Evening sun on the Thames — Photo by the author.

If you start paying some attention to keeping safe online, it doesn’t take long before you start seeing articles — and advertisements — telling you that you need a VPN. So then — do you need a VPN?

No.

To be a bit more accurate: probably not, under most circumstances.

It might help if I talk about what a VPN is. I could start by saying it’s a Virtual Private Network, but that’s not going to help. Let’s go back a bit. At the highest level, when your laptop or phone is communicating with a remote service, we might as well just think of it as a pipe between the two devices carrying data. …


There are a handful of problems that keep recurring across my decades of working in information technology. Some problems are simple to address, some are always annoying, and a few of them seem doomed to need re-solving each time.

Photo by the author

The one on my mind today is that of addresses, and locations. The crux of the problem is this: addresses and locations are two very different things, and yet information system designers and implementers persistently and repeatedly mix the two up, and fail to grasp the subtle complexities of either.

I’ve struggled with the consequences of this in many different arenas — validation of addresses, parsing addresses to try to identify a location, going from locations to addresses, and all sorts of misguided attempts to perform geographical analysis of data without having any locations. …


(Russian Dolls — photo by myself)

I love scams. I love the improbable email, and the cunning SMS tricks, and the eternal optimism of the inexperienced con artist. There are few things in the world of technology, and the world of information security, that reveal so much humanity as scams.

There’s one simple technique to inoculate yourself against most scams:

If it sounds too good to be true, it probably is.

The thing about scams is that they appeal directly to our emotions. …


Sunset over the water with a bridge in silhouette

Last time I wrote I spoke at some length about passwords, and why you should use a password manager. The nice thing about sophisticated password managers like 1Password is that they usually provide a way to make your passwords shared across your various devices — laptops, desktops, tablets, phones and even smart watches. The big drawback to that is that there is some risk of your passwords being exposed if your device is stolen or used by someone else.

It’s not only passwords that are a problem with mobile devices. For convenience we usually have them set up so that things like email, calendars, contacts, and social media sites are left logged in and open. …


If you look online for advice on keeping safe online, two pieces of advice that are usually at or near the top of the list are “use a strong password” and “use a password manager”. Great advice, but useless if you don’t know why. What’s a “strong password”? One that bench presses its own weight? A password manager? What does that even mean?

I’ll try to unpack those and explain why “strong password” and “password manager” are actually good advice, and at the top of the list. …


I’ve had reason lately to be thinking about the information that is available for keeping safe on-line. It feels to me that a lot of it is either aimed at experts who worry about keeping a business safe, or else it’s rather too simple and likely to be aimed at your Grandma.

On that basis, I’m going to try to write a series of small pieces aimed at particular topics, keep it simple, but also offer meaningful advice.

Misty morning on the Thames

So to start with, I thought I’d talk about the risks you face online.

There are really only three main risks the average person…


Early morning lamplight on the Champs Elysee

A few weeks ago I was posed a rather odd question, or rather one that struck me as odd. Some questions, we believe in our hearts, never need to be asked, and yet sometimes they are. This question stuck with me, and deserves some serious consideration.

I’d given a presentation on a framework for thinking about security risks. During the questions following I was asked, and I paraphrase: “doesn’t security slow down progress too much for a startup?” In my surprise I sputtered a somewhat testy response, saying that no, that’s part of the cost of doing business now. I think I should unpack that though. …


Barbed wire with sunset and river behind

Wait… what? Isn’t OWASP something to do with web applications? That was my first reaction too when, some years ago, I was asked to do an “OWASP top 10 analysis” on a project that had nothing at all to do with web applications. At the time I was able to steer the conversation in more fruitful and useful directions, but the thought stuck with me: is the OWASP “top 10” a useful framework for thinking about security in Data Engineering?

Before delving into that question, let’s take the first of several detours, and think a bit about what a web application is. If we take a sufficiently distant view, we can hand wave and say a web application takes data from end users through a web browser, transforms it somehow, and updates a data store. Or it goes the other way, pulling data from a store, transforming it, and passing it back to the user. For example, the user uploads a 9Mb picture of a cat, the web app creates a tiny thumbnail, and pushes both into some storage. …


Snow covered mountain peaks at Innsbruck

Wasabi is a very interesting and compelling competitor for AWS S3… but also potentially a superb collaborator.

What are Wasabi and S3 though? Stripping these services down to their barest bones, they are cloud-based, highly available and resilient object stores with effectively unlimited storage capacity. Digging a bit further, they are both key/value stores, which means that every binary object is uniquely identified by a key, in much the same way that a file on your laptop is uniquely identified by a folder path and file name.

There are two big conceptual benefits that immediately arise from treating object storage as key/value pairs inside a container or grouping. First up, developers have long been familiar with using key/value stores in their code — all modern languages used in the last few decades have some version of an in-memory key/value store, and support the same basic semantics: you can put an object in the store with a key, get an object from the store by supplying the key, remove an object using its key, or test if the object is there. …


Capela de Nossa Senhora da Peninha

One of the problems with cloud security compared to on-premise is that there is more risk that someone unauthorised will be able to gain access to your EC2 Linux instances via SSH. That’s one of the reasons I’m keen on serverless solutions, various X-As-A-Service services, and on not opening up a server for access by SSH at all. It’s easier to keep bad guys off a server if you don’t let anyone onto the server.

There are a variety of reasons though why you really do want to allow your developers and operators to get direct access to a server, and a variety of mechanisms have arisen. Session Manager is a particularly nice one, as it removes the need to open up SSH on a server at all, although at the cost of requiring an AWS service to be running on the host. Because it runs through the web console, it’s nicely locked down to authorised users via IAM roles and policies, and access is audited through CloudTrail. The trouble is that it operates through the console, and does not provide direct access from the developers’ desktop terminal. …

About

Robert Hook

Managing Partner of Leap Beyond, with a belief that technology can be simple, easy and fun. 30+ years building robust, secure data driven solutions.
