Architecture Weekly #182 - 3rd June 2024
Welcome to the new week!
Let’s start with security. We always put it as the last point, but should we? And I’m not even talking about this humble newsletter, but about how we work in general. Security can be annoying. If you’re in a rush, do you really want to use two-factor authentication? If you have a tight budget, maybe you can cut corners on security? If you want to onboard new clients quickly, maybe you could also make the process faster by lowering the security standards?
That last part was the case for Snowflake, one of the emerging cloud data platforms. Yes, was, because they just faced one of the biggest data breaches. Kevin Beaumont covered it.
Let’s start with this one:
So what happens, essentially, is info stealers were used to gain access to Snowflake databases using their customers’ stolen credentials, using the client name rapeflake (side note to the threat actor over that name: really?).
Snowflake themselves fell into this trap, by both not using multi-factor authentication on their demo environment and failing to disable a leaver’s access. Shit happens, incidents happen, and while Snowflake may present themselves as having no platform breach, they themselves also fell into the same problem, and in terms of optics it isn’t great, as they can point out customers messed up, but they messed up too.
That’s also one of the issues I described in Form a wall! And other concerns about security. Cloud won’t magically help us. If Snowflake were trying to cut corners by making access to the demo servers faster and not requiring their users to at least set up MFA, then the question would not be IF but WHEN they’re breached.
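The two failures quoted above (accounts without MFA and a leaver whose access was never disabled) are both things an account audit can catch before a stolen password does. The script below is an added example, not code from this newsletter, from Kevin Beaumont’s post or from Snowflake; it runs over a constructed, hypothetical account inventory rather than any real platform’s API, and the usernames and roles in it are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical inventory record; a real one would be exported from the
# platform's user listing and the HR system's leaver feed.
@dataclass
class Account:
    username: str
    mfa_enabled: bool
    enabled: bool
    left_company_on: Optional[date] = None   # None means still employed
    roles: Tuple[str, ...] = ()

# Roles whose password-only login would hand an attacker the whole tenant.
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}

# Constructed sample data for the example (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", mfa_enabled=True, enabled=True),
    Account("bob", mfa_enabled=False, enabled=True, roles=("ACCOUNTADMIN",)),
    Account("carol", mfa_enabled=True, enabled=True, left_company_on=date(2024, 4, 30)),
    Account("dave", mfa_enabled=False, enabled=False, left_company_on=date(2024, 1, 15)),
    Account("demo_svc", mfa_enabled=False, enabled=True),
]


def audit_accounts(accounts: List[Account], today: date) -> List[dict]:
    """Return one finding per control violation on still-enabled accounts.

    Two controls are checked:
      * leaver_still_enabled: the person has left but the login still works;
      * no_mfa: the account can be used with a password alone, which is
        exactly what info-stealer credential dumps give an attacker.
    """
    findings = []
    for acc in accounts:
        if not acc.enabled:
            continue  # already disabled; nothing a stolen password can do
        if acc.left_company_on is not None and acc.left_company_on <= today:
            days = (today - acc.left_company_on).days
            findings.append({
                "user": acc.username,
                "issue": "leaver_still_enabled",
                "severity": "high",
                "detail": f"{days} days after leaving",
            })
        if not acc.mfa_enabled:
            privileged = sorted(set(acc.roles) & PRIVILEGED_ROLES)
            findings.append({
                "user": acc.username,
                "issue": "no_mfa",
                "severity": "high" if privileged else "medium",
                "detail": ("privileged roles: " + ", ".join(privileged))
                          if privileged else "password-only login",
            })
    # Stable ordering so the report (and any diff against last week's) is readable.
    return sorted(findings, key=lambda f: (f["user"], f["issue"]))


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, date(2024, 6, 3)):
        print(f"{f['severity']:6} {f['user']:10} {f['issue']:22} {f['detail']}")
```

Run it as a scheduled job against a fresh export and treat any `high` finding as a ticket with an owner; a demo environment is not exempt, because to a stolen-credential attacker it is just another login.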
Such a breach sounds terrible for the data platform. Well, they recently added AI to the description. Maybe that will help them…
Of course, it won’t. This is the new threat surface. Read another piece from Kevin where he shows how easily this can happen thanks to Windows 11 Copilot:
Or check out a nice walkthrough by Zeev Kalyuzhner from Wix:
Btw. we’re bombarded by the financial numbers generated by NVidia. Some are saying that they’re the biggest company now. They managed to jump from the quick cryptocurrency bubble to the Generative AI/LLM bubble. So this may be true, but…
…but recent Dell financial results may show a scratch on this crystal view. They recently put a lot of money into jumping into Generative AI server delivery; they even managed to deploy many servers for that need, yet the figures stayed the same. Most of their profit is coming from the same sources as before. This may mean that the server market for GenAI has terribly low margins. Is it true, or is it just anecdotal evidence? We’ll see, but it’s worth watching this trend. As with any other technology, it’s sad, but the truth is that enterprise adoption is critical. And if Dell cannot get proper enterprise adoption, then it’s not great news for the GenAI market. Read more:
It sounds like Cloud Providers decided to show all the users that they can kick you off and delete your data when they want. We covered Google mishaps, and now Cloudflare made a move. Yet, this time, it wasn’t accidental but an intentional move:
The case is fishy from both sides. The cut-off company is an online casino. They were using Cloudflare for services that are not allowed in many countries. It’s a never-ending battle between governments and companies like that, with blocking of IPs, DNS, etc. Cloudflare (probably) didn’t want to get their services blacklisted. They offer a “bring your own IP” option in their Enterprise services, and that’s what they were offering to the company. Yet, the company still preferred to pay $200 instead of $10,000 a month.
Here, things look bad for Cloudflare. If they want to cut off the company because of legal policies, they should be explicit about it. It seems that online gambling was bad for Cloudflare until the customer started paying more. Then it would be acceptable. Pecunia non olet.
Of course, the article’s author is overselling and showing only one side. But what we saw in his blog article is again a story of Cloudflare’s terrible sales department. Also, let’s be frank, they didn’t want to drop this gambling business only because of the moral aspect. They also have a history of supporting worse cases.
What we can learn from this story is that nothing is free, even if the vendor says that. Each thing has its limits, and if we’re successful, we will need to pay more. And how much more depends on the scale of our success. Prepare your business model for that.
If you’re not getting a boost from vendor lock, use standards; they will help you move elsewhere.
If it’s getting you a boost, invest in the proper backups of your configurations and at least think about the migrate-out strategies.
Use boring tech.
And don’t do shady business. Because it seems that there are days when even casinos are not always winning.
I’ll post in the next releases if there’s an answer from Cloudflare.
Speaking about boring tech, if you’re looking for inspiration, check a nice article from Mark Seemann about the fundamentals:
It’s a nice walkthrough, not made in a boomer “I-can’t-keep-up-anymore-so-you-shouldn’t-either” style. It shows how Mark selects the skills and technologies and the criteria he uses. Of course, select your own set.
Relational database indexing strategies are also evergreen. I just found this online book, and it looks great:
Coming back to security, check how cookies and tokens work:
Documenting your code properly:
Still, we should keep an eye on new trends, such as platform engineering. Google released an article on common myths:
Or server-side UI components:
I think that Dan did a great job explaining why, even though they look like the old thing, it’s not precisely circling back, but more a spiral and the next step of evolution.
Check also other links!
Cheers
Oskar
p.s. I invite you to join the paid version of Architecture Weekly. It already contains the exclusive Discord channel for subscribers (and my GitHub sponsors), monthly webinars, etc. It is a vibrant space for knowledge sharing. Don’t wait to be a part of it!
p.s.2. Ukraine is still under brutal Russian invasion. A lot of Ukrainian people are hurt, without shelter and need help. You can help in various ways, for instance, directly helping refugees, spreading awareness, and putting pressure on your local government or companies. You can also support Ukraine by donating, e.g. to the Ukraine humanitarian organisation, Ambulances for Ukraine or Red Cross.
Architecture
Google Cloud Blog - 5 myths about platform engineering: what it is and what it isn’t
Andy Jiang, Luca Casonato, Jo Franchetti - How to document your JavaScript package
Ahrefs - How Ahrefs Gets a Billion Dollar-Worth Infrastructure With a 90% Discount
Decentralized Identity Foundation - Decentralized Identifiers (DIDs) as an Identifier Metasystem
DevOps
Frontend
Database
Markus Winand - Use the Index, Luke! A Guide to Database Performance for Developers
CedarDB - An ode to PostgreSQL, and why it is still time to start over
Testing
AWS
Java
.NET
Michael Staib - Getting Started with OpenTelemetry and GraphQL in .NET
Andrew Lock - Thoughts about primary constructors: 3 pros and 5 cons
dnvm - A command-line interface for installing and updating different dotnet SDKs
Coding Life
Industry
Robin Dev - Cloudflare took down our website after trying to force us to pay 120k$ within 24h
VentureBeat - Dell earnings reveal sluggish enterprise AI adoption
TechRadar - EU ChatGPT Taskforce: a road to GDPR enforcement on AI?
Security
Kevin Beaumont - Snowflake at centre of world’s largest data breach
ArsTechnica - Google Chrome’s plan to limit ad blocking extensions kicks off next week
Zeev Kalyuzhner - Exploiting LLMs: Unpacking Excessive Agency in a 6-Step Guide