Voice recognition—and data collection—have boomed in recent years. Researchers are figuring out how to protect your privacy.

Your voice reveals more about you than you realize. To the human ear, your voice can instantly give away your mood, for example—it’s easy to tell if you’re excited or upset. But machines can learn a lot more: inferring your age, gender, ethnicity, socio-economic status, health conditions, and beyond. Researchers have even been able to generate images of faces based on the information contained in individuals’ voice data.

As machines become better at understanding you through your voice, companies are cashing in. Voice recognition systems—from Siri and Alexa to those using your voice as your password—have proliferated in recent years as artificial intelligence and machine learning have unlocked the ability to understand not just what you are saying but who you are. Big Voice may be a $20 billion industry within a few years. And as the market grows, privacy-focused researchers are increasingly searching for ways to protect people from having their voice data used against them.

Vocal Threats

Both the words you say and how you say them can be used to identify you, says Emmanuel Vincent, a senior research scientist specializing in voice technologies at France’s National Institute for Research in Digital Science and Technology (Inria), but this is only the beginning. “You will also find other pieces of information about your emotions or your medical condition,” Vincent says.

“These additional pieces of information help build a more complete profile—then this would be used for all sorts of targeted advertisements,” Vincent says. As well as your voice data potentially feeding into the vast realm of data used to show you online ads, there’s also the risk that hackers could access the location where your voice data is stored and use it to impersonate you. A small number of these cloning incidents have already happened, proving the value your voice holds. Simple robocall scams have also recorded people saying “yes” to use the confirmation in payment scams.

Last year, TikTok changed its privacy policies and started collecting the voiceprints—a loose term for the data your voice contains—of people in the US alongside other biometric data, such as your faceprint. More broadly, call centers are using AI to analyze people’s “behavior and emotion” during phone calls and evaluate the “tone, pace, and pitch of every single word” to develop profiles of people and increase sales. “We’re almost in a situation where the systems to recognize who you are and link everything together exist, but the protection is not there—and it’s still quite far away from being readily usable,” says Henry Turner, who researched the security of voice systems at the University of Oxford.

Hidden Meaning

Your voice is produced through a complex process involving the lungs and your voice box, throat, nose, mouth, and sinuses. More than a hundred muscles are activated when you speak, says Rébecca Kleinberger, a voice researcher at the MIT Media Lab. “It's also very much the brain,” Kleinberger says. 

Researchers are experimenting with four ways to enhance privacy for your voice, says Natalia Tomashenko, a researcher at Avignon University, France, who has been studying voice and is the first author of a research paper on the results of a voice privacy engineering challenge. None of the methods are perfect, but they are being explored as possible ways to boost privacy in the infrastructure processing your voice data.

First is obfuscation, which tries to completely hide who the speaker is. Think of a Hollywood depiction of a hacker totally distorting their voice over a phone call as they explain a devilish plot or ransom (or hacktivist collective Anonymous’s promotional videos). Simple voice-changing hardware allows anyone to quickly change the sound of their voice. More advanced speech-to-text-to-speech systems can transcribe what you’re saying and then reverse the process and say it in a new voice.

Second, Tomashenko says, researchers are looking at distributed and federated learning—where your data doesn’t leave your device but machine learning models still learn to recognize speech by sharing their training with a bigger system. Another approach involves building encrypted infrastructure to protect people’s voices from snooping. However, most efforts are focused on voice anonymization.

Anonymization attempts to keep your voice sounding human while stripping out as much of the information that could be used to identify you as possible. Speech anonymization efforts currently involve two separate strands: anonymizing the content of what someone is saying by deleting or replacing any sensitive words in files before they are saved and anonymizing the voice itself. Most voice anonymization efforts at the moment involve passing someone’s voice through experimental software that will change some of the parameters in the voice signal to make it sound different. This can involve altering the pitch, replacing segments of speech with information from other voices, and synthesizing the final output.

Does anonymization technology work? Male and female voice clips that were anonymized as part of the Voice Privacy Challenge in 2020 definitely do sound different. They’re more robotic, sound slightly pained and could—to some listeners at least—be from a different person than the original voice clips. “I think it can already guarantee a much higher level of protection than doing nothing, which is the current status,” says Vincent, who has been able to reduce how easy it is to identify people in anonymization research. However, humans aren’t the only listeners. Rita Singh, an associate professor in Carnegie Mellon University’s Language Technologies Institute, says that total de-identification of the voice signal is not possible, as machines will always have the potential to make links between attributes and individuals, even connections that aren’t clear to humans. “Is the anonymization with respect to a human listener or is it with respect to a machine listener?” says Shri Narayanan, a professor of electrical and computer engineering at the University of Southern California.

“True anonymization is not possible without completely changing the voice,” Singh says. “When you completely change the voice, then it's not the same voice.” Despite this, it is still worth developing voice-privacy technology, Singh adds, as no privacy or security system is totally secure. Fingerprints and face identification systems on iPhones have been spoofed in the past, but overall, they’re still an effective method of protecting people’s privacy.

Bye, Alexa

Your voice is increasingly being used as a way to verify your identity. For example, a growing number of banks and other companies are analyzing your voiceprints, with your permission, to replace your password. There’s also the potential for voice analysis to detect illness before other signs are obvious. But the technology to clone or fake someone’s voice is advancing quickly.

If you have a few minutes of someone’s voice recorded, or in some instances a few seconds, it’s possible to recreate that voice using machine learning—_The Simpsons’_ voice actors could be replaced by deep fake voice clones, for instance. And commercial tools for recreating voices are readily available online. “There’s definitely more work in speaker identification and producing speech to text and text to speech than there is in protecting people from any of those technologies,” Turner says.

Many of the voice anonymization techniques being developed at the moment are still a long way from being used in the real world. When they are ready to be used it’s likely that companies will have to implement tools themselves, to protect their customers' privacy—there’s currently little individuals can do to protect their own voice. Avoiding calls with call centers or companies that use voice analysis, and not using voice assistants, could limit how much your voice is recorded and reduce possible attack opportunities.

But the biggest protections may come from legal cases and protections. Europe’s GDPR covers biometric data, including people’s voices, in its privacy protections. Guidelines say people should be told how their data is being used and provide consent if they’re being identified, and that some restrictions should be placed on personalization. Meanwhile, in the US, courts in Illinois— home to some of the strongest biometric laws in the country—are increasingly inspecting cases involving people’s voice data. McDonald’s, Amazon, and Google are all facing judicial scrutiny over how they use people’s voice data. The decisions in these cases could lay down new rules for the protection of people’s voices.

The Race to Hide Your Voice

By Owais Sultan
If you are online, protecting yourself from cybercrime should be your priority to avoid being a victim of…
This is a post from HackRead.com Read the original post: Protecting Your Data from Cybercriminals by Following Simple Yet Vital Steps

If you are online, protecting yourself from cybercrime should be your priority to avoid being a victim of online scams or cyberattacks. It is a matter of time before cybercriminals come for your data and the best thing one can do is learn about cybersecurity, and how cybercriminals think and perform cybercrime.

While protecting your data is a must, the issue of misconfigured databases has become a major threat to users’ data and personal information. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. This is why database forensics is vital.

**7 Ways to save yourself against cybercrime**

To protect yourself on the Internet you do not need to have a lot of computer knowledge; Just follow a few simple rules. This way you can protect yourself from the most frequent cybercrimes. 

**#1. Check the Padlock and don’t reveal the passwords**

Phishing is the best-known form of an online scam. Through an email, criminals impersonate a bank or a service such as Amazon or PayPal. These emails include a link that they ask to click that redirects the user to a fake website that, in appearance, is similar to that of the bank or the services mentioned.

From the form on this website, crooks obtain access codes and other personal data with which to steal the victim’s bank account. A good way to verify if you are on the legitimate page and not a fraudulent one is to look at the left area of ​​the navigation bar, where the website address is written, and see if a padlock appears that serves to verify the authenticity of the place.

Neither banks nor streaming or shopping services, such as Amazon or AliExpress, request confidential information either by email or in phone calls. Therefore, if you receive an email, SMS, or call asking for your personal data and passwords, do not answer. Also be wary if it has spelling mistakes, and has poorly conjugated verbs. 

**#2. Beware of discounts and Giveaways**

In most cases, the criminal business base is on fraudulent websites that offer products at low prices. They email potential victims claiming that they have won an iPad, a free Netflix subscription, or a collaboration with a known brand because you are an influencer or a girlfriend who asks for money to buy tickets to travel and see you.

Moreover, since cryptocurrency is a treasure trove these days; cybercriminals often compromise popular and verified social media accounts of celebrities to run free Bitcoin giveaway scams, whilst simultaneously attempting to steal victims’ funds and personal and financial information.

**#3. Beware of public networks and protect the mobile**

A public Wi-Fi network can be a nightmare for your online security and privacy. However, if there’s no other way, make sure you have a VPN on while you are connected to a public WI-Fi network as it will encrypt your network traffic.

**What threats could be expected while using public WiFi?**

Well, unsafe surfing is likely to attract a number of online threats to your security and privacy. Let us see some of them:

*   **Evil Twin/WiFi Phishing**: Justifying its name, in Evil twin the access routes creates a cloned network with the same network name. Evil Twin works in the same way as the normal phishing threat does when the user enters into the wrong access route, evil twin starts stealing system’s data or attacks in any other way.
*   **New war drivers:** Wardrivers are those who try to hack networks illegally, especially on an open network like a public free WiFi network. These war drivers could be anyone like hackers, professional criminals, or even the employees or competitors of a particular business.
*   **Malware:** One of the ancient types of online threats is malware also influences wireless networks. Viruses enter into the wireless network, send requests, and connect to the local area networks to make a way to the nearest wireless networks and corrupt the network system coming in its way.
*   **Data eavesdropping:** This is a very common Internet threat. With lots of interceptable signals and data sharing techniques, eavesdropping also prevails in public WiFi networks.

**Use a Password Manager**

It is of vital importance that you create unique strong passwords for each of your different accounts. If you use the same basic password for each account, you are putting your data at risk. Create a strong password that nobody will be able to figure out. It should be at least eight characters long, with a variety of numbers and letters, both upper and lower case. 

However, keeping track of a long list of complicated passwords isn’t an easy task, which is why you should use a reliable password manager. These platforms will encrypt all of your passwords, and store each one in a highly secure vault. You will be able to access the password manager online, so even if you are working from a remote location, you will be able to access the platform wherever you are in the world.

**Secure Your Mobile Device**

A lot of folks are unaware that hackers often aim to gain access to their victims’ mobile devices. We are all well aware that cybercriminals successfully hack into computers, but many of us tend to forget about protecting our smartphones and tablets. 

Whether you are using your mobile device for business, or for personal use, it must be secured. Most people store images, videos, contacts, bank information, etc. on their mobile phones or tablet. To avoid these files from being stolen or lost, you should run a VPN, invest in an antivirus package, plus, an anti-malware application. 

**Make Back-ups of all of your Data**

You should make physical and virtual copies of all of your data just in case it becomes compromised. Don’t rely on one single device to store all of your data. If the device breaks down or gets attacked, how would one retrieve the data? 

Failing to backup your data can be disastrous, and although cybercriminal activity has been well documented, people are still reluctant to make copies of their data. Consider saving data to an external device, like a flash drive.

However, you will want to be extra careful if you decide to connect the drive to another computer. If there is a virus on the computer, you could end up losing all of the files and folders stored on it. Run an antivirus scan before connecting the storage, and make sure there is no malware on the computer.

Protecting Your Data from Cybercriminals by Following Simple Yet Vital Steps

By Waqas
Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including…
This is a post from HackRead.com Read the original post: Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket Mess Up

**Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including sensitive information such as source code, crew and staff data, and flight details.**

A team of security researchers at SafetyDetectives have shared details of an unprotected cloud data storage discovered on February 28th, 2022. The details of the incident have only been shared this week.

According to researchers, the data belonged to a low-cost domestic and international flight operator known as Pegasus Airlines. Part of the data leak is the personal information of the airline’s flight crew, source code, and flight data. The database was left open in an AWS S3 bucket.

**Details of Leaked Data**

In a blog post published by SafetyDetectives, around 23 million documents were stored in the unprotected AWS S3 bucket, which equated to about 6.5TB of data. The exposed data included more than 3 million sensitive flight data files, including flight charts/revisions, pre-flight checks-related issues’ details, insurance documents, and crew shift information.

Furthermore, more than 1.6 million files contained the airline crew’s PII (personally identifiable information). This included their photos and signatures.

**Pegasus Airlines’ EFB Software Leaked the Data**

Reportedly, parts of the leaked data were tracked to the EFB (Electronic Flight Bag) software. This software, PegasusEFB, is developed by Pegasus Airlines and acts as an information management tool for the airline. EFBs help optimize the crew’s productivity by offering vital reference materials for the flight.

According to the SafetyDetectives research team, the source code of the EFB software was also included in the exposed database, including secret keys and plain text passwords. Pilots use PegasusEFB for various functions like take-off/landing, aircraft navigation, refueling, safety procedures, and other in-flight operations.

Image 1: PegasusEFB’s admin panel – Image 2: .CSV files with flight and crew data – Image 3: Flight charts featuring navigation data – Image 4: Photo of one of the Pegasus Airline’s crew members (Images Provided by SafetyDetectives)

**Possible Dangers**

The data leak has jeopardized the safety and privacy of the Pegasus Airline’s crew members. Researchers noted that the leak would allow threat actors to access sensitive flight details. Organized crime groups can coerce crew members, and bad actors may identify security loopholes in the airline and airport security.

Cybercriminals can tamper with “sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB bucket.” Though researchers further claimed that there’s no certainty that pilots would use this bucket’s files for future flights, their contents may block vital EFB data from reaching the airline staff and risk the passengers and crew members.

> “With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.”
> 
> SafetyDetectives Cybersecurity Team

SafetyDetectives researchers stated that at the moment, there’s no evidence threat actors detected the trove before they did. The team notified Pegasus Airlines on 1 March 2022, and three weeks later, the leak was remediated.

**More AWS S3 Bucket Mess Up**

*   Misconfigured AWS bucket exposed 421GB of Artwork Archive data
*   Unprotected S3 Cloud Bucket Exposed 100GB of Classified NSA Data
*   350 million email addresses exposed on misconfigured AWS S3 bucket
*   Amazon S3 Buckets Exposed US Military’s Social Media Spying Campaign
*   S3 bucket mess up exposed 182GB of senior US, and Canada citizens’ data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket Mess Up

The Amazon Link WordPress plugin through 3.2.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

CVE-2022-1645

Company will detail enhancements to Vulnerability Management, Detection and Response solution next month.

FOSTER CITY, Calif., May 25, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced it is holding the Qualys Security Conference (QSC) San Francisco in tandem with RSAC on June 7-8.

At the event, Qualys will unveil significant updates to the company's Vulnerability Management, Detection and Response (VMDR) solution. The new enhancements redefine how enterprises manage cybersecurity risk with an unprecedented capability to prioritize and remediate at scale.

Through keynotes, live demonstrations, customer presentations, training sessions and networking, the Qualys customer community will dive into the profound impact of the digital journey and converse on best practices and case studies on risk management and security automation.

The week will feature talks from Qualys experts, customer success stories and a feature keynote at the Cloud Security Alliance CxO Trust Summit:

**Qualys QSC San Francisco Featuring VMDR Live  
**QSC San Francisco will be held in person at the Palace Hotel in San Francisco. To view the full schedule and to register for the event, visit the website.

**Highlights include:**

*   **Sumedh Thakar, President and CEO:** Security Automation for the Digital Journey
*   **Nagi Prabhu, Chief Product Officer:** Bringing the Unified Power of the Qualys Cloud Platform to Address Today's Security Challenges
*   QSC customer presentations from **First American Financial** and others.
*   **VMDR LIVE:** Redefining Cybersecurity Risk Management with VMDR
    *   Introducing VMDR 2.0 with TruRisk
    *   Fireside chat with Brian Penn, **Aflac**
    *   Join VMDR Live virtually at www.qualys.com/vmdr-live.
*   **Qualys Cocktail Reception:** Come network with Qualys experts, customers and industry practitioners on Tuesday, June 7 at 6:00 pm PT at the Palace Hotel.
*   **Training Sessions:** On Wednesday, June 8, Qualys will lead two training courses, including an introduction to Qualys VMDR and How to Manage and Secure Your Container Assets.

**Qualys at RSAC  
**Attendees with RSAC credentials are welcome to join the following RSAC events to network with industry peers and learn more about Qualys:

*   **CxO Trust Summit at RSAC****: Jonathan Trull, CISO at Qualys:** Measuring the Maturity of Your Cloud Security Program. June 6, 8:30 am – 3 pm PT, RSAC – Moscone Center South, level 3
*   **DevOps Connect – DevSecOps @RSAC****:** Connect with the Qualys DevOps team to learn more about VMDR and our cloud-based IT, security and compliance solutions. June 7, 8:30 am – 4 pm PT, RSAC – Moscone Center South

**About Qualys**  
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit www.qualys.com.

Qualys to Unveil VMDR 2.0 at Qualys Security Conference in San Francisco

Illicit trade still flourishing despite recent law enforcement takedowns

Illicit trade still flourishing despite recent law enforcement takedowns

Markets that trade in stolen credit card details have been a staple of the underground scene for years but recent cybercrime busts – along with sanctions stemming from the war in Ukraine – are putting the squeeze on cybercriminals.

Carding shops offer a platform to buy and sell stolen card data, which is often sourced directly from breaches or malware-infected point-of-sale (POS) terminals, as well as from skimming devices attached to POS terminals and ATMs.

Recent law enforcement busts had led to a wave of card shop closures. For example, the at the time largest illicit marketplace for stolen payment card data, Joker’s Stash, closed in February 2021.

In early February this year, Russian law enforcement agencies also seized four major card shops – Trump's Dumps, FERum, SkyFraud, and Ultimate Anonymity Services (UAS).

**Follow the money**

An analysis by Blueliv into the state of underground card shops focused on Brian’s Club and Rescator as currently active shops, comparing them with two inactive shops, FERum and All World Cards. Rescator used to be one of the biggest card shops until 2019, when it went offline and encountered a lengthy hiatus before unexpectedly returning in mid-2021.

“Rescator’s case demonstrates how this landscape can be highly volatile and that inactive card shops are not always permanently gone,” a blog post on by Blueliv, the threat intel division of security vendor Outpost24, notes.

Blueliv concludes that the underground carding market remains febrile.

“The card shop ecosystem is deeply impacted by different actors, events, historical moments, the adoption of security policies, and other factors,” Blueliv said. “Law enforcement agencies have a huge impact on the landscape, but personal reasons might lead criminals to withdraw from the carding scene.”

Blueliv’s research was presented at the recent Botconf 2022 conference in Nantes.

**Eastern front**

Geo-political factors as well as the security policy of e-commerce providers can impact the availability of products for illicit shops, which also impacts the overall landscape.

For example, more countries adopt security chips instead of magnetic stripes in their payment systems, meaning that magnetic strip card data dumps have less utility. Data dumps containing card info plus CVV values however have greater utility because they enable online fraud.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told The Daily Swig that sanctions against Russia following its invasion of Ukraine in February have impeded the ability of cybercriminals to realize the profits from their illegal activity.

“The ongoing conflict between Russia and Ukraine has resulted in some of the most significant economic sanctions in history being directed against Russia,” Morgan explained.

“This has also coincided with numerous providers shutting down their operations in Russia; Russian users looking to cash out through certain gift cards – for example Amazon or Paypal – may find this more difficult as such services are no longer available in their country of origin.”

Read more of the latest news about cybercrime

Recent changes have made it harder for entry-level cybercriminals to start making money, according to Morgan.

“Due to increasing sophistication of controls and user awareness, carding often requires a greater level of skills,” Morgan explained.

“A user will be required to steal the initial credentials – potentially by using skimmer on point of sale (POS) machines – parse logs from the affected machines for carding info, set up accounts on the relevant criminal marketplaces, and potentially also assist buyers with money laundering services.”

Morgan added: “Often, this necessitates several individuals working as a team, rather than one person who is capable of completing the entire carding attack on their own. This makes entry into the carding space more difficult for amateur cybercriminals who do not have those initial connections in the carding space.”

YOU MAY ALSO LIKE Ransomware scourge increases global data breach woes

Volatile market for stolen credit card data shaken up by sanctions against Russia




### Impact

If an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can leverage Cilium's Kubernetes service account to gain access to cluster privileges that are more permissive than what is minimally required to operate Cilium. In affected releases, this service account had access to modify and delete `Pod` and `Node` resources. 

### Patches

The problem has been fixed and is available on versions >=1.9.16, >=1.10.11, >=1.11.5

### Workarounds

There are no workarounds available.

### Acknowledgements

The Cilium community has worked together with members of Isovalent, Amazon and Palo Alto Networks to prepare these mitigations.  Special thanks to Micah Hausler, Robert Clark, Yuval Avrahami, and Shaul Ben Hai for their cooperation.

### For more information

If you have any questions or comments about this advisory:

Email us at [security@cilium.io](mailto:security@cilium.io)

**Impact**

If an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can leverage Cilium's Kubernetes service account to gain access to cluster privileges that are more permissive than what is minimally required to operate Cilium. In affected releases, this service account had access to modify and delete Pod and Node resources.

**Patches**

The problem has been fixed and is available on versions >=1.9.16, >=1.10.11, >=1.11.5

**Workarounds**

There are no workarounds available.

**Acknowledgements**

The Cilium community has worked together with members of Isovalent, Amazon and Palo Alto Networks to prepare these mitigations. Special thanks to Micah Hausler, Robert Clark, Yuval Avrahami, and Shaul Ben Hai for their cooperation.

**For more information**

If you have any questions or comments about this advisory:

Email us at security@cilium.io

**References**

*   GHSA-fmrf-gvjp-5j5g
*   https://nvd.nist.gov/vuln/detail/CVE-2022-29179
*   https://github.com/cilium/cilium/releases/tag/v1.10.11
*   https://github.com/cilium/cilium/releases/tag/v1.11.5
*   https://github.com/cilium/cilium/releases/tag/v1.9.16

GHSA-fmrf-gvjp-5j5g: Cilium enables rogue node to cluster admin privilege escalation

By ghostadmin
SQL (structured query language) is a unique programming language for storing, manipulating, and retrieving data from a database.…
This is a post from HackRead.com Read the original post: How to Optimize Your Database Storage in MySQL

SQL (structured query language) is a unique programming language for storing, manipulating, and retrieving data from a database. The language is applied in multiple relational database systems, including Postgres, Oracle, MySQL, and SQL Server, among others. Using SQL statements, developers can handle functional database operations like updating, creating, and deleting data.

With increasing data and technology becoming complex, it is crucial now to optimize MySQL databases to lower your infrastructure costs and deliver the best end-user experience. By optimizing your database storage, professionals will quickly identify bottlenecks, eliminate guessing games, and target insufficient operations by reviewing query execution plans.

Below are a few ways of optimizing your database storage in MySQL.

**Profile the server workload**

To fully understand how your server works, you should first review its workload. This will reveal the most expensive and slowest queries so you can optimize them. Remember that your most important metric in MySQL is time because you want the completion of a query to be almost instant when issued against your server.

**Understand your crucial resources**

All databases rely on four crucial resources; CPU, memory, network, and disk. Overwhelming any of these resources will create an inconsistent and weak server that leads to performance lags and issues. It is crucial to choose high-performing resources from the get-go because no amount of optimization of MySQL will make up for bad hardware. When checking the performance of your four resources, distinguish whether they are performing slowly or simply overloaded. This allows you to rectify performance issues quickly.

**Use the STaaS model**

STaaS (storage as a service) denotes a business model where a service provider will rent you storage resources through a subscription. With this alternative, you only pay for the storage you need when needed. This is an inexpensive option because it negates the capital expenses for new storage equipment and allows upgrading your storage according to your needs. Some of the major cloud storage providers using the STaaS model are Microsoft Azure, Oracle Cloud, Google Cloud, and Amazon Web Services.

**Do not use MySQL as your queue**

Your applications can be infiltrated by queues and access patterns looking like queues without you noticing. For instance, when you establish a status during web development, you might have accidentally created a queue.

A common instance of creating queues is when you mark emails as unsent, then send them and mark them as sent. Queues will keep tasks from running in parallel since workloads are serialized, and they generate tables detailing work in progress. Both issues will slow down your MySQL.

**Index all columns in ‘group by,’ ‘where,’ and ‘order by’ clauses**

Other than guaranteeing distinct, identifiable records, an index on MySQL allows the server to get faster results from a database. It is crucial when you want to sort your records. In some cases, an index on MySQL takes up a lot of space and might reduce performance on updates, deletes, and inserts. Nonetheless, when you have tables with more than ten rows, an index can reduce the execution time of your query.

When you know what dictates the performance of your database, you can reduce your costs and avoid overprovisioning. Hopefully, you have gathered a few facts on how MySQL works and how best to optimize it from the above article. Though it can be challenging, you can use phpMyAdmin to ease your database’s optimization. This is a free software tool that handles the web-based administration of MySQL.

Remember that optimization is iterative. With data growth and changes in workloads, new optimization opportunities will arise, so it is best to always be prepared for database optimization.

**More SQL and Database Topics**

1.  How to repair suspect database in SQL Server
2.  Whitehat hacker bypasses SQL injection filter for Cloudflare
3.  Hackers mining Monero on Microsoft SQL databases for the last 2 years
4.  US and China Exposed Most Databases Among 308,000 Discovered in 2021
5.  SQL Injection Allowed Hacker to Steal Data of 237,000 Users from Adult Site

How to Optimize Your Database Storage in MySQL

The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.

Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.

Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.

Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm's global turnover and order companies to stop practices that violate GDPR's principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low.

Under the dense series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called one-stop-shop process dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta’s Facebook, WhatsApp, and Instagram, plus all of Google’s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions—400 are outstanding, according to the regulator's own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also dragged on for years.

Europe’s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. (Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe’s two independent bodies, the EDPS and EDPB, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million ($790 million), and Ireland fined WhatsApp €225 million ($238.5 million) last year. (Both companies are appealing the decisions). At the same time, one lesser-known Belgian fine could change how the entire ad tech industry works. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.

Helen Dixon is at the heart of Europe’s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has faced criticism for struggling to keep up with the number of complaints under its purview, drawing ire from fellow regulators and calls to reform the body. “If everything comes at you at the same time, clearly there’s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,” Dixon says, defending her office’s performance. Dixon says the DPC has had to handle GDPR’s complexity from scratch, leading to many cases and new processes, and there aren’t simple answers for many of them.

“I would classify the DPC as being very effective in the first four years of application of the GDPR,” Dixon says. “The fact that DPC has stood up a new legal framework that many described as 'the law of everything' in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period” shows its success, Dixon says. The organization has enforced measures against Twitter, WhatsApp, Facebook, and Groupon, among thousands of national cases, during this time.

“There should be an independent review of how to reform and strengthen the DPC,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. “We cannot know from outside what the problems are.” Ryan adds that blame can’t just be leveled at the Irish regulator. “The European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,” he says. “It doesn't just propose the laws, it also has to see that they are applied.”

So far, the European Commission has backed enforcement of GDPR in Ireland and across the continent. “The Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,” Didier Reynders, the European Commissioner for Justice, says in a statement. “We have launched six infringement procedures under the GDPR.” These legal cases include action against Slovenia for failing to import GDPR into its national law and questioning the independence of the Belgian data authority.

However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, opened an inquiry into how the Commission has been monitoring data protection in Ireland. (The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries). If the Commission does look into Ireland, it could make recommendations, says Estelle Massé, the global data protection lead at Access Now, a technology-focused civil rights organization. “There is an issue, and if you don't intervene in this way, I don’t really see how the situation will resolve,” Massé says. “It has to go through an infringement procedure.”

Despite clear enforcement problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data. Spain’s LaLiga soccer league was fined after its app spied on users, retailer H&M was fined in Germany after it saved details about employees’ personal lives, the Netherlands’ tax body was fined over its use of a ‘blacklist,’ and these are just a handful of the successful cases.

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as Europol.

Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,” says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made—such as Austria’s decision to make the use of Google Analytics unlawful—companies are concerned about what it means for them. “Four or five years ago, that enforcement wouldn't have happened,” Grant says. “And if it had happened, maybe a few data protection lawyers would have known about it—it wouldn't have been out there with clients coming to us saying we need advice on this.”

But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn't really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and _Reveal_ joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)

Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.

“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million ($31.8 million) to €225 million ($238.5 million) after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.

The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.

Luxembourg’s data regulator hit Amazon with a record-breaking €746 million ($790.6 million) fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge \[amounts of\] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the \[one-stop-shop\] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.

The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with hefty fines for bad cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is altering its cookie banners across the whole of Europe following the French enforcement.

“We are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking \[for\],” Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn’t to avoid GDPR’s protracted process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better—and quicker.”

In the last year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Redding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines and said they would try to “join forces” on some investigations. Norway’s Judin says the move is positive but questions how effective it will be in practice.

Massé, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Massé says. In short, it could clarify how GDPR enforcement should be handled by every country.

The view is also shared by data regulators, at least to some degree. France’s Denis says regulators should share more information, more quickly on cross-border cases so they can build up an informal consensus around a potential decision. “The Commission could also, for example, look at resources given to data protection authorities,” Denis says. “Because it’s a member state’s obligation to give sufficient resources to data protection authorities to carry out their duties.” The staff and resources regulators have to investigate and enforce is dwarfed by those of Big Tech.

“Potentially, if there was the possibility for some kind of an instrument specific to the GDPR—being a legal instrument—that would specify certain process and procedural issues, that might assist,” Ireland’s Dixon says. She adds that complications that could be ironed out include issues around access to files during investigations, whether those making the complaints are given access to the investigation process, and problems in translations. “There’s a whole range of inconsistencies around that, giving rise to delays and dissatisfaction on all sides,” Dixon says.

Without some changes—and strong enforcement—civil society groups warn that GDPR could fail to stop the worst practices of Big Tech companies and improve people’s sense of privacy. “The immediate thing that needs to be addressed is the Big Tech firms,” Ryan says. “If we cannot deal with Big Tech, we will create a permanence to the fatalism that people feel about privacy and data.” Four years in, Massé says she still has hope for GDPR enforcement. “It's really not what we had hoped for. But it’s also not in a place that I think we can start digging a grave for the GDPR and forget about it.”

Tag

#amazon