BC SOFTWARE
Saved by @CodyyyGardner

As the year wrap's up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread.

 First, that time when an AWS employee posted confidential AWS customer information including including AWS access keys for those customer accounts to github.
https://t.co/3Y7vgOwDtV
Discovery by @SpenGietz that you can disable CloudTrail without triggering GuardDuty by using cloudtrail:PutEventSelectors to filter all events. https://t.co/pR4TzI5xHV
Amazon launched their bug bounty, but specifically excluded AWS, which has no bug bounty. https://t.co/bPSw6GbnoV
Repeated, over and over again examples of AWS having no change control over their Managed IAM policies, including the mistaken release of CheesepuffsServiceRolePolicy, AWSServiceRoleForThorInternalDevPolicy, AWSCodeArtifactReadOnlyAccess.json, AmazonCirrusGammaRoleForInstaller.
The worst IAM policy mistake came later in the year with ReadOnlyAccess purging all of its privileges to replace them with read/write access to cassandra. https://t.co/YI4Y32UPAR
Kesten shows a flaw in how many vendors use IAM roles. Although not technically a mistake by AWS (shared responsibility blah blah blah), this is something AWS is entirely capable of identifying and pushing vendors to correct, but did nothing. https://t.co/8KSZegSKqn
AWS finally fixed a deficiency in the Route 53 and VPC APIs where if an attacker rerouted traffic via private hosted zones, you would not be able to audit for it. I list this here because this deficiency existed for 6 years! https://t.co/n3tnxEH1Lt
XSS on the web console. This issue was reported and fixed a few years ago but never disclosed until this year. https://t.co/6LksOQkXLw
Discovery that in the terms and conditions of AWS, when using machine learning services, AWS will use your data to improve their services and move that data outside of the regions you put it in. This was added to the terms in late 2017 but not noticed. https://t.co/kZd8s4yCZc
Crypto vulns found in AWS SDKs by Google employee @SchmiegSophie
https://t.co/D8w7mtR5yV
AWS finally provides a fix for the HTTP desync issues that had been reported to them almost a year prior https://t.co/8tXOoFArw3 and https://t.co/9hXvh6dEZh
AWS released CloudTrail Insights as a separate service, instead of integrating that functionality into GuardDuty. https://t.co/Z2TCcl9bpI 🍕🍕
AWS continues to make a mess of their managed IAM policies, creating AWS_Config_Role, AWS_ConfigRole, AWSConfigRole and AWSConfigServiceRolePolicy, along with 3 versions of AmazonMachineLearningRoleforRedshiftDataSource https://t.co/aK4c6ZVmYj https://t.co/Dao9JuXydU
Aiden manages to gain access to an AWS account run by AWS for one of their services where he was then able to see credentials to gain access to AWS customer accounts. This is IMHO the most epic issue of the year for AWS. https://t.co/qucuKEzNd3
Karim does a security audit of an AWS project, that points out enough issues that AWS deprecates the project. https://t.co/jBLzEMJ5KX
Another Google employee continues the trend of doing free work for AWS by finding more crypto issues: https://t.co/cjUV54g5ZE
Ian finds tagging privileges are not properly enforced by AWS calling into question the ability to use ABAC as a security boundary. https://t.co/buuMhoQjL5
Nick discovers a trick to test whether you have access to about 40 services without that testing being logged by CloudTrail. https://t.co/KJEjoiGuPm
AWS rolls out a new S3 web console which unfortunately once again allows people to set the "AuthenticatedUsers" ACL, which they haven't had in the console since 2017 because it is always misunderstood and wrong. https://t.co/VmKWySZtwE
AWS released their SOC 2 Type 2 for April-Sep 2020, with concerning issues in it. Unfortunately you aren't allowed to discuss these reports, but the issues are on page 120 and 121.
That wraps things up. Let's hope AWS figures out wtf they are doing with IAM managed policies next year.

End.

More from Software

Jessica G. Young
Jessica G. Young
@JessGeraldYoung
@JuliaLMarcus @Iplaywithgerms This paper gives documentation on software (with causal reasoning, assumptions reviewed in appendix) for a parametric approach to estimating either "total effects" or "controlled direct effects" with competing events and time-varying

@Iplaywithgerms Total effects capture paths by which treatment affects competing event (e.g. protective total effect of lifesaving treatment on dementia may be wholly/partially due to effect on survival). Controlled direct effects do not capture these paths

@Iplaywithgerms More detailed reasoning on the difference and tradeoffs between total and controlled direct effects and causal reasoning in the point treatment context provided here along with description of some estimators and

@Iplaywithgerms If you are familiar with more robust approaches like IPW or even better TMLE for time-varying treatment, these are trivially adapted to go after the controlled direct effect by simply treating competing events like loss to follow-up (censoring). e.g.

@Iplaywithgerms Examples of IPW estimation of the total effect of a time-varying treatment described in Appendix D of this paper:
https://t.co/RNhcgTBMkb
And here
https://t.co/rMWmwFBWwV
Others in reference lists of above papers.
SOFTWARE
Andrew Harmel-Law \U0001f3e1
Andrew Harmel-Law 🏡...
@al94781
Software architecture is in crisis, and the way to fix it is a hefty dose of anarchy.


Some lay the blame for this on @boicy with the whole microservices thing.

(Admittedly, @nicolefv, @jezhumble and @realgenekim didn’t help when they statistically proved that he might have been onto something with all that de-coupling and team-alignment…)

However I don’t blame him at all.

I think he saved us; bringing us back to the path of value-delivery and independent services, but now with added independent teams.


But one thing is clear. Microservices need more architecture, not less (as do other forms of #Accelerate-style software organisation).

(See https://t.co/B2hWmXhIqe if you need convincing)

I mean, all those pesky slices we need to carve up our monoliths (or were they big balls of mud?) That’s a significant amount of work right there…
SOFTWARE , ARCHITECTURE
Advertisement
Mark Newton Total Landscaping Supplies
Mark Newton Total Land...
@NewtonMark
It's incredibly hard to become a customer of @Telstra so you can give them money. They absolutely despise money, and do everything in their power to erect as many obstacles as possible in the way of a normal person establishing a billing relationship with them.

First: "I'd like to buy a 4G WiFi hotspot please."
"Umm, we don't have any. Maybe try K-Mart."

Are you serious? You can't sell me a mobile broadband service, and you'd prefer me to go to a department store. Okay...

So I go to the department store, and they have the same Telstra product $20 cheaper than Telstra does.

Go to activate it. Error message, SIM serial number has already been activated. Well goddamn.

So, back to the @Telstra shop. "Yes, I know I can return the whole thing, but all I want is a $2 SIM to get started. Can you just sell me one of those?"

No. They don't have any. Zero SIMs in the store.

ARE YOU KIDDING ME? WHAT OTHER PURPOSE DOES A TELSTRA SHOP HAVE?

Their first suggestion was to buy one from @AusPost, but they take 24 hours to activate their prepaid SIMs. Maybe try Woolies?
SOFTWARE
Chris Heilmann
Chris Heilmann
@codepo8
🚨 🦮 Seven ways to test for accessibility using only what is already in browser developer tools of Chromium browsers https://t.co/C7kdbigHGE

@MSEdgeDev @EdgeDevTools @ChromiumDev
#tools #accessibility #browsers
Also, a thread: 👇🏼


Issues pane, powered by @webhintio, listing accessibility issues with explanations why these are problems, links to more info and direct links to the tools where to fix the problem. https://t.co/4K5RynHhbg


The inspect element overlay showing accessibility relevant information of the element, including contrast information, ARIA name, role and if it can be focused via keyboard.


Colour picker with contrast information offering colours that are AA/AAA compliant. You can also see compliant colours indicated by a line on the colour patch.
Note: the current algorithm fails to take font weight into consideration, that's why there will be a new one.


Vision deficit ("colour blindness") emulation. You can see what your product looks like for different visitors.
https://t.co/bxj1vySCAb
INTERNET , SOFTWARE
Benchmark
Benchmark
@GetBenchmarkCo
🚨 $PSKY MedTech 🚨

🩺 Provides a healthcare CRM software

📈 Sales are set to grow by 38% YoY from 2020 to 2021

⚡️ Developing a platform for third-parties to commercialise their MedTech apps and integrate these with PatientSky’s software

✅ Becoming a Platform-as-a-Service


PatientSky $PSKY.OL was founded in 2014 in Norway and started as a patient administration tool for clinics

🩺 It serves as a platform for ordering appointments, prescriptions, video consultations and e-consultations


The solution grew rapidly from 100.000 to 1.8m app downloads in less than 4 years

🥼 And it added a myriad of possibilities along the way, starting from a simple EHR management tool to a MedTech platform


1️⃣ By 2016 it counted 100k downloads and had morphed into a SaaS tool offering a task scheduler, internet connectivity and a VOIP module

2️⃣ By 2019, it counted over 1m app downloads and added an insurance module, Electronic Health Records (EHR) and a medication tool

✨ The company also introduced a Platform-as-a-Service tool, enabling its customers to build their own medical apps on top of PatientSky’s platform

3️⃣ By 2020, it expanded into hospitals and counted over 1.8m app downloads
SOFTWARE

You May Also Like

\u0936\u094d\u0930\u0940\u092e\u093e\u0932\u0940 \u0939\u093f\u0924\u0947\u0936 \u0905\u0935\u0938\u094d\u0925\u0940
श्रीमाली हितेश अवस्थी...
@HiteshAwasthi89
Sri Devi Karumariamman mandir, Chennai, Tamilnadu

Sri Devi Karumariamman mandir is in Thiruverkadu, a suburb of Chennai. It is said that God Muruga came here and obtained the 'Vel' (spear) from His mother, Goddess Karumari (an avatar of Parvathi) 1/n


to fight the demon Suran and hence this place was called as 'Vel kadu' and became as Verkadu. As per legend Devi Karumariamman once disguised as a soothsayer visited Bhagwan Surya, the Sun God, to predict His future. 2/n


Not realising that the soothsayer is none other than Sakthi Matha, Surya ignored Her. Angered by his indifference, Devi Karumariamman immediately retreated. Bhagwan Surya lost His glory and the earth plunged into darkness. 3/n


Bhagwan Surya then realised His folly and pleaded forgiveness from Devi Karumariamman. In order to pacify mother Karumariamman, Suryadev said that His rays would fall on Her directly twice in a year and touch her feet. (in the month of Panguni (March- April) & during (Sep - Oct)


Mother Karumari Amman is worshipped here in two forms.A swayambu (self manifested) with only head visible above the ground and another one in a graceful sitting posture with all Parasakthi features,with four arms holding skull, sword, trishul, udukkai (damru). 5/n
ALL
Anu Satheesh
Anu Satheesh
@AnuSatheesh5
Krishna and the False Vasudeva
#story

Paundraka Vasudeva was a King mentioned in Bhagavatha Purana. He was friend of Jarasandha, the king of Magadha. He believed that he is Vasudeva Krishna.
Once Paundraka Vasudeva received a letter from Shishupala, stating that he wanted


protection from Krishna, because it was Rukmini's wedding and Shishupala thought Krishna would take away Rukmini.

Paundraka Vasudeva agreed and went to Vidarbha, the Kingdom of Shishupala, but failed to provide protection as Krishna took Rukmini away. Paundraka Vasudeva was


feeling sad. His Minister's cheered him.
They said that Paundraka Vasudeva was the real Vasudeva and Krishna is a cheater. Everyone started to believe this and soon Paundraka Vasudeva soon started to taunt Krishna by saying that Krishna was a cheater.
Paundraka Vasudeva then


challenged Krishna to a war and Krishna said that he would give Paundraka his Chakra and Gadha. Paundraka suspected some foul play and went to King of Kashi for his protection. In battlefield, Krishna came in front of Paundraka, and said that he would throw his Chakra and Gadha


to him. But, Krishna's throw was perfect that the Gadha hurled him to the Ground and the Chakra killed him.
Krishna soon killed king of Kashi with an arrow and his head went flying to Kashi.
Thus Victorious Krishna was recieved by people of Dwaraka.
Hare Krishna 🙏🕉🙏
ALL
Advertisement
Christina Warren
Christina Warren
@film_girl
A brief thread on Jovan Hutton Pulitzer, the crazy con man who is now claiming to have hacked into the Georgia voting machines in Fulton County. 90s kids and tech aficionados might remember Jovan as the inventor of the CueCat, the dumbest gadget of all time.

Also, for anyone who wants to claim that Jovan Hutton Pulitzer (not his given name, but one he changed legally after the CueCat debacle) invented QR Codes: he did not. Like that other right-wing crazy man who claimed to have invented email, Jovan didn’t invent QR Codes.

He did invent the CueCat, a product that somehow raised $185 million dollars for a tethered barcode scanner for magazines and newspapers, so you could get ads from your ads. As I said, the dumbest product of all time. Good backup barcode scanners after they were hacked, however

Oh, that’s another thing. When CueCat was a thing, its systems were hacked. I guess that’s what makes Jovan a security expert. His bankrupt company from 20 years ago was hacked and widely mocked. He’s a genius.

In recent years, Jovan pivoted to being a treasure hunter who was featured on and widely mocked on Curse of Oak Island, because the man is insane.
POLITICS
Coffee Sloth \u2615
Coffee Sloth ☕
@CaseyExplosion
*Heads-up that this thread will feature some extreme examples of homophobia and transphobia.*

Hey folks, have you ever wondered why trans people face constant accusations of fetishism, sexual predation and child abuse/grooming? Well, today let's talk about stochastic terrorism.

So, first we have to talk about what stochastic terrorism actually is. Remember when there was a conspiracy that there was a pedophile ring operating out of a pizza parlour basement, and a crazed gunman showed up? It's that sort of incitement that stochastic terrorism describes.

It's the demonisation or incitement against a group of people or individuals with the intent that other, unaffiliated parties will act upon it; it's the releasing doctored footage and a shooter show up at Planned Parenthood as a direct result of what he's been led to believe.

So with that in mind, let's talk about Russia's extreme anti-LGBT laws that banned the "promotion" of LGBT lifestyles to children. A move that specifically marked LGBT people as a threat to children, and resulted in neo-nazis meting out vigilante "justice" against gay men.


Groups such as this would lure unsuspecting gay men via dating sites, and brutalise and humiliate them on camera. They did so under the guise of combating child abusers, one group calling themselves "Occupy
SOCIETY
Eileen May
Eileen May
@suleskerry
Joanna Cherry:"Alex Salmond secured a concession that nothing in Scotland Act would preclude the people of Scotland from subsequently choosing an independent future. This is recorded in Hansard during second reading of Referendums (Scotland & Wales) Bill, May 21, 1997."

Donald Dewar said: “I should be the last to challenge the sovereignty of the people, or deny them the right to opt for any solution to the constitutional question they wished. For example, if they want to go for independence, I see no reason why they should not do so." JC

"In same debate Alex Salmond went on to emphasise that “… the Claim of Right referred to sovereign right of the Scottish people to determine a form of Govt best suited to their needs. It did not suggest sovereignty resides with English Members of Parliament." Joanna Cherry

Joanna Cherry: "Donald Dewar articulated the democratic norm later enshrined in the Edinburgh Agreement. His concession laid the foundation for the 2014 referendum in recognising the rights of Scots to choose whether to remain part of our voluntary union with England."

"I am wholly in agreement with view that we must find a legal & constitutional way to demonstrate that public opinion in Scotland has changed since 2014 referendum, in order for our independence to be internationally recognised & therefore meaningful." Joanna Cherry
SOCIETY