Die Abhängigkeit der EU von Drittstaaten liegt bei digitalen Diensten bei über 80 Prozent und muss laut dem EU-Parlament dringend reduziert werden. (Europaparlament, Politik)
Quelle: Golem
Mit Hardware für Rechenzentrum verdient Intel mehr, das Privatkundengeschäft schwächelt. Dank mehr EUV soll Intel Foundry Services kräftig wachsen. (Intel, Prozessor)
Quelle: Golem
AWS Config announces launch of an additional 13 managed Config rules for various use cases such as security, durability, and operations. You can now search, discover, enable and manage these additional rules directly from AWS Config and govern more use cases for your AWS environment. With this launch, you can now enable these controls across your account or across your organization. For example, you can assess your security posture across Amazon Cognito User pools, Amazon EBS Snapshots, AWS Cloudformation Stacks and more. Additionally, you can leverage Conformance Packs to group these new controls and deploy across an account or across organization, streamlining your multi-account governance. For the full list of recently released rules, visit the AWS Config developer guide. For description of each rule and the AWS Regions in which it is available, please refer our Config managed rules documentation. To start using Config rules, please refer our documentation. New Rules Launched:
AURORA_GLOBAL_DATABASE_ENCRYPTION_AT_REST
CLOUDFORMATION_STACK_SERVICE_ROLE_CHECK
CLOUDFORMATION_TERMINATION_PROTECTION_CHECK
CLOUDFRONT_DISTRIBUTION_KEY_GROUP_ENABLED
COGNITO_USER_POOL_DELETE_PROTECTION_ENABLED
COGNITO_USER_POOL_MFA_ENABLED
COGNITO_USERPOOL_CUST_AUTH_THREAT_FULL_CHECK
EBS_SNAPSHOT_BLOCK_PUBLIC_ACCESS
ECS_CAPACITY_PROVIDER_TERMINATION_CHECK
ECS_TASK_DEFINITION_EFS_ENCRYPTION_ENABLED
ECS_TASK_DEFINITION_LINUX_USER_NON_ROOT
ECS_TASK_DEFINITION_WINDOWS_USER_NON_ADMIN
SES_SENDING_TLS_REQUIRED
Quelle: aws.amazon.com
Starting today, Amazon Elastic Compute Cloud (Amazon EC2) C8i and C8i-flex instances are available in the Asia Pacific (Sydney), and Europe (Frankfurt) regions. These instances are powered by custom Intel Xeon 6 processors, available only on AWS, delivering the highest performance and fastest memory bandwidth among comparable Intel processors in the cloud. These C8i and C8i-flex instances offer up to 15% better price-performance, and 2.5x more memory bandwidth compared to previous generation Intel-based instances. They deliver up to 20% higher performance than C7i and C7i-flex instances, with even higher gains for specific workloads. The C8i and C8i-flex are up to 60% faster for NGINX web applications, up to 40% faster for AI deep learning recommendation models, and 35% faster for Memcached stores compared to C7i and C7i-flex. C8i-flex are the easiest way to get price performance benefits for a majority of compute intensive workloads like web and application servers, databases, caches, Apache Kafka, Elasticsearch, and enterprise applications. They offer the most common sizes, from large to 16xlarge, and are a great first choice for applications that don’t fully utilize all compute resources. C8i instances are a great choice for all memory-intensive workloads, especially for workloads that need the largest instance sizes or continuous high CPU usage. C8i instances offer 13 sizes including 2 bare metal sizes and the new 96xlarge size for the largest applications. To get started, sign in to the AWS Management Console. Customers can purchase these instances via Savings Plans, On-Demand instances, and Spot instances. For more information about the new C8i and C8i-flex instances visit the AWS News blog.
Quelle: aws.amazon.com
Beim Weltwirtschaftsforum in Davos hat Elon Musk verkündet, den humanoiden Roboter Optimus bis Ende 2027 an die Öffentlichkeit zu verkaufen. (Elon Musk, Roboter)
Quelle: Golem
Auf Zigtausenden deutschen Servern läuft eine nicht mehr unterstützte Exchange-Version. Die Zahlen bessern sich zwar, bleiben aber bedenklich hoch. (Exchange, Microsoft)
Quelle: Golem
Autodesk baut weltweit Arbeitsplätze ab. Der Softwarekonzern begründet den Schritt mit einer weiteren Anpassung seiner Organisation. (Autodesk, CAD)
Quelle: Golem
Microsoft testet den KI-Coding-Assistenten von Anthropic und setzt ihn bei Entwicklern von Windows, Teams und Office ein. (Anthropic, Microsoft)
Quelle: Golem
Fast zwei Jahre nach der Ankündigung erhalten Waze-Nutzer neue Warnungen vor Bodenschwellen, gefährlichen Kurven und Einsatzfahrzeugen. (Waze, Google)
Quelle: Golem
FIPS compliance is a great idea that makes the entire software supply chain safer. But teams adopting FIPS-enabled container images are running into strange errors that can be challenging to debug. What they are learning is that correctness at the base image layer does not guarantee compatibility across the ecosystem. Change is complicated, and changing complicated systems with intricate dependency webs often yields surprises. We are in the early adaptation phase of FIPS, and that actually provides interesting opportunities to optimize how things work. Teams that recognize this will rethink how they build FIPS and get ahead of the game.
FIPS in practice
FIPS is a U.S. government standard for cryptography. In simple terms, if you say a system is “FIPS compliant,” that means the cryptographic operations like TLS, hashing, signatures, and random number generation are performed using a specific, validated crypto module in an approved mode. That sounds straightforward until you remember that modern software is built not as one compiled program, but as a web of dependencies that carry their own baggage and quirks.
The FIPS crypto error that caught us off guard
We got a ticket recently for a Rails application in a FIPS-enabled container image. On the surface, everything looked right. Ruby was built to use OpenSSL 3.x with the FIPS provider. The OpenSSL configuration was correct. FIPS mode was active.
However, the application started throwing cryptography module errors from the Postgres Rubygem module. Even more confusing, a minimal reproducer of a basic Ruby app and a stock postgres did not reproduce the error and a connection was successfully established. The issue only manifested when using ActiveRecord.
The difference came down to code paths. A basic Ruby script using the pg gem directly exercises a simpler set of operations. ActiveRecord triggers additional functionality that exercises different parts of libpq. The non-FIPS crypto was there all along, but only certain operations exposed it.
Your container image can be carefully configured for FIPS, and your application can still end up using non-FIPS crypto because a dependency brought its own crypto along for the ride. In this case, the culprit was a precompiled native artifact associated with the database stack. When you install pg, Bundler may choose to download a prebuilt binary dependency such as libpq.
Unfortunately those prebuilt binaries are usually built with assumptions that cause problems. They may be linked against a different OpenSSL than the one in your image. They may contain statically embedded crypto code. They may load crypto at runtime in a way that is not obvious.
This is the core challenge with FIPS adoption. Your base image can do everything right, but prebuilt dependencies can silently bypass your carefully configured crypto boundary.
Why we cannot just fix it in the base image yet
The practical fix for the Ruby case was adding this to your Gemfile.
gem "pg", "~> 1.1", force_ruby_platform: true
You also need to install libpq-dev to allow compiling from source. This forces Bundler to build the gem from source on your system instead of using a prebuilt binary. When you compile from source inside your controlled build environment, the resulting native extension is linked against the OpenSSL that is actually in your FIPS image.
Bundler also supports an environment/config knob for the same idea called BUNDLE_FORCE_RUBY_PLATFORM. The exact mechanism matters less than the underlying strategy of avoiding prebuilt native artifacts when you are trying to enforce a crypto boundary.
You might reasonably ask why we do not just add BUNDLE_FORCE_RUBY_PLATFORM to the Ruby FIPS image by default. We discussed this internally, and the answer illustrates why FIPS complexity cascades.
Setting that flag globally is not enough on its own. You also need a C compiler and the relevant libraries and headers in the build stage. And not every gem needs this treatment. If you flip the switch globally, you end up compiling every native gem from source, which drags in additional headers and system libraries that you now need to provide. The “simple fix” creates a new dependency management problem.
Teams adopt FIPS images to satisfy compliance. Then they have to add back build complexity to make the crypto boundary real and verify that every dependency respects it. This is not a flaw in FIPS or in the tooling. It is an inherent consequence of retrofitting a strict cryptographic boundary onto an ecosystem built around convenience and precompiled artifacts.
The patterns we are documenting today will become the defaults tomorrow. The tooling will catch up. Prebuilt packages will get better. Build systems will learn to handle the edge cases. But right now, teams need to understand where the pitfalls are.
What to do if you are starting a FIPS journey
You do not need to become a crypto expert to avoid the obvious traps. You only need a checklist mindset. The teams working through these problems now are building real expertise that will be valuable as FIPS requirements expand across industries.
Treat prebuilt native dependencies as suspect. If a dependency includes compiled code, assume it might carry its own crypto linkage until you verify otherwise. You can use ldd on Linux to inspect dynamic linking and confirm that binaries link against your system OpenSSL rather than a bundled alternative.
Use a multi-stage build and compile where it matters. Keep your runtime image slim, but allow a builder stage with the compiler and headers needed to compile the few native pieces that must align with your FIPS OpenSSL.
Test the real execution path, not just “it starts.” For Rails, that means running a query, not only booting the app or opening a connection. The failures we saw appeared when using the ORM, not on first connection.
Budget for supply-chain debugging. The hard part is not turning on FIPS mode. The hard part is making sure all the moving parts actually respect it. Expect to spend time tracing crypto usage through your dependency graph.
Why this matters beyond government contracts
FIPS compliance has traditionally been seen as a checkbox for federal sales. That is changing. As supply chain security becomes a board-level concern across industries, validated cryptography is moving from “nice to have” to “expected.” The skills teams build solving FIPS problems today translate directly to broader supply chain security challenges.
Think about what you learn when you debug a FIPS failure. You learn to trace crypto usage through your dependency graph, to question prebuilt artifacts, to verify that your security boundaries are actually enforced at runtime. Those skills matter whether you are chasing a FedRAMP certification or just trying to answer your CISO’s questions about software provenance.
The opportunity in the complexity
FIPS is not “just a switch” you flip in a base image. View FIPS instead as a new layer of complexity that you might have to debug across your dependency graph. That can sound like bad news, but switch the framing and it becomes an opportunity to get ahead of where the industry is going.
The ecosystem will adapt and the tooling will improve. The teams investing in understanding these problems now will be the ones who can move fastest when FIPS or something like it becomes table stakes.
If you are planning a FIPS rollout, start by controlling the prebuilt native artifacts that quietly bypass the crypto module you thought you were using. Recognize that every problem you solve is building institutional knowledge that compounds over time. This is not just compliance work. It is an investment in your team’s security engineering capability.
Quelle: https://blog.docker.com/feed/
