BC SOFTWARE
Saved by @CodyyyGardner

As the year wrap's up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.

 First, that time when an AWS employee posted confidential AWS customer information including including AWS access keys for those customer accounts to github.
https://t.co/3Y7vgOwDtV
Discovery by @SpenGietz that you can disable CloudTrail without triggering GuardDuty by using cloudtrail:PutEventSelectors to filter all events. https://t.co/pR4TzI5xHV
Amazon launched their bug bounty, but specifically excluded AWS, which has no bug bounty. https://t.co/bPSw6GbnoV
Repeated, over and over again examples of AWS having no change control over their Managed IAM policies, including the mistaken release of CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, AmazonCirrusGammaRoleForInstaller.
The worst IAM policy mistake came later in the year with ReadOnlyAccess purging all of its privileges to replace them with read/write access to cassandra. https://t.co/YI4Y32UPAR
Kesten shows a flaw in how many vendors use IAM roles. Although not technically a mistake by AWS (shared responsibility blah blah blah), this is something AWS is entirely capable of identifying and pushing vendors to correct, but did nothing. https://t.co/8KSZegSKqn
AWS finally fixed a deficiency in the Route 53 and VPC APIs where if an attacker rerouted traffic via private hosted zones, you would not be able to audit for it. I list this here because this deficiency existed for 6 years! https://t.co/n3tnxEH1Lt
XSS on the web console. This issue was reported and fixed a few years ago but never disclosed until this year. https://t.co/6LksOQkXLw
Discovery that in the terms and conditions of AWS, when using machine learning services, AWS will use your data to improve their services and move that data outside of the regions you put it in. This was added to the terms in late 2017 but not noticed. https://t.co/kZd8s4yCZc
Crypto vulns found in AWS SDKs by Google employee @SchmiegSophie
https://t.co/D8w7mtR5yV
AWS finally provides a fix for the HTTP desync issues that had been reported to them almost a year prior https://t.co/8tXOoFArw3 and https://t.co/9hXvh6dEZh
AWS released CloudTrail Insights as a separate service, instead of integrating that functionality into GuardDuty. https://t.co/Z2TCcl9bpI 🍕🍕
AWS continues to make a mess of their managed IAM policies, creating AWS_Config_Role, AWS_ConfigRole, AWSConfigRole and AWSConfigServiceRolePolicy, along with 3 versions of AmazonMachineLearningRoleforRedshiftDataSource https://t.co/aK4c6ZVmYj https://t.co/Dao9JuXydU
Aiden manages to gain access to an AWS account run by AWS for one of their services where he was then able to see credentials to gain access to AWS customer accounts. This is IMHO the most epic issue of the year for AWS. https://t.co/qucuKEzNd3
Karim does a security audit of an AWS project, that points out enough issues that AWS deprecates the project. https://t.co/jBLzEMJ5KX
Another Google employee continues the trend of doing free work for AWS by finding more crypto issues: https://t.co/cjUV54g5ZE
Ian finds tagging privileges are not properly enforced by AWS calling into question the ability to use ABAC as a security boundary. https://t.co/buuMhoQjL5
Nick discovers a trick to test whether you have access to about 40 services without that testing being logged by CloudTrail. https://t.co/KJEjoiGuPm
AWS rolls out a new S3 web console which unfortunately once again allows people to set the "AuthenticatedUsers" ACL, which they haven't had in the console since 2017 because it is always misunderstood and wrong. https://t.co/VmKWySZtwE
AWS released their SOC 2 Type 2 for April-Sep 2020, with concerning issues in it. Unfortunately you aren't allowed to discuss these reports, but the issues are on page 120 and 121.
That wraps things up. Let's hope AWS figures out wtf they are doing with IAM managed policies next year.

End.

More from Software

Charity Majors
Charity Majors
@mipsytipsy
Developer productivity, y'all. It is a three TRILLION dollar opportunity, per the stripe report.

Eng managers and directors, we have got to stop asking for "more headcount" and start treating this like the systems problem that it is. https://t.co/XJ0CkFdgiO


If you are getting barely more than 50% productivity out of your very expensive engineers, I can pretty much guarantee you cannot hire your way out of this resourcing issue. 😐

(the stripe report is here:

Say you've got a strategic initiative that 3 engineers to build and support it. Well, they're going to be swimming in the same muddy pipeline as everyone else at ~50%, so you're actually gotta source, hire and train 6, er make that 7 (gonna need another manager too now)...

...which actually understates the problem, because each person you add also adds friction and overhead to the system. Communication, coordination all get harder and processes get more complex and elaborate, etc.

So we could hire 7 people, or we could patch up our sociotechnical system to lose say only 25% productivity to tech debt, instead of 42%? 🤔

By my calculations, that would reclaim 3 engineers worth of capacity given a team of just 17-18 people.
SOFTWARE
Yan Cui is making the AppSync Masterclass
Yan Cui is making the ...
@theburningmonk
If you missed @clare_liguori's Continuous Delivery session this week (like I did) then good news, it's available on-demand now 🎊

https://t.co/78b8sI2hHs

And here's my play-by-play for the session

🧵...

This is a typical CD pipeline in AWS.

This is far more complex than the most complex CD pipeline I have ever had! Just cos it's complex, doesn't mean it's over-engineered though. Given the blast radius, I'm glad they do releases carefully and safely.


If you look closely, beyond all the alpha, beta, gamma environments, it's one-box in a region first then the rest of the region, I assume starting with the least risky regions first.

For anyone thinking about going multi-region (after the recent Kinesis outage), this is one of the complexities you need to consider. To do multi-region right and deploy safely (minimize blast radius), this is one of the complexities you have to factor in.

This "deploy small at first then more broadly" principle applies to #serverless apps too, though you can't "deploy to one box". You can do it with canary deployments instead, CodeDeploy supports this practice for Lambda (using weighted aliases) out-of-the-box.
SOFTWARE
Advertisement
Patrick McKenzie
Patrick McKenzie
@patio11
One of the big promises of software is composability. You can build rich, powerful experiences out of basic building blocks.

APIs add new things to the toolbox. For example: Treasury, which lets an app/platform store, move, and track a business’

I've been a small business owner and can talk at length about SMB banking, and will later, but let's put on the software developer hat right now.

Lots of software talks about money, keeps records about money, does calculations about money, but can't *touch* money.

This is extremely frustrating when you're building SaaS apps for businesses, because you have total control over your UX right until your app needs to touch money... at which point all data about it lives in a silo you can't access.

So you generally push work to the operator.

For example, suppose you’re writing a business-in-a-box system for electricians, including an invoicing feature.

You need to be able to read bank transactions to reconcile. You probably can't. The owner can. So you ask the owner to do mind-numbing work a computer does better.

It sure would be great if your business customers had bank accounts you could actually introspect and operate on their behalves! You could just get the list of incoming payments and match against the invoices.

There is some software to write but it is not rocket science.
SOFTWARE
Jessica G. Young
Jessica G. Young
@JessGeraldYoung
@JuliaLMarcus @Iplaywithgerms This paper gives documentation on software (with causal reasoning, assumptions reviewed in appendix) for a parametric approach to estimating either "total effects" or "controlled direct effects" with competing events and time-varying

@Iplaywithgerms Total effects capture paths by which treatment affects competing event (e.g. protective total effect of lifesaving treatment on dementia may be wholly/partially due to effect on survival). Controlled direct effects do not capture these paths

@Iplaywithgerms More detailed reasoning on the difference and tradeoffs between total and controlled direct effects and causal reasoning in the point treatment context provided here along with description of some estimators and

@Iplaywithgerms If you are familiar with more robust approaches like IPW or even better TMLE for time-varying treatment, these are trivially adapted to go after the controlled direct effect by simply treating competing events like loss to follow-up (censoring). e.g.

@Iplaywithgerms Examples of IPW estimation of the total effect of a time-varying treatment described in Appendix D of this paper:
https://t.co/RNhcgTBMkb
And here
https://t.co/rMWmwFBWwV
Others in reference lists of above papers.
SOFTWARE
foone
foone
@Foone
now that's a title screen


foolish people like to quote that "science says there are only two genders". This is incorrect.

Science instead says that in addition to the regular genders, there are 25 Science Genders, shown here. (tag yourself I'm Skull)


I have no idea how to continue with this game.
I clicked a bunch of things and the game just pauses for a second, except when I clicked electron it animated and then was replaced by... something


Quarky & Quaysoo's Turbo Science!

Turbo Science is like regular Science, but FASTER


oh I see

is this Gizmos and Gadgets but by Sierra?
SOFTWARE

You May Also Like

Khatvaanga
Khatvaanga
@khatvaanga
Starting my 2nd thread on Sringeri Parampara. This will cover the Jagadgurus after Sri Vidyaranya to Sri Shivabhinava Nrisimha Bharati.

It is really very tough to match the brilliance and achievements of Vidyaranya. After whom came 15 - Chandrashekara Bharati [1386-1389].

The next Acharya was Nrisimha Bharati [1389-1408]. Harihara raya found a town for this Acharya - Narasimhapuram. Acharya helped the king by guiding him in political affairs. He also initiated the kind with mahamantras for spiritual development.

Subsequent Acharyas were
15-Puroshottama Bharati [1408 - 1448]
16-Shankara Bharati[1448 - 1455]
17-Chandrasekhara Bharati II [1455 - 1464]
18- Nrisimha Bharati II [1464 - 1479]
19-Puroshottama Bharati II [1479 - 1517]

20-Ramachandra Bharati [1517 - 1560]. Sadashiva Raya was emporer of Vijayanagara during this time.
21-Nrisimha Bharati III [1560 - 1573]
22-Nrisimha Bharati IV [1573 - 1576]
23-Nrisimha Bharati V [1576 - 1600]

24-Abhinava Nrisimha Bharati [1600-1623]. When he visited Malahanikareswara temple for first time he noticed there was no Vinayaka there so he took piece of turmeric and drew outline of Ganesha on a pillar and offered puja.
ALL
John Papa
John Papa
@John_Papa
Choosing the Right JavaScript Framework

Thanks for joining me @pluralsight to talk about javascript frameworks. We had 150+ awesome questions, so I'll try to answer the ones I couldn't get to online right here in a tweet stream

Watch the video -->
https://t.co/G7zeiKhXme


Q. Do arrow functions really make dealing with JavaScript's "this" keywords easier?

A. Yes! When using arrow functions, the scope of "this" is effectively passed in from the outer scope. See here in this REPL

1/n


Q. Where does Polymer fit in? Is it considered a framework like the others?

A. @Polymer is an excellent way to create web components, which are ideal for creating sets of interactivity that can be shared in web apps.

2/n

Q. Have we gone framework crazy?

A. At one time, quite possibly. A few years back we literally had framework overload. I feel it really has solidified into a few very strong choices.

3/n

Q. [Is] there no more need for @polymer?

A. See my previous question on this ... but in general, I think there is a lot of room for Web Components with frameworks.

4/n
ALL
Advertisement
Bharadwaj
Bharadwaj
@BharadwajSpeaks
Hinduism is a minority religion in Punjab.

During the Khalistan movement, the minority Hindus and Jains were subjected to several attacks. Hindu and Jain temples were frequently vandalized and desecrated. This thread documents a few instances.

Thread

Durgiana Mandir is one of the oldest temples of Amritsar. According to the regional Hindu tradition, the temple was built on the spot where Lava and Kusha bound Hanuman. The temple annually attracts millions of Hindus from all over the country.


Amristsar has a very ancient Hindu history.

According to the regional Hindu tradition recorded in the "Survey of Amritsar", Amritsar got its name from Amrit immersed by Lava and Kusha in a pond.


Durgiana Mandir was rebuilt in 1921.

It was used to house the Murtis of Vishnu and Durga which were thrown out from the Parikrama of Harmandir Sahib in 1905.

Because of its presence in Amritsar, it became a frequent target of radicals during the Khalistan movement.


In 1982, in what was a completely unprovoked attack, the Dal Khalsa "activists" threw a severed cow head inside Durgiana temple.
RELIGION
Billy Bostickson \U0001f3f4\U0001f441&\U0001f441 \U0001f193
Billy Bostickson 🏴👁&👁 ...
@BillyBostickson
Tip from the Monkey
Pangolins, September 2019 and PLA are the key to this mystery
Stay Tuned!


1. Yang


2. A jacobin capuchin dangling a flagellin pangolin on a javelin while playing a mandolin and strangling a mannequin on a paladin's palanquin, said Saladin
More to come tomorrow!


3. Yigang Tong
https://t.co/CYtqYorhzH
Archived: https://t.co/ncz5ruwE2W


4. YT Interview
Some bats & pangolins carry viruses related with SARS-CoV-2, found in SE Asia and in Yunnan, & the pangolins carrying SARS-CoV-2 related viruses were smuggled from SE Asia, so there is a possibility that SARS-CoV-2 were coming from
ALL
Anu Satheesh
Anu Satheesh
@AnuSatheesh5
Importance of Famous Payyannur Pavithra Mothiram or Ring

Payyanur Sri Subramanya Swami Temple 🚩
Kerala

Temple, constructed by Parasurama is known as the 'Pazhani' of Kerala.The place got its name from 'Payyante Ooru' where Payyan is another name by which Subramanya was called.


There are references about this temple in Brahmanda purana. Muni Garga mentions this temple and the place to  the Pandavas when they were in Vanavasa. Temple was destroyed two times, once due to fire and then during the attack of Tipu Sultan.


Important tradition here is wearing of Pavithram by the temple priest. Pavithram is a sort of  ring worn during performing Vedic rituals or during the "pithrubali". Usually worn while performing Tarpana or Shradham. The traditional Pavitram is usually made of Dharbha grass
ALL