Depth over Noise #3
This time, I have a mixed basket of topics. Let's get started.
Supply chain attacks are underrated
Within software engineering, supply chain attacks are among the most significant threats, and they can impact the entire industry. The industry recently saw two of them, but got quite lucky in the process. It's always interesting to inspect the vectors of these attacks.
The first one was an injection attack via the delivery pipeline. It's fascinating to see how this was possible through products for which you might not typically consider this type of threat.
Social engineering caused the second. Please ensure you're using a password manager and enable two-factor authentication (2FA) on all accounts you use. Also, create custom, random passwords for each service. Then, please be extra cautious about the emails you receive and take security-related action only when you're focused on the subject, rather than mindlessly checking boxes.
Here are the latest ones the industry is talking about:
Don't build your castle in other people's kingdoms
Such an important business lesson: Don't build your castle in other people's kingdoms. I love the post for its clarity, showing the issue along with actions and rules to prevent it:
In the past ... social media sites have changed their terms or introduced suspicious paid plans ...
Every single year one social network or another pulls a stunt like this. Somehow people are still shocked when it happens.
Don’t be.
It isn’t a matter of if, it is a matter of when. They don’t care about you. You must market your game [website, etc.] as if the platform you are using will go away tomorrow and you will lose access to some or most of your followers.
And the rules he derives from it:
Rule #1: Build your castle on land you own.
Rule #2: Shamelessly use the other kingdoms just like they are using you.
Rule #3: Always move people back to your kingdom, never to another kingdom.
Rule #4: Operate like your castle can get shut down tomorrow.
Rule #5: Be suspicious of new kingdoms that give away easy visibility.
Rule #6: Give good reasons to go back to the Castle in your Kingdom. And be persistent!
The problem of building your castle in another kingdom is highlighted in a great comic:

This is one of the reasons I have my own independent website instead of relying on publishing platforms (like Medium, LinkedIn, DEV Community, Substack, etc.). Within this platform space – with the same issues – there is a new player with a new approach:
Substack's publishing platform with prestige and marketing traps
Substack positioned itself as a publishing platform like many others (Medium, DEV Community, Ghost, Beehiiv, WordPress, etc.). Yet, Substack tries to go down its own route through marketing. This marketing approach opens new doors for them, but not without raising concerns.
John Gruber explains the trouble with Substack's marketing in the article The Substack Branding and Faux Prestige Trap. It shows the branding tactic in action:
Substack is a damn good name. It looks good, it sounds good. It’s short and crisp and unique. But now they’ve gotten people to call publications on Substack not “blogs” or “newsletters” but “substacks”.
The article Don’t Call It a Substack highlights why this is a problem:
Imagine the author of a book telling people to “read my Amazon”. A great director trying to promote their film by saying “click on my Max”. That’s how much they’ve pickled your brain when you refer to your own work and your own voice within the context of their walled garden. There is no such thing as “my Substack”, there is only your writing, and a forever fight against the world of pure enshittification.
Then, back to John Gruber's article, he concludes:
... writes for Substack, formerly with The New York Times. Thanks so much.
...[The author] does not “write for Substack”. No one would say that Jason Snell “writes for WordPress”, or that Jason Kottke or yours truly “writes for Movable Type”. No one says Molly White, Casey Newton, or Craig Calcaterra “writes for Ghost”, or that Oliver Darcy “writes for Beehiiv”. Only with Substack does anyone perceive creator branding as being subservient to the platform — something that ought to be seen merely as an interchangeable CMS — like that.
Random Reads
Remains of the Day wrote two pieces I liked a lot. The writing style immediately captivated me. I delved into each subject and learned a lot. I can highly recommend these articles. Perhaps I will revisit them in this newsletter someday, providing my highlights from them:
- Invisible asymptotes: His journey working for big tech and how so-called S-Curves are a thing.
- Selfies as a second language: Reviewing interesting patterns in social media, like: "When I send a Snap [selfie] to any of the people in my address book, the oldies respond, inevitably, with some text message, maybe an emoji if they're somewhat hip. If I send a Snap to a young'un, inevitably I'll receive a selfie in response."
Bartosz Ciechanowski creates deep-dive articles about various topics with crazy good 3D showcases you can explore on your own. Highly recommended:
The Uncharted Territory has a GeoHistory section, providing interesting reviews with data attached:
Comic and meme sites: