Abstract: The present embodiments relate to implementing change data on no-master NoSQL data stores. An optimized node can be identified from a plurality of NoSQL data storage nodes and a specialized node can be connected (e.g., collocated) to the optimized node. The specialized node can maintain change data capture (CDC) data provided by client nodes in a hash map that can be used as a point of truth for coordinating CDC data across the plurality of NoSQL data storage nodes. The plurality of NoSQL data storage nodes can identify and coordinate all read/write data obtained from multiple client devices in a geographically separated large-scale (e.g., planet scale) system to identify change data in a distributed data store. The specialized data can provide read data to devices in the large-scale system to reconcile inconsistencies in change data across nodes in the large-scale system.

Abstract: Embodiments described herein disclose methods and systems for encryption and decryption of data. In some implementations, an encryption and decryption system can protect private information of a user in documents with an artificial reality device. The encryption and decryption system can determine the portion of a document containing private information and encrypt that portion of the document. In some implementations, the encryption and decryption system can receive a document and identify the protected (e.g., encrypted) portion of the document. In some cases, the protected portion of the document can contain a security token that the encryption and decryption system can extract. The system can compare the security token to an authentication token associated with the user and determine whether the security and authentication token match. If the tokens match, the system can decrypt the protected portion of the document and display the decrypted data as a virtual object.

Abstract: A multi-tenant authentication system facilitates packaging and installing of integrations for authentication services of system tenants. The integrations include cloud resources of one or more cloud services. In order to package an integration, the multi-tenant authentication system retrieves resource manifests for cloud resources from corresponding cloud services. The multi-tenant authentication system generates the resource manifests to describe the cloud resource and any dependencies of the cloud resource, and also generates a package manifest including instructions for using the resource manifests to install the corresponding integration. The multi-tenant authentication system further facilitates installation of integration packages for tenants of the multi-tenant authentication system. The multi-tenant authentication system communicates with cloud services associated with resource manifests to install corresponding cloud resources to consistently replicate integrations for different tenants.

Abstract: Techniques are described herein for performing authentication, and also “eager” or “lazy” fetch of data, for restricted webpages based on the restricted webpages being associated with an authentication tier in an AASD registry. Inclusion of a restricted webpage in the AASD registry enables AASD-based authentication for the webpage. According to embodiments, information for a restricted webpage included in the AASD registry includes one or more of the following for the webpage: an identifier, an authentication level, allowed fields, eager fetch fields, one or more sources for one or more fields, etc. When information for a webpage is included in the AASD registry, that information is used to perform eager fetch for one or more fields of the webpage that are not associated with authentication requirements indicated in the AASD registry information, or whose authentication requirements are already fulfilled by the requesting client.

Abstract: Systems, devices, and methods are discussed for limiting exposure of internal network operations beyond the boundary of a secure network.

Abstract: A system can receive, from user input, request data indicative of a request to create a file with a first filename. The system can, based on the request data, determining a second filename for the file. The system can store an association between the first filename and the second filename. The system can create the file in a file system with the second filename.

Abstract: Some embodiments provide a method for providing a resource to a particular virtual private cloud that is deployed in a set of datacenters that host multiple virtual private clouds. At a resource issuer, the method receives a resource request from a particular machine deployed in the particular virtual private cloud, the resource request including a first set of cloud-specific data. The method obtains a cloud identifier for the particular machine from a registry service of the particular virtual private cloud that interacts with a datacenter-set cloud service that deploys machines in the datacenter set for different virtual private clouds. The method uses the obtained cloud identifier to obtain a second set of cloud-specific data for the particular machine from the datacenter-set cloud service. Upon determining that the first and second sets of cloud-specific data match, the method authenticates the particular machine and issues the resource for the particular machine.

Abstract: One or more implementations of the present specification provide an invoice access method and apparatus based on a blockchain, and an electronic device. The method includes: generating first ciphertext data by encrypting plaintext data of the target invoice based on a first key corresponding to an invoice issuer; generating second ciphertext data by encrypting the plaintext data of the target invoice based on a second key corresponding to an invoice receiver; adding the first ciphertext data and an user identifier of the invoice issuer to the blockchain as related to one another; and adding the second ciphertext data and an user identifier of the invoice receiver to the blockchain as related to one another.

Abstract: Disclosed herein are various embodiments for a sensitive data management system. An embodiment operates by receiving an HTTP request for an interface. A plurality of tiles, including both tiles associated with sensitive data and non-sensitive data, are identified for display on the interface. An access profile associated with providing access to the sensitive data is identified, the access profile including one or more requirements, associated with the HTTP request. Request information in the HTTP request corresponding to the one or more requirements of the access profile is identified. The identified request information is compared to the one more requirements of the access profile. A determination is made whether the identified request information satisfies the one more requirements of the access profile based on the comparing. At least one of: the second tile or the first tile and the second tile are provided for display on the interface based on the determination.

Abstract: A method including receiving, at a processor, credential requests for accessing the VPN environment from a first user device using a first interface and from a second user device using a second interface; transmitting, to the first user device, a first credential based at least in part on the first user device using the first interface; and transmitting, to the second user device, a second credential based at least in part on the second user device using the second interface, the first credential being different from the second credential. Various other aspects are contemplated.

Abstract: User system authentication includes a service infrastructure system receiving, from the user system, an authentication request including a user account identifier, generating a first validation code by performing a hash algorithm on the user account identifier and a first timestamp associated with the authentication request, sending to an email account associated with the user account identifier, an email message including the first validation code, receiving from the user system, a verification code, in response to receiving the verification code, generating a second timestamp, validating the second timestamp, in response to determining that the second timestamp is valid, generating a second validation code by performing the hash algorithm on the user account identifier and the first timestamp associated with the authentication request, comparing the verification code and the second validation code, and authenticating the user system, in response to a determination that the verification code and the second v

Abstract: A system can include: a plurality of processing Cores; a Package Interconnect communicatively coupled with the plurality of processing Cores; a Configurable LFSR PRV Generator Hardware Array means communicatively coupled with the Package Interconnect; a Galois Multiplication Hardware Accelerator means communicatively coupled with the Package Interconnect; an Extended Euclidian Algorithm Hardware Accelerator means communicatively coupled with the Package Interconnect; and a Fischer-Yates Shuffle Algorithm Hardware Accelerator means communicatively coupled with the Package Interconnect.

Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security Traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.

Abstract: An entity may generate digital account credentials when a new account is approved for generation by an authorizing entity that controls or issues new accounts. A user may contact an authorizing entity to open a new account with the authorizing entity. The authorizing entity may authenticate the user and may approve a new account to be generated for the user. The user may wish to conduct transactions immediately upon approval. However, the authorizing entity may not immediately generate a physical identification device along with an actual account identifier associated with the new account. An intermediary entity may generate digital account credentials for the new account immediately after the authorizing entity approves generation of the new account, provide the digital account credentials to the account holder, and process transactions using the digital account credentials.

Abstract: A device may determine that a first link of the device is active. The device may determine whether a Media Access Control Security (MACsec) session is established on the first link. The device may selectively enable or disable a second link of the device based on determining whether the MACsec session is established on the first link.

Abstract: Devices, systems, and methods for storing and managing sensitive information in a connected environment are provided. The system comprises a master controller and a sensitive information storage device (“SIS device”). The SIS device has an island that can be activated by user interaction with the SIS device. In general, the island is deactivated by default and when the island is deactivated, sensitive information that is stored on the SIS device cannot be accessed. Only when the island is activated by user interaction can the stored sensitive information be accessed.

Abstract: Systems and methods for using an application control prioritization index are disclosed.

Abstract: An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.

Abstract: A system and method are described for information extraction from network traffic traces that are both encrypted and non-encrypted. The system includes a client computer and a remote computer, where the client computer communicates data over a network. The client computer sets a session key log file environment variable, such that when the client computer launches a supported browser, a session key log file (KLF) is created, computer network traffic traces are captured by retrieving data from encrypted traffic, and the KLF and captured traffic are periodically transferred to a remote server. A remote computer performs traffic mining to analyze the captured traffic traces and extract sensitive pieces of information.

Abstract: In one embodiment, a method is provided. The method includes receive, by a networking device, a request from a first computing device, to connect to the networking device. The method also includes creating a first network. The first network is one of a set of networks of the networking device. The first computing device is one of a set of computing devices that are connected to the network device. Each network of the set of networks is initially isolated from other networks of the set of networks when the network is created. Each network of the set of networks comprises a respective computing device of the set of computing devices. The method further includes assigning the first computing device to the first network.