How to Defend Amazon S3 Buckets from Ransomware Exploiting SSE-C Encryption - Related to performance, encryption, systems, sse-c, buckets

Advanced Java Performance Tuning for Low-Latency Systems

In the realm of high-performance computing, low-latency applications are critical for industries such as finance, gaming, and real-time data processing. Java, with its robust ecosystem and mature tooling, is a popular choice for building such applications. However, achieving optimal performance requires a deep understanding of JVM tuning, garbage collection strategies, and benchmarking tools. This article explores advanced techniques for tuning Java applications to meet the demanding requirements of low-latency systems.

1. Understanding the Basics of Java Performance Tuning.

Before diving into advanced techniques, it’s essential to grasp the foundational aspects of Java performance tuning. The Java Virtual Machine (JVM) is the runtime engine that executes Java bytecode, and its performance directly impacts application latency. Garbage collection (GC), a critical component of the JVM, manages memory allocation and deallocation. Poor GC performance can lead to unpredictable pauses, increasing latency. Additionally, benchmarking is key to identifying bottlenecks and validating optimizations.

2. JVM Tuning for Low-Latency Applications.

The JVM offers a wide range of tuning options to optimize performance. One of the first steps is configuring the heap size using -Xms and -Xmx to set the initial and maximum heap size. This avoids frequent resizing, which can cause latency spikes. Adjusting the ratio of young to old generation memory with -XX:NewRatio can also optimize performance based on whether your application creates more short-lived or long-lived objects.

Thread management is another critical area. Parameters like -XX:ParallelGCThreads and -XX:ConcGCThreads allow you to control the number of threads used for garbage collection, balancing CPU usage and GC efficiency. For applications that rely heavily on the Just-In-Time (JIT) compiler, enabling tiered compilation with -XX:+TieredCompilation can help balance startup time and peak performance. Fine-tuning the -XX:CompileThreshold parameter can also determine how many method invocations occur before JIT compilation kicks in.

Memory allocation strategies, such as enabling Thread-Local Allocation Buffers (TLABs) with -XX:+UseTLAB , can reduce contention in multi-threaded applications. Additionally, controlling how long objects stay in the young generation before being promoted to the old generation with -XX:MaxTenuringThreshold can further optimize memory usage.

3. Garbage Collection Strategies for Low Latency.

Garbage collection is often the primary source of latency in Java applications. Choosing the right GC algorithm and tuning its parameters is crucial for low-latency systems. The G1 Garbage Collector (G1GC) is designed for low-latency applications and divides the heap into regions, prioritizing garbage collection in the most filled regions. Parameters like -XX:MaxGCPauseMillis allow you to set the target maximum pause time for GC cycles, while -XX:G1NewSizePercent and -XX:G1MaxNewSizePercent control the size of the young generation.

For applications requiring even lower pause times, the Z Garbage Collector (ZGC) is a scalable, low-latency GC designed for large heaps. Enabling ZGC with -XX:+UseZGC and adjusting parameters like -XX:ZAllocationSpikeTolerance can help avoid latency spikes caused by allocation spikes. Similarly, the Shenandoah GC performs most of its work concurrently with application threads, making it ideal for consistent low-latency performance. Enabling Shenandoah with -XX:+UseShenandoahGC can significantly reduce pause times.

For specialized use cases, such as benchmarking or applications with very short lifetimes, the Epsilon GC serves as a no-op garbage collector. Enabling it with -XX:+UseEpsilonGC can be useful for scenarios where GC pauses are not a concern or memory is managed manually.

Enterprises value the ability to fine-tune Java applications for low latency, as it directly impacts customer experience and operational efficiency.

Accurate benchmarking is essential for identifying performance bottlenecks and validating optimizations. The Java Microbenchmark Harness (JMH) is a powerful tool for writing and running benchmarks. JMH helps eliminate common benchmarking pitfalls, such as JIT optimizations and warm-up effects, ensuring reliable results. For example, you can use JMH to measure the impact of different GC algorithms or JVM tuning parameters on application latency.

5. Real-World Applications and Industry Perspectives.

In industries like high-frequency trading, where microseconds matter, Java performance tuning is critical. Companies often combine JVM tuning, low-latency GC algorithms, and rigorous benchmarking to achieve the desired performance. For instance, switching from the default Parallel GC to ZGC or Shenandoah can reduce GC pause times from hundreds of milliseconds to just a few milliseconds, significantly improving application responsiveness.

Experts like Kirk Pepperdine, a well-known Java performance tuning consultant, emphasize the importance of understanding application behavior before applying optimizations. Similarly, Monica Beckwith, a Java performance engineer, highlights the need for continuous monitoring and tuning, as application requirements and workloads evolve over time.

Many developers appreciate the flexibility and control that JVM tuning offers, but they also acknowledge the steep learning curve involved in mastering these techniques.

Java performance tuning for low-latency applications is both an art and a science. By leveraging advanced JVM tuning techniques, selecting the right garbage collection strategy, and using tools like JMH for benchmarking, developers can significantly reduce latency and improve application performance. While the JVM provides a wealth of options, it’s crucial to understand the specific needs of your application and workload to make informed decisions.

As Java continues to evolve, with innovations like Project Loom and new GC algorithms, the tools and techniques for performance tuning will only become more powerful. For developers and organizations aiming to build high-performance, low-latency systems, mastering these advanced techniques is essential.

In 2025, forward-thinking engineering teams are reshaping their approach to work, combining emerging technologies with new approaches to collaboration......

Makulu Linux is a Linux distribution you’ve probably never heard of, which is a shame because it’s pretty cool. This flavor of Linux is based on Debia......

So far, 2025 has been the year of AI agents — where generative AI technology is used to automate actions. We’ve seen OpenAI’s Operator debut, demonstr......

How to Defend Amazon S3 Buckets from Ransomware Exploiting SSE-C Encryption

A new ransomware campaign, dubbed Codefinger, has been targeting Amazon S3 individuals by exploiting compromised AWS credentials to encrypt data using Server-Side Encryption with Customer-Provided Keys (SSE-C). Attackers then demand ransom payments for the symmetric AES-256 keys required to decrypt the data. AWS has released recommendations to help individuals mitigate the risk of ransomware attacks on S3.

All key management for S3 server-side encryption with SSE-C is handled outside of AWS, with encryption key material provided alongside the object, ensuring the cloud provider never stores the key material. Following Halcyon's findings, AWS . Steve de Vera, manager in the AWS Customer Incident Response Team, and Jennifer Paz, security engineer at AWS, explain:

Working with end-individuals, our security teams detected an increase of data encryption events in S3 that used an encryption method known as SSE-C. While this is a feature used by many end-individuals, we detected a pattern where a large number of S3 CopyObject operations using SSE-C began to overwrite objects, which has the effect of re-encrypting customer data with a new encryption key. Our analysis uncovered that this was being done by malicious actors who had obtained valid customer credentials, and were using them to re-encrypt objects.

Using publicly disclosed or compromised AWS keys, the threat actor identifies keys with permissions to execute s3:GetObject and s3:PutObject requests. The attacker can then initiate the encryption process by including the x-amz-server-side-encryption-customer-algorithm header, using an AES-256 encryption key that they generate and store locally. An S3 lifecycle rule is then applied to mark files for deletion within seven days, adding urgency to the ransom demand. The Halcyon RISE team explains why this poses a significant challenge:

Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure. Once encrypted, recovery is impossible without the attacker’s key.

While these actions do not exploit a vulnerability in any AWS service, Reddit user Zenin highlights in a popular thread:

The biggest threat here is really that the heavy lifting of encrypting the data can be offloaded to S3 and far less likely to raise concerns while it processes. Most traditional ransomware attacks cause a lot of side effects as they run.

Furthermore, AWS CloudTrail logs only the HMAC of the encryption key, which is insufficient for recovery and forensic analysis. Corey Quinn, chief cloud economist at The Duckbill Group, comments:

"Encrypt Everything--no wait not like that" says AWS, in the wake of S3 objects being encrypted using native S3 functionality via ransomware. That's frankly an ingenious attack vector. Evil. But ingenious.

AWS emphasizes the importance of using short-term credentials, implementing data recovery procedures, and preventing the use of SSE-C on S3 buckets when not necessary for the workload. Additionally, enabling detailed logging for S3 operations is a best practice for detecting unusual activity, such as bulk encryption or lifecycle policy changes. Paz and de Vera write:

If your applications don’t use SSE-C as an encryption method, you can block the use of SSE-C with a resource policy applied to an S3 bucket, or by a resource control policy (RCP) applied to an organization in AWS Organizations.

If a ransomware attack on S3 is suspected, both Halcyon and AWS recommend immediately restricting SSE-C usage, auditing AWS keys, enabling advanced logging, and promptly engaging AWS support as mitigation measures.

In a recent announcement on the React blog, the React team shared a significant enhancement: Create React App (CRA) is being deprecated. This......

Shell scripting is a powerful tool for automation, system administration, and software deployment. However, as your shell scripts grow in size and com......

Monzo Bank in the recent past revealed Monzo Stand-in, an independent backup system on GCP that ensures essential banking services remain operational during app......

GitHub Actions Adds Linux ARM64 Hosted Runners in Public Preview

GitHub in the recent past introduced the public preview of Linux arm64 hosted runners for GitHub Actions. Free for public repositories, this enhancement provides developers with more efficient tools for building and testing software on Arm-based architectures.

A changelog post on GitHub Blog summarised the announcement. Arm64 runners are hosted environments that enable developers to execute workflows, eliminating the need for cross-compilation or emulation. These 4 vCPU runners, using Cobalt 100 processors, can provide up to a 40% CPU performance increase compared to the previous generation of Microsoft Azure's Arm-based virtual machines.

The addition of arm64 runners aligns with the increasing demand for arm-based computing, driven by the energy efficiency and performance advantages of the architecture.

Native arm64 execution provides benefits such as faster build times and more reliable testing outcomes compared to emulated environments. At the time of arm64 release on GitHub Actions in June 2024, GitHub had supported Ubuntu and Windows VM images for these runners, enabling a straightforward start for clients building on Arm. However, back in June, these runners were available to GitHub Team and Enterprise Cloud Plans end-clients only.

To use the arm64 hosted runners, include these labels in your workflow files within public repositories: [website] and [website] . These labels are only functional in public repositories; workflows in private repositories using these labels will fail.

Standard runners usage limits, including maximum concurrency based on your plan, apply to all runs in public repositories. Developers are advised to expect potentially longer queue times during peak hours while the arm64 runners are in public preview.

The tech community on Hacker News welcomed this development as we saw interesting discussion threads. One user highlighted how this feature could encourage a broader shift toward ARM-based cloud workflows, mentioning the cost-effectiveness of arm CPUs compared to x64.

Another thread enquired about pricing differences between arm64 and x64 instances. One HN user agartner also provided an example of how to use the native GitHub Actions arm runners to accelerate docker builds.

This capability is particularly beneficial for projects targeting arm devices, such as IoT applications, mobile platforms, and cloud-native services. GitHub has encouraged people to share their experiences and suggestions by joining the community discussion.

For further details, interested readers can visit the documentation and also view a list of VM images from GitHub partners.

In a recent announcement on the React blog, the React team shared a significant upgrade: Create React App (CRA) is being deprecated. This......

This week's Java roundup for February 17th, 2025 functions news highlighting: the release of Apache NetBeans 25; the February 2025 release of the Payar......