Welcome to the new week!

Let’s start with the security. We always put it as the last point, but should we? And I’m not even mentioning this humble newsletter, but in general. Security can be annoying. If you’re in a rush, do you really want to use this 2-Factor Authentication? If you have a tight budget, maybe you can cut the corners on security? If you want to onboard new clients quickly, maybe you could also make the process faster by lowering the security standards?

That last part was the case for Snowflake, one of the emerging cloud data platforms. Yes, was, because they just faced one of the biggest data breaches. Kevin Beaumont did a coverage of it.

• Kevin Beaumont - Snowflake at centre of world’s largest data breach

Let’s start with this one:

So what happens, essentially, is info stealers were used to gain access to Snowflake databases using their customer’s stolen credentials, using the client name rapeflake (side note to threat actor over that name: really?).

Snowflake themselves fell into this trap, by both not using multi factor authentication on their demo environment and failing to disable a leaver’s access. Shit happens, incidents happen, and while Snowflake may present themselves as having no platform breach, they themselves also fell into the same problem and in terms of optics isn’t great.. as they can point out customers messed up, but they messed up too.

That’s also one of the issues I described in Form a wall! And other concerns about security. Cloud magically won’t help us. If Snowflake were trying to cut corners by making access to the demo servers faster and not requiring their users to at least setup MFA, then the question would not be IF but WHEN they’re breached.

Such a breach sounds terrible for the data platform. Well, they recently added AI to the description. Maybe that will help them…

Of course, it won’t. This is the new surface of the threats. Read another coverage from Kevin where he shows how easily this can happen thanks to Windows 11 Copilot:

• Kevin Beaumont - Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster.

Or check out a nice walkthrough by Zeev Kalyuzhner from the Wix:

• Zeev Kalyuzhner - Exploiting LLMs: Unpacking Excessive Agency in a 6-Step Guide

Btw. we’re bombarded by the financial numbers generated by NVidia. Some are saying that they’re the biggest company now. They managed to jump from the quick cryptocurrency bubble to the Generative AI/LLM bubble. So this may be true, but…

…but recent Dell financial results may show a scratch on this crystal view. They recently put a lot of money into jumping into the Generative AI server delivery; they even managed to deploy many servers for that need, yet the figures stayed the same. Most of their profit is coming from the same sources as before. This may mean that either server market for GenAI has terribly low margins. Is it true, or is it just anecdotal evidence? We’ll see, but it’s worth watching this trend. As with any other technology, it’s sad, but the truth is that enterprise adoption is critical. And if Dell cannot have a proper enterprise adoption, then it’s not great info for the GenAI market. Read more:

• VentureBeat - Dell earnings reveal sluggish enterprise AI adoption

It sounds like Cloud Providers decided to show all the users that they can kick you off and delete your data when they want. We covered Google mishaps, and now Cloudflare made a move. Yet, this time, it wasn’t accidental but an intentional move:

• Robin Dev - Cloudflare took down our website after trying to force us to pay 120k$ within 24h

The case is fishy from both sides. The cut-off company is an online casino. They were using Cloudflare for services that are not allowed in many countries. It’s a neverending battle between governments and companies like that with blocking IPs, DNSes, etc. Cloudflare (probably) didn’t want to get their services blacklisted. They offer a “bring your own IP” option in Enterprise services, and that’s what they were offering for the company. Yet, the company still preferred to pay 200$ instead of 10 000 a month.

Here, things have become bad for Cloudflare. They should be explicit about it if they want to cut off the company because of the legal policies. It seems that online gambling was bad for Cloudflare until they started paying more. Then it would be acceptable. Pecunia non olet.

Of course, the newsletter author is overselling and showing only one side. But what we saw in his blog article is again a story of their terrible sales department. Also, let’s be frank, they didn’t want to drop this gambling business only because of the moral parts. They also have a story of supporting worse cases.

What we can learn from this story is that nothing is free, even if the vendor says that. Each thing has its limits, and if we’re successful, we will need to pay more. And the more is dependant on the scale of our success. Prepare your business model for that.

If you’re not getting a boost from vendor lock, use standards; they will help you move elsewhere.

If it’s getting you a boost, invest in the proper backups of your configurations and at least think about the migrate-out strategies.

Use boring tech.

And don’t do shady business. Because it seems that there are days when even casinos are not always winning.

I’ll post in the next releases if there’s an answer from Cloudflare.

Speaking about boring tech, if you’re looking for inspiration, check a nice article from Mark Seemann about the fundamentals:

• Mark Seemann - Fundamentals

It’s a nice walkthrough, not made in a boomer “I-can’t-keep-up-anymore-so-you-should-also-not-to” style. It shows how Mark selects the skills and technologies and the criteria he uses. Of course, select your own set.

Evergreens is also relational database indexing strategies. I just found this online book, and it looks great:

• Markus Winand - Use the Index, Luke! A Guide to Database Performance for Developers

Coming back to the security, check how cookies and tokens work:

• Tommi Hovi - Demystifying cookies and tokens

Documenting your code properly:

• Andy Jiang, Luca Casonato, Jo Franchetti - How to document your JavaScript package

Still, we should keep an eye on new trends, such as platform engineering. Google released article on common myths:

• Google Cloud Blog - 5 myths about platform engineering: what it is and what it isn’t

Or server-side UI components:

• Dan Abramov - React for Two Computers

I think that Dan did a great job explaining why, even though they look like the old thing, it’s not precisely circling back, but more a spiral and a next step of evolution.

Check also other links!

Cheers

Oskar

p.s. I invite you to join the paid version of Architecture Weekly. It already contains the exclusive Discord channel for subscribers (and my GitHub sponsors), monthly webinars, etc. It is a vibrant space for knowledge sharing. Don’t wait to be a part of it!

p.s.2. Ukraine is still under brutal Russian invasion. A lot of Ukrainian people are hurt, without shelter and need help. You can help in various ways, for instance, directly helping refugees, spreading awareness, and putting pressure on your local government or companies. You can also support Ukraine by donating, e.g. to the Ukraine humanitarian organisation, Ambulances for Ukraine or Red Cross.

Architecture

• Google Cloud Blog - 5 myths about platform engineering: what it is and what it isn’t

• Andy Jiang, Luca Casonato, Jo Franchetti - How to document your JavaScript package

• Afrefs - How Ahrefs Gets a Billion Dollar-Worth Infrastructure With a 90% Discount

• Tommi Hovi - Demystifying cookies and tokens

• Decentralized Identity Foundation - Decentralized Identifiers (DIDs) as an Identifier Metasystem

DevOps

• GitHub - Introducing Artifact Attestations–now in public beta

Frontend

• Dan Abramov - React for Two Computers

Database

• Markus Winand - Use the Index, Luke! A Guide to Database Performance for Developers

• CedarDB - An ode to PostgreSQL, and why it is still time to start over

Testing

• Matteo Vaccari - Test-Driving HTML Templates

AWS

• AWS Database Blog - Continuously replicate Amazon DynamoDB changes to Amazon Aurora PostgreSQL using AWS Lambda

Java

• Nicolai Parlog - Model Data, the Whole Data, and Nothing but the Data - Data Oriented Programming v1.1

• Vlad Mihlacea - PostgreSQL COPY result set to file

.NET

• Damien Bod - Implement a Microsoft Entra ID external authentication method using ASP.NET Core and OpenIddict

• Michael Staib - Getting Started with OpenTelemetry and GraphQL in .NET

• Andrew Lock - Thoughts about primary constructors: 3 pros and 5 cons

• dnvm - A command-line interface for installing and updating different dotnet SDKs

Coding Life

• Mark Seemann - Fundamentals

Industry

• Robin Dev - Cloudflare took down our website after trying to force us to pay 120k$ within 24h

• VentureBeat - Dell earnings reveal sluggish enterprise AI adoption

• TechRadar - EU ChatGPT Taskforce: a road to GDPR enforcement on AI?

• Above the Law - Airline Said It's Not Responsible For Terrible Advice From Its Own Customer Service AI Bot. The Court... Disagreed.

Security

• Kevin Beaumont - Snowflake at centre of world’s largest data breach

• ArsTechnica - Google Chrome’s plan to limit ad blocking extensions kicks off next week

• Kevin Beaumont - Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster.

• Zeev Kalyuzhner - Exploiting LLMs: Unpacking Excessive Agency in a 6-Step Guide

Trivia

• Computing: the Details - Call the compiler, fax it your code