Asynchronous communication

For years now I've lived with email notifications turned off. Both at work and home accounts. It's never caused a problem, since people know how to reach me for emergencies, and I believe it has helped me be calmer and more productive.

Doist explains why asynchronous communication leads to increased productivity.
The article is great, and here are some highlights:

Real-time communication comes with a few downsides:

• Leads to constant interruptions,
• prioritizes being connected over being productive,
• creates unnecessary stress,
• leads to lower quality discussions and suboptimal solutions.

Having a more asynchronous way of working is better because of:

• Control over the workday = happier and more productive employees,
• high-quality communication versus knee-jerk responses,
• better planning leads to less stress,
• deep work becomes the default,
• automatic documentation and greater transparency,
• time zone equality.

And here's how to get there:

• Plan ahead to give people time to consider your message,
• after meetings, document discussions, and outcomes,
• turn off notifications,
• evaluate people based on their output and results, not how responsive they are or the number of hours they work,
• emphasize trust, organization, independence, and accountability,
• adopt a Direct Responsible Individual (DRI) model for management and decision-making,
• make transparency a priority,
• use tools that promote transparency, deep work, and async communication.

Meta: Managing engineers

Dear engineering managers, here’s an excellent 17' talk of a Github manager on “How to grow emotionally intelligent engineering teams”.
It’s really to the point imho. Highly recommended to watch!

Practical AWS security setup

2021 Update: Since I wrote this article in 2019, I've found this PDF guide on the same topic. It is much more elaborate and complete than my own notes. I highly recommend going through it :)

AWS security on the cheap

So, you're on a budget (say, you are voluntarily building a workshop for students in Ghana) and you want a secure AWS environment to allow people to learn on.

How do you setup and secure the account?
You use infrastructure-as-code and a few free tools. I'll discuss the setup and give code in my next blog post.

In this post I'll show something about two of the tools:
How does AWS's Trusted Advisor (free version) compare to NCC group's ScoutSuite?

Well, on a relatively simple AWS account, Trusted Advisor finds no issues:

But ScoutSuite has findings: 

Many of these findings are worth looking into and getting fixed. The rest can be marked as false positives, so they don't show up in future scans.

Please note that getting a paid AWS support plan would enable extra Trusted Advisor features that might produce similar results. But I like to be able to do it for free :D.

NSA gives defense advice

The NSA’s Tailored Access Operations unit gives a talk about how they attack the rest of the world. Very interesting for us defenders. 

My take-aways to make these guys' (and other nation state attackers') lives harder: 

• They get an edge by knowing the network better than the people running it. 
• 0-days are not such a huge tool for them (!). They can breach most corp networks using known vulnerabilities. So use recent software! 
• User awareness can only help up to a point. Beyond that (for advanced persistent threats), the users can always be tricked into clicking. You must have technical measures to defend against those. 
• Older protocols are usually targeted because they are easy to sniff/decode. There is no use in upgrading your apps to use latest (e.g.) SSO technologies if one still uses legacy. 
• One of their worst nightmares: an out-of-band network tap, monitoring for anomalous behavior. 
• Don’t use old-school AVs which rely only on signatures, use something with reputation checking.

AWS security tool collections

I've come across a few of them lately:

• Jason Chan's list of AWS security resources
• Toniblyx's mega collection of AWS security tools
• Something that's missing from there: Brian Warehime's guide to Easy to use GuardDuty alerting with the help of Terraform and Slack

Edit 20-Oct-19: Configuring GuardDuty on multiple accounts is a PITA, so this article might help.

Being a tech lead & project management

I found the guidelines that Webflow issues to their Tech Leads useful and inspiring. Webflow is a tool for building websites, but it doesn't really matter, it could be any cool software company that issued this.

The whole article is worth a read for people in such roles (and their managers), but here are three highlights:

On crunch time:
"When people operate at their peak performance, where they engage in the flow state 2–4 hours a day, they are incapable of more work without drastic consequences. They should already be operating at peak efficiency, and asking more of them has severe diminishing returns and a detrimental impact to them personally, and to Webflow as a company."

On moving deadlines:
"Too much is at stake when we attempt to hit an unrealistic deadline, and among them are team burnout, poor product quality, reduced morale, and more.

The important idea here is not to lose sight of a delivery date. That’s all that matters. Projects will fall into limbo when a missed deadline stays (ahem) dead and the project careens toward the unknown. This is worse than moving the deadline, so move it!"

On the 80-20 principle, the last 20% of a project takes a lot of time, and is usually needed. If you want to stop at 80%, consider this: you want to buy a piano for your living room. How much would you pay for one that plays fine [80%] but its wood is still untreated [20%]?
Webflow says "Just treat the 80% point in your project as the halfway marker. That will align expectations against the added effort nuance prescribes."