
Issue #186 - October 2, 2022

Here are the top threads of the week, happy reading!

Top comment by firstSpeaker

There are significantly worse things happening in the industry by much, much bigger consultancy names. We, an enterprise, hire complete teams from the consultancy that would pick up some of the work in different projects with their own product owner and so on, but under our contract.

We seldom see all the people whom we interviewed for the teams, as devs, being present in the meetings in which they are all expected to be present (of course it is most often the timezone difference that is the mentioned reason). Or people who join have their camera turned off, so there is no way to see them.

The code quality that comes is not on par with the skillset we evaluated during the interviews, and I suspect the whole consultancy is doing something similar: presenting top engineers in the interview and then moving them between many teams, leaving the less skilled engineers to do the work.

Top comment by jcrawfordor

Very important that you develop complete confidence that there isn't anything wrong with your product. It's not uncommon, in fact it's very common, for compromise kits for websites to take measures to avoid detection. A common one is only serving the malicious content when a specific referrer is present (I've seen this be Yahoo Search in the case of compromised Drupal installations multiple times, not really sure why). It might be wise to engage a security firm to conduct an investigation if you don't have in-house expertise in this area. You should definitely review logs carefully for any unusual inbound traffic. Sometimes looking up your own domain on services like virustotal can reveal the problem, as it might turn up samples of malware retrieved from your website.

I say this because I have been involved in this exact situation multiple times: website flagged by some or other security service, website operator has no idea why and insists it is fine, website turns out to be serving the landing page of a major pharma scam campaign unnoticed by the website operator due to anti-detection measures.
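The anti-detection measure described in the comment above (malicious content served only when a particular referrer is present) can be checked for mechanically: request the same URL under several client profiles and compare the responses after stripping per-request noise. The following is an added example, not code from the commenter or from any product mentioned on the page. The profiles, the `http_fetch` helper and the "compromised Drupal" fake site are all constructed for illustration; the Yahoo Search referrer is the one the commenter mentions.

```python
"""Cloaking check: fetch one URL under several client profiles and compare
the responses. A compromised site that serves spam or malware only to visitors
arriving from a specific referrer (or to a specific crawler) shows up as a
response hash that differs from the baseline.

Added example. The fetcher is injectable so the comparison logic can be run
offline against a constructed fake site; http_fetch is the real-network variant."""
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List

Headers = Dict[str, str]
Fetcher = Callable[[str, Headers], bytes]

DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/105.0"

# Client profiles worth comparing (assumed set, extend as needed). Referrer-based
# cloaking is the case the comment describes; crawler and mobile UAs are the
# other common triggers.
PROFILES: Dict[str, Headers] = {
    "baseline": {"User-Agent": DESKTOP_UA},
    "referer-yahoo": {"User-Agent": DESKTOP_UA,
                      "Referer": "https://search.yahoo.com/search?p=example"},
    "referer-google": {"User-Agent": DESKTOP_UA, "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
    "mobile": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) "
                             "Safari/604.1"},
}


def http_fetch(url: str, headers: Headers, timeout: float = 15.0) -> bytes:
    """Real fetcher (not used by the offline demonstration): plain urllib GET."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Per-request noise that legitimately differs between fetches: nonces, CSRF
# tokens, long numeric timestamps. Stripping it avoids false positives.
_NOISE = re.compile(rb'(nonce="[^"]*"|csrf[^"]*"[^"]*"|\d{10,})')


def normalise(body: bytes) -> bytes:
    return _NOISE.sub(b"", body)


def fingerprint(body: bytes) -> str:
    return hashlib.sha256(normalise(body)).hexdigest()


def compare_profiles(fetch: Fetcher, url: str, profiles: Dict[str, Headers] = PROFILES) -> Dict[str, str]:
    """Fingerprint of the response under each profile."""
    return {name: fingerprint(fetch(url, hdrs)) for name, hdrs in profiles.items()}


def find_divergent(hashes: Dict[str, str], baseline: str = "baseline") -> List[str]:
    """Profiles whose response differs from the baseline request; any entry here
    deserves a manual diff of the two bodies."""
    base = hashes[baseline]
    return sorted(name for name, h in hashes.items() if h != base)


# Constructed fake site for the offline demonstration: a page with a rotating
# CSRF token that injects a hidden pharma-spam block only when the Referer is
# Yahoo Search. This models the behaviour the comment describes; it is not a
# real site.
CLEAN_PAGE = (b'<html><head><title>Acme Widgets</title>'
              b'<meta name=csrf-token content="abc123"></head>'
              b'<body>Welcome</body></html>')
SPAM_BLOCK = (b'<div style="position:absolute;left:-9999px">'
              b'<a href="http://cheap-pills.example/">buy pills</a></div>')


def fake_fetch(url: str, headers: Headers) -> bytes:
    token = hashlib.sha256(repr(sorted(headers.items())).encode()).hexdigest()[:6]
    body = CLEAN_PAGE.replace(b"abc123", token.encode())
    if "search.yahoo.com" in headers.get("Referer", ""):
        body = body.replace(b"</body>", SPAM_BLOCK + b"</body>")
    return body


if __name__ == "__main__":
    # Against the fake site only the Yahoo-referrer profile diverges.
    print(find_divergent(compare_profiles(fake_fetch, "https://example.invalid/")))
```

To run this against a real site, pass `http_fetch` instead of `fake_fetch`, and do it from a network that is not the site owner's own address range: kits that key on referrer often also key on the visitor's IP or geolocation, so a check from the office may see only the clean page.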

Top comment by jawns

I bought a house with solar panels 6 years ago.

There was an ethernet cable plugged into the inverter panel, which ran to a Comcast box.

We switched to FIOS after a couple of months, and never switched the connectivity of the solar panels. Everything worked fine, but ...

A few months later, I received a strongly worded email from an organization I had never heard of, saying that I needed to get the solar panels back online, because it was a requirement of the contract the previous owner had entered into to sell the SRECs generated by the panels. Failing to connect the panels to the Internet could lead them to pursue action related to a lien they had on our property.

Wait, what contract? And what lien? This was the first I'd heard of either, and the lien hadn't come up during the title-insurance process.

It turns out the previous owner of the house had entered into a contract with an organization in our state that pays you a lump sum if you sign away the rights to the SRECs your system generates. The owner had used that lump sum to help pay for the panels.

But then he sold the house to my wife and me, without ever disclosing the existence of the contract. So basically he sold the SRECs to both of us. He sold them to the organization by virtue of their contract, and he sold them to us by virtue of the ownership of the panels transferring to us when we bought the house.

And the lien never came up because it was not against the real estate itself; rather, it was against the SRECs -- the Solar Renewable Energy Credits that are generated by the panels. They're not physical assets, but they do have substantial value.

It took the retention of a lawyer and a whole bunch of back-and-forth between us, the seller, our buyer and seller's agents, the lawyer who handled our settlement, and the SREC-buying organization to get the whole mess sorted out.

In the end, we got the lien and contract dissolved ... and then we hooked the panels up to FIOS, and I get handy little charts of all the SRECs we're generating :)

Top comment by koonsolo

You're going to love to hate this: Best choice I made was using WordPress!

I run https://rpgplayground.com, a web tool to make RPG games without coding (6000+ user-published games). The app itself is written in Haxe. My website is WordPress.

Haxe because it will be easy to port to any device.

Why was WordPress the best choice? Basically everything you need has a plugin.

I needed a forum: bbPress

I needed a community where my members post updates: BuddyPress

I need to send out a newsletter, and most SaaS options are crazy expensive: plugin mailster.co, one-time payment. (Using critsend.com)

Needed some FAQ page with search, needed a captcha for registering, experimented with ads, post updates to Discord, user reporting system, ... You name it, there is a plugin for that.

I also have an external person who writes my newsletters, but isn't allowed to push the "publish" button. All thanks to the user roles functionality.

Of course I needed my own plugin to integrate my app and show shared games. I could have written that myself, but then I would lose out on time developing my tool. So I was able to hire a cheap php WordPress developer who made my custom plugin. Went great!

WordPress is so crazy powerful that if you want to create some community website, it offers everything you need.

I know my experience is not what many of you would expect, so I thought it was interesting to share it with you.

Top comment by SyneRyder

The spam is quite likely coming via Google itself.

Google's mail servers have been compromised for several weeks now. It's commonly being used for infected crypto spam (all those "new traderbot" emails with the attached infected PDF, for example). I'm not yet sure if these are just compromised Gmail accounts, or if the mail servers themselves have been compromised. There seem to be some reports on AbuseIPDB of intrusion attempts coming directly from Google's mail servers.

I've tried reporting it to Google (eg via SpamCop), and Google declines to receive reports. I have been reporting it through AbuseIPDB as well. Here is one Google mail server that has had over 300 abuse reports:

https://www.abuseipdb.com/check/209.85.167.48

There are many more, and I linked to a few more when I posted about it here on HN over a month ago:

https://news.ycombinator.com/item?id=32434810
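The question the comment above leaves open, whether a message really came through Google's relays or merely claims to, can be settled from the message's Received chain. Only the Received header your own MTA added is trustworthy; every hop below it was written by someone else and may be forged, so the useful fact is the IP address that connected to your server, compared against the netblocks Google publishes in its SPF records. The following is an added example, not code from the commenter; the message is constructed (it reuses the IP the commenter links to), the `example.org` mail hosts are hypothetical, and the netblock list is a snapshot that should be refreshed from `_netblocks.google.com` before use.

```python
"""Walk a message's Received headers to find the IP that actually delivered it
to our MTA, then check that IP against Google's published SPF netblocks.

Added example. Trust model: headers written "by" one of OUR hosts are reliable;
the first hop below that run is the external server that connected to us, and
everything beneath it is hearsay (a spammer can prepend any Received lines)."""
import email
import ipaddress
import re
from email import policy
from typing import Iterable, List, Optional, Tuple

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")

# Snapshot of ip4 entries from _netblocks.google.com (Google's SPF include) at
# the time of writing; treat as an assumption and resolve the live record.
GOOGLE_NETBLOCKS_SNAPSHOT = [
    "209.85.128.0/17", "74.125.0.0/16", "64.233.160.0/19",
    "66.249.80.0/20", "72.14.192.0/18", "108.177.8.0/21", "173.194.0.0/16",
]


def received_hops(raw: bytes) -> List[Tuple[Optional[str], Optional[str]]]:
    """(connecting_ip, receiving_host) per Received header, newest (topmost) first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        from_part = text.split(" by ", 1)[0]        # sender info precedes "by"
        ip = IP_IN_BRACKETS.search(from_part)
        by = BY_HOST.search(text)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def _is_ours(host: Optional[str], trusted_domains: Iterable[str]) -> bool:
    return bool(host) and any(host == d or host.endswith("." + d) for d in trusted_domains)


def delivering_ip(raw: bytes, trusted_domains: Iterable[str]) -> Optional[str]:
    """IP of the external server that handed the message to our infrastructure.
    Walk down through hops received by our own hosts (internal relays included)
    and keep the last 'from' IP before the chain leaves our control."""
    last = None
    for ip, by in received_hops(raw):
        if not _is_ours(by, trusted_domains):
            break
        last = ip
    return last


def in_netblocks(ip: str, blocks: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


def classify(raw: bytes, trusted_domains: Iterable[str], blocks: Iterable[str]) -> str:
    ip = delivering_ip(raw, trusted_domains)
    if ip and in_netblocks(ip, blocks):
        return "relayed-by-google"      # real Google relay: report the account/IP to Google
    lower_hops = received_hops(raw)[1:]
    if any(by and by.endswith("google.com") for _, by in lower_hops):
        return "forged-google-claim"    # claims Google below the trusted hop, delivered from elsewhere
    return "other"


# Constructed sample message (not a real capture): a "traderbot" spam that our
# hypothetical mx1/mx2.example.org received from the IP the commenter links to.
SAMPLE = b"""Received: from mx1.example.org ([10.0.0.5])
\tby mx2.example.org with ESMTP id 3abc for <victim@example.org>;
\tSun, 02 Oct 2022 10:00:02 +0000
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48])
\tby mx1.example.org with ESMTPS id 2abc;
\tSun, 02 Oct 2022 10:00:01 +0000
Received: by mail-lf1-f48.google.com with SMTP id x9so123;
\tSun, 02 Oct 2022 03:00:00 -0700 (PDT)
From: "Trader Bot" <someone@gmail.com>
Subject: new traderbot
To: victim@example.org

see attached
"""

# Same message with the Google hop faked by a sender connecting from elsewhere.
SPOOFED = SAMPLE.replace(b"[209.85.167.48]", b"[203.0.113.7]")

if __name__ == "__main__":
    print(delivering_ip(SAMPLE, ["example.org"]), classify(SAMPLE, ["example.org"], GOOGLE_NETBLOCKS_SNAPSHOT))
    print(delivering_ip(SPOOFED, ["example.org"]), classify(SPOOFED, ["example.org"], GOOGLE_NETBLOCKS_SNAPSHOT))
```

A "relayed-by-google" result is the case worth reporting with the delivering IP and the message ID from the trusted hop; a "forged-google-claim" result means the google.com hostnames in the lower headers are decorative and the abuse report should name the actual connecting address instead.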

Top comment by retrac98

Reduce scope, or move the deadline. Taking shortcuts or working overtime in significant amounts just leads to more trouble down the road.

Once the project is delivered, make sure you all sit down and do a retrospective on what went wrong, decide what you’ll change next time, and actually make those changes.

If none of this seems feasible in your organisation any time soon, leave. Don’t waste your time with people who aren’t taking your work seriously.

Top comment by bwb

1. Leaders Eat Last Deluxe: Why Some Teams Pull Together and Others Don't

We gave this to every employee at the business, as it models the type of culture and leaders we wanted to grow. For me personally, it put down on paper what I had been trying to do for years. It was something I reread often to try to improve my manager/leadership skills. This type of thinking helped me become a better CEO (it wasn't instant).

2. Playing to Win: How Strategy Really Works

Great book on tactics and strategy; it helped me improve why we did things and created a much better approach to problems.

3 & 4. Lean B2B: Build Products Businesses Want and The Lean Product Playbook: How to Innovate with Minimum Viable Products and Rapid Customer Feedback

Totally changed how I approach building solutions and testing ideas. I learned how to do customer dev interviews and go from learning to testing what problems I am hearing and so on. I've flipped through each of them 50+ times as I construct the next interview or so on. I particularly like the Product Playbook's method to evaluate different problems and the value individuals put on them. They have been helpful as I've started to learn, and I've got a long way to go.

I wish I had these 10 years earlier; it would have saved a lot of money.

Top comment by hunglee2

In simple terms, the Bank of England and UK Gov are pursuing conflicting economic policies, BoE trying to take money out of circulation through hiking up interest rates, whilst UK Gov is putting money into circulation by proposing massive debt funded tax cuts.

The obvious incoherence of this then led to the markets losing confidence in the UK economy, crashing the value of the pound, which in turn makes the planned UK debt-funded tax cut plan even more expensive than it already needed to be, leading to even more loss of confidence.

We are now in a cascading crisis, from which there are no good options, only worse and terrible ones.

Top comment by deanmoriarty

I haven't been doing anything at all, beside some mechanical tax-loss harvesting. Suffered -21% YTD returns (~$800k lost on paper) on my 3-fund portfolio, which includes roughly 85/15 stocks/bonds.

Thanks to new contributions my net worth since last year is "just" down -11%. I haven't increased the rate of my new contributions because I have always dumped all my savings in the market since forever, I never kept any "dry powder" for moments like these as I always thought it was too much opportunity cost. Actually, thinking about it, the rate of new contributions significantly decreased this year because a good chunk of my pay is in FAANG RSUs :-)

It sucks, but I know I don't know anything and I can't risk timing the market and being double-slapped (first slap: taxes to liquidate the portfolio; second slap: not catching the market rebound, when/if it will happen).

Again, it sucks when you think how much stuff I could have bought with the ~$800k I lost on paper. My parents, old-school folks, think I am completely insane and irrational for letting this happen, and they also thought this in March 2020 when I didn't sell. I literally have my dad texting me every other day begging me to sell. But surprisingly you get used to it, and I do not think I would panic, nor change my plans, even if we go much lower from here.

Top comment by Hermitian909

For SAAS companies that do B2B it's important to remember two arms of the company:

1. Sales -> You can hire a lot of sales people if they're generating enough business to cover their own salaries

2. Customer Support -> Big enterprise contracts generally have support written into them. Thus, for every enterprise customer Docusign may need anywhere from 0.1 -> 3 (or more) FTEs. If you price this right it's always worth it to keep growing the org this way.

Docusign has a lot of opportunities to upsell customers on legal services they provide.

You should also consider the scaling cost of internal support. For every 10 FTEs, add a manager. Also add on HR, accounting, janitorial, etc. Easily 20% of the company might be these sorts of internal support roles.