I've been helping people sell online since 1995.
Currently based in Los Angeles, CA. Feel free to reach out if you ever want to discuss anything over coffee; I'm always in search of new stories and new ideas.
Contact: gavin@estey.com http://www.linkedin.com/in/gavinestey
- The desired result is a 500 so it's possible to audit.
As much as this is a pain, the alternative can be more painful.
I used to have a client that would forward me an email from their security team every six weeks saying "we found a SQL injection issue with your site, can you look into this and confirm that it's fixed?" and I'd reply back saying "that's not possible" and they'd go "ok, we've marked this as a false positive".
Eventually I got bored of having the same conversation over and over, so I asked them to show what they were finding. It turned out their scan would do the following:
    html1 = request("https://example.com/search?query=test")
    html2 = request("https://example.com/search?query=test' or 1=1--")
    if (html1 != html2) sql_injection_vulnerable = true

Which of course is total nonsense, just because it returns different content doesn't mean anything.

This is a perfect use case for a WAF, I can stick one in front and then have it return 500s for all these requests and not worry about it any more.
In our case, we didn't have a WAF, but they had an obvious User-Agent, and it turns out that blocking all of their requests passed the scan too :)
- It's more so that Cloudflare has a WAF product that checks a box for security and makes people whose job it is to care about boxes being checked happy.
For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error, including /etc/hosts and other ones such as:
    ../../apache/logs/error.log
    AND%20(SELECT%208203%20FROM%20(SELECT(SLEEP(5)))xGId)
    /../..//../..//../..//../winnt/system32/netstat.exe?-a

We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.

We ended up deploying a WAF to block all these requests, even though it didn't improve security in any meaningful way.
- To paraphrase a previous employer's strategy: fixed fee projects are for ones you plan to do over and over where it makes sense to invest at getting good at them.
The first one you lose a bunch of money, the second you might break even if you are lucky, and the tenth onward you make a bunch of money.
- One example is LookML, which is used to build semantic data models in an analytic layer: https://cloud.google.com/looker/docs/what-is-lookml
- Dijkstra was talking about Dartmouth Basic in 1975:
  - Variables: Single letter, optional digit.
  - Control flow: FOR loops, GOTO for others.
  - Subroutines: GOSUB line, RETURN.
  - Parameters: Passed via global variables.
  - Functions: 26 (FNA–FNZ), one line each.
  - IF statements: One line only.
- See Living Worlds: http://www.effectgames.com/demos/worlds/
There's an iOS and Android app: https://pixfabrik.com/livingworlds/
- You can use MJML - https://mjml.io/ - which abstracts away a lot of the ugliness and Outlook hacks.
- In a previous role I was responsible for developing architecture that supported a bunch of different teams, so I started being pulled into a lot of meetings as the easy option for them was asking me. I ended up having 6-8 hours of meetings a day on top of my actual workload.
My solution was to not accept meetings and have a PM go grab me if they really needed me, that was enough friction to allow me time to get work done. As in your case, this created a bunch of mystique as I was now that guy that showed up in the middle of a meeting, said a bunch of smart things (hopefully!) and then left.
One of the differences about the new Zoom-centric world is that it's zero effort to add somebody to a meeting "just in case". I push my leads to decline meetings where there is no clear agenda and/or clear idea of the value they can provide. It's ok that your default isn't to hit "accept", it's the meeting organizer's job to convince you that it's worth attending over other priorities.
- Recently I had to support a client who had a "no CVEs in a production deploy, ever" policy.
The stack included Linux, Java, Chromium, and MySQL. It took multiple person-years of playing whack-a-mole with dependencies to get it into production because we'd have to have conversations like:
Client: there's a CVE in this module
Us: that's not exploitable because it's behind a configuration option that we haven't enabled
Client: somebody could turn it on
Us: even if they somehow did and nobody noticed, they would have to stand up a server inside your VPC and connect to that
Client: well what if they did that?
Us: then they'd already have root and you are hosed
Client: but the CVE
Us:

So I definitely appreciate any vendor that tries to minimize CVEs.
- One interesting read on the topic of near misses and High-Reliability Organizations is the paper "Going Solid", which has a great summary here:
- I assume there's some point where they will start declining transactions and it could be some fixed number or some complex calculation based on all the data the bank has about my finances.
My point is that these examples are bad ones because they don't match the real world, which is messy and complex and inconsistent.
- When it comes to this topic, almost all examples don't match how things work in the real world where they are eventually consistent.
For example, my bank lets me go negative and then if I don't settle by the end of the day, overdraft protection will kick in for a little more than that negative amount.
- To generalize that idea a little, I think about technical debt being the accumulation of less-than-perfect decisions, if you consider the decision you made against the best possible decision that could have been made in hindsight.
Sometimes that's not making things flexible enough, or too flexible, or not having all the requirements captured, or making technical bets that didn't pan out.
- Steinway & Sons piano company built a company town, which is now part of Astoria, NYC. I lived for a few years in a house that was for factory workers, streets west of me were bigger houses intended for management.
https://americanhistory.si.edu/documentsgallery/exhibitions/...
- Regus has been around for a long time, I worked out of one of their offices in the mid-90s.
The great thing was that shared office space was new to most people, so when clients would visit they'd be impressed with the fancy building, the marble reception, and the huge conference room, and not know we were a 2-person shop renting a 6'x8' office.
- I've worked with a few companies where a significant portion of the staff have been there a long time--the sort of place where you join after high school and stay until retirement and the "new guy" has been there over a decade.
One CEO told me their secret to employee retention:
1. Compensate people a little better than you need to
2. Promote internally
3. Be one of the few employers in town so that 1 and 2 compound
- If you visit NYC, the mutton chop at Keen's is well worth trying: https://ny.eater.com/2015/1/30/7948527/the-mutton-chop-at-ke...
- I've spent a bunch of time over the last couple of years working on learning and enablement programs. The main thing that I've learnt is that nobody likes the bulk of online learning efforts: dated videos with forced Q&A interspersed.
I've got a strong hunch that learners have an overall learning modality: some prefer video, some prefer audio, some prefer long form text, and so on, but--there's also a local preference based on their current context: you might have a stronger preference to video for commuting or perhaps you like to print out materials and read it.
Finding ways to allow learners to come along their own journey that meets them where they are right now is key to generating better outcomes.
- It is a common story and sometimes those get put in the collective blender and we get apocryphal stories out of it. Here's two stories of my own:
Back in the mid 90s, I built out a system that gave every school in a district their own webpage that was carved out of some government funding for providing internet access. There was no budget for hardware though, so it ended up running on a repurposed workstation in somebody's office. One Tuesday evening the cleaners unplugged it to vacuum and it didn't power back up after being plugged in. On Wednesday somebody helpfully stuck a piece of paper saying "don't unplug" to it, which seemed to solve that problem until the whole project was mothballed.
In the late 90s, I worked at a company where we started getting complaints from the staff about machines getting slower over time. Nobody took it seriously until there was an inventory of machines taken and we found that a large number had significantly less memory installed than they should have; somebody was stealing half the memory sticks from each. Hidden cameras were installed in the office and it turned out that somebody on the cleaning crew came with a screwdriver and ESD bags and knew how much to take to leave the machines working.