BC SOFTWARE
Saved by @CodyyyGardner

As the year wrap's up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.

 First, that time when an AWS employee posted confidential AWS customer information including including AWS access keys for those customer accounts to github.
https://t.co/3Y7vgOwDtV
Discovery by @SpenGietz that you can disable CloudTrail without triggering GuardDuty by using cloudtrail:PutEventSelectors to filter all events. https://t.co/pR4TzI5xHV
Amazon launched their bug bounty, but specifically excluded AWS, which has no bug bounty. https://t.co/bPSw6GbnoV
Repeated, over and over again examples of AWS having no change control over their Managed IAM policies, including the mistaken release of CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, AmazonCirrusGammaRoleForInstaller.
The worst IAM policy mistake came later in the year with ReadOnlyAccess purging all of its privileges to replace them with read/write access to cassandra. https://t.co/YI4Y32UPAR
Kesten shows a flaw in how many vendors use IAM roles. Although not technically a mistake by AWS (shared responsibility blah blah blah), this is something AWS is entirely capable of identifying and pushing vendors to correct, but did nothing. https://t.co/8KSZegSKqn
AWS finally fixed a deficiency in the Route 53 and VPC APIs where if an attacker rerouted traffic via private hosted zones, you would not be able to audit for it. I list this here because this deficiency existed for 6 years! https://t.co/n3tnxEH1Lt
XSS on the web console. This issue was reported and fixed a few years ago but never disclosed until this year. https://t.co/6LksOQkXLw
Discovery that in the terms and conditions of AWS, when using machine learning services, AWS will use your data to improve their services and move that data outside of the regions you put it in. This was added to the terms in late 2017 but not noticed. https://t.co/kZd8s4yCZc
Crypto vulns found in AWS SDKs by Google employee @SchmiegSophie
https://t.co/D8w7mtR5yV
AWS finally provides a fix for the HTTP desync issues that had been reported to them almost a year prior https://t.co/8tXOoFArw3 and https://t.co/9hXvh6dEZh
AWS released CloudTrail Insights as a separate service, instead of integrating that functionality into GuardDuty. https://t.co/Z2TCcl9bpI 🍕🍕
AWS continues to make a mess of their managed IAM policies, creating AWS_Config_Role, AWS_ConfigRole, AWSConfigRole and AWSConfigServiceRolePolicy, along with 3 versions of AmazonMachineLearningRoleforRedshiftDataSource https://t.co/aK4c6ZVmYj https://t.co/Dao9JuXydU
Aiden manages to gain access to an AWS account run by AWS for one of their services where he was then able to see credentials to gain access to AWS customer accounts. This is IMHO the most epic issue of the year for AWS. https://t.co/qucuKEzNd3
Karim does a security audit of an AWS project, that points out enough issues that AWS deprecates the project. https://t.co/jBLzEMJ5KX
Another Google employee continues the trend of doing free work for AWS by finding more crypto issues: https://t.co/cjUV54g5ZE
Ian finds tagging privileges are not properly enforced by AWS calling into question the ability to use ABAC as a security boundary. https://t.co/buuMhoQjL5
Nick discovers a trick to test whether you have access to about 40 services without that testing being logged by CloudTrail. https://t.co/KJEjoiGuPm
AWS rolls out a new S3 web console which unfortunately once again allows people to set the "AuthenticatedUsers" ACL, which they haven't had in the console since 2017 because it is always misunderstood and wrong. https://t.co/VmKWySZtwE
AWS released their SOC 2 Type 2 for April-Sep 2020, with concerning issues in it. Unfortunately you aren't allowed to discuss these reports, but the issues are on page 120 and 121.
That wraps things up. Let's hope AWS figures out wtf they are doing with IAM managed policies next year.

End.

More from Software

phil jones (he/him - ele)
phil jones (he/him - e...
@interstar
The Great Software Stagnation is real, but we have to understand it to fight it. The CAUSE of the TGSS is not "teh interwebs". The cause is the "direct manipulation" paradigm : the "worst idea in computer science" \1


Progress in CS comes from discovering ever more abstract and expressive languages to tell the computer to do something. But replacing "tell the computer to do something in language" with "do it yourself using these gestures" halts that progress. \2

Stagnation started in the 1970s after the first GUIs were invented. Every genre of software that gives users a "friendly" GUI interface, effectively freezes progress at that level of abstraction / expressivity. Because we can never abandon old direct manipulation metaphors \3

The 1990s were simply the point when most people in the world finally got access to a personal computer with a GUI. So that's where we see most of the ideas frozen. \4

It's no surprise that the improvements @jonathoda cites, that are still taking place are improvements in textual representation : \5
SOFTWARE
John Fetterman
John Fetterman
@JohnFetterman
buffalo uses dominion scoreboard software so not really


DEAD PEOPLE SCORED FOR BUFFALO!

A truck delivered off a suitcase full of points at halftime from Canada for Buffalo.

#StopTheSteel !!!!

I’ll be submitting sworn affidavits from Steelers fans than they saw the Buffalo rigging the game but I want to emphasize that I’m not under oath.
SOFTWARE
Advertisement
Yan Cui is making the AppSync Masterclass
Yan Cui is making the ...
@theburningmonk
If you missed @clare_liguori's Continuous Delivery session this week (like I did) then good news, it's available on-demand now 🎊

https://t.co/78b8sI2hHs

And here's my play-by-play for the session

🧵...

This is a typical CD pipeline in AWS.

This is far more complex than the most complex CD pipeline I have ever had! Just cos it's complex, doesn't mean it's over-engineered though. Given the blast radius, I'm glad they do releases carefully and safely.


If you look closely, beyond all the alpha, beta, gamma environments, it's one-box in a region first then the rest of the region, I assume starting with the least risky regions first.

For anyone thinking about going multi-region (after the recent Kinesis outage), this is one of the complexities you need to consider. To do multi-region right and deploy safely (minimize blast radius), this is one of the complexities you have to factor in.

This "deploy small at first then more broadly" principle applies to #serverless apps too, though you can't "deploy to one box". You can do it with canary deployments instead, CodeDeploy supports this practice for Lambda (using weighted aliases) out-of-the-box.
SOFTWARE
Chris Heilmann
Chris Heilmann
@codepo8
🚨 🦮 Seven ways to test for accessibility using only what is already in browser developer tools of Chromium browsers https://t.co/C7kdbigHGE

@MSEdgeDev @EdgeDevTools @ChromiumDev
#tools #accessibility #browsers
Also, a thread: 👇🏼


Issues pane, powered by @webhintio, listing accessibility issues with explanations why these are problems, links to more info and direct links to the tools where to fix the problem. https://t.co/4K5RynHhbg


The inspect element overlay showing accessibility relevant information of the element, including contrast information, ARIA name, role and if it can be focused via keyboard.


Colour picker with contrast information offering colours that are AA/AAA compliant. You can also see compliant colours indicated by a line on the colour patch.
Note: the current algorithm fails to take font weight into consideration, that's why there will be a new one.


Vision deficit ("colour blindness") emulation. You can see what your product looks like for different visitors.
https://t.co/bxj1vySCAb
INTERNET , SOFTWARE
Charity Majors
Charity Majors
@mipsytipsy
Developer productivity, y'all. It is a three TRILLION dollar opportunity, per the stripe report.

Eng managers and directors, we have got to stop asking for "more headcount" and start treating this like the systems problem that it is. https://t.co/XJ0CkFdgiO


If you are getting barely more than 50% productivity out of your very expensive engineers, I can pretty much guarantee you cannot hire your way out of this resourcing issue. 😐

(the stripe report is here:

Say you've got a strategic initiative that 3 engineers to build and support it. Well, they're going to be swimming in the same muddy pipeline as everyone else at ~50%, so you're actually gotta source, hire and train 6, er make that 7 (gonna need another manager too now)...

...which actually understates the problem, because each person you add also adds friction and overhead to the system. Communication, coordination all get harder and processes get more complex and elaborate, etc.

So we could hire 7 people, or we could patch up our sociotechnical system to lose say only 25% productivity to tech debt, instead of 42%? 🤔

By my calculations, that would reclaim 3 engineers worth of capacity given a team of just 17-18 people.
SOFTWARE

You May Also Like

Anshul Pandey
Anshul Pandey
@Anshulspiritual
IMPORTANCE AND CHARACTERISTICS OF GARUDA PURAN.

On the request of Garud, Bhagwan Vishnu, the rider of Garud, described this Puran based in Taksharya Kalp. It has ninteen thousand shlokas.
This book begins with a question and goes on to describe the Shrishti.


Then it describes the Surya puja vidhi, Diksha, Shradha, Nav vyuh puja, Vishnu sahastra naam kirtan and dhyan, Yog, Mrityunjay puja,Mala mantra, Shivarcha, Gopal puja, Trailikya mohan Shridhar puja, Vishnuarcha, Devpuja, Sandhya, Pancham tattva, Durga and Chakra Archana,

Maheshwar puja, Pavitra ropan puja, Murti dhyan, Vaastu maan, Prasaad, Sarvdev pratishtha, Ashtaang Yog, Daan dharm, Prayaschit, Narak description, Chakravyuh, Jyotish, Samudra shastra, Swar gyan, Tirth, Importance of Gaya, Different Manvantars, Pittra's, Varna dharma,

Dravya shudhhi, Samarpan, Vinayak puja, Grah yagya, Ashram, Shouch, Pret shudhi, Niti Shashtra, Vrat katha, Som and Surya vansh, Hari vansh, Bharat akhyan, Ayurveda, Medicine in Ayurveda, Rog nashak kavach, Garud Kavach, Traipur mantra, Prashna, difficulties in vyakaran,

Chhand shastra, Discipline, Snan Vidhi Tarpan, Bali Vaishvadev, Pavarna Karma, Sapindan, Dharmasar, Repentence of sins, Prati sankraman, Karmafal, Yug dharm, Vishnu bhakti, Method of Namaskaar to Hari, Narsingh strotras, Gyanamrit, Vishnuarchan strotras, Principles of Sankhya,
RELIGION
Vibhu Vashisth
Vibhu Vashisth
@VIBHU_Tweet
LACHIT BORPHUKAN : AN UNSUNG WARRIOR OF THE AHOM KINGDOM & THE GREAT BATTLE OF SARAIGHAT

Originally named as Lachit Deca, Lachit Borphukan, the fierce and invincible Ahom Commander, was born during the early 17th century at Betioni in the Golaghat district of modern Assam.


His father, Momai Tamuli Borbarua was the ‘Governor’ of the kingdom and also ‘Commander-in-Chief’ of Ahom army under King Pratap Singha during his reign starting from 1603 to 1639. Lachit received military training from an early age and joined the Ahom King Jayadhvaj Singha...


...(1648-1663) as a scarf-bearer.  The post ‘scarf-bearer’ or ‘Soladhara Barua’ is considered as a part of the incumbent king’s personal staff. Owing to his military training Lechit was appointed "Ghora Barua", Supdt. of the Royal horses. When Chakradhwaj Singha became king..


..of Ahom dynasty in 1663,he appointed him Suptd. of The Royal Guards &finally he was appointed as Borphukan by the king.Then onwards,he was known as Lachit Borphukan.Borphukan used to be top councillor in Ahom Kingdom. This position was embedded with executive & judicial powers.


Assam was facing incessant Islamic invasion since Jan1662, when Mughal General Mir Jumla II attacked Ahom capital Gargaon. He never defeated Ahom king Jayadhwaja Singha as king retreated to hill &continued Guerrilla warfare.Prolonged fight &prospect of stalemate disturbed Jumla.
ALL
Advertisement
Anshul Pandey
Anshul Pandey
@Anshulspiritual
TYPES OF SINS(PAAP) AS PER SKAND PURAN.

There are three types of Adharma- Sthool, Sukshma and Ati Sukshma. The group of Sins in the Sthul section carries you to Narak. These sins are committed through your thoughts, words and deeds.


It is of four types.

1)First is the sin committed by your mental state-
Thinking about woman other then your spouse.

A)Resolution to amass wealth from others.

B)Thinking ill about others.

C)Thinking of doing a forbidden or unworthy deed.

2)Second is the sin that you commit through your words :-

A)Talking irrelevant things.

B)Telling a lie.

C)Speaking harshly.

D)Talking ill about others.

3)Third type of sin is committed through your body actions-

A)Eating food not prescribed to you or forbidden.

B)Violence.

C)Eating fancier food.

D)Acquiring other's wealth.

So these twelve types of sins.

There are six types of sinners or Mahapatak

1)One not bowing his head in front of a temple.

2)Never praise Shiva.

3)People who behave untowardly way in front of Ishwar.

4)People who do not show respect to Ishwar, guru or one who are undignified.

5)One who do not behave properly.

6)One who is jealous of other bhakts.

Below is the list of sins which people may commit.

1)One who does not help a needy person or a person in pain,
RELIGION
Melissa (she/her)
Melissa (she/her)
@LiteraryMouse
In regards to the #CapitolCoup, I’m in a unique position. I monitored forums ahead of time and then was present for the coup itself.

These are my observations based on what I saw and the evidence that’s been collected so far. I reserve the right to adjust my analysis as needed.

Let’s talk about the organization of the coup first. Seeing some people insist that the coup must have been highly planned and coordinated.

Yes and no. This was a #StochasticCoup. We’ll see little evidence of direct communication between Trump and the insurrectionists.

Within the insurrectionists, there was not one group that executed the storming of the Capitol.

Rather, there were a number of smaller groups working independently towards the same goal. I expect you’ll see little evidence that these various groups communicated with each other.

What you will see is detailed planning and coordination within these small groups.

Then there were the joyriders, those Trump supporters who weren’t directly involved in any plotting but who were more than happy to go along for the ride once the coup was in motion.

After four years, the insurrectionists were carefully attuned to Trump’s messaging.

Every tweet and statement of his was treated as marching orders and carefully dissected for meaning.

It’s why shutting down Trump’s Twitter account was so important.
POLITICS , INSURRECTIONISTS
Corey Gwin
Corey Gwin
@corey_gwin
Great thread full of potential https://t.co/jA8h08M48z ideas! 💡

📸 Social disposable camera app

Create a digital "roll" with friends. Take pictures from the roll. You can't see them until: the roll is used up, a time limit expires, or you get to a specific location.

🎙 Asynch interview platform

Send a guest a video or audio clip asking a question. Guest replies when able with same medium. Repeat. When done, share produced video/podcast.

✅ 24 Hour Startup Checklist/Overlay

A web app to track the progress of your project: ideation, naming, shipping code, launching.

Page can also be a dynamic browser overlay for live streaming.

Have tools for polls, surveys, sharing, launching to various outlets, etc.

👩‍⚖️ Healthcare "Lawyers"

If health insurance screws you over, no one has your back but you. Instead, can pay a small monthly fee to a service to take care of BS like this for you should issues arise.
TECH