BC SOFTWARE
Saved by @CodyyyGardner

As the year wrap's up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.

 First, that time when an AWS employee posted confidential AWS customer information including including AWS access keys for those customer accounts to github.
https://t.co/3Y7vgOwDtV
Discovery by @SpenGietz that you can disable CloudTrail without triggering GuardDuty by using cloudtrail:PutEventSelectors to filter all events. https://t.co/pR4TzI5xHV
Amazon launched their bug bounty, but specifically excluded AWS, which has no bug bounty. https://t.co/bPSw6GbnoV
Repeated, over and over again examples of AWS having no change control over their Managed IAM policies, including the mistaken release of CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, AmazonCirrusGammaRoleForInstaller.
The worst IAM policy mistake came later in the year with ReadOnlyAccess purging all of its privileges to replace them with read/write access to cassandra. https://t.co/YI4Y32UPAR
Kesten shows a flaw in how many vendors use IAM roles. Although not technically a mistake by AWS (shared responsibility blah blah blah), this is something AWS is entirely capable of identifying and pushing vendors to correct, but did nothing. https://t.co/8KSZegSKqn
AWS finally fixed a deficiency in the Route 53 and VPC APIs where if an attacker rerouted traffic via private hosted zones, you would not be able to audit for it. I list this here because this deficiency existed for 6 years! https://t.co/n3tnxEH1Lt
XSS on the web console. This issue was reported and fixed a few years ago but never disclosed until this year. https://t.co/6LksOQkXLw
Discovery that in the terms and conditions of AWS, when using machine learning services, AWS will use your data to improve their services and move that data outside of the regions you put it in. This was added to the terms in late 2017 but not noticed. https://t.co/kZd8s4yCZc
Crypto vulns found in AWS SDKs by Google employee @SchmiegSophie
https://t.co/D8w7mtR5yV
AWS finally provides a fix for the HTTP desync issues that had been reported to them almost a year prior https://t.co/8tXOoFArw3 and https://t.co/9hXvh6dEZh
AWS released CloudTrail Insights as a separate service, instead of integrating that functionality into GuardDuty. https://t.co/Z2TCcl9bpI 🍕🍕
AWS continues to make a mess of their managed IAM policies, creating AWS_Config_Role, AWS_ConfigRole, AWSConfigRole and AWSConfigServiceRolePolicy, along with 3 versions of AmazonMachineLearningRoleforRedshiftDataSource https://t.co/aK4c6ZVmYj https://t.co/Dao9JuXydU
Aiden manages to gain access to an AWS account run by AWS for one of their services where he was then able to see credentials to gain access to AWS customer accounts. This is IMHO the most epic issue of the year for AWS. https://t.co/qucuKEzNd3
Karim does a security audit of an AWS project, that points out enough issues that AWS deprecates the project. https://t.co/jBLzEMJ5KX
Another Google employee continues the trend of doing free work for AWS by finding more crypto issues: https://t.co/cjUV54g5ZE
Ian finds tagging privileges are not properly enforced by AWS calling into question the ability to use ABAC as a security boundary. https://t.co/buuMhoQjL5
Nick discovers a trick to test whether you have access to about 40 services without that testing being logged by CloudTrail. https://t.co/KJEjoiGuPm
AWS rolls out a new S3 web console which unfortunately once again allows people to set the "AuthenticatedUsers" ACL, which they haven't had in the console since 2017 because it is always misunderstood and wrong. https://t.co/VmKWySZtwE
AWS released their SOC 2 Type 2 for April-Sep 2020, with concerning issues in it. Unfortunately you aren't allowed to discuss these reports, but the issues are on page 120 and 121.
That wraps things up. Let's hope AWS figures out wtf they are doing with IAM managed policies next year.

End.

More from Software

foone
foone
@Foone
I'm pretty sure whoever designed this control usually makes gender selectors for websites...

Poly Bridge has a language SLIDER.


all languages exist on a spectrum from English to 한국어


next I want to see a game with a "choose language" button and it brings up this language map like it's a skill tree


gonna spend 200 XP to unlock Tamil

that's from
SOFTWARE
Andrew Harmel-Law \U0001f3e1
Andrew Harmel-Law 🏡...
@al94781
Software architecture is in crisis, and the way to fix it is a hefty dose of anarchy.


Some lay the blame for this on @boicy with the whole microservices thing.

(Admittedly, @nicolefv, @jezhumble and @realgenekim didn’t help when they statistically proved that he might have been onto something with all that de-coupling and team-alignment…)

However I don’t blame him at all.

I think he saved us; bringing us back to the path of value-delivery and independent services, but now with added independent teams.


But one thing is clear. Microservices need more architecture, not less (as do other forms of #Accelerate-style software organisation).

(See https://t.co/B2hWmXhIqe if you need convincing)

I mean, all those pesky slices we need to carve up our monoliths (or were they big balls of mud?) That’s a significant amount of work right there…
SOFTWARE , ARCHITECTURE
Advertisement
Sunil Kumar
Sunil Kumar
@sunilc_
How should one approach System Design questions during an interview?

Here's the step by step guide:

🧵👇🏻

System design interviews are generally open ended discussions. There's no one right answer.

The main focus in this round is to see your thought process and whether you'll be able to design a minimal system keeping future scale in mind and by following the standard principles.

Know that many interviewers deliberately make it hard to see how you approach a given problem.

You cannot possibly design a complex system in 1-2 hours which engineers usually take months to years to design, develop and build.

So this is how you should approach this round:

1. Clarify the requirements: As mentioned earlier the questions are generally very open ended. So you need to ask a lot of question to set the scope clear for the discussion.

Example: "Design an application like Twitter"

Twitter has a lot of features like:
- Post tweet
- Home timeline
- Profile timeline
- Analytics
- Likes
- Retweets
- Following
- Bookmark
- Trending etc

You get the idea!
SOFTWARE , INFO
Patrick McKenzie
Patrick McKenzie
@patio11
One of the big promises of software is composability. You can build rich, powerful experiences out of basic building blocks.

APIs add new things to the toolbox. For example: Treasury, which lets an app/platform store, move, and track a business’

I've been a small business owner and can talk at length about SMB banking, and will later, but let's put on the software developer hat right now.

Lots of software talks about money, keeps records about money, does calculations about money, but can't *touch* money.

This is extremely frustrating when you're building SaaS apps for businesses, because you have total control over your UX right until your app needs to touch money... at which point all data about it lives in a silo you can't access.

So you generally push work to the operator.

For example, suppose you’re writing a business-in-a-box system for electricians, including an invoicing feature.

You need to be able to read bank transactions to reconcile. You probably can't. The owner can. So you ask the owner to do mind-numbing work a computer does better.

It sure would be great if your business customers had bank accounts you could actually introspect and operate on their behalves! You could just get the list of incoming payments and match against the invoices.

There is some software to write but it is not rocket science.
SOFTWARE
foone
foone
@Foone
1. in the beginning, browsers didn't have download statusbars
2. firefox got a browser statusbar extension. it was configurable and worked well
3. chrome cloned it without options and it didn't work as well

4. firefox realized chrome was faster and more secure at everything and therefore dropped extensions
5. now firefox doesn't have a download statusbar either

6. someone reimplements download statusbars in firefox's new web-extensions format. it's terrible because of the inherent limitations of the significantly less flexible and powerful extension format

7. CHROME WINS! (with its terrible download statusbar implementation which can't be fixed by users, because No Options and No Skins and No Extensions)

this is where we are now
SOFTWARE

You May Also Like

Patrick Byrne
Patrick Byrne
@PatrickByrne
READ AND RETWEET AS THOUGH THE LIFE OF YOUR NATION DEPENDS ON IT. WHICH IT DOES. Citizens, I am going to add to the picture with more information. I am not going to let this pass while keeping information to myself. I am going to walk you through 2 narratives.

A printing shop in Michigan prints ballots for Delaware County, Pennsylvania and as Lancashire County, Pennsylvania (this is normal). But along with the ballots it prints on contract and delivers to those counties, it prints some ballots that get diverted to Bethpage, New York.

There, a boiler room of folks fill in "Biden" (often without even voting downballot). The ballots (which are forensically legitimate, given that they come from the same print shop as the good ballots, ) then get trucked into Pennsylvania and mailed. Hundreds of thousands.

We have all of that documented. Texts, statements, affidavits, everything.

We also know that this same ballot printing company (and other firms in the same family) also print for Michigan, Wisconsin, Arizona, and Georgia.
POLITICS , LEGAL
Cole Escola
Cole Escola
@ColeEscola
If you know me, you know I don't like broadcasting details about my personal life on this website, but I have been getting asked why I'm not doing Christmas this year so I just wanna put this whole mess to bed. First of all, I don't agree with gay marriage... (1 of 4,625)

... full of dog food and she said, "I'm pretending this is ice cream! Treat me like a baby!" and proceeded to hump her own arm and I thought, "something tells me this isn't the real Norah Jones"... (117 of 4,625)

...cost me $7,000. I had to put it on two separate credit cards! It wasn't 'til I got to my car that I realized "that's way too expensive for one onion." But I didn't have time. Amanda Seyfried was begging to change my diaper... (1,001 of 4,625)

...another Christmas miracle. Mistletoe, stockings, sleigh bells, snow! All these things I have put up my ass. The taste of coffee... (2,974 of 4,625)

...I felt a *very* cold finger on my cheek and I turned around and I said, "Grandma?" and she goes, "Surprise, I'm alive and I work at Sears!" I said, "okay"... (3,047 of 4,625)
SOCIETY
Advertisement
Mo Rajabifard
Mo Rajabifard
@morajabi
👨‍💻 Last resume I sent to a startup one year ago, sharing with you to get ideas:

- Forget what you don't have, make your strength bold
- Pick one work experience and explain what you did in detail w/ bullet points
- Write it towards the role you apply
- Give social proof

/thread


"But I got no work experience..."

Make a open source lib, make a small side project for yourself, do freelance work, ask friends to work with them, no friends? Find friends on Github, and Twitter.

Bonus points:

- Show you care about the company: I used the company's brand font and gradient for in the resume for my name and "Thank You" note.
- Don't list 15 things and libraries you worked with, pick the most related ones to the role you're applying.
-🙅‍♂️"copy cover letter"

"I got no firends, no work"

One practical way is to reach out to conferences and offer to make their website for free. But make sure to do it good. You'll get:

- a project for portfolio
- new friends
- work experience
- learnt new stuff
- new thing for Twitter bio

If you don't even have the skills yet, why not try your chance for @LambdaSchool? No? @freeCodeCamp. Still not? Pick something from here and learn https://t.co/7NPS1zbLTi
You'll feel very overwhelmed, no escape, just acknowledge it and keep pushing.
LIFE
History Under Your Feet
History Under Your Fee...
@HUFToday
#TodayInHistory Ram Prasad Bismil,Ashfaqullah Khan and Roshan Singh are hanged in 1927, as they give up their life for the cause of freedom and inspire many a revolutionary. #LestWeForget


Shahjahanpur was a hub of revolution during the freedom struggle. Most of the revolutioaries in the North, were from this town. And among them, the most famous were two friends, whom destiny would bring together- Ram Prasad Bismil and Ashfaqullah Khan.

Ashfaqullah Khan was born at the turn of the 20th century on October 22, while Bismil was born 3 years earlier on June 11, in the same town. Both of them were excellent writers in Urdu and Hindi.

Both of them would come together under the Hindustan Republican Association, not to mention the fact that Ashfaq was an admirer of Bismil’s poetry, and became close friends with him on that account.

And both these men were hanged on the same date, December 19, 1927 for their involvement in the Kakori event. Two men from different religions, different backgrounds, yet destiny would bring them together.
HISTORY
Jaya_Upadhyaya
Jaya_Upadhyaya
@Jayalko1
SRI MOOKAMBIKA DEVI, KOLLUR (KAR)

There was an Asura, Kaumasura, who was doing penance to please Shiva and get a boon. To prevent him from asking for a boon, Devi Saraswati made him dumb (hence called Mookasur)
Later, Adi Parashakti slayed him and came to be called Mookambika.


It is said that Adi Shankaracharya had a vision in which Devi agreed to follow him provided he did not look back. He kept walking and was assured of her presence due to the sound of anklets. When he reached here in Kollur, he turned back as the sound of anklets had stopped.


So Devi stayed here and merged with the lingam. The place came to be called Mookambika Kshetram.
The linga has integrated on it’s left side MahaKali, Maha Lakshmi and Maha Saraswathi and on the right side- Brahma, Vishnu and Shiva.


A swarna rekha (gold line) divides this linga into left and right portion. Adi Shakthi in this Udhbhavlinga form appears only here.
Devi sits in padmasana and has 4 hands.
Adi Shankaracharya installed the Sri Chakra in front of Devi and also composed the Soundarya Lahiri here.
ALL