense.
28:22 Jonathan – “I honestly think it’s more about data migration between different services, data lakes, things like that.”
Do any of our listeners have any reasons you’d use this? Let us know!
33:18 AWS Cost Allocation Tags now support retroactive application
- AWS now allows customers to enable cost allocation tags retroactively for up to 12 months. As long as customers have added tags to specific resources in the past, customers can activate (or deactivate) cost allocation tags today and apply cost allocation tags to historical usage for these resources for up to 12 months.
33:50 Justin – “On the surface it looks really awesome, but the devil is in the details on this one… Again, maybe this is the beginning of something more cool coming later, because there’s a lot of really great things they could be doing in cost management, but they’re just not yet.”
35:14 EC2 Shop API
- How did i not know about this, simple curl commands to get EC2 pricing.
- Curl ‘https://ec2.shop’
- Supports filters and region as well as can provide it as JSON
36:05 Ryan – “This is fantastic. Even when you use it on the browser, it’s pretty sweet. It’s a rudimentary UI, which is fine, right? Because I really want to curl it. But the fact that you can query your search and be able to quickly get multiple different instance types and multiple regions and multiple configurations, pretty awesome.
38:46 Run Chef 11-18 recipes on Windows using AWS Systems Manager
- You can now run Chef 11-18 recipes on EC2 or On-Premise instances. These capabilities were previously only available to linux instances, enabling customers with the power to combine the power of Chef recipes with the control and safety benefits from AWS Systems Manager, regardless of Windows or Linux.
- TIL
38:27 Ryan – “I mean, Chef is probably the only Configure It management tool that I think is like actually works on Windows. So like, I’ll give them that. Like, you’re right, I made the assumption that the systems manager worked on both and I don’t have enough Windows workloads that I ever tested that theory.”
39:56 Introducing AWS Deadline Cloud: Set up a cloud-based render farm in minutes
- In a name we will never remember, AWS Deadline Cloud, a new fully managed service that enables creative teams to easily set up render farms in minutes, scale to run more projects in parallel and only pay for what you use.
- AWS Deadline cloud provides a web-based portal with the ability to create and manage render farms, preview in progress renders, view and analyze render logs, and easily track the costs of your render.
- This is specifically targeted at Architecture, Engineering and Construction companies and Media & Entertainment.
- You have the flexibility to bring your own licenses or leverage third party renderers such as Maya, Nuke, and Houdini.
41:05 Jonathan – “Deadline Cloud is like batch for EC2, in a way. I think it’s all about building pipelines and things and jobs. And then Deadline Cloud manages the underlying EC2 resources for you. So it’s kind of like a batch tool, I guess.”
GCP
42:30 Google Cloud Backup and DR upgrade: VM protection made easier
- Google is announcing a new feature for Google Cloud Backup & DR, making it easier to safeguard your critical Google VMs.
- You can leverage the power of Google Cloud Tags, including inheritance, to easily configure backup policies for compute engine VMs, ensuring consistent protection of your dynamic cloud environments.
43:43 GCP Next Predictions:
Next week is Google Next! So of course we are going to do our usual terrible job of predicting what Google may announce next week:
Google Next Guides
Google Next Predictions
Justin
- Gemini 2.0 will be announced and available at Google Next
- LLM/Prompt Security from Mandian/Google solution
- Something around the brand confusion of GKE Enterprise/Anthos
Jonathan
- IAM Conditions to support calling a web service or cloud function to do more dynamic permissions
- Anything for IM on the mainstage
- A new Security Forensics capability (threat hunting/Siem/ish)
Matt
- Healthcare company will be a guest on the mainstage with all the back end processing etc.
- Integrations with Gemini and BigQuery
- GCP will make fun of Azure for backing Redis in a subtle way
Ryan
- GCP will highlight how their use AI to tackle the climate crisis
- GCP will announce a managed NFS/CIFS solution. (EFS competitor)
- GCP will announce an AI enhancement or robot to their google assistant homepod
Google Next Tie Breaker:
How many times will they say AI/LLM on stage?
Ryan – 67
Matt – 142
Jonathan – 52
Justin – 78
Number of main stage announcements?
Matt – 25
Jonathan – 9
Justin – 1
Ryan – 2
Azure
59:24 Announcing new tools in Azure AI to help you build more secure and trustworthy generative AI applications
- Azure is announcing new tools for AI Quality and Safety challenges, they are available now or coming soon to Azure AI Studio for generative AI App Developers
- Prompt Shields to detect and block prompt injection attacks, including a new model for identify indirect prompt attacks before they impact your model, coming soon and and now available in preview in Azure AI content Safety
- And because that made no sense… its Prompt Shield for Jailbreak Attacks in preview, and Prompt Shield for Indirect attacks that is coming soon
- Groundedness detection to detect hallucinations in model outputs, coming soon
- Safety systems messages to steer your models behavior toward safe, responsible outputs, coming soon.
- Safety evaluations to assess an applications vulnerability to jailbreak attacks and to generate content risks, now available in preview.
- Risk and Safety monitoring to understand what model inputs, outputs and end users are triggering content filters to inform mitigations, coming soon and now available in preview in Azure OpenAI service.
1:00:44 Ryan – “I do think we’re going to see a lot more of these type of services or augments to the existing sort of AI studio products across the board, just because everyone’s having the same thoughts of like, oh, we haven’t put any protections or guardrails. What are we going to do? We put all of our data in this custom model. Maybe that wasn’t a good idea.”
1:02:39 Using Microsoft Azure Virtual Network Manager to enhance network security
- Managing the scale of your network at large and diverse employers is incredibly difficult leveraging traditional models for network security. They point at the NSG’s available in Azure like Centralied, decentralized and hybrid and they all have strengths and weaknesses.
- Ideally the best model is a hybrid model of network security, where some are globally managed and some are locally managed.
- However this further results in inconsistency, complexity and lack of enforcement.
- To address these, they are building a new model based on Azure Virtual Network Manager, which allows the governance team to create and apply admin results across multiple NSGs, while still enabling the app teams to manage their own NSG rules.
- To do this they introduce network groups, which is a collection of network resources that can be defined using logical conditions.
1:04:23 Jonathan – “So this is a struggle for me on Azure, which is like, NSG’s act as like this dual layer of ACLs and security groups. And it’s always like a struggle for me because I want that more granular control that both give you, but NSG kind of fits both of them. And I haven’t fully found where I land, if I like it, if I don’t like it, kind of go down that route.”
Cloudflare
1:05:13 Making state easy with D1 GA, Hyperdrive, Queues and Workers Analytics Engine updates
-
- Cloudflare loves to release real products on April Fools day, and this year is no exception. They’re announcing three production ready services including:
- D1, their serverless SQL Database
- Hyperdrive which makes your existing database feel like they’re distributed
- Worker Analytics Engine their time series database
-
-
- Core databases are one of your most critical pieces of infrastructure. Needing to be ultra-reliable. It can’t lose data. It needs to scale. And so Cloudflare has built that out to build D1, their global serverless SQL database.
- Supports 10GB databases and 50,000 databases per account, new data export capabilities and enhanced query debugging via D1 insights.
- The free tier gets you 25 Billion / Month in reads, 50 Million / month in writes and the first 5gb of storage included.
- They have a lot planned for D1, including global read replication, even larger databases and more time travel capabilities to allow you to branch your database and new API’s for dynamic querying and/or creating a new database-on-the-fly from within a worker.
- Seems cool, but not sure i want to lock myself into this
-
-
- Hyperdrive was launched in beta last september, and now its GA for Postgres.
- Hyperdrive is designed to make the centralized database you already have feel like they are global. They use their global network to get faster routes to your database, keep connection pools primed, and cache your most frequently run queries as close to users as possible.
- Importantly, Hyperdrive supports the most popular drivers and ORM libraries out of the box, so you don’t have to re-learn or re-write your queries.
- They’re not done yet, with MySQL support coming, as well as support connecting to databases inside private networks (including cloud vpc networks) via Cloudflare Tunnel and Magic WAN.
- Cloudflare has decided they don’t want to charge for it, and so if you are already paying for the Workers Paid plan, hyperdrive is now free.
-
- Workers Analytics Engine provides unlimited-cardinality analytics at scale, via a built in API to write data points from workers, and a SQL API to query the data
- Worker Analytics Engine is powered by the same ClickHouse-based system we have depended on for years at Cloudflare.
- Since launching in beta, developers have depended on worker analytics for many use cases, from large enterprises to open-source projects such as Counterscale.
- Workers Free and Workers Paid will include allocating data points written and read queries.
1:08:54 Jonathan – “I think this is what AWS could have done with the RDS proxy, actually, because they had a proxy which was designed to route to a DR region or another region in case a local region failed. They could equally have built caching for queries into something like that.”
1:09:10 Justin – “…Which I thought they were going to do. And then they never, they never really delivered on that feature beyond announcing it… there’s even less need for them to do it now. Because that’s part of the reason why you wanted that layer was to keep the Aurora serverless primed, so you weren’t getting like, oh, timeout. Oh no, hey, the proxy’s gonna hold the timeout long, and then we spin up the resource behind the time hood.”
Aftershow
Biggest Deepfake Fraud? Fake Zoom Meeting, CFO Cloned, $25 Million Stolen
- A Hong Kong Finance employee was victim to a 26.5 Million dollar scam that leveraged multiple deep fakes.
- The perpetrators used deepfake technology to transform publicly available video and audio footage into lifelike versions of the company’s staff members, including a digitally cloned chief financial officer.
- The victim, a finance department employee, received a phishing email in mid January, purportedly from the company’s UK-based CFO, instructing them to conduct a secret transaction.
- Despite an initial “moment of doubt” the employee succumbed to the ruse after participating in a group video conference. During the call, the deepfake representations of company employees appeared authentic, leading the victim to follow the instructions and make 15 transfers totaling $25 million to five different banks.
- The episode took over one week, from the initial contact to the point the victim realized the scam.
- The scammers digitally recreated the meeting’s participants using deepfake technology, imitating their voices and appearances with convincing accuracy.
- Scammers employed a scripted self-introduction and gave orders before abruptly ending the meeting. Following the initial contact, scammers continued to engage with the victim through IM, emails and One-On-One video calls.
Closing
And that is the week in the cloud! Go check out our sponsor, Sonrai and get your 14 day free trial. Also visit our website, the home of the Cloud Pod where you can join our newsletter, slack team, send feedback or ask questions at theCloud Pod.net or tweet at us with hashtag #theCloud Pod