As the year wraps up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.
The ReadOnly IAM managed policy just had a huge purge of allowed actions. — Aidan W Steele (@__steele) October 16, 2020
Some of the things it lost:
* CodeBuild (some)
* License Manager
* AWS SSO
It gained access to sts:GetFederationToken and GetServiceBearerToken
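A managed-policy change like the one above is easy to miss because the policy ARN never changes, only its default version. The following script is an added example and not code from the thread or from AWS: it extracts the Allow actions from two versions of a policy document and reports what was removed and what was added. The two sample documents are constructed to mirror the tweet's description (some CodeBuild, License Manager and SSO actions gone; the two sts actions gained) and are not the real ReadOnlyAccess policy text. The optional live fetch uses standard boto3 IAM calls (get_policy, list_policy_versions, get_policy_version) against the real ReadOnlyAccess ARN.

```python
"""Detect action drift between two versions of an IAM managed policy.

Added example (not from the thread or from AWS). Compares the actions
granted by Allow statements in two policy documents so a reviewer can
see which permissions a managed policy stopped or started granting.
"""


def allowed_actions(policy_doc):
    """Return the set of actions granted by Allow statements in a policy document.

    Handles the IAM shorthand where "Statement" and "Action" may be a single
    object or string rather than a list.
    """
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        if isinstance(action, str):
            action = [action]
        actions.update(action)
    return actions


def diff_policy_actions(old_doc, new_doc):
    """Return (removed, added) as sorted lists of actions between two versions."""
    old = allowed_actions(old_doc)
    new = allowed_actions(new_doc)
    return sorted(old - new), sorted(new - old)


# Constructed sample documents (NOT the real ReadOnlyAccess policy), shaped to
# mirror the change described in the tweet.
OLD_VERSION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "codebuild:ListProjects",
            "license-manager:ListLicenseConfigurations",
            "sso:ListInstances",
        ],
        "Resource": "*",
    }],
}

NEW_VERSION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "sts:GetFederationToken",
            "sts:GetServiceBearerToken",
        ],
        "Resource": "*",
    }],
}


def fetch_policy_versions(policy_arn):
    """Fetch the default version and the previous version of a managed policy.

    Live helper for the __main__ block only; requires boto3 and AWS credentials.
    Returns (previous_document, default_document).
    """
    import boto3  # imported here so the pure functions above work offline

    iam = boto3.client("iam")
    versions = sorted(iam.list_policy_versions(PolicyArn=policy_arn)["Versions"],
                      key=lambda v: v["CreateDate"])
    latest, previous = versions[-1], versions[-2]
    docs = [iam.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
            ["PolicyVersion"]["Document"] for v in (previous, latest)]
    return docs[0], docs[1]


if __name__ == "__main__":
    removed, added = diff_policy_actions(OLD_VERSION, NEW_VERSION)
    print("removed:", removed)
    print("added:  ", added)
    # Uncomment to diff the live ReadOnlyAccess policy (real ARN):
    # old, new = fetch_policy_versions("arn:aws:iam::aws:policy/ReadOnlyAccess")
    # print(diff_policy_actions(old, new))
```

Run this from a scheduled job against the managed policies your roles attach and alert on any non-empty diff; an unexpected gain (such as sts:GetFederationToken appearing in a "read-only" policy) matters as much as a loss.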
Today is a good day for the security of AWS VPCs. A new API was released: route53:ListHostedZonesByVPC. This addresses a long-standing (six years!) deficiency in the Route 53 and VPC APIs. — Aidan W Steele (@__steele) June 18, 2020
You can now list all private hosted zones associated with a given VPC. I'll try to explain. pic.twitter.com/AVm2zsR43F
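Before this API, the only way to find every private hosted zone that could answer DNS inside a VPC was to enumerate zones from the owning side, which fails for zones associated from another account. The script below is an added example, not code from the tweet or from AWS: it pages through ListHostedZonesByVPC using the NextToken/MaxItems pattern of the real boto3 call and then flags zones whose Owner.OwningAccount is not your own account, since those are the associations a VPC owner most wants to review. The FakeRoute53 client and its zone IDs, names and account numbers are constructed test data.

```python
"""Enumerate the private hosted zones associated with a VPC.

Added example (not from the thread or from AWS). Uses the
route53:ListHostedZonesByVPC response shape (HostedZoneSummaries with
HostedZoneId, Name and Owner, plus NextToken for paging).
"""


def list_zones_for_vpc(client, vpc_id, vpc_region, page_size=100):
    """Return [(zone_id, name, owner)] for every hosted zone associated with the VPC.

    `client` is a boto3 Route 53 client or anything exposing the same
    list_hosted_zones_by_vpc(**kwargs) call. Route 53 expresses MaxItems as a
    string, and a missing NextToken marks the last page.
    """
    zones = []
    kwargs = {"VPCId": vpc_id, "VPCRegion": vpc_region, "MaxItems": str(page_size)}
    while True:
        resp = client.list_hosted_zones_by_vpc(**kwargs)
        for summary in resp.get("HostedZoneSummaries", []):
            owner = summary.get("Owner", {})
            # Zones are owned either by an account or by an AWS service.
            owner_label = owner.get("OwningAccount") or owner.get("OwningService") or "unknown"
            zones.append((summary["HostedZoneId"], summary["Name"], owner_label))
        token = resp.get("NextToken")
        if not token:
            return zones
        kwargs["NextToken"] = token


def foreign_zones(zones, my_account):
    """Return the zones not owned by my_account: associations worth reviewing."""
    return [z for z in zones if z[2] != my_account]


class FakeRoute53:
    """Constructed stand-in for a boto3 Route 53 client with two result pages."""

    _pages = {
        None: {
            "HostedZoneSummaries": [
                {"HostedZoneId": "Z1EXAMPLE", "Name": "corp.internal.",
                 "Owner": {"OwningAccount": "111111111111"}},
                {"HostedZoneId": "Z2EXAMPLE", "Name": "dev.internal.",
                 "Owner": {"OwningAccount": "111111111111"}},
            ],
            "NextToken": "page-2",
        },
        "page-2": {
            "HostedZoneSummaries": [
                {"HostedZoneId": "Z3EXAMPLE", "Name": "partner.internal.",
                 "Owner": {"OwningAccount": "222222222222"}},
            ],
        },
    }

    def list_hosted_zones_by_vpc(self, **kwargs):
        return self._pages[kwargs.get("NextToken")]


if __name__ == "__main__":
    # Offline run over the constructed client; swap in boto3.client("route53")
    # and your own VPC id, region and account id for a live check.
    zones = list_zones_for_vpc(FakeRoute53(), "vpc-0example", "us-east-1", page_size=2)
    for zone in zones:
        print(zone)
    print("owned elsewhere:", foreign_zones(zones, "111111111111"))
```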
An older vulnerability write-up about an XSS on the #AWS console which I responsibly disclosed to Amazon — Johann Rehberger (@wunderwuzzi23) July 1, 2020
Hope it's interesting for some who are getting started with #pentesting https://t.co/IGkS6LqiXw
Also AMZN now awards #bugbounties via Hackerone. Check it out! No aws though
After some final wrestling with CVSS, here is my security advisory and proof of concept for three issues I've found in the golang AWS S3 crypto SDK (similar issues have been in the other language versions as well, but I didn't look at them). — Dr. rer. nat. Sophie, her arms wide (@SchmiegSophie) August 10, 2020
The issues are fixed for new files in V2 https://t.co/slUu9h5NWg
AWS CloudTrail now provides relevant user statistics to act on anomalies detected by CloudTrail Insights — What's New on AWS (@awswhatsnew) August 25, 2020
CloudTrail Insights now helps you correlate user identities, user agents, and error codes associated with unusual levels of API activity. Now, ... https://t.co/euHA4HgSuu
Someone told me that "Tink should follow AWS Encryption SDKs", so I showed them why Tink works the way it does and AWS SDKs were doing it wrong. — thaidn (@XorNinja) September 28, 2020
Here are 3 vulnerabilities in AWS SDKs and AWS KMS. AMZN has fixed them in release 2.0.0 of the SDKs: https://t.co/tamjxene1T