what i've been reading (26)
lots of hackers publishing tools and techniques. also: andrew chen on product strategy
big week in security news - defcon/blackhat last week. would have gone, but i’m traveling in japan instead.
security
web race conditions - james kettle gives a technique to more reliably time http requests, making race conditions more exploitable. still hard to exploit - they are super black box
sensitive iam policies - an attempt at a comprehensive list of sensitive iam policies. denylists in aws are still such a bad idea.
monetizing browser extensions - if you have code running in a few thousand users’ browsers, then …investors… are willing to pay about $0.20/user for access. see also: collection of inquiries to “partner” or purchase hoverzoom
enumerate attack surface via source code - tool to parse source code and extract endpoints worth scanning. this may be more comprehensive than a crawler
deploy vulnerable cloud resources - i’ve been trying to find an easy, repeatable, secure way to run automated tests of cloud security scanners in ci/cd. this gets closer, but i still have not found something i'm happy with. if you have a suggestion, let me know.
github oidc is hard - automated testing for github/aws confused deputy issues
nemesis: automating offsec data processing - automatically secret scan and extract metadata when a resource is discovered. the approach is close to right but execution isn't quite there yet. github
turn on push protection in github - github can detect secrets before you commit
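the github oidc item above is about the confused-deputy mistake where a role's trust policy lets any github repository's workflow assume it because the `sub` claim is never checked. as an added example (my own, not code from the newsletter or from the linked project), here is a small audit that reads a trust policy document and flags statements that allow `sts:AssumeRoleWithWebIdentity` from the github oidc provider without pinning `sub` to an allowlisted repository; the account id, organisation and repository names in the sample policies are constructed placeholders.

```python
"""Audit IAM role trust policies for the GitHub OIDC confused-deputy mistake.

A workflow in any GitHub repository can obtain a token from
token.actions.githubusercontent.com, so a trust policy that only checks the
audience (or nothing at all) lets the whole of GitHub assume the role. The
fix is to pin the `sub` claim (repo:ORG/REPO:ref:...) to your own repos.
Sample policies below are constructed for this example; the account id and
repo names are placeholders.
"""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"
AUD_KEY = GITHUB_OIDC + ":aud"
# Actions that would permit web-identity assumption (compared lowercase).
ASSUME_ACTIONS = {"sts:assumerolewithwebidentity", "sts:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _uses_github_provider(principal):
    """True when the Federated principal is the GitHub OIDC provider."""
    if not isinstance(principal, dict):
        return False
    return any(GITHUB_OIDC in str(p) for p in _as_list(principal.get("Federated", [])))


def _condition_values(condition, key):
    """Collect every value bound to `key` under StringEquals/StringLike
    (including the ForAnyValue:/ForAllValues: set-operator variants)."""
    values = []
    for operator, pairs in (condition or {}).items():
        if operator.split(":")[-1] not in ("StringEquals", "StringLike"):
            continue
        if not isinstance(pairs, dict):
            continue
        for cond_key, cond_val in pairs.items():
            if cond_key.lower() == key:
                values.extend(str(v) for v in _as_list(cond_val))
    return values


def audit_trust_policy(policy, allowed_repos):
    """Return a list of finding strings; an empty list means every GitHub
    OIDC statement pins `sub` to a repository in `allowed_repos`."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (actions & ASSUME_ACTIONS):
            continue
        if not _uses_github_provider(stmt.get("Principal", {})):
            continue
        cond = stmt.get("Condition", {})
        subs = _condition_values(cond, SUB_KEY)
        if not subs:
            findings.append(f"statement {idx}: no {SUB_KEY} condition, so a workflow in "
                            "any GitHub repository can assume this role")
        for pattern in subs:
            parts = pattern.split(":")
            repo = parts[1] if len(parts) >= 2 and parts[0] == "repo" else ""
            if not repo or "*" in repo or "?" in repo:
                findings.append(f"statement {idx}: sub pattern {pattern!r} does not pin a single repository")
            elif repo not in allowed_repos:
                findings.append(f"statement {idx}: sub pattern {pattern!r} trusts {repo!r}, "
                                "which is not in the allowlist")
        if not _condition_values(cond, AUD_KEY):
            findings.append(f"statement {idx}: no {AUD_KEY} condition; pin the audience as well")
    return findings


def audit_trust_policy_json(text, allowed_repos):
    """Convenience wrapper for the JSON document as returned by the API."""
    return audit_trust_policy(json.loads(text), allowed_repos)


# Constructed sample: only the audience is checked, `sub` is never pinned.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
    }],
}

# Constructed sample: audience and `sub` both pinned to one repo and branch.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
            "StringLike": {SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"},
        },
    }],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_trust_policy_json(json.dumps(doc), {"example-org/example-repo"}))
```

the audit deliberately treats a wildcard in the org/repo part of `sub` (for example `repo:example-org/*:*`) as a finding, because an organisation-wide wildcard still trusts every repository a member can create; a wildcard in the ref part is left to the reader's policy.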
product strategy
andrew chen: how to get product market fit - if you don't hit pmf on day 0, it usually takes years. build something people already understand in a space with a lot of competitors - then you know customers want what you're selling. only innovate a little - maybe 20% of the product should be new.
andrew chen: what to do when product growth stalls - retention, retention, retention. build for the customers who don't sign up or who cancel. don't build for the customers who love you already.
andrew chen: next feature fallacy - building the next feature won't save you. especially when that feature only makes the lives of power users better. lifesaving features should be immediately useable by new users.
how ramp builds product (partial) - “our culture is velocity” - this is a scary statement - building the wrong thing fast is worse than building the right thing slow. the tradeoffs to achieve velocity are worth understanding. once a team is aligned on direction, they should be able to run without interference from requirements, approvals, or estimations. invest everything into directional alignment with feature teams and keep planning short-term and tactical - don't waste time with a product team that plans and estimates individual features.
games
on the design of the new euro game barcelona - dani garcia started with a theme, then scrounged to find mechanics that fit the theme and are fun. i assumed most designers did the opposite.
misc
i like this software for generating timelines. example here: history of vim
100 pieces of advice - write letters and be kind and a lot of travel advice
the perfect murder - this theoretically perfect murder method only failed because it wasn't fully implemented
FLIP is scrapped - unique research vessel is no more. it would rotate to submerge large portions of itself and take measurements from a stable and quiet platform