Hacker News | tranceylc's comments

Are you sure you aren’t projecting your substance abuse issues onto others? Assuming someone has a hangover in the middle of the week is odd behaviour


>> Assuming someone has a hangover in the middle of the week is odd behaviour

Sure, this never happens. Literally, no one in the history of mankind has gotten wasted in the middle of the week.


Maybe they're in recovery or had a family member with substance abuse problems.


All of these examples are about receiving though.


Yes, but that's still dependent on the reliability of the post office.


Call me crazy but that is a real worry for me, and has been for a while. How long until we see some large corporate software have their deployment process hijacked, and have it affect a ton of computers that auto-update?


You mean like the SolarWinds hack that happened a lil while ago?

https://www.techtarget.com/whatis/feature/SolarWinds-hack-ex...


One of the most dangerous versions of this IMO is someone who compromises a NPM/PyPI package that's widely used as a dependency. If you can make it so that the original developer doesn't know you've compromised their accounts (spear-phished SIM swap + email compromise while the target is traveling, for instance, or simply compromising the developer themselves), you don't need every downstream user to manually update - you just need enough projects that aren't properly configured with lockfiles, and you've got code execution on a huge number of servers.

I'm hopeful that the fallout from Crowdstrike will be a larger emphasis on software BOM risk - when your systems regularly phone home for updates, you're at the mercy of the weakest link in that chain, and that applies to CI/CD and end user devices alike.


It makes me wonder how many core software libraries to modern infrastructure could be compromised by merely threatening a single person.


As always, a relevant xkcd[1]. I would not be surprised if the answer to “how many machines can be compromised in 24 hours by threatening one person” was less than 8 figures. If you can find the right person, probably 9+.

[1] https://xkcd.com/2347/


Just compromise one popular vim plugin and you have dev access to half of the industry.



I mean, isn't that roughly the SolarWinds story? There is no real shortage of supply chain incidents in the last few years. The reality is we are all mostly okay with that tradeoff.


I will say that playing Counter-Strike for money has given me confidence in stressful situations in a workplace, as well as helping me navigate tension between team members/co-workers.

It is mostly soft skill type stuff. For example, something goes wrong and veers from an original plan, and you have to come up with a solution and adapt in the moment.


The article is more of a history lesson and context than it is an ad. I see what you mean, but clicking “product -> What Is Antithesis?” shows a clear description of what it does. Perhaps that could also either be added to the article or the home page?


Does anyone else feel like people follow these sort of industry pop-culture terms a bit too intensely? What I mean is that the existence of the term tends to bring out people trying to figure who that might be, as if it has to be 100% true.

I personally think that some people can provide “10x” (arbitrary) the value on occasion, like the low hanging fruit you said. I also believe some people are slightly more skilled than others, and get more results out of their work. That said, there are so many ways for somebody to have an impact that doesn’t have to be immediate, that I find the term itself too prevalent.


"Does anyone else feel like people follow these sort of industry pop-culture terms a bit too intensely?"

Agreed, there is too much effort going into the "superstars" theme, but there are definitely people who get 10x done in the same time as others.


Yep. No matter what you're doing, some people are more productive than others. Often it's a matter of experience and practice, sometimes ability to focus, sometimes motivation, rarely it's a lack or surplus of inherent ability. Using people effectively in the context of a team all depends on the skill of the manager though.


I think a lot of people that complain about 10x chattery in HN should take some kind of carpentry etc course or some other kind of handiwork like that with a real master.

Some of those people not only get things done much quicker, but they also get it done with better quality than an amateur, with less mistakes, throwing away less material, sometimes with more safety.

This is definitely more than 10x better. And there are some real hacks doing those kinds of jobs. I find programming to be not different than that.


Well sure, if you compare a master to a novice, there is almost always a great difference. But between masters of carpentry, there is usually not so much difference. But here with the 10x trope it is supposed to be different and I would say indeed, but it is not as common as many would like to think.


Perhaps there aren’t that many non-master carpenters (I don’t think that’s true, there’s plenty of professional incompetents), but I am 100% sure that not all professional developers are “masters”.


Insane that the gap between #1 and #2 is almost double.


Those hundreds of people do not get commission.


I even use git for my resume. Makes changing the wording or rearranging things for a specific company to be slightly easier on me

