BC SOFTWARE
Saved by @CodyyyGardner

As the year wrap's up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.

 First, that time when an AWS employee posted confidential AWS customer information including including AWS access keys for those customer accounts to github.
https://t.co/3Y7vgOwDtV
Discovery by @SpenGietz that you can disable CloudTrail without triggering GuardDuty by using cloudtrail:PutEventSelectors to filter all events. https://t.co/pR4TzI5xHV
Amazon launched their bug bounty, but specifically excluded AWS, which has no bug bounty. https://t.co/bPSw6GbnoV
Repeated, over and over again examples of AWS having no change control over their Managed IAM policies, including the mistaken release of CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, AmazonCirrusGammaRoleForInstaller.
The worst IAM policy mistake came later in the year with ReadOnlyAccess purging all of its privileges to replace them with read/write access to cassandra. https://t.co/YI4Y32UPAR
Kesten shows a flaw in how many vendors use IAM roles. Although not technically a mistake by AWS (shared responsibility blah blah blah), this is something AWS is entirely capable of identifying and pushing vendors to correct, but did nothing. https://t.co/8KSZegSKqn
AWS finally fixed a deficiency in the Route 53 and VPC APIs where if an attacker rerouted traffic via private hosted zones, you would not be able to audit for it. I list this here because this deficiency existed for 6 years! https://t.co/n3tnxEH1Lt
XSS on the web console. This issue was reported and fixed a few years ago but never disclosed until this year. https://t.co/6LksOQkXLw
Discovery that in the terms and conditions of AWS, when using machine learning services, AWS will use your data to improve their services and move that data outside of the regions you put it in. This was added to the terms in late 2017 but not noticed. https://t.co/kZd8s4yCZc
Crypto vulns found in AWS SDKs by Google employee @SchmiegSophie
https://t.co/D8w7mtR5yV
AWS finally provides a fix for the HTTP desync issues that had been reported to them almost a year prior https://t.co/8tXOoFArw3 and https://t.co/9hXvh6dEZh
AWS released CloudTrail Insights as a separate service, instead of integrating that functionality into GuardDuty. https://t.co/Z2TCcl9bpI 🍕🍕
AWS continues to make a mess of their managed IAM policies, creating AWS_Config_Role, AWS_ConfigRole, AWSConfigRole and AWSConfigServiceRolePolicy, along with 3 versions of AmazonMachineLearningRoleforRedshiftDataSource https://t.co/aK4c6ZVmYj https://t.co/Dao9JuXydU
Aiden manages to gain access to an AWS account run by AWS for one of their services where he was then able to see credentials to gain access to AWS customer accounts. This is IMHO the most epic issue of the year for AWS. https://t.co/qucuKEzNd3
Karim does a security audit of an AWS project, that points out enough issues that AWS deprecates the project. https://t.co/jBLzEMJ5KX
Another Google employee continues the trend of doing free work for AWS by finding more crypto issues: https://t.co/cjUV54g5ZE
Ian finds tagging privileges are not properly enforced by AWS calling into question the ability to use ABAC as a security boundary. https://t.co/buuMhoQjL5
Nick discovers a trick to test whether you have access to about 40 services without that testing being logged by CloudTrail. https://t.co/KJEjoiGuPm
AWS rolls out a new S3 web console which unfortunately once again allows people to set the "AuthenticatedUsers" ACL, which they haven't had in the console since 2017 because it is always misunderstood and wrong. https://t.co/VmKWySZtwE
AWS released their SOC 2 Type 2 for April-Sep 2020, with concerning issues in it. Unfortunately you aren't allowed to discuss these reports, but the issues are on page 120 and 121.
That wraps things up. Let's hope AWS figures out wtf they are doing with IAM managed policies next year.

End.

More from Software

Matt Bennett
Matt Bennett
@LongvueMatt
There is real opportunity to:

- scale a HoldCo
- focused on a portfolio of software & digital-forward assets
- serving niche and/or traditionally sleepy verticals

A playbook to follow...

But first... why is there opportunity?

- software is eating the world (& APIs are eating software)
- there are great product opp's for those who know where to look
- theres no real competition
- SaaS/subscription is the best delivery model out there (build once, sell twice+)

And why now?

We’re entering what I call the ‘Deployment Era’ ... where more traditional (sleepy) businesses will increasingly leverage software/tech to improve their model

And the best part is... we're on the front-end of riding this longer-term wave

So what does this mean?

Software (& other digital-first products) will eat more of the ‘traditional SMB’ stack

But most aren’t focused here bc it isn’t sexy or cool…

Which is where the opp is for those who have the right deal nose & know what to build & for who

There is big opportunity to build/scale in overlooked places...

Where you can build/acquire assets that have the best econ delivery model (SaaS/sub), w/ low competition, where you have an inside edge/know everyone in industry, & can do it when no one is looking
SOFTWARE
Andrew Harmel-Law \U0001f3e1
Andrew Harmel-Law 🏡...
@al94781
Software architecture is in crisis, and the way to fix it is a hefty dose of anarchy.


Some lay the blame for this on @boicy with the whole microservices thing.

(Admittedly, @nicolefv, @jezhumble and @realgenekim didn’t help when they statistically proved that he might have been onto something with all that de-coupling and team-alignment…)

However I don’t blame him at all.

I think he saved us; bringing us back to the path of value-delivery and independent services, but now with added independent teams.


But one thing is clear. Microservices need more architecture, not less (as do other forms of #Accelerate-style software organisation).

(See https://t.co/B2hWmXhIqe if you need convincing)

I mean, all those pesky slices we need to carve up our monoliths (or were they big balls of mud?) That’s a significant amount of work right there…
SOFTWARE , ARCHITECTURE
Advertisement
Abhiram Reddy
Abhiram Reddy
@nrabhiram
It’s been a minute since I’ve written code. So, I figured that now might be a good time to start learning how to use the Blueprint system in #UnrealEngine. I felt that it’d be interesting to share my progress and mistakes. So here goes!
🧵

1.
Firstly, I made use of the auto-rigging feature in Mixamo to give my character a skeleton. This allows you to use the Mixamo animations for the character in Unreal Engine.


2.
In the Animation Blueprint, I tried to add a punching state to the character. The problem I faced initially was that the character glides while punching. This occurs because multiple states of the animation are active (as their transition conditions are satisfied).


3.
There are a couple of solutions for this:

👉Blending the punch and idle states (character can punch while running) by using the Layered Blend Per Bone node.

👉Disabling input while the punch occurs.


4.
I didn’t like the outcome when I blended the animations. as the hip rotates more than we’d like it to. This leads to the character punching upwards and to the left. This isn’t favorable as the enemy is usually straight ahead. Disabling the input worked way better!
SOFTWARE
Jack Butcher
Jack Butcher
@jackbutcher
Building Principles:



1/

Value = doing things that other people don't do, won't do or can't do.

"You get paid in direct proportion to the difficulty of problems you solve" — Elon Musk


2/

Service is high-touch result generation (building experience), product is low-touch result generation (scaling experience).


3/

In a world of infinite distraction, focus is the only path to freedom.


4/

Sell time to buy experience, sell experience to buy time.

“If you don't find a way to make money while you sleep, you will work until you die.” — Warren Buffett
SOFTWARE , ALL
Anson Horton
Anson Horton
@AnsonHorton
1/ In early 2004 we were heads down executing on Edit and Continue across a large contingent of teams. There had been several iterations of scoping, redesigns, and customer feedback.

2/ We had a weekly meeting every Thursday morning when representatives from each of the teams would get together and review progress. It was fairly heavy weight, but there were so many teams involved that it was necessary to have a regular sync.

3/ Regardless, E&C was coalescing, but teams were stretched thin working diligently to enable scenarios, improve performance, fix bugs, etc. It had been a month or so since we decided to add support for C# to the matrix as well, so folks were a bit stressed.

4/ That set the stage for the meeting that we had on the first Thursday in April. A debugger PM named Habib Heydarian ran the meeting and after a brief intro he gave me a ring to come in and present.

5/ I walked in and handed out a document that I had written up, titled DCR: C# Edit and Continue for Venus. DCR meant design change request, and Venus was the design-time code name for ASP .NET support.
SOFTWARE

You May Also Like

Stephen Bush
Stephen Bush
@stephenkb
Some quick thoughts on Sam Gyimah's resignation after conversations with various Conservative MPs: 1) the chances of a second referendum are a lot higher than I thought:

2) At this point, if you are a young and ambitious Tory MP it is now so overwhelmingly in your interest to vote against the withdrawal agreement. V v hard to see how Julian Smith can cap rebellion at under 100:

3) Really just to reiterate 1) Gyimah is the kind of "No, never gonna rebel" vaguely pro-EU Tory you'd need to get on side to outweigh Labour Leavers and Real Concerners.
POLITICS
Seth Abramson
Seth Abramson
@SethAbramson
I don't care one way or another about the Elizabeth Warren DNA kerfuffle; it's silliness bred of Trump's lunacy, not a serious political matter.

But—*but*—the blowback on Warren is useful as a reminder that facts, science, and really truth of any kind is now anathema to the GOP.

2/ If you're online trying to convince a Trumpist of *anything*—I mean *anything*—stop right now.

The Trumpists' reaction to Warren's DNA test—a cacophony of fact-free insanity about race and DNA and even just *the bare facts of what happened*—tells you you're wasting your time.

3/ I don't see the point in baiting Trumpists, or insulting them, or calling attention to their madness on a daily basis. These people are fundamentally unserious about truth, discourse, and anything resembling a community of ideas. So:

1) Ignore them—completely.
2) Vote—always.

4/ I don't always live up to that standard, but I'm *trying*. I'm *trying* to ignore as beneath dialogic significance those who say "most people" have Native American ancestry, or who can't read basic studies to understand Warren's DNA test, or who say Trump never made a bet, &c.

5/ Trump wants to call Warren "Pocahontas" because he's a racist, wants to appeal to racists, and his cult-like following so ignores *everything bad he does* that they think that, had she lied—she didn't—*this* (this!) would be worse than anything Trump has done.

*Process that*.
ALL
Advertisement
Pat Walls
Pat Walls
@thepatwalls
And here they are...

THE WINNERS OF THE 24 HOUR STARTUP CHALLENGE

Remember, this money is just fun. If you launched a product (or even attempted a launch) - you did something worth MUCH more than $1,000.

#24hrstartup

The winners 👇

#10

Lattes For Change - Skip a latte and save a life.

https://t.co/M75RAirZzs

@frantzfries built a platform where you can see how skipping your morning latte could do for the world.

A great product for a great cause.

Congrats Chris on winning $250!


#9

Instaland - Create amazing landing pages for your followers.

https://t.co/5KkveJTAsy

A team project! @bpmct and @BaileyPumfleet built a tool for social media influencers to create simple "swipe up" landing pages for followers.

Really impressive for 24 hours. Congrats!


#8

SayHenlo - Chat without distractions

https://t.co/og0B7gmkW6

Built by @DaltonEdwards, it's a platform for combatting conversation overload. This product was also coded exclusively from an iPad 😲

Dalton is a beast. I'm so excited he placed in the top 10.


#7

CoderStory - Learn to code from developers across the globe!

https://t.co/86Ay6nF4AY

Built by @jesswallaceuk, the project is focused on highlighting the experience of developers and people learning to code.

I wish this existed when I learned to code! Congrats on $250!!
MAKERS
Kevin Roose
Kevin Roose
@kevinroose
On press call, Zuckerberg says FB users "naturally engage more with sensational content" that comes close to violating its rules. Compares it to cable TV and tabloids, and says, "This seems to be true regardless of where we set our policy lines."

Zuckerberg says FB is in the process of setting up a "new independent body" that users will be able to appeal content takedowns to. Sort of like the "Facebook Supreme Court" idea he previewed earlier this year.

Zuckerberg: "One of my biggest lessons from this year is that when you connect more than 2 billion people, you’re going to see the good and bad of humanity."

This is how Facebook says it's trying to change the engagement pattern on its services. https://t.co/3p0PGc912o


[email protected] asks Zuckerberg if anyone is going to lose their job over the revelations in the NYT story. He dodges, says that personnel issues aren't a public matter, and that employee performance is evaluated all the time.
TECH
Nicolas
Nicolas
@necolas
A brief analysis and comparison of the CSS for Twitter's PWA vs Twitter's legacy desktop website. The difference is dramatic and I'll touch on some reasons why.

Legacy site *downloads* ~630 KB CSS per theme and writing direction.

6,769 rules
9,252 selectors
16.7k declarations
3,370 unique declarations
44 media queries
36 unique colors
50 unique background colors
46 unique font sizes
39 unique z-indices

https://t.co/qyl4Bt1i5x


PWA *incrementally generates* ~30 KB CSS that handles all themes and writing directions.

735 rules
740 selectors
757 declarations
730 unique declarations
0 media queries
11 unique colors
32 unique background colors
15 unique font sizes
7 unique z-indices

https://t.co/w7oNG5KUkJ


The legacy site's CSS is what happens when hundreds of people directly write CSS over many years. Specificity wars, redundancy, a house of cards that can't be fixed. The result is extremely inefficient and error-prone styling that punishes users and developers.

The PWA's CSS is generated on-demand by a JS framework that manages styles and outputs "atomic CSS". The framework can enforce strict constraints and perform optimisations, which is why the CSS is so much smaller and safer. Style conflicts and unbounded CSS growth are avoided.
TECH