How critical is encryption-at-rest for public cloud hosted systems

I work as a solutions architect for web-based systems on AWS and, as part of this role, often respond to Information Security questionnaires. Nearly all questionnaires request information about data encryption at-rest and in-transit. However, only a much smaller percentage ask about other security aspects, such as password policies or common web application security issues, as published by OWASP.

I wonder how common/likely accessing of clients’ data is within a public cloud provider such as AWS, Azure and GCP. It seems a very high barrier to pass for an external party; even data centers of small local web hosting companies seem to have very good physical access security. And informal conversations with bank employees tell me that accessing someone’s bank account without reason leads to instant dismissal, so surely public cloud providers would have similar controls in place?

This is not to challenge the value of encryption at rest, it is very cheap to access, so there is no reason not to enable it, but where does it sit in terms of priorities?

Is there any chance of local PC getting infected when you analyse PCAP malware file in cloud server through putty?

Is there any chance of local PC getting infected when you analyse PCAP malware file in cloud server through putty? I want to run pcap malware to test snort in my cloud server. I want to know on doing so if it will affect my local machine.

Handling API keys for client-side app with cloud key vault

I would like to hear about the security implications of my desktop app’s current API usage workflow:

  1. Client-side WPF desktop app connects to Azure Key Vault, a cloud vault, by authenticating via a self-signed certificate packaged and distributed with the app’s installer.
  2. Client app retrieves the API key and the key is assigned to a declared runtime object.
  3. Client app uses the key value to make the required GET requests.
  4. Client app closes with Application.Current.Shutdown().

Not well-versed in security myself, but I wondered:

  • Is distributing self-signed certs a risky practice? I.e. others may create a clone app with it
  • Can others potentially hack into the client during runtime and access the key?
  • Potentials for man-in-the-middle attacks to intercept keys when retrieving from vault?

Keen to hear expert thoughts about the above and other ideas. I can’t think of another way to make the GET request directly from client-side.

Multiple casting of Stinking cloud at same time

If multiple casters cast Stinking cloud targeting the same area, will a character who enters that area save multiple times? I know that effect does not stack, but if he has to save multiple times, in case one succeeds one save but fails the other, he would still be nauseated.

If only one Stinking cloud is in effect, what is the DC? Is it the highest DC? What if there are other modifiers to one spell that make them different (e.g. one Stinking cloud with DC 19, and another Stinking cloud with DC 18 but enhanced with Disruptive Spell metamagic)? How about SR (one spell could be enhanced by Piercing Spell metamagic to overcome SR, but has a lower DC)? What happens when it is dispelled using targeted dispel? Or what if using area dispel?

Does the Rune Knight choose the new target for Cloud Rune or does the original target choose the new target?

Quoting from the Rune Knight’s Skye (Cloud Rune)

In addition, when you or a creature you can see within 30 feet of you is hit by an attack roll, you can use your reaction to invoke the rune and cause that attack to target a different creature within 30 feet of you (other than the attacker), using the same roll. This magic can transfer the attack regardless of the attack’s range. Once you invoke the rune, you can’t do so again until you finish a short or long rest.

Does that mean the Rune Knight chooses the new target for the attack?

Thank you so much for your help!

Questions about cloud hosting for a solo dev

So basically I’m shopping around for the right version control software. Whether free/open-source like SVN, or paid like Plastic, I keep seeing references to cloud hosting, which pretty much always requires some kind of extra subscription.

As someone with a non-technical background, I don’t feel like I have a good grasp on whether or not cloud hosting is even something that I would benefit from as a solo developer. What are the pros and cons?

And even if it’s something I do need, is there a "free" way to go about it?

For example, would it be a valid workflow to install SVN for maintaining a local repository on my computer, and then just manually upload my current project version to GitHub periodically to serve as a sort of "offsite backup"?

Can one trust OS and apps from Onyx: app store, modified Android, Onyx Cloud

Onyx Boox is a brand of e-book reader produced by Onyx International Inc, based in China. They have e-book readers based on Android OS. They have features that can violate user privacy or other accounts security:

  1. App store with optimized-for-e-book apps from other app stores: Kindle, Office, Evernote, etc.
  2. Account manager: Dropbox, Evernote, etc.
  3. Option to enable Google Play and other Google services (like Calendar)
  4. Onyx Cloud (sync personal notes, etc.)

So the question is: are there any signs of backdoors or vulnerabilities known about their modified apps or OS itself or other stuff that can lead to user data leaks (like privacy leaks or leaks of sensitive information: like passwords or other data)?

A way to get out of taking Cloud of Daggers damage?

Suppose Alice, Charlie, and Bob are in combat (in that order).

Alice casts Cloud of Daggers centered on Bob. This question explains that Bob takes no damage (yet), as merely creating the area doesn’t trigger the damage.

Charlie casts Thunderwave on Bob, who fails the save. Bob takes 2d8 thunder damage and is pushed 10ft, out of the area created by Cloud of Daggers.

Next is Bob’s turn. Would I be correct to say that Bob never takes damage from the Cloud of Daggers (unless he does something silly like run back into it)?

Is Adobe Creative Cloud uploading files from hard drive without my permission?

I was trying to uninstall InDesign from my Windows 10 computer. To uninstall/update any of Adobe’s programs, you have to first update to the latest version of Creative Cloud, which is a hub that manages all its programs (PS, Illustrator, AfterEffects, etc). Once the update was complete, I uninstalled InDesign, but noticed that there was a small progress indicator on the top-right corner.

When I opened it, I saw that it said “File syncing” was in progress. I thought “What file syncing? I never asked to sync any files!”

I immediately paused the sync. Upon clicking on the settings icon, it turns out it was auto-syncing files from my entire C:/Users/[UserName]/Documents/ folder, without asking for any permission to do this! (I’ve since created an empty /Adobe subfolder so it doesn’t have anything to upload).

I think I stopped it before it was able to upload anything. Has Adobe been automatically uploading files from its users’ /Documents folder without their consent, or am I overreacting? If so, is there a way to blacklist all internet access to all of Adobe’s products? I don’t want the next update to reset these permissions, and having to worry about auto-syncing in future versions!

ImageContents not working on Wolfram Cloud iOS app

I tried using the experimental ImageContents[] function, introduced in MMA 12, on my PC (using Mathematica) as well as on my iPad (using Wolfram Cloud app). On my PC it worked, but not on Wolfram Cloud. It said that it had to download some 200 MB of data from their servers, just like it did on Mathematica. However after the download nothing happened.

This was the image: https://i.stack.imgur.com/6Fd4n.jpg

And this is the result on my PC: ImageContents results

Does anyone know what is the issue?