Orbitz hit with data breach, info on 880,000 payment cards at risk

The online travel company Orbitz has suffered a major data breach possibly exposing the personal information associated with the owners of up to 880,000 payment cards.

The company, a subsidiary of Expedia, said in a statement that the payment card information was taken during a breach that hit its consumer and partner platforms. On the consumer platform the exposure covers certain purchases made between January 1, 2016 and June 22, 2016; on the partner platform it covers purchases made between January 1, 2016 and December 22, 2017.

Orbitz did not disclose the nature of the data breach, but a few industry executives believe either an Orbitz partner may be to blame or an internal staffer’s credentials were compromised.

“Orbitz mentions it believes the hacker got into the ‘Orbitz consumer and business partner platform.’ It’s not entirely clear to me what the company is referring to, but by the sounds of it third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn’t provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised,” said Paul Bischoff, privacy advocate at Comparitech.com.

However, Perry Chaffee, VP of strategy at authentication company WWPass, said the targeted data was stored in a centralized database that was most likely accessible to “trusted” admins, whose credentials could have been compromised without their knowledge, and that the database was probably also reachable on the back end.

“According to Verizon’s DBIR, there’s an 81 percent probability that the compromised credentials of a trusted admin were the root cause of this attack.  There’s a 19 percent chance that access resulted from a more complex back-end attack, but I’d be more focused on the 4/5 chance that an admin’s password was guessed, stolen, intercepted, or cracked,” he said.

The intrusion was discovered on March 1, 2018 and most likely took place between October 1, 2017 and December 22, 2017, Orbitz said. The company was conducting an investigation on an older Orbitz.com platform when its researchers found evidence that unauthorized access had been gained.

The information that was likely accessed may include full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender. The company said that although the information was unsecured, it has not found any direct evidence that this personal information was actually taken from the platform.

“Our investigation to date has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information. For U.S. customers, Social Security numbers were not involved in this incident, as they are not collected nor held on the platform,” Orbitz said.

Orbitz was acquired by Expedia in February 2015 for $1.6 billion in cash.

“Orbitz is not alone in its lack of visibility into some systems. Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems. As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted,” said Mike Schuricht, VP product management for Bitglass.

George Avetisov, CEO of HYPR, said that while the “how” of the breach has not been made public, the fact that this amount of personal information was stored in one place is problematic.

“The Orbitz breach is yet another example of what happens when personal credentials are centralized. The centralization of biometrics, pins, passwords, and credit cards has proven to create a single point of failure targeted by hackers. Large enterprises are moving towards decentralized authentication in order to prevent large scale breaches, eliminate fraud and ensure user privacy,” he stated.


via:  scmagazine


What’s at Stake with NIST 800-171 and How to Ensure You’re Compliant

Over the past three years, the National Institute of Standards and Technology (NIST) has defined the Special Publication 800-171 security requirements. They are designed to protect Controlled Unclassified Information (CUI) in nonfederal information systems and organizations.

When the DFARS (Defense Federal Acquisition Regulation Supplement) clause came out, most believed this mandate would finally require the contractors who run systems for federal agencies to protect certain types of federal information in any environment. The Department of Defense set milestones that every federal system integrator or contract holder must meet to uphold these requirements.


There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests that affected programs must meet.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

The 800-171 requirements are derived from NIST SP 800-53, the federal catalog of security controls; the DFARS clause is what applies them to unclassified information shared between the federal government and a non-federal entity.

Since 2015, we have watched and engaged with many system integrators, as well as manufacturers, to ensure that federal government contractors meet all 800-171 DFARS mandates. The December 2017 deadline by which all contractors had to meet the DFARS 800-171 requirement has passed, and most are not in compliance. Further additions and controls are expected in the coming months, so if you are not compliant, you need to get there.


There will be consequences for non-compliance, as not being able to conduct business with the federal government means large revenues lost and existing federal contracts being held at a standstill or withdrawn completely.

As Beverly Cornelius points out in a blog on The State of Security, the following three things are inevitable:

  • Contract Termination. It is reasonable to expect that the U.S. government will terminate contracts with prime contractors over NIST 800-171 non-compliance since it constitutes a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant as a whole.
  • Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act, for it fits the definition of any act intended to deceive through a false representation of some fact resulting in the legal detriment of the person who relies upon the false information.
  • Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., NIST 800-171 controls).

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.


To become compliant, you can do the following things:

  1. Make someone responsible for the efforts.
  2. Review your current outlook and what needs to be done.
  3. Contact an organization that can help.

In watching many OEM companies’ attempts to sell their products, it has become clear that some are not presenting their solutions clearly. That unclear presentation has burned cycles for the contractors who have been desperately trying to meet the federally mandated dates. Some of the controls are complex, hard to implement, and certainly can’t be met with one or two companies’ solutions.

No single company can meet all of the mandates, so when a vendor says it can cover every control, or even one control in full, be prepared to question it thoroughly. Very few vendors, Tripwire among them, can cover even a single control in full.

Therefore, in order to meet these mandates, companies like Tripwire have cross-pollinated with other best-of-breed solutions providers and found ways to bring together multiple products to meet the requirements.

Tripwire’s collaborative efforts break down the walls between vendors and combine the solutions that multiple vendors provide to meet 800-171 accurately and protect federal government data. This simplifies the research for IT staff: you only need to reach out to one point of contact, and you will immediately have a team that guides contract holders to meet all DFARS requirements.



via:  tripwire


Open AWS S3 bucket managed by Walmart jewelry partner exposes info on 1.3M customers

Personal information belonging to 1.3 million customers of Walmart jewelry partner MBM Company has been exposed because yet another Amazon S3 bucket was left open on the internet.

The open S3 bucket, named “walmartsql,” housed an MSSQL database backup, named MBMWEB_backup_2018_01_13_003008_2864410.bak, that “contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders, which gives the appearance that this is the main customer database for MBM Company Inc.,” according to a report by Kromtech Security, which discovered the open server on Feb. 3. Dates on the records ranged from 2000 to early 2018.

“The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon S3 buckets is simple ignorance,” Kromtech said in a report detailing its findings. “Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them.”

Fred Kneip, CEO at CyberGRX, said the implications are reminiscent of the breach that hit Target a few years ago. “A small third party that most people have never heard of has its weak security controls exploited, allowing hackers to access customer data from a major retailer whose name gets dragged into headlines, affecting the retailer’s reputation and bottom line. That sentence describes the infamous 2013 Target breach where attackers compromised a small HVAC vendor, but could just as easily be applied to the recent Walmart breach caused by a jewelry partner,” said Kneip. “Hackers are increasingly targeting vendors, partners and other third parties to access sensitive data, and retailers need to understand that they are going to be held responsible for the security shortcomings of any third party in their digital ecosystem.”

Noting that “organizations must understand where they are storing their data, whether the storage system is appropriate for the data they’re keeping there, and whether they have the internal resources to responsibly secure those data systems,” Threat Stack CSO Sam Bisbee said, “the onus must also be on AWS” because while “the shared responsibility model for security is accurate and fair,” it’s starting “to feel disingenuous as AWS continues to release point solution tools, yet leaks keep occurring.”

Threat Stack’s research shows that the problem isn’t limited to open S3 buckets: “nearly three-quarters of organizations have critical AWS misconfigurations of some kind,” particularly “large organizations that have grown rapidly over time, both organically and inorganically, and often rely on third parties.”

Bisbee explained that “it can be very difficult to maintain security visibility into your infrastructure as assumed knowledge gets dispersed, particularly as business leaders continually prioritize speed over security.”
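The bucket in this story was reachable because a legacy ACL or bucket policy let anyone list and read it, and the control AWS offers against exactly that class of mistake is the Public Access Block. The following is an added example, not code from the page, from Kromtech, or from Walmart/MBM: a Python evaluator that takes a bucket’s ACL, policy and Public Access Block in the shapes boto3 returns them (`get_bucket_acl`, `get_bucket_policy()["Policy"]`, `get_public_access_block()["PublicAccessBlockConfiguration"]`) and reports whether the bucket is anonymously reachable, and whether a block setting neutralises an otherwise public grant. The sample ACL is constructed to mirror the shape of the incident and is not real data; the `audit_bucket` wrapper is the only part that touches the network and needs credentials with the three `s3:GetBucket*` read permissions.

```python
import json
from typing import Optional

# Grantee URIs that make an ACL grant world-readable. AllUsers is the anonymous
# internet; AuthenticatedUsers is anyone with *any* AWS account, which is just
# as public in practice.
PUBLIC_GRANTEE_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the forms that match every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_access_findings(acl: dict, policy_json: Optional[str], pab: Optional[dict]) -> list:
    """Return human-readable findings describing how the bucket is exposed.

    acl         : dict returned by s3.get_bucket_acl(Bucket=...)
    policy_json : s3.get_bucket_policy(...)["Policy"] (a JSON string), or None
    pab         : s3.get_public_access_block(...)["PublicAccessBlockConfiguration"], or None
    """
    pab = pab or {}
    findings = []

    # 1. Legacy ACL grants to the global groups. IgnorePublicAcls is the setting that
    #    neutralises grants already in place; BlockPublicAcls only rejects new ones.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            who = grantee["URI"].rsplit("/", 1)[-1]
            perm = grant.get("Permission")
            if pab.get("IgnorePublicAcls"):
                findings.append(f"ACL grants {perm} to {who} but IgnorePublicAcls is on (mitigated)")
            else:
                findings.append(f"ACL grants {perm} to {who}: listing/objects readable by {who}")

    # 2. Bucket policy statements that allow everyone. RestrictPublicBuckets is the
    #    setting that counters an existing public policy.
    if policy_json:
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
                continue
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if stmt.get("Condition"):
                findings.append(f"policy allows {actions} to everyone, gated by a Condition: review it")
            elif pab.get("RestrictPublicBuckets"):
                findings.append(f"policy allows {actions} to everyone but RestrictPublicBuckets is on (mitigated)")
            else:
                findings.append(f"policy allows {actions} to everyone with no Condition")
    return findings


def audit_bucket(bucket: str) -> list:
    """Fetch the three settings with boto3 and evaluate them (needs AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy_json = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except ClientError:  # no policy attached (NoSuchBucketPolicy)
        policy_json = None
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError:  # block never configured (NoSuchPublicAccessBlockConfiguration)
        pab = None
    return public_access_findings(acl, policy_json, pab)


# Constructed sample (not data from the incident): owner has full control and the
# AllUsers group has READ, i.e. anyone on the internet can list and download.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEE_URIS[0]}, "Permission": "READ"},
    ],
}
# The four-switch block that should be on for any bucket holding a database backup.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for finding in public_access_findings(LEAKY_ACL, None, None):
        print("FINDING:", finding)
```

Run it as-is to see the constructed bucket flagged, or call `audit_bucket("name")` against a real bucket. The asymmetry worth remembering: `BlockPublicAcls` and `BlockPublicPolicy` only stop new public settings from being applied, while `IgnorePublicAcls` and `RestrictPublicBuckets` are what defuse a public ACL or policy that is already there, so an account that turned on the block after the fact but left the latter two off can still be leaking.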


via:  scmagazine


3 Ways to Combat Cyber Crime with an Enterprise War Machine

By Gautam Dev (@TechDemocracy)

It’s a war out there. Malware forms are proliferating and growing ever-more sophisticated. IoT and software and hardware innovation are creating new capabilities, while also resulting in new gaps and vulnerabilities. And massive information breaches have enabled cyber criminals to create rich profiles of consumers, as well as identify pressure points for senior leaders across industries.

In fact, cybercrime is slated to cost $6 trillion annually by 2021. Anyone can watch the real-time bombardment of cyber assaults on maps like Norse’s. It’s alarming, and it’s getting worse day after day.

There’s seemingly nothing to be done – or is there?

Here are three ways to combat cybercrime:

1.      Throw more talent and technology at the problem: As cybercrime escalates, so should enterprises’ response. One common solution: Do more of everything. Cybersecurity spending will skyrocket to $1 trillion by 2021, as companies hire top talent, including elite white-hat teams that hack their own companies’ networks, and invest in technology such as security information and event management (SIEM) systems to monitor networks edge to edge. The goal: To get smarter about finding the proverbial needle in the haystack.

But is it working? We’ve seen account after account of breaches caused by human error, such as failure to patch systems on a timely basis or turning off the torrent of alerts produced by a SIEM. Then there are massive hardware issues that catch us by surprise, such as the revelation that CPUs from Intel and other vendors were vulnerable to Spectre and Meltdown. And now we’re seeing a rise in fileless attacks, which lower the barrier to entry and bypass security systems more effectively than malicious executable files. There’s simply no guarantee that crackerjack talent or shiny toys with new bells and whistles can meet the latest generation of threats. The cracks are already showing.

2.      Improve cyber governance. To fight cyber war, you don’t need a gun or bullets: You need a strategy, a plan, and guidance from war-savvy generals who are leading the battle from the front. This requires the cooperation of the entire C-suite. If CEOs aren’t aware of the need for cyber governance – and they should be – security leaders need to close the gap and elevate cyber risk to the board level.

There are many ways to describe cyber governance. Here’s a simple one: Cyber governance is the creation and application of methodologies, rules, programs and policies applied holistically across the enterprise to assess and manage cyber risk.

The Intellicta platform fast tracks the activation of cyber governance with its risk framework and helps the non-technical executives in the c-suite get up to speed. This is not just another toy – Intellicta is a risk dashboard that layers over your other systems, business processes, regulations, and more to give you a holistic look at risk, security, compliance and governance. It analyzes risks and vulnerabilities, assigns them a score, and gives them a price tag. Imagine knowing at one glance that ransomware is a $10M threat, an end-of-life system is creating a $30M exposure, or password-based logins are creating a $250M risk. Wouldn’t that help guide your thinking? Wouldn’t that shape your strategy, investments, and roadmap?

While investing in good cyber governance takes time, talent, and yes, investment, there is no time to waste. Cybercriminals are getting smarter, and you need to fight an air battle, not a ground war.


3.      Get control over AI: AI is heralded as the shiny new savior of cyber security. Leverage analytics, automate processes, use machine learning to get smarter and smarter, and poof – cyber risks be gone.

But, let’s not kid ourselves. The bad guys already have access to AI technologies and gargantuan amounts of data required to cause havoc on AI routines.

Those of us in cyber security know AI is a big boon to our industry, especially when it can make intelligent defense decisions on humans’ behalf, but it is not our salvation. Here’s why.

AI is already being used for analytics, but it must be taught to get smart on various use cases and ignore false positives, which takes time. As we’re deploying it on processes, gaining more expertise, and extending it across use cases – cyber criminals are, too. It’s not that farfetched to imagine real-time wargaming with enterprises’ best talent using AI to identify and eliminate cyber attacks that cybercriminals have identified, designed, and launched with AI.

When it comes to that level of hand-to-hand combat, you are going to wish you had risen above. You are going to need a framework and a platform to have eyes on the skies on all your threats and deploy your best talent and technology on the most important ones. You are going to have to make critical decisions and triage. Not every risk is worth fighting, but the important ones demand everything you’ve got.

So why not start now? Contact TechDemocracy to learn more about cyber risk governance and Intellicta, our real-time enterprise risk intelligence and assurance platform.

Cyber risk is a war – build your war machine today.


via:  linkedin


Cortana will now read your email and let you verbally compose a response

Microsoft has added the ability to ask about, have read, and respond to Outlook email using Cortana, its digital assistant. Here’s how it works.

  • Microsoft has given Cortana the ability to read emails aloud and take dictation for responses, making it the second digital assistant to integrate those features by default.
  • The features are only available for Harman Kardon Invoke smart speakers and Windows 10 devices, with no word on whether they’re coming to the iOS or Android apps. They’re also only available for Outlook accounts, and not Outlook.com or other email services.

As announced on the Windows Insider Webcast, Microsoft’s digital assistant Cortana will now read and take dictation for email responses.

Features like this have been among those commonly requested by digital assistant users, but Cortana is only the second assistant, after Apple’s Siri, that can read email aloud and take dictation without third-party add-ons.

Along with announcing the change to Cortana’s capabilities, the Cortana team also announced a change in the way you get the digital assistant’s attention: You don’t need to say “hey, Cortana” anymore—simply “Cortana” will suffice.

How to use Cortana’s email features

As reported by Windows Central, all it takes to get Cortana to read email or take dictation is to ask if you have any unread emails. Cortana can also search for email from specific people or specify unread emails by a specific date, as well as take dictation to be sent as an email.

Microsoft hasn’t published a list of commands for these features, though our sister site ZDNet reports that saying “did I get any new email since last night” has generally worked.

If you want to access the new Cortana features you’ll either need an updated Windows 10 PC or a Harman Kardon Invoke, a smart speaker with Cortana integration. The features aren’t yet available for the Cortana app on Android or iOS, and Microsoft hasn’t said when (or if) they will be.

Also of note, ZDNet reports that the new Cortana features only work on an actual Outlook account—not Outlook.com, Gmail, or any other services. So if you don’t have an enterprise-managed Outlook account you may be out of luck.

Getting your other digital assistant to handle your email

The lineup of digital assistants all offer different features when it comes to reading email aloud, taking dictation, or even interacting with an email account.

Apple’s Siri is the digital assistant to beat when it comes to controlling email with your voice, provided you use the native iOS Mail app. Any account you’ve added to Mail can be accessed via Siri simply by asking if you have any new email. Siri can also take dictation, find emails from particular senders, and do everything that Cortana can now do, without being locked to an Outlook account.

Google Assistant can check for emails, display results on the screen, and even take dictation, but it doesn’t include reading emails aloud as one of its features, which is a bit stifling. It can read text messages and will turn on your flashlight if you say “lumos,” but sadly, email recital is missing.

Amazon Alexa doesn’t offer native email support, but you can install the Newton skill to get it to read email back to you. Bad news: Using the Newton skill requires a paid Newton subscription, which is $49.99/year.

Kudos to Microsoft for adding this new feature, but by locking it to one particular email service it’s still leaving Cortana behind the competition, which in this case is solidly led by Apple.


via:  techrepublic


Microsoft forces Windows 10 update on PCs that were set up to block it

Some users reported being pushed to the Windows 10 version 1709 upgrade with no advance warning.

  • Certain Windows 10 users are being forced to upgrade to version 1709, even if they have deferred the Feature Updates.
  • All users who have been forced to upgrade to Windows 10 version 1709 seem to have limited the Diagnostic Data that could be collected by Microsoft.

Some Windows 10 users are reportedly being forced to upgrade to version 1709, even if they had chosen to opt out of automatic updates.

As reported by Windows blog AskWoody, Windows 10 users on versions 1607 and 1703 were pushed into the update, even if they had Feature Updates deferred. In a separate Woody on Windows column in Computerworld, it was also noted that the updates were forced on users with no advance warning.

Version 1607 is also known as the Anniversary Update, and version 1703 is the Creators Update. Version 1709 is the Fall Creators Update, originally released on October 17, 2017.

The forced updates are interesting because they seem to bypass a safeguard feature that prevents automatic updates. By deferring feature updates, Windows users can push back certain updates for quite a long time, placing them on a path called “Current Branch for Business.” But this surprise upgrade was unavoidable for some users, even with the deferral in place.

However, as noted in Computerworld’s report, Microsoft has done this three times before: once in July 2017, once in November 2017, and once in January 2018.

This is causing problems for some users. A user named bobcat5536 posted on the AskWoody site that the update caused their PC to boot into version 1709, but with no sound or color.

This forced upgrade didn’t hit all users of version 1607 and version 1703. But the users who were forced to upgrade seem to have had the Diagnostic Data level set to zero, Computerworld reported. To put it another way, upgrades were pushed to users who were sending “the minimum amount of telemetry to Microsoft,” the report said.

If a user’s Diagnostic Data level is set to Full or Basic, they likely won’t get the update, the report noted. The forced update also might have something to do with this update not going through Windows Update, therefore not following the determined deferral settings.


via:  techrepublic


These programs will save your butt when Mac users need to remove malware

No wonder they moved on to High Sierra.


Yes, Virginia, Macs do get viruses. By 2017, McAfee said it had detected more than 700,000 Mac malware samples. The lion’s share of Mac malware is adware. It’s certainly better to get infected by adware than ransomware (although Mac ransomware is a thing, too), but adware is also something you want to get rid of. Some adware engages in spyware behaviour that violates your privacy and puts your sensitive data at risk. And pretty much all malware uses CPU cycles and memory that could be better spent on the applications you actually want to run!

Now that the “Macs don’t get malware” myth is gradually starting to fade away, it’s likely you will be called upon to remove malware from someone’s Mac.


Before I start recommending programs, I’ll show you a couple of little procedures I was taught that may help users and tech support with very mild forms of Mac malware. If a user’s Mac behaves suspiciously, I would try these steps first and run malware removal applications as the second step.

This is what you can do if a user’s Mac gets “you’ve got a virus” scareware in their web browser. (This applies to any web browser in macOS, not just Safari.)

Close the web browser right away. The user can always retrieve the tabs they were using later.

Open the Downloads folder. Drag every installer file and unfamiliar file into Trash. Empty the Trash. Then relaunch the web browser. If you don’t see the scareware pages again, chances are you removed the web malware. But I would still run malware removal tools afterwards.

Here’s something you can try if you see the UI of an app that you suspect is malicious. Note the name of the app, then try to close it. If you can’t close it and are forced to drag the window elsewhere, that’s a good reason to be suspicious. Open the Utilities folder and launch Activity Monitor. Under View, choose All Processes, then look for the name of the suspicious app or anything else you don’t recognize, and click Quit Process for each of them. Check your Applications folder to see if the suspicious app is there; if so, drag its icon into Trash, then empty Trash. Whether or not you were able to trash the malicious application, you should still run malware removal tools afterwards. My malware removal experience has taught me that “removed” malware can still leave malicious files behind and unwelcome changes to configuration files.
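The three manual steps above (look in Downloads, look at running processes, look for what the app left behind) can be scripted so that the same triage is repeatable on the next Mac you are handed. The following is an added example and not a tool from this article or from any of the vendors it names. It assumes macOS conventions: `ps -axo pid=,comm=` prints the full executable path on macOS (it does not on Linux), launchd jobs live in `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and “running from a user-writable location” is used as a heuristic for the unfamiliar process Activity Monitor would show you. The installer extensions and writable paths are choices for the example, not an exhaustive list.

```python
#!/usr/bin/env python3
"""Hypothetical macOS triage helpers (example code, not from the article)."""
import plistlib
import subprocess
import time
from pathlib import Path
from typing import Optional

# File types a drive-by "you've got a virus" page typically drops into Downloads.
INSTALLER_SUFFIXES = {".dmg", ".pkg", ".mpkg", ".zip", ".app", ".command"}

# launchd folders where adware leaves itself behind after its .app is trashed.
USER_LAUNCH_SUBDIRS = ("Library/LaunchAgents",)
SYSTEM_LAUNCH_DIRS = (Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"))


def recent_installers(downloads: Path, max_age_days: float = 7,
                      now: Optional[float] = None) -> list:
    """Installer-like files in `downloads` modified within the last `max_age_days`."""
    if not downloads.is_dir():
        return []
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p in downloads.iterdir()
                  if p.suffix.lower() in INSTALLER_SUFFIXES and p.stat().st_mtime >= cutoff)


def processes_from_user_paths(ps_lines, home: Path) -> list:
    """Parse `ps -axo pid=,comm=` output and return (pid, path) for executables that
    run from user-writable locations. Apple and app-bundle binaries live under
    /System, /usr or /Applications; something executing out of ~/Library, Downloads
    or /tmp is the unfamiliar entry the manual steps tell you to look for."""
    writable = (str(home) + "/", "/tmp/", "/private/tmp/", "/private/var/folders/",
                "/var/folders/", "/Users/Shared/")
    hits = []
    for line in ps_lines:
        line = line.strip()
        if not line:
            continue
        pid, _, comm = line.partition(" ")
        comm = comm.strip()
        if comm.startswith(writable):
            hits.append((int(pid), comm))
    return hits


def launch_items(home: Path, system_dirs=SYSTEM_LAUNCH_DIRS) -> list:
    """(plist path, program) for every launchd job in the user and system folders.
    Each one runs again at login or boot, so this is where quit-and-trash leaves gaps."""
    dirs = [home / d for d in USER_LAUNCH_SUBDIRS] + list(system_dirs)
    items = []
    for d in dirs:
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # a plist that won't parse is itself worth a look
                items.append((str(plist), f"<unreadable: {exc}>"))
                continue
            program = (job.get("Program")
                       or " ".join(job.get("ProgramArguments", []))
                       or "<no program>")
            items.append((str(plist), program))
    return items


def triage(home: Path) -> dict:
    """Run all three checks against the live machine and return one report."""
    ps = subprocess.run(["ps", "-axo", "pid=,comm="],
                        capture_output=True, text=True, check=True)
    return {
        "recent_installers": [str(p) for p in recent_installers(home / "Downloads")],
        "user_path_processes": processes_from_user_paths(ps.stdout.splitlines(), home),
        "launch_items": launch_items(home),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(Path.home()), indent=2))
```

Run it before and after the manual cleanup: anything still listed under `launch_items` that points at a path in `~/Library` or `/tmp` is the persistence the text warns about, and it is what a follow-up run of Malwarebytes or a manual `launchctl unload` of that plist needs to deal with.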

As in my Windows piece, I recommend putting these apps onto USB sticks and DVDs as well, and carrying both with you, in case only one of the two works on a given Mac. Many MacBooks lack optical drives, and you may also find a Mac with a functioning optical drive but malfunctioning USB ports. As I said, be prepared for anything.

Malware removal

Malwarebytes for Mac

I recommended Malwarebytes in my Windows piece. The Mac version is great, too! The free version of Malwarebytes for Mac will scan your disks and remove any malware it recognizes, and the UI is nice and simple. You can download it from here.

No consumer malware removal tool will help with zero-day or fileless attacks. But the majority of Mac malware can be removed with Malwarebytes for Mac, provided you have updated its signatures recently.

Mac Rogue Remover Tool

Some versions of OS X still have a serious problem with the Mac Defender, Mac Security, Mac Protector, and Mac Guard rogue anti-spyware programs. If your user runs Leopard, Snow Leopard, Lion, or Mountain Lion, BleepingComputer’s tool will remove those particular trojans, which plague those releases.

Download BleepingComputer’s free tool here.

Kaspersky Virus Scanner for Mac

Kaspersky’s freeware tool for Mac can detect and remove malware written for Windows and Android. Windows and Android malware may not noticeably affect your Mac, but you don’t want to pass it on to Windows PCs or Android devices that connect to your Mac over the network, mount its volumes, or share disks with it.

Kaspersky Virus Scanner will also remove malware that targets macOS specifically, so it’s worth a try. You can learn more here.

Bootable OS

It’s not unheard of for Macs to become difficult or impossible to boot into macOS properly; some Mac malware damages the file system or boot sector. Put a DVD or USB stick containing the OS described below into the user’s Mac and reboot it. Before the Mac tries to boot into macOS or OS X, hold the Option (⌥) key. This brings up Startup Manager, from which you can select the optical or USB disk.

Disk images on a USB stick need to be written with software which makes them bootable. Again, you can use UNetbootin to make a bootable USB drive. There are Windows, Mac, and Linux versions of UNetbootin you can download from here.


I recommended PartedMagic for Windows. But as it supports HFS and HFS+ as well, you can also use PartedMagic to fix broken file systems on a Mac. PartedMagic can partition, rescue data, fix how your HDD boots, and even do disk cloning.

You can download it here.


77% of companies don’t have a consistent cybersecurity response plan – Report

An IBM security report found that the time to resolve security issues is increasing, and that is costing companies more money.

  • In a study of cyber resilience, 77% of respondents didn’t have formal cyber security incident response plan (CSIRP) applied consistently across their organization. — IBM, 2018
  • 57% of business leaders said it’s taking longer to resolve cyber incidents and 65% said attack severity is increasing. — IBM, 2018

Despite the rapid proliferation of new cyber threats, 77% of business leaders admitted that they don’t have a formal cybersecurity incident response plan (CSIRP) that’s applied consistently in their organization.

That statistic comes from a new IBM report on cybersecurity resilience, a study of 2,800 security and IT professionals from around the world, released Wednesday. Although a formal CSIRP can be considered a core part of cyber readiness, nearly half of those surveyed said that their response plan is informal or ad hoc, if it exists at all.

Even though a majority of the respondents didn’t have a formal plan applied properly in their business, 72% felt that they were more cyber resilient today than they were at the same time last year. Of those that felt confident in their resilience, 61% said it was due to their ability to hire skilled security staff.

But, as any security expert knows, an organization needs the right people and the right tools to stay safe. Apparently, many respondents felt that way too, as 60% said a lack of investment in next-gen tech like artificial intelligence (AI) and machine learning was holding them back from achieving proper resilience to cyberattacks.

Despite this confidence, 57% said it’s taking longer to resolve cybersecurity incidents than before. Additionally, 65% said the severity of cyberattacks is increasing. And what makes this worse is that only 31% had the proper budget in place to boost their security capabilities.

“Organizations may be feeling more Cyber Resilient today, and the biggest reason why was hiring skilled personnel,” Ted Julian, co-founder of IBM Resilient, said in a press release. “Having the right staff in place is critical but arming them with the most modern tools to augment their work is equally as important.”

The lack of proper security planning could hit these businesses in their wallets as well. The 2017 Cost of a Data Breach Study, also from IBM, found that a data breach costs roughly $1 million less on average if the victim can contain it within 30 days.


via:  techrepublic


How PostgreSQL just might replace your Oracle database

Although heavily dependent on Oracle today, Salesforce seems to be seeking database freedom—and its efforts could result in the same freedom for all enterprises.

Despite being filled with Oracle veterans, Salesforce.com can’t seem to stop flirting with rival databases, with reports surfacing that the SaaS vendor has made “significant progress” to move away from Oracle with its own homegrown database. This comes on the heels of Salesforce adding to its investment in NoSQL database leader MongoDB, which compounds the company’s long-standing interest in PostgreSQL.

With Silicon Valley at the vanguard of change, Salesforce’s infidelity to Oracle could be a sign of, or at least a spark to, a broader shift in enterprise database decisions.

This looking beyond Oracle shouldn’t be happening

Oracle has dominated the database industry for decades, using that heft to catapult it into enterprise applications and other adjacent markets. Lately, however, the wheels seem to be wobbling on its database gravy train. As Gartner analyst Merv Adrian has made clear, although Oracle still has a commanding lead in database market share, it has bled share every year since 2013. The only thing keeping the wheels on that train is inertia: “When someone has invested in the schema design, physical data placement, network architecture, etc. around a particular tool, that doesn’t get lifted and shifted easily, something that Gartner calls ‘entanglement.’”

Such entanglement has been particularly strong at Salesforce. With nearly two decades invested in Oracle, the pain involved in moving off Oracle would be substantial. Even so, and despite a 2013 megadeal between Salesforce and Oracle to cement Salesforce’s dependence on the database giant for nine years, Salesforce has never really stopped shopping around for alternatives.

The reason? Data sovereignty. Even if Oracle weren’t a fierce Salesforce competitor (and it is), having another vendor—any vendor—own such a critical part of a company’s data infrastructure necessarily reduces its agility.

Shopping around for database freedom

And so Salesforce has been looking for alternatives to Oracle. Although its attempts to build its own database are relatively new, Salesforce’s interest in rival databases has been going on for years, most recently with MongoDB. As reported, Salesforce just increased its stake in NoSQL leader MongoDB by nearly 45,000 shares, having first invested while MongoDB was still a private company. Between the two investments, Salesforce’s MongoDB stake represents 6 percent of its institutional holdings, the second-largest such investment it has made.

Salesforce has been an active investor in a variety of startups over the years, using such investments to strategically keep a pulse on the market (while keeping competitors out). With investments as varied as Twilio, Jitterbit, and SessionM, Salesforce has been a very active investor with tens of millions of dollars plowed into dozens of companies.

Seen this way, the MongoDB investment is no big deal.

Indeed, Salesforce’s MongoDB investment is a rounding error in MongoDB’s current $1.9 billion market cap. Even so, the fact that the SaaS vendor opted to put money into an Oracle database rival suggests an interest in keeping a foot firmly planted outside the Oracle camp. Nor is it alone: MongoDB counts more than 6,000 customers, indicating broad interest in moving beyond Oracle for modern applications.

And yet Salesforce’s database wanderlust points to a different database than MongoDB that could spoil Oracle’s dominance.

A long-term flirtation with PostgreSQL

If, in fact, Salesforce is developing a homegrown replacement for Oracle’s database, it might well be building it on PostgreSQL, the database Salesforce has actively flirted with since 2012. In 2013, Salesforce hired Tom Lane, a prominent PostgreSQL developer. In that same year it hired several more, and even today PostgreSQL experience is called for in dozens of jobs advertised on the company’s careers page. Just as Facebook, Google, and other web giants have shaped MySQL to meet their aggressive demands for scale, so too might Salesforce mold PostgreSQL to wean itself from its dependence on Oracle.

Could Salesforce opt to tweak MongoDB or another NoSQL database? Sure, but it’s more likely that Salesforce would modify PostgreSQL to suit its needs than MongoDB, for a few reasons:

  • Although MongoDB is licensed under an open source license (AGPL version 3), it’s a license that raises question marks as to whether Salesforce could modify it and run a public service on top without either contributing those changes back to MongoDB (which it is unlikely to want to do) or paying MongoDB a great deal of money (also unlikely).
  • More important, while MongoDB is an excellent database (disclosure: I worked at MongoDB for a few years), it’s not as close a replacement for Oracle as PostgreSQL is. PostgreSQL is by no means a drop-in replacement for Oracle’s database, but a developer or DBA who is familiar with Oracle will find PostgreSQL similar.
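To make the "similar but not drop-in" point concrete, here is an added example (not code from the article or from Salesforce) that writes the same small schema and query in Oracle SQL and in PostgreSQL. The table and column names (bookings, email, created_at) are invented for illustration; the syntax differences shown are real.

```sql
-- ORACLE (12c and later). Oracle-specific pieces: VARCHAR2, NUMBER,
-- SYSTIMESTAMP, NVL, and the dual pseudo-table.
CREATE TABLE bookings (
  id         NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  email      VARCHAR2(254),
  created_at TIMESTAMP DEFAULT SYSTIMESTAMP
);
SELECT id, NVL(email, 'n/a') AS email
FROM   bookings
ORDER  BY created_at DESC
FETCH  FIRST 10 ROWS ONLY;          -- pre-12c Oracle needed a ROWNUM subquery
SELECT SYSDATE FROM dual;           -- Oracle requires a FROM clause

-- POSTGRESQL. Same shape; the standard-SQL parts (IDENTITY, FETCH FIRST,
-- COALESCE) carry over unchanged, the Oracle-only names do not.
CREATE TABLE bookings (
  id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  email      varchar(254),
  created_at timestamptz DEFAULT now()
);
SELECT id, COALESCE(email, 'n/a') AS email
FROM   bookings
ORDER  BY created_at DESC
LIMIT  10;                          -- FETCH FIRST 10 ROWS ONLY also works here
SELECT now();                       -- no dual table; FROM is optional

-- Semantic trap that a syntax-level port will not catch: Oracle stores the
-- empty string as NULL, PostgreSQL stores it as a zero-length string.
INSERT INTO bookings (email) VALUES ('');
SELECT count(*) FROM bookings WHERE email IS NULL;   -- Oracle: 1, PostgreSQL: 0
```

The last three lines are the kind of behavioural difference that makes PostgreSQL a close relative rather than a drop-in: any NULL-handling or input-validation logic that relied on Oracle collapsing '' to NULL has to be re-checked. Application code needs the same care, since Oracle bind placeholders (:1, :name) and PostgreSQL's ($1) differ; the migration is a bad moment to fall back to string-concatenated SQL to paper over that, because it reintroduces injection risk that parameterised queries had removed.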

Oracle would claim that it isn’t worried, but the DB-Engines database popularity ranking, which measures database popularity across a range of factors, should give it pause. For years, PostgreSQL has been on the rise, even as Oracle and MySQL (Oracle’s open source database) have faded. PostgreSQL is now a strong fourth place, with MongoDB right behind it. If you talk to Silicon Valley startups and enterprise giants alike, you quickly see that PostgreSQL is having a “moment,” one that has been going on for years.

That moment, however, could become a serious movement with a tech bellwether like Salesforce behind it. If Salesforce jumped to PostgreSQL, or a variant thereof—or even if it managed to build a completely unrelated, custom database—that would be a serious signal to the rest of the Global 2000 that Oracle’s era of dominance is at an end.


via: infoworld


EU plans new laws to force companies to hand over data held outside the EU on request

EU Justice Commissioner Vera Jourova claims such measures will speed-up legal investigations.

The European Commission is planning new measures in forthcoming law enforcement legislation that would force technology and social media companies to hand over customer data held outside the EU. It claims that the measures, due to be unveiled before the end of March, will speed up legal investigations.

But the new laws would amount to little more than an EU version of what the US Department of Justice (DoJ) is seeking in its ongoing case against Microsoft, in which the DoJ has demanded that Microsoft hand over emails held in a Microsoft data center located in Ireland.

Microsoft has argued that the data is outside US legal jurisdiction and that the DoJ should therefore pursue its request through Ireland. Microsoft is supported in that case by the European Union; in December it was reported that the EU planned to make a submission in support of Microsoft’s position.

But according to Reuters, European officials are planning new laws that will compel organizations to turn over personal data on request, even if that data is held outside the European Union.

The new measures will almost certainly be opposed by privacy campaigners, who claim that such extra-territorial jurisdiction not only erodes well-established legal principles, but will undermine privacy rights.

Technology firms, meanwhile, fear that it will undermine trust in cloud computing and cloud services, not to mention clashing with privacy laws, such as the EU’s own General Data Protection Regulation (GDPR).

Under the proposals, according to Reuters’ sources, the personal data of anyone “linked” with an investigation by an EU state could be compromised, regardless of whether they are an EU citizen or not.

This could potentially put EU states at loggerheads with other governments around the world.

Reuters adds that the proposed legislation is still in its drafting stage and will go before member states by the end of March. The resulting directive could take two years to be agreed.

European Justice Commissioner Vera Jourova appeared to confirm the plans, telling Reuters that current measures for accessing cross-border evidence held on computers were “very slow and non-efficient”.

via: v3
